Attendify – Privacy Policy

Quick summary

• Attendify is a workforce attendance platform used by organizations (“Customers”).
• We collect account, attendance, and device information to run the service. If your employer enables it, we may process biometric templates for identity verification. We do not store raw face images or fingerprints for matching.
• We don’t sell your data or show ads. We share data with your employer and trusted providers that help us operate the service.
• You can reach us to exercise your rights at privacy@attendify.me (replace with your address).

1) Scope & Roles

This Privacy Policy describes how Attendify (the “Service”) handles personal data of users who access our mobile apps, web dashboards, and APIs.

Roles: For enterprise deployments, your organization (the “Customer”) is typically the data controller for employee data, and Attendify acts as a data processor under a services agreement. For direct or self‑serve accounts, Attendify may act as the data controller for your account data.

2) Data We Collect

A. Data you and your employer provide

• Account & Profile: name, username, email/phone, role/position, organization info, password hashes.
• Employment & Scheduling: shifts, organization unit, permitted locations, device assignment, manager/assistant info.
• Attendance Records: check‑in/out times, lunch/break times, over‑time, notes, and related HR events.
• Identifiers: employee ID, badge number, or other internal identifiers.

B. Data collected automatically

• Device & App Data: device model, OS version, app version, language, crash logs.
• Network Data: IP address, approximate location inferred from IP, timestamps.
• Location (optional): if your employer enables geofencing, the app may access precise location during attendance actions to confirm presence at permitted sites.

C. Biometric data (optional)

Some Customers enable biometric verification (e.g., face or fingerprint). Attendify uses biometric templates derived from your image/scan for matching. Templates are stored encrypted and cannot be used to reconstruct the original image. Customers can configure whether templates are kept on‑device only or synchronized to their secure tenant storage. Raw images/scans used to create templates are not stored for matching.

D. Sources

We receive data from: (i) you, (ii) your employer, (iii) devices running the app, and (iv) third‑party providers (e.g., authentication, cloud hosting, push notifications).

3) How We Use Data

• Provide, operate, and maintain attendance, scheduling, and reporting features.
• Authenticate users and prevent fraud or misuse (including identity verification where enabled).
• Enforce location policies and access controls configured by your employer.
• Monitor reliability, debug issues, and improve performance and user experience.
• Communicate about service updates, security alerts, and support.
• Comply with legal obligations and enforce agreements.

Legal bases (EEA/UK): contract performance, legitimate interests (security, improvement), consent (where required, e.g., optional biometrics), and legal obligations.

4) How We Share Data

• Your Organization: attendance and related data are shared with your employer and its authorized administrators.
• Service Providers: trusted vendors for cloud hosting, storage, analytics, error tracking, push/email delivery, and customer support (bound by confidentiality and data protection terms).
• Legal/Compliance: if required by law, subpoena, or to protect rights, safety, and the Service.
• Business Transfers: in a merger, acquisition, or asset sale, data may be transferred subject to this Policy.

We do not sell personal information or use it for targeted advertising.

5) Security

We apply industry‑standard safeguards, including transport layer encryption (TLS), encryption at rest, role‑based access controls, logging, and regular backups. No method is 100% secure, and we encourage Customers to enforce strong authentication and device security policies.

6) Retention

We retain personal data for as long as needed to provide the Service to the Customer and to meet legal, accounting, or reporting requirements. Customers can configure retention periods for attendance records. When an account is closed or data is no longer required, we delete or de‑identify it within a reasonable time unless we must keep it by law.

7) Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, and to portability.

• If your employer is the controller, please contact your employer first. We will support them in responding to your request.
• If Attendify is the controller (e.g., direct/self‑serve accounts), contact us at privacy@attendify.me (replace with your address).

You may withdraw consent where processing relies on consent (e.g., optional biometrics). This won’t affect prior processing.

8) Cookies & SDKs

The mobile apps may use device identifiers and SDKs for functionality (e.g., push notifications, crash analytics). The web dashboard uses necessary cookies for login and session management. We do not use third‑party advertising cookies.

9) International Transfers

We may process and store data in data centers located outside your country. Where required, we use appropriate safeguards such as Standard Contractual Clauses. Customers can request information about data residency options.

10) Children’s Privacy

The Service is intended for workplace use and is not directed to children under 16. We do not knowingly collect personal data from children.

11) Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via the Service or by email to administrators. The “Last updated” date at the top reflects the current version.

12) Contact Us

Company: [Your Legal Entity Name]
Address: [Street, City, Country]
Email: privacy@attendify.me (replace with your address)
DPO/Privacy Contact: [Name or team]

Appendix – GDPR & CCPA Notices

EEA/UK (GDPR)

• Controller/Processor: As described above, your employer is typically the controller; Attendify acts as processor. For direct accounts, Attendify may be the controller.
• Legal bases: contract, legitimate interests, consent (where required), legal obligations.
• Data subject rights: access, rectification, erasure, restriction, portability, objection, and complaint to your local supervisory authority.
• EU/UK Representative & DPO: [Insert details if applicable]

California (CCPA/CPRA)

We collect the following categories for business purposes: identifiers; employment‑related information; internet/network activity; geolocation (if enabled); inferences for security/anti‑fraud; and biometric information (if enabled by your employer). We do not sell or share personal information as defined by the CCPA/CPRA. You may exercise your rights via the contact methods above or through your employer.