Privacy & Data Protection
How Timenox collects, processes, and protects personal data — and what that means for employers, employees, and global customers.
1. Our Approach to Privacy
Timenox is an attendance management platform operated by Vyqda Technologies Pvt. Ltd., based in India. Our users include employers and employees across India, the EU, the US, and globally.
We believe in being transparent about what data we collect, why we collect it, and how it is protected. This page explains our data handling practices in plain language.
Our position: Timenox is designed to be aligned with GDPR principles and global privacy best practices. We do not claim blanket compliance with every jurisdiction's law — rather, we aim to be transparent, proportionate, and fair in all data handling. We actively assist customers with their own compliance obligations.
2. Data Roles — Who Controls What
Understanding data roles is essential to using Timenox responsibly. Responsibility is divided as follows:
Employer
Data Controller
Decides which employees to add, which features to enable (GPS, photos), and how attendance data is used. Responsible for informing employees and obtaining any required consent.
Timenox (for employee data)
Data Processor
Processes employee attendance data only on the Employer's behalf and under their instructions. Does not use employee data for independent purposes.
Timenox (for account data)
Data Controller
Controls the personal data of Employer Administrators (name, email, company details, billing) for purposes of providing and managing the Service.
For EU and UK customers, a formal Data Processing Agreement (DPA) governs the processor relationship. This DPA is incorporated into the Timenox Terms of Service and can also be executed separately on request.
3. Technology Transparency
Timenox uses several specific technologies to verify attendance. We explain each one clearly so that employers, employees, and data protection authorities understand exactly what happens.
WebAuthn Passkeys (Device-Bound Identity)
No biometric data stored
When an employee registers a device, a cryptographic key pair is created — the private key stays on the device, and a public credential ID is stored by Timenox. On each check-in, the device signs a challenge to prove identity.
If the device uses a fingerprint or face scan to unlock the passkey, that authentication happens entirely on the device's operating system (e.g., iOS Face ID, Windows Hello). Timenox never receives or stores fingerprint, face, or any biometric data. We receive only a cryptographic confirmation.
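An added example, not Timenox's code: a Node.js sketch of the challenge signing described above, with a simulated device and a server that keeps only a credential ID, public key and signature counter. The `attendance.example` relying-party ID, the function names and the stored-record shape are assumptions; attestation and CBOR parsing are left out.

```javascript
const crypto = require("node:crypto");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Device side (simulated authenticator). The private key lives only in this
// closure; any fingerprint or face unlock would happen here, on the device.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const credentialId = crypto.randomBytes(16).toString("base64url");
  let counter = 0;
  return {
    credentialId,
    publicKey, // handed to the server once, at registration
    sign(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      const authData = Buffer.alloc(37); // rpIdHash(32) | flags(1) | signCount(4)
      sha256(Buffer.from(rpId)).copy(authData, 0);
      authData[32] = 0x05; // user present + user verified: the only trace of the local unlock
      authData.writeUInt32BE(++counter, 33);
      const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { credentialId, clientDataJSON, authData, signature };
    },
  };
}

// Server side: returns "ok" or the reason the check-in assertion is rejected.
function verifyAssertion(stored, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!assertion.authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return "rpId mismatch";
  if ((assertion.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, stored.publicKey, assertion.signature)) return "bad signature";
  const count = assertion.authData.readUInt32BE(33);
  if (count <= stored.signCount) return "counter did not advance"; // replayed or cloned credential
  stored.signCount = count;
  return "ok";
}

// Constructed demo: one registration, one check-in, then a replay of the same assertion.
const device = makeAuthenticator("attendance.example");
const record = { credentialId: device.credentialId, publicKey: device.publicKey, signCount: 0 };
const session = { challenge: crypto.randomBytes(32).toString("base64url"),
                  origin: "https://attendance.example", rpId: "attendance.example" };
const checkIn = device.sign(session.challenge, session.origin);
console.log(verifyAssertion(record, session, checkIn), "/", verifyAssertion(record, session, checkIn));
```

The server-side record contains no biometric material: the flags byte is the only indication that a local unlock took place.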
Device Fingerprinting
Internal use only
As a fallback or complement to WebAuthn, Timenox collects browser and device signals — such as browser type, operating system, screen resolution, language, and timezone — to generate a consistent device identifier.
This fingerprint is used solely within the Timenox platform to verify that check-ins come from a registered device. It is not used to track employees across other websites or shared with advertising networks.
GPS Location Verification
Check-in only — not continuous
When an Employer enables geofencing, the employee's browser requests location permission at the moment of check-in or check-out. GPS coordinates are captured and checked against the configured boundary.
Location is not collected continuously or in the background. The employee's location is only recorded at the point of the attendance event, and only if the Employer has enabled this feature.
Photo Verification
Optional — disabled by default
If enabled by the Employer, employees take a selfie at check-in or check-out. The photo is stored as part of the attendance record and is accessible to the Employer's authorized administrators.
Timenox does not perform facial recognition or biometric analysis on these images. They are stored as plain image files for manual employer review only. Employers are responsible for obtaining any consent required by applicable law before enabling this feature.
4. Data Subject Rights
Under GDPR and similar data protection laws, individuals have the following rights over their personal data:
Right to Access
Request a copy of your personal data and information about how it is processed.
Right to Correction
Request that inaccurate or incomplete personal data be corrected.
Right to Deletion
Request erasure of your personal data, subject to legal retention requirements.
Right to Portability
Receive your data in a structured, machine-readable format for transfer elsewhere.
Right to Restriction
Request that processing of your data be limited in certain circumstances.
Right to Object
Object to processing based on legitimate interests where your situation warrants it.
How to Exercise Your Rights
If you are an employee: Contact your employer (the Data Controller) first. Your employer manages your personal data within Timenox and is the appropriate party to handle your request.
If you are an Employer Administrator (account holder): Contact us directly at support@timenox.com for requests about your account data.
If your employer is unresponsive: Contact us at support@timenox.com and we will assist where we are able to as the Processor. We will respond within 30 days.
5. Legal Basis for Processing
For users in the EEA and UK, the following legal bases apply to Timenox's processing activities:
Contractual Necessity (Art. 6(1)(b))
Processing Employer Administrator account data to deliver and manage the Timenox Service under the Terms of Service.
Legitimate Interests (Art. 6(1)(f))
Security monitoring, fraud prevention, platform performance monitoring, and product improvement using aggregated data.
Legal Obligation (Art. 6(1)(c))
Retaining records as required by applicable tax, corporate, or regulatory law.
Employer's Legal Basis (as Processor)
Processing employee attendance data on behalf of the Employer. The Employer is responsible for establishing and documenting their own legal basis for this processing (typically legitimate interests in workforce management or, where required, employee consent).
6. Security Overview
We implement appropriate technical and organisational measures to protect personal data against unauthorized access, loss, or misuse.
Encryption in Transit
All data between users and Timenox servers is encrypted via TLS (HTTPS).
Encryption at Rest
Data stored on our infrastructure is encrypted using industry-standard algorithms.
Access Controls
Strict role-based access limits Personal Data to authorized personnel only.
Breach Response
Documented incident response procedures with notification protocols for affected employers.
In the event of a security incident affecting personal data, Timenox will notify affected Employers without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
7. Data Retention
We retain personal data for as long as necessary to provide the Service and meet legitimate legal, regulatory, or business obligations — and no longer.
- Employee attendance records — retained while the Employer's account is active, or as required by applicable employment or tax law
- Device and location data — retained as part of the attendance record; deleted when the related employee record is removed
- Photos — retained per Employer configuration; deleted on employee removal or account termination
- Account data — retained while active; up to 30 days post-termination, then deleted unless legally required to retain
Employers may delete employee records at any time via the dashboard. Employers may also request full account data deletion by contacting support@timenox.com.
8. International Data Transfers
Timenox operates from India and uses cloud infrastructure that may involve processing in other jurisdictions. Where personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) — as approved by the European Commission, incorporated into sub-processor agreements where required
- Adequacy decisions — relied upon where applicable for the destination country
- Supplementary measures — applied where the risk profile of a transfer requires additional safeguards
EU and UK customers who require a formally executed Data Processing Agreement with SCCs may request one at support@timenox.com. See also our Data Processing Agreement.
9. Right to Lodge a Complaint
If you are in the EU or UK and believe that your personal data has been processed in a manner inconsistent with applicable data protection law, you have the right to lodge a complaint with your local supervisory authority.
- EU residents may contact their national Data Protection Authority (DPA)
- UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk
We encourage you to contact us first at support@timenox.com so we can attempt to resolve your concern directly.
10. Updates to This Page
We may update this page to reflect changes in our practices, technology, or applicable law. For material changes, Employer Administrators will be notified by email or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.
11. Contact Us
For privacy or data protection inquiries, data subject requests, or to request a DPA:
Privacy & Data Protection
support@timenox.com
Company
Vyqda Technologies Pvt. Ltd.
Location
Agra, Uttar Pradesh 282007
India
Website
https://timenox.com