Privacy Policy

1. Introduction

RPM (Smart Attendance Management) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application and services. By using RPM, you consent to the data practices described in this policy.

We prioritize your privacy and implement industry-standard security measures to protect your personal and biometric data.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

Employee identification number
Full name
Email address
Job position and department
Work schedule information

2.2 Biometric Data

RPM collects and processes facial biometric data for attendance verification purposes. This includes:

Facial photographs taken during registration
Facial vector data (mathematical representation of facial features)
Selfie images taken during attendance submission

2.3 Attendance Records

We automatically record:

Check-in and check-out timestamps
Date and time of attendance submissions
Attendance status (present, late, early checkout)
Working hours and overtime calculations
Leave requests and approvals

2.4 Device Information

We collect device-related information including:

Device model and operating system version
Bluetooth device identifiers
Application version and configuration
IP address and network information

2.5 Location Data

When you submit attendance, we may collect approximate location data to verify you are at the workplace. This data is only collected during attendance submission and is not continuously tracked.

3. How We Use Your Information

We use the collected information for the following purposes:

Attendance verification and tracking
Generating attendance reports for employees and management
Calculating work hours, overtime, and leave balances
Processing payroll and compensation
Preventing fraud and buddy punching
Improving application performance and user experience
Complying with legal and regulatory requirements
Providing customer support and responding to inquiries

4. Legal Basis for Processing

We process your personal data based on:

Consent: You have given explicit consent for the processing of your biometric data
Contract: Processing is necessary for the employment contract between you and your employer
Legal obligation: Processing is required to comply with labor laws and regulations
Legitimate interests: Processing is necessary for the legitimate interests of your employer

5. Data Storage and Retention

5.1 Storage Location

Your data is stored on secure servers managed by your organization or our trusted cloud service providers. Data is encrypted both in transit (using HTTPS/TLS) and at rest.

5.2 Retention Period

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law. Typically:

Attendance records: Retained for the duration of employment plus applicable statutory periods (usually 3-7 years)
Facial biometric data: Retained until you request deletion or employment termination, whichever comes first
Account credentials: Deleted within 30 days of employment termination

6. Data Sharing and Disclosure

6.1 Internal Sharing

Your attendance data may be shared with:

Your direct supervisors and managers
Human Resources department
Payroll processing team
System administrators (with access limited to necessary functions)

6.2 Third-Party Service Providers

We may share data with trusted third-party service providers who assist us in:

Cloud hosting and data storage
Facial recognition technology processing
Application maintenance and technical support

All third-party providers are contractually obligated to maintain data confidentiality and security.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to:

Comply with legal processes
Protect the rights and safety of RPM, employees, or the public
Prevent fraud or security breaches

6.4 No Sale of Data

We do not sell, rent, or trade your personal or biometric data to third parties for marketing purposes.

7. Security Measures

We implement comprehensive security measures to protect your data:

End-to-end encryption for data transmission (HTTPS/TLS 1.2+)
Encrypted storage for sensitive data including biometric information
Secure JWT (JSON Web Token) authentication with automatic token refresh
Role-based access control (RBAC) to limit data access
Regular security audits and vulnerability assessments
Secure local storage using platform-specific encryption
Multi-factor authentication for administrative access
Regular backups with encrypted storage

8. Your Rights

You have the following rights regarding your personal data:

8.1 Right to Access

You can view your attendance records and personal information through the RPM application at any time.

8.2 Right to Rectification

If you believe any of your personal data is incorrect or incomplete, you can request corrections by contacting your HR administrator.

8.3 Right to Erasure

You have the right to request deletion of your biometric data, subject to legal and contractual obligations. Note that this may affect your ability to use the attendance system.

8.4 Right to Data Portability

You can request a copy of your attendance data in a structured, commonly used format (such as CSV or PDF).

8.5 Right to Object

You have the right to object to certain types of data processing. However, this may impact your employment relationship and use of the attendance system.

8.6 Right to Withdraw Consent

You can withdraw your consent to biometric data processing at any time. To do so, contact your organization's HR department or RPM administrator.

To exercise any of these rights, please contact your organization's administrator or send a request through the application's support channel.

9. Cookies and Tracking

The RPM mobile application does not use cookies. However, we do store essential data locally on your device using secure encrypted storage to:

Maintain your login session
Cache attendance data for offline access
Store application preferences and settings

This local data is encrypted and automatically cleared when you log out or uninstall the application.

10. Children's Privacy

RPM is designed for use by employees in a workplace setting. The application is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors.

11. International Data Transfers

Your data is primarily stored and processed in the country where your organization operates. If data is transferred internationally, we ensure appropriate safeguards are in place, including:

Standard contractual clauses approved by data protection authorities
Adequacy decisions confirming adequate data protection levels
Certification under recognized privacy frameworks

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal or biometric information, we will:

Notify affected individuals within 72 hours of discovery
Report to relevant data protection authorities as required by law
Provide information about the nature of the breach and steps being taken
Offer guidance on protective measures you can take

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

Updating the 'Last Updated' date at the top of this policy
Sending a notification through the RPM application
Posting a notice on our website or through email

Your continued use of RPM after such changes constitutes acceptance of the updated Privacy Policy.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Your organization's RPM administrator
Your Human Resources department
RPM support through the contact form on our website

We will respond to your inquiry within 30 days.

15. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority or supervisory body.