Privacy & Data Protection

Privacy Policy

This policy explains what data Timenox collects, why we collect it, how it is used, and the rights available to you. We have written it in plain language so it is easy to understand.

Last updated: April 27, 2026

1. Who We Are

Timenox is an attendance management platform operated by Vyqda Technologies Private Limited, a company incorporated in India ("Timenox", "we", "us", or "our").

This Privacy Policy applies to:

Employer Administrators — organizations that create accounts and configure the platform
Employees — individuals whose attendance is tracked through the platform on behalf of their employer
Visitors — people who browse timenox.com without creating an account

By using the Timenox platform or website, you acknowledge that you have read and understood this policy.

2. Data Roles — Who Controls What

Understanding data roles is important. Here is how responsibility is divided:

E Employer — Data Controller

The organization that subscribes to Timenox is the Data Controller. They decide which employees to add, what features to enable (GPS, photos), and how attendance data is used.

Employers are responsible for informing their employees about Timenox, obtaining any required consent, and complying with local employment and privacy laws.

T Timenox — Data Processor

Timenox is the Data Processor. We process employee personal data only to provide the Service to the Employer. We do not independently decide how employee data is used.

We do not sell employee data. We do not use it for advertising or profiling purposes unrelated to the attendance service.

For employees: If you have questions about how your employer uses your attendance data, or wish to exercise data subject rights, please contact your employer directly. You may also contact us at support@timenox.com and we will assist where we are able to do so as a processor.

3. Data We Collect

We collect the following categories of personal data, depending on how the Service is configured and used:

3.1 Account and Company Information

Collected from Employer Administrators when creating or managing an account:

Full name and work email address
Company name, type, and registered country
Billing address and payment details (processed via third-party payment providers; we do not store card numbers)
Account login credentials (passwords stored as one-way hashes)
Communication preferences and support history

3.2 Employee Profile Data

Added by the Employer when setting up their workforce in Timenox:

Employee full name and internal ID or employee number
Email address (if used for notifications)
Department, job role, and shift assignment
Employment status (active, inactive)

3.3 Device Identification Data

Collected at the time of attendance check-in or device registration:

WebAuthn credential IDs — a unique, device-generated cryptographic identifier used to bind a check-in to a specific registered device. This is not a fingerprint, face scan, or other biometric.
Device fingerprint signals — browser type and version, operating system, screen resolution, language settings, timezone, and other browser-derived signals used to generate a consistent device identifier
IP address at the time of check-in
User agent string

3.4 Location Data

Collected only if the Employer has enabled location-based attendance:

GPS coordinates (latitude and longitude) at the moment of check-in or check-out
Geofence compliance result (whether the check-in was within the configured boundary)
Location accuracy radius reported by the device

Location is captured only at the point of check-in — not continuously or in the background.

3.5 Photo Data (Optional)

Collected only if the Employer has enabled photo verification:

A selfie photograph taken by the employee at the time of check-in or check-out
Timestamp and attendance event linked to the photo

Photos are used solely for employer-side attendance verification. Timenox does not perform facial recognition or biometric analysis on these images.

3.6 Attendance Records and Logs

Check-in and check-out timestamps
Work mode (Office, Work From Home, Field)
Device and location linkage for each attendance event
Admin-entered manual attendance records (if applicable)
Shift and schedule data

3.7 Platform Usage Data

Collected automatically when the platform is accessed:

Pages and features accessed within the dashboard
Error logs and performance metrics
Session duration and interaction patterns (aggregated)
Referrer URL and browser details for the marketing website

4. Device Identification Technologies

Timenox uses two complementary technologies to tie attendance check-ins to specific, registered devices. This prevents one employee from checking in on behalf of another.

4.1 WebAuthn Passkeys

WebAuthn is a web standard that allows a device to generate a unique cryptographic key pair. During registration, the device creates a private key stored securely on the device and a public credential ID shared with Timenox. On each check-in, the device signs a challenge with the private key.

Timenox never receives or stores fingerprint data, face scan data, or any raw biometric. Device authentication is handled entirely by the user's operating system (e.g., Windows Hello, Apple Face ID, Android biometrics). We only receive confirmation that the device passed its own local authentication.

4.2 Device Fingerprinting

Where WebAuthn is not supported or available, Timenox collects a combination of browser and hardware signals — including browser type, operating system, screen resolution, timezone, and language — to generate a consistent device identifier.

This fingerprint is used only within the Timenox platform to verify that check-ins come from registered devices. It is not used to track individuals across other websites, services, or advertising networks.

Device fingerprints may change when browser versions are updated, privacy settings are changed, or device hardware is modified. Timenox does not guarantee that fingerprinting will be accurate in all circumstances.

5. Biometric Data — Important Clarification

Timenox does not collect, process, or store biometric data.

We do not store fingerprint scans
We do not store retina or iris scans
We do not perform facial recognition on photos
We do not extract biometric templates from any images

When WebAuthn is used, local authentication (e.g., fingerprint or face unlock) happens entirely on the employee's device and is managed by the device operating system. Timenox receives only a cryptographic credential confirmation — not the underlying biometric data.

Photos captured via the optional photo verification feature are stored as image files for employer review. They are not processed through any facial analysis or recognition system by Timenox.

6. How We Use Personal Data

Personal data is used for the following purposes:

Providing the Attendance Service

Processing check-in and check-out events, generating attendance records, powering the dashboard, and enabling report exports.

Device Binding and Fraud Prevention

Using device identification to ensure each attendance event is tied to the correct registered device, preventing proxy attendance or unauthorized check-ins.

Location-Based Attendance Verification

Where enabled by the Employer, validating that the check-in occurred within the configured geographic boundary (geofence).

Visual Identity Verification

Where the photo feature is enabled, storing check-in photographs for the Employer's manual review and verification.

Account Management

Managing Employer accounts, billing, subscription changes, and technical support requests.

Service Improvement

Using aggregated and anonymized usage data to improve platform performance, fix errors, and develop new features. Individual employee data is not used for this purpose.

Security and Platform Integrity

Monitoring for abuse, unauthorized access, and technical threats to the platform.

Legal and Regulatory Compliance

Retaining records as required by applicable law and cooperating with lawful authority requests.

7. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom, Timenox processes personal data under the following legal bases:

Processing Activity	Legal Basis
Providing the Service to the Employer	Contractual necessity (Art. 6(1)(b) GDPR)
Processing employee attendance data on behalf of the Employer	Legitimate interests of the Employer (Art. 6(1)(f)); or consent where required
Security, fraud prevention	Legitimate interests (Art. 6(1)(f))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))
Photo verification (where enabled)	Employer's legal basis; Timenox processes on instruction

As a Data Processor, Timenox processes employee data on the Employer's documented instructions. Employers are responsible for establishing their own legal basis for processing under applicable law.

8. Data Sharing and Disclosure

We do not sell personal data. We do not share employee data with advertisers.

Data is shared only in the following limited circumstances:

The Employer

Attendance records, device logs, location data, and photos are visible to the Employer's authorized administrators. This is the primary purpose of the Service.

Infrastructure and Cloud Providers

Data is hosted on secure cloud infrastructure. These providers operate as sub-processors and are bound by data protection agreements. They may not use data for their own purposes.

Payment Processors

We use third-party payment processors to handle billing and payments. Timenox does not store full payment card details.

• For customers outside India, payments are processed by Paddle, our Merchant of Record. Paddle issues invoices, collects applicable taxes (VAT/GST), and handles payment processing in accordance with Paddle's Privacy Policy.
• For customers in India, payments are processed through providers such as Razorpay, in accordance with their privacy policy.

These providers may process personal data such as name, email, billing address, and payment information. We share only the information necessary to complete transactions and comply with legal obligations. Timenox subscriptions, trial periods, and refund windows are described in our Refund Policy.

Legal Authorities

We may disclose data when required by a valid court order, government authority, or applicable law. We will, where legally permissible, notify the Employer before complying.

Business Transfers

In the event of a merger, acquisition, or sale of Timenox, data may be transferred to the acquiring entity subject to equivalent data protection obligations. Employers and users will be notified of any such change.

9. Location Data — How It Is Used

Location collection is not enabled by default. It is activated only when the Employer configures geofencing for their workplace.

When location is collected

GPS coordinates are captured only at the moment an employee initiates a check-in or check-out. The platform does not collect location data continuously, passively, or while the browser is closed.

Why it is used

The Employer uses location data to confirm that attendance is being marked from the designated workplace or an approved location. This helps prevent remote or false check-ins.

Accuracy limitations

GPS accuracy varies by device, environment, and network conditions. Location data collected by Timenox may not always reflect precise physical location, particularly indoors or in areas with limited satellite or network coverage. Employers must not rely solely on location data for disciplinary decisions.

Employees are asked for explicit browser-level location permission before any location data is collected.

10. Photo Data — How It Is Used

The photo verification feature is optional and disabled by default. It must be explicitly enabled by the Employer.

When enabled, employees are prompted to take a selfie at the time of check-in or check-out
The photograph is stored as part of the attendance record and is accessible to the Employer's authorized administrators
Timenox does not perform any automated facial analysis, recognition, or biometric processing on these images
Photos are retained in line with the Employer's data retention settings and applicable law

Employers who enable this feature are responsible for informing their employees and, where required by applicable law (such as GDPR, India's DPDP Act, or Illinois BIPA), obtaining explicit consent before collecting employee photographs.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law.

Data Type	Retention Period
Attendance records (timestamps, logs)	As long as the Employer account is active, or as required by local law
Employee profile data	Until removed by the Employer or account termination
Device fingerprints and credential IDs	Until the device is deregistered or employee is removed
Location data	Retained with the attendance log; subject to Employer configuration
Photo verification images	Retained with the attendance log; subject to Employer configuration
Account data after termination	Up to 30 days post-termination, then deleted unless legally required to retain

12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure:

All data in transit is encrypted using TLS (HTTPS)
Data at rest is encrypted using industry-standard encryption algorithms
Access to personal data is restricted to authorized personnel on a need-to-know basis
Administrator accounts are protected by secure authentication
Regular security reviews and vulnerability assessments
Incident response procedures with breach notification protocols

No system is completely immune to security threats. In the event of a data breach that is likely to result in high risk to individuals, we will notify affected Employers without undue delay and, where legally required, notify relevant supervisory authorities.

13. Your Data Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Right to Access

Request a copy of the personal data we hold about you.

Right to Correction

Request that inaccurate or incomplete data be corrected.

Right to Deletion

Request erasure of your personal data, subject to legal retention obligations.

Right to Restriction

Request that we limit how your data is processed in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format (where applicable).

Right to Object

Object to processing based on legitimate interests where your situation warrants it.

Note for employees: Because Timenox processes your data on behalf of your Employer (who is the Data Controller), we recommend directing your data rights requests to your Employer first. If your Employer is unable to assist, contact us at support@timenox.com and we will assist where we can as a processor.

14. International Data Transfers

Timenox is operated from India. Data submitted to the Service may be stored and processed on cloud infrastructure in India and other countries where our infrastructure providers operate.

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with cross-border transfer restrictions, we ensure that any data transfer outside your jurisdiction is governed by appropriate safeguards, which may include:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable
Other lawful transfer mechanisms recognized under applicable law

Employers requiring specific transfer mechanism documentation (such as a Data Processing Agreement with SCCs) should contact us at support@timenox.com.

15. Cookies and Tracking

Timenox uses cookies and similar technologies for session management, security, and analytics. This includes:

Essential cookies — required for login sessions, security, and core platform functionality
Analytics cookies — used to understand how the platform is used in aggregate (e.g., page visits, feature usage)
Marketing cookies — may be present on the public marketing website (timenox.com) to measure campaign performance

You can manage cookie preferences through your browser settings. For full details, see our Cookie Policy.

16. Children's Privacy

Timenox is an employment management platform intended for use by adults in a professional workplace context. The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe an individual under 18 has been added to the platform, please contact us at support@timenox.com and we will take appropriate action.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes, we will notify Employer Administrators via email or in-app notification at least 14 days before the changes take effect.

The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

18. Account Deletion

You may request deletion of your account and associated personal data at any time by contacting us at:

support@timenox.com

Upon receiving a valid request, we will take reasonable steps to delete or anonymize your personal data, unless retention is required for legal, regulatory, or legitimate business purposes (such as tax records, fraud prevention, or dispute resolution).

If you are an employee whose attendance data is managed by an organization using Timenox, you should contact your employer (the Data Controller) directly for data deletion or access requests. Your employer is responsible for managing your personal data within the platform. You may also contact us and we will direct your request accordingly.

19. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Privacy / Data Protection