Privacy Notice
Effective date: February 20, 2026
Scope and Roles
This notice explains how CheckIn collects and uses personal data to deliver attendance, compliance, and security workflows. When your organization uses CheckIn, your employer or site owner is the primary data controller and CheckIn acts as a service provider to process data on their behalf.
What We Collect
We collect the minimum data needed to operate the service:
- Account data: email, password hash, optional phone number, and profile name.
- Attendance data: site, action (IN/OUT), timestamp, GPS coordinates, and GPS accuracy.
- Security data: device identifier, anti-replay tokens, OTP audit events, and hashed IP metadata.
- Support data: ticket subject, message, and optional contact details.
- Operational telemetry: limited logs required for reliability and abuse prevention.
How We Use Data
- Record and verify attendance events.
- Prevent fraud, spoofing, replay attacks, and automated abuse.
- Deliver authentication and verification codes.
- Support customer operations, incident response, and compliance obligations.
Data Retention
The following retention windows currently apply, in line with audit and compliance needs:
- OTP verification codes (`OtpVerifications`): valid for 5 minutes and removed after expiry by scheduled cleanup jobs.
- OTP audit logs (`OtpAuditLogs`): retained for 30 days, then deleted by the retention cleanup script.
- Primary check events (`CheckEvents`): retained for 6 months, then moved daily to archive storage and removed from the primary table.
- Archived check events (`CheckEventsArchive`): retained for long-term reporting until a documented purge request or policy update is executed.
- Security/audit records (`CheckEventSecurityAudit` and related fraud evidence): retained for security investigations and compliance review; deletion is controlled by documented admin procedures.
Sharing and Storage
Data is stored in Microsoft Azure services used to operate the product. We do not sell personal data. We share data only with service providers required to deliver core functionality (for example, cloud hosting, email/SMS delivery, and security monitoring).
Security and Transfers
We use encryption in transit and at rest where available and apply access controls aligned to role-based permissions. Data may be processed in regions where our cloud providers operate.
Your Rights and Contact
For access, correction, or deletion requests, contact your organization administrator first. If additional support is required, use the support page inside the application.