Our Privacy Policy

Efective from May 2025
Last Updated on June 2026

ANDO TECHNOLOGIES, INC
440 N BARRANCA AVE #9660
COVINA, CA 91723
Email: legal@ando.work

  1. Introduction

Ando (operated by Ando Technologies, Inc, "Ando," "we," "our," or "us") provides labor scheduling, forecasting, and workforce management software ("Services") for restaurants and other hospitality businesses ("Customers"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what choices you have.

This Policy applies to: (i) employees and managers of our Customers who use the Ando mobile app and management interface ("Users"); (ii) visitors to our marketing and product websites; and (iii) prospective customers and other contacts.

Where Ando processes personal information on behalf of a Customer (e.g., scheduling data, attendance records, wage information), Ando acts as a service provider or data processor for that Customer, who is the controller of that data. The Customer's own privacy policy governs that processing; this Policy describes what Ando does in either capacity.

Ando (operated by Ando Technologies, Inc, "Ando," "we," "our," or "us") provides labor scheduling, forecasting, and workforce management software ("Services") for restaurants and other hospitality businesses ("Customers"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what choices you have.

This Policy applies to: (i) employees and managers of our Customers who use the Ando mobile app and management interface ("Users"); (ii) visitors to our marketing and product websites; and (iii) prospective customers and other contacts.

Where Ando processes personal information on behalf of a Customer (e.g., scheduling data, attendance records, wage information), Ando acts as a service provider or data processor for that Customer, who is the controller of that data. The Customer's own privacy policy governs that processing; this Policy describes what Ando does in either capacity.

  1. Information We Collect

Account and Profile Information. When a User is invited to the platform, we collect: name, preferred name, email address, phone number, mailing address, date of birth, gender (optional), pronouns (optional), and authentication credentials.

Employment Information. Provided by your employer or by you: job role(s), department, jobsite assignments, employment status, hire and termination dates, hourly wage or salary, overtime eligibility, tipped status, manager assignments, and notes.

Sensitive Information. Where required for payroll or legal compliance, we may collect and store Social Security Numbers (or equivalent national identifiers) provided by your employer. SSNs are stored encrypted at the field level and access is restricted.

Scheduling and Time Data. Shifts assigned to you, hours scheduled, attendance records, clock-in and clock-out timestamps, break events, and geographic location (latitude/longitude) at the moment of clock-in or clock-out, where your employer's policy and your device permit.

Preferences. Role preference order, availability and shift-exclusion preferences, default timezone, time-off requests, and onboarding state.

Device and Notification Data. Push notification tokens, device platform (iOS, Android, web), notification delivery preferences (push, email, SMS toggles, quiet hours).

Communications. Messages and notifications sent to you (title, body, delivery status), and email/SMS communications you receive from the Service.

Operational and Diagnostic Data. IP addresses, browser and device identifiers, session and error logs, and analytics events related to how the Service is used.

Information from Integrations. Where your employer connects a Point-of-Sale (POS), payroll, or HR system to Ando (e.g., Toast, Square, NCR Aloha, Revel, Sling, Paycom), we receive employee and operational data from those systems to operate the Service. The data we receive depends on the integration and your employer's configuration.

  1. How We Use Personal Information

We use the information described above to:

  • Provide the Services and the underlying scheduling, forecasting, attendance, payroll-adjacent, and reporting features.

  • Authenticate Users, manage accounts, and route Users to the correct mobile or management surface.                                                                                                                                  

  • Send operational notifications (shift releases, schedule changes, attendance reminders) to the channels you have enabled.

  • Generate forecasts, anomaly alerts, and AI-assisted explanations and recommendations using AWS Bedrock (Claude) operating within our cloud infrastructure (see Section 5).                                                         

  • Detect and prevent fraud, abuse, and unauthorized access, and to enforce our terms.

  • Comply with legal obligations, respond to lawful requests, and protect our rights.                                                                                                                                                 

  • Improve the Services, debug issues, and develop new features. Where this work uses Customer Data, we use de-identified or aggregated data wherever feasible.

We do not sell personal information. We do not use Customer Data to train third-party AI models.

We use the information described above to:

  • Provide the Services and the underlying scheduling, forecasting, attendance, payroll-adjacent, and reporting features.

  • Authenticate Users, manage accounts, and route Users to the correct mobile or management surface.                                                                                                                                  

  • Send operational notifications (shift releases, schedule changes, attendance reminders) to the channels you have enabled.

  • Generate forecasts, anomaly alerts, and AI-assisted explanations and recommendations using AWS Bedrock (Claude) operating within our cloud infrastructure (see Section 5).                                                         

  • Detect and prevent fraud, abuse, and unauthorized access, and to enforce our terms.

  • Comply with legal obligations, respond to lawful requests, and protect our rights.                                                                                                                                                 

  • Improve the Services, debug issues, and develop new features. Where this work uses Customer Data, we use de-identified or aggregated data wherever feasible.

We do not sell personal information. We do not use Customer Data to train third-party AI models.

We use the information described above to:

  • Provide the Services and the underlying scheduling, forecasting, attendance, payroll-adjacent, and reporting features.

  • Authenticate Users, manage accounts, and route Users to the correct mobile or management surface.                                                                                                                                  

  • Send operational notifications (shift releases, schedule changes, attendance reminders) to the channels you have enabled.

  • Generate forecasts, anomaly alerts, and AI-assisted explanations and recommendations using AWS Bedrock (Claude) operating within our cloud infrastructure (see Section 5).                                                         

  • Detect and prevent fraud, abuse, and unauthorized access, and to enforce our terms.

  • Comply with legal obligations, respond to lawful requests, and protect our rights.                                                                                                                                                 

  • Improve the Services, debug issues, and develop new features. Where this work uses Customer Data, we use de-identified or aggregated data wherever feasible.

We do not sell personal information. We do not use Customer Data to train third-party AI models.

  1. Legal Bases (EEA/UK Users)

Where the GDPR or UK GDPR applies, our legal bases for processing are: performance of a contract (operating the Services for our Customer who employs you); compliance with legal obligations; our legitimate interests in maintaining and improving the Services; and, where required, your consent (which you may withdraw at any time).

  1. Service Providers and Subprocessors

We engage third parties to operate the Services. Our current subprocessor list is maintained at subprocessor list and is updated when subprocessors change. Categories include:

  • Cloud hosting and infrastructure (AWS): application hosting (App Runner), databases (RDS PostgreSQL), authentication (Cognito), file/object storage (S3), serverless compute (Lambda), and supporting services. All Customer Data is stored in the AWS [REGION, e.g., us-east-1] region.

  • AI model providers: AI features are delivered via AWS Bedrock, which invokes Anthropic Claude models within the AWS environment. These providers are contractually prohibited from using Customer Data to train their models and do not retain Customer Data beyond what is necessary to deliver the requested output.

  • Email delivery: Amazon SES for transactional and notification email.

  • Error tracking and observability: Sentry for application error reporting.

  • Customer support tooling: Intercom.

  • Payment processing: Stripe (applies to billing between Ando and Customers, not Customer end-users).

  1. Sharing and Disclosure

We disclose personal information only to:

  • The Customer that employs you, and other Users authorized by that Customer (e.g., your managers see your schedule and attendance).                                                                                                 

  • Subprocessors listed above, under written contracts that bind them to confidentiality, security, and processing limitations consistent with this Policy.                                                                           

  • Law enforcement or other governmental authorities where required by law or to protect rights, safety, or the integrity of the Services.                                                                                            

  • An acquirer, successor, or other party to a corporate transaction, subject to confidentiality protections.

  1. International Transfers

Ando primarily processes Customer Data in the United States. Where personal information is transferred from the EEA, UK, Switzerland, or other regions with cross-border transfer rules, transfers rely on Standard Contractual Clauses or other lawful transfer mechanisms.

  1. Retention

We retain personal information for as long as your employer's Ando account is active, plus the period required to meet our legal, accounting, and recordkeeping obligations. Specific retention periods for categories such as attendance, wage, and notification logs are described in the DPA (see /dpa).

  1. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, and unauthorized access. These include encryption in transit (TLS) and at rest (AWS KMS), row-level security in our database to isolate Customer tenants, least-privilege access controls, secrets management via AWS Secrets Manager, audit logging, and a defined incident response process. No system is fully impenetrable; we cannot guarantee absolute security.

  1. Your Choices and Rights

Depending on where you live, you may have the following rights:

  • Access — request a copy of the personal information we hold about you.

  • Correction — ask us to fix inaccurate information.

  • Deletion — ask us to delete information, subject to legal exceptions.

  • Portability — receive your data in a structured, machine-readable format.

  • Restriction or Objection — limit or object to certain processing.

  • Withdraw consent — where processing is based on consent.         

Because Ando processes most personal information on behalf of your employer, requests of this type are typically routed to your employer first. We will assist your employer in responding. To exercise rights directly, contact privacy@ando.work.

Residents of California, Colorado, Virginia, Connecticut, Utah, and other states with comprehensive privacy laws have additional rights described in the Region-Specific Notices section below.

  1. Cookies and Similar Technologies

Our marketing and product websites use cookies and similar technologies for authentication, session management, and limited analytics. See our Cookie Notice for details and controls.

  1. Children's Privacy

The Services are not directed to children under [16]. We do not knowingly collect information from children. If you believe a child has provided information to us, contact us at privacy@ando.work so we can delete it.

  1. Changes to This Policy

We may update this Policy from time to time. When we make material changes we will notify Users via the Services or by email. The "Last Updated" date above reflects the most recent version.

  1. Contact Information

For questions or concerns regarding this Privacy Policy, please contact:

Ando Technologies, Inc.
440 N Barranca Ave #9660

Covina, CA 91723
Email: legal@Ando.work