Privacy Policy
Your Privacy is Our Priority
We are committed to protecting your privacy and ensuring the security of your personal information. This policy explains how we collect, use, and protect your data.
Data Protection
Bank-level security measures
Encryption
End-to-end data encryption
Transparency
Clear data usage policies
Compliance
GDPR & CCPA compliant
Last updated: November 23, 2025
Mobile App Privacy Policy
This privacy policy applies to our mobile application available on Google Play Store. It explains how we collect, use, store, and protect your data when you use our mobile app.
1. Data Collection Summary
1.1 Personal Information
- • Name (first and last)
- • Email address
- • Phone number
- • Employee ID
- • Date of birth
- • Gender
- • Marital status
- • Nationality
- • Blood group
- • PAN number
- • Identification documents (type, number, issue/expiry dates, document images)
- • Addresses (permanent and temporary)
- • Emergency contact details (name, phone, relationship)
- • Bank account details (bank name, account number, branch, account holder name)
- • Profile photo/avatar
- • Employment information (joining date, employment type, status, profession)
1.2 Location Data (GPS Coordinates)
Check-in location: Latitude and longitude when checking in
Check-out location: Latitude and longitude when checking out
Purpose: Geofence validation for attendance verification
Collection method: Device GPS
Storage: Stored in the Attendance database table
Retention: As long as attendance records are retained
1.3 Attendance Data
- • Check-in/check-out timestamps
- • Attendance dates
- • Attendance status (PRESENT, ABSENT, etc.)
- • Post/location information
- • Shift information
- • GPS coordinates (as above)
1.4 Leave Management Data
- • Leave requests (dates, type, reason)
- • Leave status (PENDING, APPROVED, REJECTED)
- • Multi-day leave information
- • Paid/unpaid leave status
1.5 Assignment Data
- • Post assignments
- • Shift schedules
- • Assignment dates and status
- • Client information
- • Post location details
1.6 Notification Data
- • Push notifications
- • Notification read status
- • Notification timestamps
1.7 Authentication Data
- • JWT access tokens
- • Refresh tokens
- • User credentials (hashed passwords)
- • Token version tracking
2. Purpose of Data Collection
- Employee attendance tracking and verification
- Geofence-based location validation for attendance
- Leave request management
- Assignment and shift management
- Employee profile management
- Communication via notifications
- Security and authentication
- Compliance with employment regulations
3. Data Usage
3.1 Location Data Usage
- • Validate attendance check-in/check-out within designated geofence areas
- • Verify employee presence at assigned work locations
- • Prevent attendance fraud
- • Generate attendance reports
- • Location data is not used for tracking outside of attendance events
3.2 Personal Information Usage
- • Employee identification and profile management
- • Communication (notifications, emails)
- • Payroll processing (bank details)
- • Emergency contact purposes
- • Compliance and verification (identification documents)
3.3 Attendance Data Usage
- • Calculate working hours
- • Generate attendance reports
- • Payroll processing
- • Performance evaluation
- • Compliance reporting
4. Data Storage and Retention
4.1 Storage Location
- • Data is stored on secure cloud servers
- • Database is encrypted at rest
- • All data transfers use HTTPS/TLS encryption
4.2 Retention Period
- • Employee profile data: Retained for the duration of employment and as required by law
- • Attendance records: Retained as per organizational policy and legal requirements (typically 3-7 years)
- • Location data (GPS coordinates): Stored with attendance records, retained for the same period
- • Leave records: Retained for the duration of employment and as required by law
- • Authentication tokens: Stored temporarily, refreshed periodically
4.3 Data Deletion
- • Soft deletion: Records are marked as deleted but retained for audit purposes
- • Hard deletion: Performed after retention period expires or upon explicit user request (subject to legal requirements)
5. Data Sharing and Third Parties
5.1 Data Sharing
- • Data is shared only within the organization (authorized administrators, HR, supervisors)
- • No data is sold to third parties
- • Data may be shared with service providers (cloud hosting, email services) under strict confidentiality agreements
5.2 Third-Party Services
- • Cloud hosting provider (for data storage)
- • Email service provider (for notifications)
- • Push notification services (for mobile notifications)
- • All third-party services are bound by data processing agreements
6. User Rights and Controls
6.1 Access Rights
- • Users can view their own profile information via
/api/mobile/profile - • Users can view their attendance history via
/api/mobile/attendance/history - • Users can view their leave records via
/api/mobile/leaves - • Users can view their assignments via
/api/mobile/assignments
6.2 Data Correction
- • Users can request corrections to their profile information through their organization's HR department
- • Profile updates are subject to organizational approval
6.3 Data Deletion Requests
- • Users can request deletion of their data by contacting their organization's HR department
- • Deletion is subject to legal and organizational retention requirements
- • Some data may be retained for compliance purposes even after account deletion
6.4 Location Data Controls
- • Location data is collected only during check-in/check-out actions
- • Users can choose not to use the mobile check-in feature (alternative methods may be available)
- • Location data cannot be disabled if using mobile attendance features (required for geofence validation)
7. Security Measures
7.1 Authentication and Authorization
- • JWT-based authentication with secure token storage
- • Token versioning to prevent token reuse after logout
- • Role-based access control (RBAC)
- • Mobile routes require MEMBER role authentication
- • All API requests require valid authentication tokens
7.2 Data Encryption
- • All data in transit: HTTPS/TLS encryption
- • All data at rest: Database encryption
- • Passwords: Hashed using secure hashing algorithms (bcrypt)
- • Sensitive data: Additional encryption for financial information
7.3 API Security
- • Rate limiting: All endpoints have rate limits (10-15 requests per 60 seconds)
- • Input validation: All inputs are validated using Joi schemas
- • SQL injection prevention: Using Prisma ORM with parameterized queries
- • XSS prevention: Input sanitization
7.4 Access Controls
- • Users can only access their own data
- • Employee ID validation ensures users cannot access other employees' data
- • Organization-level data isolation
8. Location Data Disclosure (Required for Play Store)
8.1 Location Data Collection
- • We collect precise location data (GPS coordinates) when you check in or check out for work
- • Location data is collected only during active attendance actions
- • Location data is not collected in the background or continuously
8.2 Why We Collect Location Data
- • To verify that you are at your assigned work location when checking in/out
- • To prevent attendance fraud
- • To comply with organizational attendance policies
- • Location data is essential for the app's core functionality (geofence-based attendance)
8.3 Location Data Usage
- • Location data is used solely for attendance verification
- • We do not use location data for advertising or marketing
- • We do not share location data with third parties for their use
- • Location data is stored securely and only accessible to authorized personnel
8.4 Location Data Controls
- • You can disable location permissions, but this will prevent you from using mobile check-in/check-out features
- • Alternative attendance methods may be available through your organization
- • You can view your stored location data as part of your attendance history
9. Permissions Required
9.1 Android Permissions
- • Location (Precise/Fine Location): Required for GPS-based attendance check-in/check-out
- • Internet: Required for API communication
- • Network State: Required for connectivity checks
- • Camera (optional): For document uploads if applicable
- • Storage (optional): For document downloads if applicable
9.2 Permission Justification
Location permission is essential for geofence validation during attendance. Without location permission, mobile attendance features will not function. All permissions are requested only when needed.
10. Compliance
10.1 Data Protection Regulations
- • GDPR (if applicable): We comply with GDPR requirements for EU users
- • Local data protection laws: We comply with applicable local regulations
- • Employment law compliance: Data retention aligns with employment law requirements
10.2 Organizational Compliance
- • Data access is logged for audit purposes
- • Regular security audits are conducted
- • Data breach notification procedures are in place
11. Children's Privacy
This app is intended for employees only. We do not knowingly collect data from individuals under the age of 18. If you are under 18, please do not use this app.
12. Changes to Privacy Policy
We may update this privacy policy periodically. Users will be notified of significant changes via the app or email. Continued use of the app after changes constitutes acceptance.
13. Contact Information
For privacy-related inquiries:
- • Contact your organization's HR department
- • Contact your organization's data protection officer (if applicable)
- • Email: privacy@Stratamax.app
- • Phone: +977-9845900495
- • Address: Kathmandu, Nepal
14. Play Store Specific Declarations
14.1 Data Safety Section
- • Data collected: Personal info, Location, App activity, Device ID
- • Data shared: No data shared with third parties
- • Data security: Data is encrypted in transit and at rest
- • Data deletion: Users can request data deletion through HR department
14.2 Location Data Declaration
"This app collects precise location data for attendance verification purposes only. Location data is collected only when you check in or check out for work and is used solely for geofence validation. We do not track your location continuously or use it for advertising purposes."
14.3 Sensitive Permissions
- • Location (Precise): Required for attendance geofence validation
- Justification: "Location permission is required to verify that employees are at their assigned work locations when checking in or out. This is essential for preventing attendance fraud and ensuring accurate attendance records."
15. API Endpoints Summary
| Endpoint | Method | Data Collected | Purpose |
|---|---|---|---|
/api/mobile/attendance/check-in | POST | GPS coordinates (lat, lng), postId | Record attendance check-in |
/api/mobile/attendance/check-out | POST | GPS coordinates (lat, lng) | Record attendance check-out |
/api/mobile/attendance/me/open | GET | None (returns existing data) | Get current open attendance |
/api/mobile/attendance/history | GET | Query filters (dates, status) | View attendance history |
/api/mobile/assignments | GET | None (returns existing data) | View work assignments |
/api/mobile/profile | GET | None (returns existing data) | View employee profile |
/api/mobile/leaves | GET | Query filters | View leave records |
/api/mobile/leaves | POST | Leave request data (dates, type, reason) | Create leave request |
/api/mobile/leaves/:leaveId | GET | None (returns existing data) | View specific leave record |
/api/mobile/notifications | GET | Query filters (read status) | View notifications |
/api/mobile/notifications/:id/read | PUT | None (updates read status) | Mark notification as read |