Privacy Policy

This Privacy Policy explains what personal data Attendify ("we", "us", "our") collects when you use our website, mobile app, and admin dashboard, why we collect it, how we use and protect it, and what choices you have. By using Attendify, you agree to the practices described here.

1. Who we are

Attendify is an attendance and workforce-management product operated by React Wave Labs, registered in Kuwait. You can reach us at support@reactwavelabs.net or chat with us on WhatsApp.

2. Who is the "data controller" vs "data processor"

Attendify is typically a data processor: your employer (the customer organisation that signs up for Attendify) is the data controller and decides what attendance data is collected, how long it is kept, and who can see it. Attendify processes that data on the employer's behalf.

For our website visitors and account-creation flow, Attendify is the data controller.

3. What we collect

3.1 Account information

• Name, email, phone number, employer, role.
• OTP codes sent to your phone for login (these expire and are not stored long-term).
• Encrypted password hashes (we never see or store your password in plain text).

3.2 Attendance data (provided by your employer)

• Check-in and check-out timestamps.
• GPS coordinates and accuracy at the moment of check-in / check-out.
• Device identifier (used to enforce one-account-per-device).
• Selfie or face-verification photo at check-in (only when your employer enables this feature).
• Leave requests, shift assignments, and approval history.

3.3 Technical data

• IP address, browser type, operating system.
• Server logs of API requests (used for debugging and abuse prevention; typically retained for 30 days).
• Error and crash reports from the mobile app.

3.4 What we do NOT collect

• We do not track your location continuously. Location is only read at the explicit moment of check-in or check-out.
• We do not access your phone's contacts, photos, microphone, or messages.
• We do not sell, rent, or share personal data with third-party advertisers.

4. Why we collect it (legal basis)

• Performance of contract: to provide the Attendify service to your employer and to you.
• Legitimate interest: to keep the service secure, prevent fraud and buddy-punching, and improve the product.
• Legal obligation: to retain records where Kuwait Labor Law or local regulators require it.
• Consent: for any marketing communication, which you can withdraw at any time.

5. How long we keep it

• Active employee records: for as long as the employer remains a customer, plus a grace period agreed in the customer's contract.
• Attendance records: typically 5 years, in line with the records-retention requirement under Kuwait Labor Law.
• Server logs: 30 days.
• Account closed: on customer request, we delete or anonymise personal data within 30 days, except where the law requires us to retain it.

6. Where it is stored

Attendify infrastructure is hosted on cloud servers located in the GCC region. We use industry-standard security measures including TLS encryption in transit, encryption at rest for sensitive fields, role-based access control, multi-tenant data isolation, and an internal audit log of administrative actions.

7. Who we share it with

We do not sell personal data. We share it only with:

• Your employer, since they are the data controller.
• Service providers who help us run Attendify, such as our cloud hosting, transactional email, SMS-OTP and payment-processing partners. They are contractually required to protect data and only process it as instructed.
• Authorities, if compelled by valid legal process under Kuwait law.

8. Your rights

You have the right to:

• Request a copy of the personal data we hold about you.
• Ask us to correct inaccurate data.
• Ask us to delete your data, subject to legal-retention requirements.
• Object to or restrict certain types of processing.
• Withdraw consent for marketing communications.
• Lodge a complaint with the Communication and Information Technology Regulatory Authority (CITRA) of Kuwait, or your local data-protection regulator.

To exercise any of these rights, email support@reactwavelabs.net with the subject line "Data Request". If you are an employee, please first contact your employer's HR, as they are the controller of your attendance data.

9. Security & breach notification

We protect personal data with technical and organisational measures including encrypted transport (TLS), encrypted storage of sensitive fields, two-factor login (OTP + password hash), least-privilege access controls, and continuous logging of administrative actions. No system is perfectly secure, but in the event we discover a personal-data breach that creates a risk to individuals, we will notify the affected customer organisations and the relevant regulator without undue delay, and in any event within 72 hours where required by law.

10. Children

Attendify is a workplace tool. It is not intended for use by anyone under the age of 15. We do not knowingly collect personal data from children. If you believe a child's data has been provided to us, please contact us so we can remove it.

11. Cookies

Our marketing website (attendify.reactwavelabs.net) uses only the minimum cookies required for the site to function and remember your language preference. We do not currently use third-party advertising or analytics cookies. If we ever introduce analytics, we will update this notice and ask for your consent first.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes that affect your rights will be communicated by email and via an in-app notification.

13. Contact

For any privacy question, complaint, or data-rights request, write to support@reactwavelabs.net or chat with us on WhatsApp.