1. Who We Are
TimePulse is a GPS-based time and attendance management platform operated by:
Elegant Work Group (Pty) Ltd
Registration No: [Your Company Registration Number]
Email: support@timepulse.co.za
Website: timepulse.co.za
We are the Responsible Party as defined under POPIA in respect of personal information collected through the TimePulse platform, website, and mobile applications.
Your employer or the business that manages your TimePulse account may also be a Responsible Party in relation to your employment records. Where your employer uses TimePulse to manage your attendance, they are the primary Responsible Party and we process data on their behalf as an Operator.
2. Information We Collect
2.1 Account & Identity Information
- Full name, email address, phone number
- Employee code, job title, department
- Profile photograph (optional)
- Password (stored as a one-way hash — we never store plaintext passwords)
- Role within your organisation (admin, manager, employee)
2.2 Attendance & Time Records
- Clock-in and clock-out timestamps
- Total hours worked, break minutes, overtime hours
- Shift status and admin notes
- Attendance history and timesheet data
2.3 Location Data (GPS)
- GPS coordinates at the time of clock-in and clock-out
- GPS coordinates captured during activity log start and end events
- Accuracy radius of GPS readings
- Site or client area matched to location
2.4 Biometric Data (Facial Recognition — Pro Plan Only)
- Mathematical facial descriptor vectors derived from face images (128-dimensional floating point arrays)
- A thumbnail photograph captured during enrolment
- A small preview snapshot saved at each facial clock event
- Enrolment date and time
⚠️ Facial descriptor data is classified as special personal information under POPIA Section 26. We only process this data with the explicit, informed consent of the data subject. See Section 9 for full details.
2.5 Activity Log Data
- Activity type, start and end timestamps and locations
- Custom form field responses entered by employees
- Notes captured at activity start and end
- Duration of tracked activities
2.6 Device & Technical Information
- Browser type and version, operating system
- IP address (logged for security and audit purposes)
- Device type (mobile, desktop, tablet)
- Session tokens (stored in browser localStorage)
- App version in use
2.7 Communication Data
- Email address used for system notifications (clock-in alerts, reports)
- Support correspondence sent to us
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Providing the time & attendance service | Identity, attendance, location, activity log |
| Facial recognition clock-in/out | Facial descriptors, snapshots, GPS |
| Generating payroll-ready reports | Attendance, hours, overtime, employee details |
| Sending clock-in/out email alerts to managers | Name, timestamps, location |
| Displaying live employee map to admins | Name, GPS coordinates, clock status |
| Account authentication & session management | Email, password hash, session token |
| Security, fraud prevention & audit logging | IP address, device info, action logs |
| Customer support | Account info, support correspondence |
| Service improvement & platform analytics | Aggregated, anonymised usage statistics |
| Billing & subscription management | Company name, plan status (via PayFast) |
| Sending product announcements | Email address, in-app notification |
4. Legal Basis for Processing
Under POPIA, we process personal information on the following grounds:
- Contractual necessity — processing required to deliver the service you or your employer has contracted for (attendance tracking, reporting, payroll exports)
- Legitimate interests — security, fraud prevention, abuse detection, service performance monitoring
- Legal obligation — complying with South African labour law, SARS, and other applicable legislation
- Consent — for special categories of personal information (biometric/facial data) and optional communications. You may withdraw consent at any time.
Where we rely on consent, we will obtain it explicitly and maintain a record of it. Withdrawal of consent will not affect processing already carried out lawfully prior to withdrawal.
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
5.1 Within Your Organisation
Administrators and managers within your company can view employee attendance records, GPS locations, activity logs, and reports as required to operate the service. This is the primary purpose of the platform.
5.2 Service Providers (Operators)
| Provider | Purpose | Data Shared |
|---|---|---|
| PayFast (DPO PayGate) | Payment processing | Company name, subscription status only — no card details pass through our servers |
| Cloud / VPS hosting provider | Database and file hosting | All platform data — hosted under a data processing agreement |
| OpenStreetMap / Nominatim | Map tiles and address lookup | GPS coordinates for map rendering only — no personal identifiers |
| Google Fonts / jsDelivr CDN | Font delivery and JS libraries | Your IP address (standard CDN request) — no personal data |
| SMTP email provider | Transactional emails (alerts, reports) | Recipient email address, notification content |
All service providers are bound by confidentiality obligations and are only permitted to process data for the specified purpose.
5.3 Legal Requirements
We may disclose personal information if required by law, court order, or to protect the rights, property, or safety of TimePulse, our users, or the public — in accordance with POPIA Section 11(1)(c).
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the new entity. You will be notified prior to any such transfer and given the opportunity to request deletion of your data.
6. Data Storage & Security
All TimePulse data is stored on servers located in South Africa or within the Southern African Development Community (SADC) region unless otherwise required. We do not transfer personal information to third countries without appropriate safeguards.
We implement the following security measures:
- All data transmitted over HTTPS/TLS encryption
- Passwords stored using bcrypt hashing (cost factor 12) — never in plaintext
- Session tokens are randomly generated and stored client-side only
- Database access restricted to application servers only
- Audit logging of all administrative actions
- Facial descriptor data stored only in your own company's database record
- Regular security reviews and dependency updates
📍 Facial recognition processing occurs entirely within your browser using the face-api.js library. Raw face images are never transmitted to our servers — only the mathematical descriptor vectors derived from your face.
Despite our best efforts, no system is 100% secure. If you become aware of a security vulnerability or breach, please contact us immediately at support@timepulse.co.za.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data (employees, attendance) | Duration of subscription + 12 months |
| Payroll and timesheet records | 5 years (in line with South African labour law — BCEA) |
| Audit logs and security records | 24 months |
| Facial descriptors and biometric data | Until the employee account is deactivated or data is explicitly cleared by an admin — whichever comes first |
| Email notification logs | 90 days |
| Deleted company data | 30-day recovery window, then permanently deleted |
| Support correspondence | 3 years |
After the applicable retention period, data is permanently deleted or irreversibly anonymised. You may request early deletion — see Section 8.
8. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right of access — request a copy of the personal information we hold about you
- Right to correction — request that inaccurate or incomplete information be corrected
- Right to deletion — request erasure of your personal information (subject to legal retention requirements)
- Right to object — object to the processing of your personal information on grounds of legitimate interest
- Right to withdraw consent — withdraw consent for biometric processing or marketing at any time
- Right to data portability — request your data in a structured, machine-readable format (CSV/Excel export available in-app)
- Right to complain — lodge a complaint with the Information Regulator of South Africa
To exercise any of these rights, contact us at support@timepulse.co.za with the subject line "POPIA Data Request". We will respond within 30 days as required by law.
🏛️ Information Regulator of South Africa
Website: inforegulator.org.za
Email: inforeg@justice.gov.za
Tel: 010 023 5207
9. Biometric & Facial Recognition Data
🔒 Facial descriptor data is classified as special personal information under POPIA Section 26. Processing this data requires the explicit, specific, and informed consent of the employee.
What we process
When facial recognition is enabled by your employer (Pro plan only), we process:
- Mathematical facial descriptor vectors — these are not photographs but numerical representations derived from your face. They cannot be used to reconstruct your image.
- A thumbnail enrolment photograph stored in your employee record
- A small preview snapshot (<50KB) saved at each clock event for verification purposes
Consent requirement
Before biometric enrolment, employees must provide explicit written consent. Employers are responsible for obtaining and documenting this consent prior to enrolling an employee's face data. Refusing consent will not affect your employment — a standard app-based clock-in method remains available.
On-device processing
Face matching occurs entirely within the browser using face-api.js. Your camera feed and raw face images are never sent to our servers. Only the resulting mathematical descriptors are stored.
Deletion
Facial data is permanently deleted when: (a) an admin clears the data via the employee management screen, (b) the employee account is deactivated, or (c) a deletion request is submitted under Section 8. Deletion is immediate and irreversible.
10. Location & GPS Data
TimePulse collects GPS coordinates at the time of clock-in, clock-out, and activity log events. Location data is used exclusively to:
- Verify the employee's location against registered site/client boundaries
- Display on the live employee map for authorised managers and admins
- Include in attendance reports and payroll exports
- Detect geofence compliance and trigger alerts
Location is captured only at the moment of a clock or activity event. TimePulse does not continuously track your location in the background. No passive location monitoring occurs between events.
GPS permission is required by your device's browser to use clock-in functionality. You may decline, in which case attendance records will be saved without location data.
11. Children's Privacy
TimePulse is a business tool intended for use by adults in an employment context. We do not knowingly collect personal information from persons under the age of 18. If you believe a minor's information has been submitted to our platform, please contact us immediately at support@timepulse.co.za and we will delete it promptly.
12. Cookies & Tracking
TimePulse does not use advertising cookies or cross-site tracking. We use only:
- localStorage (not cookies) — to store your session token and app preferences on your own device. This data never leaves your browser except as part of authenticated API requests to our servers.
- No analytics trackers — we do not use Google Analytics, Meta Pixel, or any third-party analytics on the app.
- No advertising — we serve no ads and have no ad network integrations.
Google Fonts and jsDelivr CDN are loaded by the marketing website (index.html) and may set standard browser caching headers. They do not track personal behaviour.
13. Third-Party Services
The following third-party services are integrated into TimePulse:
- PayFast — payment processing. Subject to PayFast's Privacy Policy. We do not store card numbers.
- OpenStreetMap — map rendering. GPS coordinates are used for display only and are not logged by OpenStreetMap beyond standard server logs.
- face-api.js (MIT) — browser-side facial recognition. Entirely client-side. No data sent to any external service.
- jsDelivr CDN — delivery of open-source JavaScript libraries. Standard CDN request logging applies.
- Google Fonts — font delivery on the marketing website only.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The "Last updated" date at the top of this page will change
- Material changes will be communicated via in-app announcement to all active users
- Continued use of the service after changes constitutes acceptance of the updated policy
We recommend reviewing this page periodically. Previous versions are available on request.
15. Contact & Complaints
For any privacy-related queries, data requests, or concerns:
Elegant Work Group (Pty) Ltd — Information Officer
Email: support@timepulse.co.za
Subject line: "POPIA Privacy Request"
We will acknowledge your request within 5 business days and resolve it within 30 days as required by POPIA.
If you are not satisfied with our response, you have the right to escalate your complaint to the Information Regulator of South Africa:
🏛️ Information Regulator (South Africa)
inforegulator.org.za ·
inforeg@justice.gov.za ·
010 023 5207