Privacy Policy

Your privacy is important to us. This policy explains how WorkTime One collects, uses, and protects your personal information.

Last Updated: November 18, 2025

1. Introduction

Welcome to WorkTime One ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time tracking and employee management platform.

By using WorkTime One, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

Important: This Privacy Policy is fully compliant with GDPR, CCPA, and other major privacy regulations. We take your privacy seriously and implement industry-leading security measures.

2. Data We Collect

2.1 Information You Provide

  • Account Information: Name, email address, password, company name, and billing information
  • Employee Data: Employee names, IDs, departments, positions, salary information, and work schedules
  • Contact Information: Phone numbers, addresses, and emergency contacts
  • Communication Data: Messages, support tickets, and correspondence with our team
  • Payment Information: Credit card details, billing addresses (processed securely through third-party payment processors)

2.2 Automatically Collected Information

  • Time Tracking Data: Clock-in/clock-out times, work hours, attendance records, and location data from smart locks
  • Device Information: IP addresses, browser types, operating systems, device IDs
  • Usage Data: Pages visited, features used, time spent on platform, click patterns
  • Smart Lock Data: TTLock integration data including lock access logs, RFID/NFC card scans, fingerprint recognition data, PIN code usage
  • Location Data: Geographic location from smart lock installations and IP addresses
  • Cookies and Analytics: Session data, preferences, and analytics information

2.3 Biometric Data

When using fingerprint authentication through TTLock smart locks, we collect and process biometric data. This data is:

  • Encrypted using AES-256 encryption
  • Stored in hashed format and cannot be reverse-engineered
  • Used solely for employee identification and time tracking purposes
  • Never shared with third parties except as required by law
  • Deleted upon employee termination or account closure

3. How We Use Your Data

We use the collected information for the following purposes:

3.1 Service Provision

  • Tracking employee attendance and work hours
  • Calculating payroll, overtime, and penalties
  • Generating reports and analytics
  • Managing employee records and organizational structures
  • Integrating with TTLock smart locks for automatic time tracking

3.2 Communication

  • Sending automated email notifications about penalties, reports, and system updates
  • Providing customer support and responding to inquiries
  • Sending important service announcements and security alerts
  • Marketing communications (with your consent, and you may opt out at any time)

3.3 Security and Fraud Prevention

  • Detecting and preventing unauthorized access
  • Protecting against fraudulent activity and time theft
  • Ensuring data integrity and system security
  • Enforcing our Terms of Service

3.4 Improvement and Analytics

  • Analyzing usage patterns to improve our services
  • Developing new features and functionalities
  • Conducting research and statistical analysis
  • Testing and optimizing platform performance

3.5 Legal Compliance

  • Complying with legal obligations and regulations
  • Responding to lawful requests from authorities
  • Maintaining records for accounting and tax purposes
  • Protecting our legal rights and interests

4. Data Sharing and Disclosure

We do not sell your personal information. We may share your data in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist us in operating our platform:

  • Firebase (Google): Authentication, database, and hosting services
  • SendGrid: Email notification delivery
  • TTLock API: Smart lock integration and access control
  • Payment Processors: Secure payment processing (they never receive full credit card details)
  • Cloud Infrastructure: Data storage and server hosting

All service providers are bound by strict confidentiality agreements and are only permitted to use your data to provide services to us.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Court orders, subpoenas, or legal processes
  • Requests from law enforcement or government agencies
  • Protection of our rights, property, or safety
  • Investigation of fraud or security issues

4.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the new entity. We will notify you of any such change and provide options regarding your data.

4.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5. Data Security

We implement industry-leading security measures to protect your personal information:

5.1 Technical Safeguards

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Authentication: Two-factor authentication (2FA) via Google Authenticator and email
  • Access Controls: Role-based access control (RBAC) and principle of least privilege
  • Firewalls: Network-level protection and intrusion detection systems
  • Regular Audits: Security assessments, penetration testing, and vulnerability scans
  • Secure Backups: Encrypted, geographically distributed backups with disaster recovery

5.2 Organizational Safeguards

  • Employee training on data protection and privacy best practices
  • Confidentiality agreements with all staff and contractors
  • Limited access to personal data on a need-to-know basis
  • Incident response plan for security breaches
  • Regular security awareness programs

5.3 Security Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify you within 72 hours as required by GDPR and other applicable regulations. We will provide details about the breach, potential impact, and remedial actions.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Active Accounts: Data is retained while your account is active
  • Employee Records: Retained for 7 years after employment termination (for legal and tax compliance)
  • Time Tracking Data: Retained for 7 years (as required by labor laws)
  • Biometric Data: Deleted within 30 days of employee termination or upon request
  • Financial Records: Retained for 7 years (for tax and accounting purposes)
  • Marketing Data: Deleted immediately upon opt-out request
  • Backup Data: Deleted from backups within 90 days of primary deletion

Upon account closure, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

7. Your Rights

Under GDPR, CCPA, and other privacy regulations, you have the following rights:

7.1 Right to Access

You can request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days.

7.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

7.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data, subject to certain legal exceptions (e.g., tax compliance, legal obligations).

7.4 Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances, such as when you contest its accuracy.

7.5 Right to Data Portability

You can request to receive your data in a portable format or have it transferred directly to another service provider.

7.6 Right to Object

You can object to processing of your personal data for direct marketing purposes or based on legitimate interests.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

How to Exercise Your Rights: Contact us at [email protected] with your request. We will respond within 30 days and verify your identity before processing the request.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device that help us provide and improve our services. We use both session cookies (deleted when you close your browser) and persistent cookies (remain on your device for a set period).

8.2 Types of Cookies We Use

  • Essential Cookies: Required for basic platform functionality (login, security, session management)
  • Performance Cookies: Help us understand how users interact with our platform (Google Analytics)
  • Functional Cookies: Remember your preferences (language, timezone, dashboard layout)
  • Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

8.3 Third-Party Cookies

We use the following third-party cookies:

  • Google Analytics: Website analytics and usage statistics
  • Firebase: Authentication and session management
  • SendGrid: Email tracking (open rates, click rates)

8.4 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect platform functionality. Most browsers allow you to:

  • View and delete existing cookies
  • Block third-party cookies
  • Block all cookies
  • Delete cookies when closing the browser

9. Third-Party Services

Our platform integrates with the following third-party services:

9.1 TTLock Smart Locks

We integrate with TTLock's API to retrieve smart lock access logs. TTLock's privacy policy governs their data collection. We only access data necessary for time tracking purposes.

9.2 Firebase (Google)

We use Firebase for authentication, database, and hosting. Data is stored in Google Cloud Platform data centers with enterprise-grade security. Google's privacy policy applies to their services.

9.3 SendGrid

Email notifications are sent via SendGrid. They process email addresses and message content but do not use your data for their own purposes.

9.4 Payment Processors

We use PCI DSS-compliant payment processors. We never store full credit card details on our servers.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction, including the United States and EU. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection laws
  • Privacy Shield (legacy): For US-based service providers where applicable
  • Encryption: All international data transfers are encrypted

EU users' data is primarily stored in EU-based data centers to minimize international transfers.

11. Children's Privacy

WorkTime One is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a child under 18, we will delete it immediately.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of any material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending email notifications to registered users
  • Displaying in-app notifications for significant changes

Your continued use of WorkTime One after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: