Privacy Policy
Last updated: 1 January 2025
Contents
- Welcome to TimePally
- 1. Roles and Responsibilities
- 2. Information We Collect
- 3. Lawful Basis for Processing
- 4. How We Use Information
- 5. Biometric Data — Special Provisions
- 6. Data Storage & Security
- 7. Data Sharing & Disclosure
- 8. Data Retention
- 9. Subscription & Access Control
- 10. User Rights
- 11. Data Breach Notification
- 12. Data Protection Officer
- 13. Cookies & Tracking
- 14. Children's Privacy
- 15. Compliance with Applicable Laws
- 16. Changes to This Policy
- 17. Contact Information
Welcome to TimePally
TimePally ("we", "our", "us") is a digital time and attendance management platform that helps organisations track workforce attendance using secure Android devices and facial recognition technology. TimePally is operated by TimePally Ltd, a company registered in Nigeria.
We are committed to protecting your privacy and handling personal data responsibly, transparently, and in full compliance with applicable data protection laws.
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our services, and the rights available to you.
1. Roles and Responsibilities
TimePally operates as a data processor on behalf of organisations that use our platform. Each organisation ("data controller") is responsible for determining the purposes and means of processing their members' personal data through TimePally.
| Role | Party | Responsibility |
|---|---|---|
| Data Controller | Your Organisation | Determines why and how member data is collected |
| Data Processor | TimePally Ltd | Processes data on behalf of the organisation |
Organisations using TimePally are responsible for:
• Establishing a lawful basis for processing member personal data • Informing members about the use of facial recognition and attendance tracking • Obtaining informed consent where required by applicable law • Providing alternative attendance methods where legally mandated • Ensuring their use of TimePally complies with local employment and data protection laws
2. Information We Collect
We collect only the data necessary to provide our services.
2.1 Organisation & Administrator Information • Organisation name, address, and registration details • Administrator name, email address, and phone number • Login credentials (stored using secure one-way hashing) • Subscription and billing information
2.2 Member Information • Full name and member or staff ID • Assigned location, department, or shift • Employment details (e.g., hire date, employment status)
2.3 Attendance Data • Clock-in and clock-out timestamps • Shift assignments and schedules • Attendance summaries and generated reports • Device used for attendance capture
2.4 Biometric (Facial) Data • Facial biometric templates (mathematical embeddings derived from facial images) • These are numerical representations — not raw facial photographs • Used strictly and exclusively for identity verification during attendance capture
Important: TimePally does not use facial biometric data for surveillance, profiling, marketing, law enforcement, or any purpose outside attendance verification.
2.5 Device & Technical Data • Device identifier (device UID) and binding information • IP addresses and connection logs • Application version and operating system details • Audit and security logs
2.6 Website & Dashboard Data • Browser type and version • Pages visited and session duration • Cookies and analytics data (see Section 13)
3. Lawful Basis for Processing
We process personal data on the following legal grounds under the Nigeria Data Protection Act (NDPA) 2023 and applicable international principles:
| Data Type | Lawful Basis |
|---|---|
| Organisation & admin data | Contract performance |
| Member attendance data | Legitimate interest / Contract |
| Biometric (facial) data | Explicit informed consent |
| Security and audit logs | Legitimate interest / Legal obligation |
| Subscription and billing | Contract performance |
Biometric data is sensitive personal data under Nigerian and international law. Explicit, informed consent is always required before any facial biometric data is collected or processed, regardless of jurisdiction. Organisations must document and retain evidence of this consent.
4. How We Use Information
We use collected information to:
• Verify member identity for attendance recording • Generate attendance records, reports, and analytics • Manage organisations, locations, devices, and user accounts • Secure, authenticate, and authorise attendance devices • Process subscription payments and manage account access • Provide technical support and respond to enquiries • Improve system reliability, performance, and security • Meet legal, regulatory, and audit obligations
We do not sell, rent, lease, or trade personal data to any third party.
5. Biometric Data — Special Provisions
Given the sensitive nature of facial biometric data, we apply heightened protections:
• Facial biometric data is collected only after explicit enrollment by authorised personnel • Facial templates are encrypted in storage and in transit • Raw facial images are not stored on our servers after template generation • Facial data is processed only on authorised, bound devices • Facial biometric data is permanently deleted when an member record is deactivated or deleted by the organisation • We do not transfer facial biometric data to third parties except trusted infrastructure providers operating under strict confidentiality obligations
Consent Responsibility
Organisations deploying TimePally must:
• Obtain clear, documented, informed consent from each member before enrollment • Maintain records of consent for the duration of employment • Provide members with information about how their biometric data is used • Offer a lawful alternative attendance method where consent is withheld or withdrawn
6. Data Storage & Security
We implement strong technical and organisational measures to protect all personal data:
• Encryption in transit: All data transmitted between devices, apps, and servers is encrypted using TLS • Encryption at rest: Stored data including biometric templates is encrypted • Access control: Role-based access ensures data is accessible only to authorised users • Device binding: Attendance devices are cryptographically bound to authorised accounts • Audit logs: All sensitive actions are logged for security and accountability • Offline operation: Attendance devices may store limited data locally for offline use. This data is encrypted locally and synchronised securely when connectivity is restored
While we implement industry-standard security measures, no system is entirely immune to risk. We encourage organisations to maintain strong administrator passwords and report any suspected unauthorised access immediately.
7. Data Sharing & Disclosure
We do not share personal data except in the following circumstances:
• Authorised administrators: Organisation administrators may access data within their own account scope • Trusted service providers: We engage third-party providers (e.g., cloud hosting, payment processing, email delivery) who are bound by strict confidentiality and data processing agreements and may access only the minimum data required • Legal obligations: We may disclose data where required by law, court order, or regulatory authority • Business transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity under equivalent data protection obligations. Affected users will be notified
All third-party service providers are contractually required to protect personal data and use it only for the agreed purpose.
International Data Transfers
Our infrastructure may involve service providers located outside Nigeria. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent protections, in compliance with NDPA 2023 requirements.
8. Data Retention
We do not retain personal data longer than necessary for its stated purpose. Organisations may request earlier deletion in accordance with Section 10 (User Rights).
| Data Type | Retention Period |
|---|---|
| Attendance records | Minimum 2 years, or as required by the organisation or applicable law |
| Biometric (facial) templates | Deleted upon member deactivation or deletion |
| Admin and account data | Duration of subscription + 90 days after closure |
| Security and audit logs | 12 months |
| Billing records | 7 years (legal and tax requirements) |
9. Subscription & Access Control
If a subscription expires or enters a grace period:
• Attendance data remains intact and is not deleted • New attendance capture may be restricted after the grace period ends • Dashboard access may become read-only • Full access is restored immediately upon subscription renewal
Data is never deleted as a consequence of non-payment.
10. User Rights
Subject to applicable law, individuals whose data we process have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of personal data held about you |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of personal data (subject to legal retention obligations) |
| Withdrawal of consent | Withdraw consent for biometric processing at any time |
| Data portability | Request personal data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Restriction | Request restriction of processing in certain circumstances |
How to submit a request: Send your request to privacy@timepally.com with sufficient information to verify your identity. We will respond within 30 days of receiving your request. Complex requests may require an extension of up to an additional 30 days, of which you will be notified.
Note: Certain rights may be exercised directly within the TimePally dashboard by organisation administrators.
11. Data Breach Notification
In the event of a personal data breach:
• We will assess the risk and take immediate containment measures • We will notify affected organisations without undue delay and within 72 hours of becoming aware of a breach that poses a risk to individuals' rights • We will report notifiable breaches to the Nigeria Data Protection Commission (NDPC) as required by law • Organisations will be provided with sufficient information to fulfil their own notification obligations to affected members
12. Data Protection Officer
TimePally has appointed a Data Protection Compliance Officer responsible for overseeing compliance with this policy and applicable data protection law.
For data protection enquiries, contact:
Email: privacy@timepally.com Subject line: Data Protection Enquiry
14. Children's Privacy
TimePally is not intended for use by individuals under the age of 18, or the applicable age of digital consent in the relevant jurisdiction, whichever is higher.
We do not knowingly collect personal data from minors. If we become aware that a minor's data has been collected without appropriate authorisation, we will delete it promptly. Please contact us at privacy@timepally.com if you believe this has occurred.
15. Compliance with Applicable Laws
TimePally is committed to compliance with:
• Nigeria Data Protection Act (NDPA) 2023 • Nigeria Data Protection Regulation (NDPR) • GDPR-aligned international data protection principles • Other applicable local data protection and employment laws
16. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law.
• For minor changes, we will update the "Last Updated" date at the top of this policy • For material changes (including changes to how biometric data is handled), we will notify affected organisations and administrators by email at least 14 days before the changes take effect • Continued use of TimePally after the effective date of material changes constitutes acceptance of the updated policy
We encourage you to review this policy periodically.
17. Contact Information
For any questions, concerns, or data-related requests, please contact us:
| Company | TimePally Ltd |
| info@timepally.com | |
| Website | https://www.timepally.com |
| Address | Abuja, Nigeria |
For formal data subject requests, please use the subject line: "Data Subject Request"
This Privacy Policy was prepared in accordance with the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR), and internationally recognised data protection principles.
If you have questions, visit our contact page or email privacy@timepally.com.