Contents
1. Introduction
Akoto Verify ("we", "our", "us") provides a facial recognition-based employee attendance and time tracking system. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our services.
This policy applies to company administrators (HR/employers), employees using the system, and website visitors.
2. Data Controller
For companies using Akoto Verify, the employer (company) is the Data Controller for employee data. Akoto Verify acts as a Data Processor on behalf of the employer.
3. Data We Collect
3.1 Employee Data
| Data Type | Purpose | Legal Basis |
|---|---|---|
| First name, Last name | Employee identification | Legitimate interest / Contract |
| Employee photo | Facial recognition authentication | Consent / Legitimate interest |
| Facial encoding (128D vector) | Biometric authentication | Explicit consent |
| Clock-in/Clock-out times | Attendance tracking | Contract / Legitimate interest |
3.2 Location Data (Optional)
When geolocation tracking is enabled by the employer:
Note: Geolocation is disabled by default. Employers must provide GDPR consent when enabling this feature.
4. Biometric Data (Special Category)
Facial recognition data constitutes special category data under GDPR Article 9. We process this data based on:
- Explicit consent from employees (provided during onboarding)
- Employment law obligations (where applicable)
- Legitimate interests of the employer for workplace security
Biometric Data Safeguards
- Facial encodings stored as 128-dimensional numerical vectors, not images
- Original photos stored securely, accessible only to authorized HR personnel
- Biometric matching occurs server-side with encrypted transmission
5. How We Use Data
Primary Purposes
- Authentication: Verify employee identity via facial recognition
- Time Tracking: Record clock-in/clock-out times and calculate hours worked
- Attendance Management: Track late arrivals, overtime, and undertime
- Reporting: Generate timesheet reports for HR/payroll
- Security: Detect and prevent spoofing/fraud attempts
6. Data Storage & Security
- Encryption: All sensitive data encrypted at rest
- Isolation: Each company's data stored in separate database tables
- Access Control: Role-based access (HR can only access their company's data)
- Password Hashing: HR passwords hashed with SHA-256
- AES-256-GCM Encryption: Session tokens encrypted with 256-bit keys
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Employee records | Until deleted by HR |
| Clock-in/out logs | Company policy (recommended: 2-7 years) |
| Security incidents | 90 days (recommended) |
| Session data | Until logout or expiry |
8. Data Sharing
We Do NOT Share Data With:
- Third-party advertisers
- Marketing companies
- Data brokers
- Social media platforms
9. Your Rights (GDPR)
- Right of Access: View your own work logs via the self-service portal
- Right to Rectification: Request corrections through HR
- Right to Erasure: HR can permanently delete employee records
- Right to Restrict Processing: Request HR to restrict certain processing
- Right to Data Portability: Timesheet reports available in Excel and CSV
- Right to Object: Object to processing through your employer
10. Cookies & Local Storage
| Cookie/Key | Purpose | Duration |
|---|---|---|
| admin_session | Admin authentication | 30 minutes |
| employee_session | Employee authentication | 12 hours |
| theme | Dark/light mode preference | Persistent |
11. Contact Information
For privacy inquiries or data subject requests, please contact your employer (Data Controller) or reach out to us:
Email: akotoverify@gmail.com
For complaints, you may also contact your local Data Protection Authority.