Employee privacy notice

Last updated: 2026

What data we collect

• Your name and (optionally) email.
• A hashed PIN you choose for clock-in / clock-out. The raw PIN is never stored.
• An optional badge code (also stored only as a hash plus a lookup index).
• Each clock-in and clock-out event: the time, the office, the kiosk used, the IP address of the device that scanned the QR, and the browser's user-agent string.
• Failed PIN attempts (time, IP, user-agent) so we can detect repeated wrong-PIN attempts.

Why we collect it

• To record working hours accurately and pay you for time worked.
• To detect anomalies — e.g. someone scanning your badge while you're absent.
• To produce attendance summaries required for HR and labour-law compliance.

Who can access it

• You — ask any admin and they can show or export your records.
• Managers can read records and propose corrections, but cannot approve them.
• Admins and owners can read records and approve corrections.
• No data is shared with any third party. There is no analytics, no advertising, no tracking pixel.

How long it is kept

Attendance events are retained for the period required by local labour law (typically 3–5 years). Failed PIN attempts and audit logs are retained for at least 12 months and used only for security review.

Corrections

Original clock-in / clock-out events are never modified or deleted. If a time is wrong, a manager files a correction proposal which an admin or owner must approve. The approved correction is added as a new immutable record linked to the original. You can ask any manager to file a correction on your behalf.

Integrity

Each event is hash-chained: tampering with any past event would break the chain and be detected by the admin's ledger-verification tool.

Contact

Questions or data-access requests: contact your HR representative or any account owner from the office admin panel.