🔐 Privacy Policy

doAttendance — Proxy-Free Attendance System | Last Updated: March 10, 2026

🇮🇳 This policy complies with the Digital Personal Data Protection (DPDP) Act, 2023 and Google Play Developer Policies.

1. Information We Collect

Data Type	What We Collect	Purpose	Storage
Identity	Name, Employee ID, Email	Account management	Server (encrypted)
Biometric	Fingerprint authentication status	Identity verification	Device only
Face Data	Face embedding vector (NOT photos)	Identity verification	Server (no photo)
Location	GPS coordinates (only at check-in/out events)	Campus verification	Server (event-only)
WiFi	Connected WiFi BSSID (MAC address)	Indoor location verification	Server (event-only)
Device	Device UUID, model, Android version	Device binding (anti-fraud)	Server

2. What We Do NOT Collect

❌ Fingerprint images or data — stays on your device hardware, never transmitted
❌ Face photos — only mathematical vector stored, photos are discarded immediately
❌ Continuous location tracking — GPS only used at attendance events
❌ Contacts, messages, call logs, or browsing data
❌ Personal files or media

3. How We Use Your Data

✅ To record attendance when you check in/out
✅ To verify you are physically present at the campus
✅ To prevent proxy (fraudulent) attendance
✅ To generate attendance reports for your employer

We do NOT: Sell, share, or monetize your personal data. Data is used solely for attendance.

4. Data Retention

Data Type	Retention Period
Attendance records	2 years (730 days)
Location events (geofence)	90 days
Face embedding vectors	Active employment period only
Selfie challenge records	90 days
Privacy audit logs	3 years (compliance)

After the retention period, data is automatically purged by the system.

5. Your Rights (DPDP Act 2023)

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

📋 Right to Access — Request a copy of your attendance data
✏️ Right to Correction — Request correction of inaccurate data
🗑️ Right to Erasure — Request deletion of your personal data
📤 Right to Grievance Redressal — Contact the Data Protection Officer
🔔 Right to be Informed — Know when your data is processed

To exercise any right, use the "Request Data Deletion" button in the app, or contact your administrator. Requests will be processed within 30 days.

6. Data Security

🔒 All API communication over HTTPS (TLS 1.3)
🔑 Authentication via JWT tokens with 8-hour expiry
🛡️ Passwords hashed with bcrypt (salt rounds: 10)
⏱️ API rate limiting to prevent abuse
📝 All data access audit logged

7. Third-Party Services

Service	Purpose	Data Shared
Google Play Integrity API	App integrity verification	Device attestation token (no PII)
OpenStreetMap	Map display in admin panel	No user data shared

8. Children's Privacy

This service is intended for employees aged 18 and above. We do not knowingly collect data from minors.

9. Changes to This Policy

We may update this policy from time to time. Users will be notified of significant changes via in-app notification. Continued use of the app constitutes acceptance of the updated policy.

10. Contact

Data Protection Officer: Contact your organization's HR or IT department.

Grievance Officer: As required under DPDP Act 2023, your organization will designate a Grievance Officer whose details will be provided in the app.