Privacy Policy

Last updated: April 2026

ClockMi ("we", "us", "our") operates the worker attendance tracking platform at clockmi.com. This policy explains how we collect, use, and protect personal data in compliance with Singapore's Personal Data Protection Act (PDPA) 2012.

1

Data We Collect

From Companies (Account Holders)

  • Company name, contact email, phone number, and address
  • Billing information (processed securely via Stripe — we do not store credit card numbers)
  • User account details: name, email, role

From Workers (Check-in Users)

  • Identification number and phone number
  • Name (optional, provided on first check-in)
  • GPS location at check-in and check-out
  • Device information (browser type, screen size, IP address)
  • Check-in photos (only if enabled by the employing company)
  • Check-in and check-out timestamps
2

Purpose of Collection

Worker data is collected solely for the following purposes:

  • Recording check-in and check-out times for attendance tracking
  • Calculating working hours including overtime
  • Verifying physical presence at the job site via GPS
  • Generating attendance reports for the employing company
  • Anti-fraud detection (device fingerprinting, photo verification)

We do not use worker data for marketing, profiling, behavioural analysis, or any purpose beyond attendance management.

3

Consent (PDPA Sections 13-17)

Workers are required to give explicit consent before their first check-in. A consent notice explains what data is collected, why it is needed, and who will have access.

Consent is tracked with a timestamp and version number. If the consent text is updated, workers are prompted to re-consent.

Workers may withdraw consent at any time via the consent revocation page. Withdrawal blocks future check-ins until consent is given again.

4

Your Rights Under PDPA

Right to Access (Section 21)

View your attendance history anytime at /my-hours/. Submit a formal data export request to receive a complete CSV of all data held about you.

Right to Correction (Section 22)

Request corrections to your personal data by contacting your employing company or submitting a data request.

Right to Withdraw Consent

Withdraw your consent at /attendance/revoke-consent/. You will be unable to check in until consent is given again.

Right to Erasure (subject to business-needs carve-out)

Submit a deletion request at /attendance/data-request/. Upon approval we will immediately delete your check-in/out photos, GPS coordinates, IP address, device information, Telegram link, and consent records.

Records we are required to keep: attendance dates, hours, and your identifying number / phone are retained as employment records by your employer to comply with the Singapore Employment Act, IRAS tax record-keeping, and to defend payroll claims. These are eligible for deletion only after the statutory retention window (typically up to 7 years), enforced by automated retention purge.

5

Data Retention (Section 25)

Companies can configure their own data retention period (e.g., 6, 12, or 24 months). Attendance records older than the configured period are automatically deleted by a nightly background task.

The default setting retains data indefinitely until the company configures a retention period.

6

Data Security (Section 24)

We implement industry-standard security measures to protect personal data:

HTTPS with HSTS headers
Secure, HttpOnly, SameSite cookies
Bcrypt password hashing
JWT tokens (15-min access)
IP-based rate limiting & auto-ban
Multi-tenant data isolation
CSRF and XSS protection
API request audit logging
7

Third-Party Services

We use Stripe for payment processing. Stripe's privacy policy applies to billing data. No worker personal data is shared with Stripe or any other third party.

Push notifications are delivered via browser push APIs. Alert messages contain no worker PII (e.g., "Worker checked in outside radius" without identifying details).

8

Cookies

We use only essential cookies:

  • Session cookie — maintains your login state (HttpOnly, Secure)
  • CSRF cookie — prevents cross-site request forgery (HttpOnly, Secure)
  • Language cookie — remembers worker language preference

We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

9

Contact

For questions about this privacy policy or to exercise your PDPA rights, please contact us.