Privacy Policy

Last updated: December 31, 2025

Summary: We collect only what's necessary to provide our time tracking service. We never sell your data. We use industry-standard security practices to protect your information.

1. Introduction

Punch'd ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time and attendance tracking service ("Service").

By using Punch'd, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

Data Type	Purpose
Account Information	Name, email, phone number, company name - to create and manage your account
Employee Information	Names, email addresses, job roles of employees you add to the system
Payment Information	Credit card details (processed by Stripe) - to process subscription payments
Communication Data	Messages you send us via support channels

2.2 Information Collected Automatically

Data Type	Purpose
Time Entry Data	Clock in/out times, duration - core functionality of the Service
GPS Location Data	Location coordinates when clocking in/out - to verify job site presence
Device Information	Device type, OS version, app version - for troubleshooting and compatibility
Usage Data	Features used, pages visited - to improve our Service

2.3 Biometric Information

Important: If you enable facial verification, we collect and process biometric data (facial geometry). This is sensitive personal information subject to special protections under laws like BIPA, CCPA, and GDPR.

Our facial verification feature:

Stores facial templates (mathematical representations), not actual photos
Uses templates only for identity verification during clock in/out
Does not share biometric data with third parties
Deletes biometric data when an employee is removed or upon request

Employer Responsibilities: If you use facial verification, you are responsible for:

Informing employees about biometric data collection
Obtaining written consent where required by law (e.g., Illinois BIPA)
Providing employees with our Privacy Policy
Complying with all applicable biometric privacy laws

3. How We Use Your Information

We use collected information to:

Provide the Service: Process time entries, verify identity, track locations, generate reports
Manage Your Account: Create accounts, process payments, provide customer support
Improve the Service: Analyze usage patterns, fix bugs, develop new features
Communicate with You: Send service updates, respond to inquiries, send marketing (with consent)
Ensure Security: Detect fraud, prevent abuse, protect our systems
Comply with Law: Meet legal obligations, respond to legal requests

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data based on:

Contract: Processing necessary to provide the Service you requested
Legitimate Interests: Improving our Service, preventing fraud, marketing to existing customers
Consent: Where you have given explicit consent (e.g., for biometric data, marketing emails)
Legal Obligation: Where we must comply with applicable laws

5. Data Sharing and Disclosure

We do not sell your personal information. We may share information with:

5.1 Service Providers

We work with trusted third parties who help us operate our Service:

Stripe: Payment processing
Amazon Web Services: Cloud hosting and storage
SendGrid: Email delivery
Google Maps: Location services

These providers are contractually obligated to protect your data and use it only for the services they provide to us.

5.2 Business Transfers

If Punch'd is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose information if required by law or in response to valid legal requests (e.g., court orders, subpoenas).

5.4 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

6. Data Retention

We retain your information for as long as necessary to:

Provide the Service (while your account is active)
Comply with legal obligations (e.g., tax records for 7 years)
Resolve disputes and enforce agreements

Retention Periods:

Account data: Duration of account + 30 days after deletion
Time entries: 7 years (for payroll/tax compliance)
Biometric templates: Until employee removal or upon request
Usage logs: 2 years

7. Data Security

We implement robust security measures to protect your data:

Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Role-based access, multi-factor authentication
Infrastructure: SOC 2 compliant cloud hosting
Monitoring: 24/7 security monitoring and intrusion detection
Regular Audits: Periodic security assessments and penetration testing

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your location, you may have the following rights:

8.1 All Users

Access: Request a copy of your personal data
Correction: Request correction of inaccurate data
Deletion: Request deletion of your data (subject to legal requirements)
Data Portability: Receive your data in a portable format
Opt-out: Unsubscribe from marketing communications

8.2 EEA/UK Users (GDPR)

Restriction: Request restriction of processing
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent at any time
Lodge Complaint: File a complaint with your supervisory authority

8.3 California Users (CCPA)

Know: Right to know what personal information is collected
Delete: Right to request deletion
Opt-out: Right to opt-out of sale (we don't sell data)
Non-discrimination: Right not to be discriminated against for exercising rights

8.4 Illinois Users (BIPA)

If facial verification is enabled, Illinois residents have rights under the Biometric Information Privacy Act, including the right to:

Be informed about biometric data collection
Provide written consent before collection
Know how biometric data is stored and destroyed

8.5 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days (or as required by applicable law).

9. International Data Transfers

Punch'd is based in the United States. If you access our Service from outside the US, your information may be transferred to and processed in the US, where data protection laws may differ from your jurisdiction.

For EEA/UK users, we ensure appropriate safeguards through:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all sub-processors

10. Children's Privacy

Our Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Cookies and Tracking

We use cookies and similar technologies to:

Keep you logged in
Remember your preferences
Analyze usage patterns
Improve our Service

You can control cookies through your browser settings. Disabling cookies may affect Service functionality.

12. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. Please review their privacy policies before providing any information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on our website
Updating the "Last updated" date
Sending an email notification (for material changes)

Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected]
Address: Punch'd, Inc., [Your Business Address]

For GDPR inquiries, you may also contact our Data Protection Officer at [email protected].

15. Supplemental Notices

15.1 California Privacy Notice

Under the California Consumer Privacy Act (CCPA), California residents have additional rights as described in Section 8.3 above. In the past 12 months, we have collecte