TimeMarkr Comprehensive Privacy Policy

1. Scope and Application

This Policy applies to all personal information we process in connection with the Services, including:

• Information provided by employers ("Customers") who contract with allsoft® to use TimeMarkr for managing their workforce
• Information provided by employees and other end-users ("End Users") of our Customers
• Information collected directly from individuals visiting our Site or interacting with our Apps for informational, support, or marketing purposes

This Policy does not apply to:

• Personal information processed by our Customers independently of TimeMarkr
• Third-party websites or services accessible via links within our Services
• Information collected by our Customers about their employees outside of TimeMarkr

2. Definitions

For clarity throughout this Policy:

• "Personal Information": Any information relating to an identified or identifiable natural person, including but not limited to name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
• "Special Categories of Personal Information": Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data, or data concerning sex life or sexual orientation.
• "Processing": Any operation performed on personal information, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Subject": The identified or identifiable natural person whose personal information is processed.
• "Consent": Freely given, specific, informed, and unambiguous indication of agreement to process personal information.
• "Contractual Necessity": Processing necessary for the performance of a contract to which the data subject is party or to take steps prior to entering a contract.
• "Legal Obligation": Processing necessary to comply with a legal requirement to which the controller is subject.
• "Legitimate Interests": Processing necessary for the legitimate interests pursued by the controller or third party, except where overridden by the data subject's interests or fundamental rights.

3. Types of Personal Information We Collect

As an HRMS provider specializing in attendance and location tracking, we process various categories of personal information, depending on whether we act as a processor (for Customer data) or controller (for our own operations).

3.1 Information Processed on Behalf of Customers (Employer Data)

When acting as a processor for our Customers, we collect and process the following Personal Information at the Customer's direction and in accordance with our Master Subscription Agreement:

• Full legal name, preferred name, nickname, title, and suffix
• Employee identification number, national identification number (where applicable and lawfully collected), tax identification number, social security number (or equivalent)
• Date of birth, age, gender identity (where voluntarily provided for HR administration)
• Nationality, citizenship, work authorization details, visa status, right-to-work documentation
• Job title, job description, department, division, reporting structure, hire date, rehire date
• Employment type (full-time, part-time, contractual, temporary, seasonal), union membership
• Work location(s), office address, remote work status, designated worksites

• Bank account details (bank name, account number, routing number, branch address, SWIFT/BIC codes) for salary payments
• Salary components: base salary, gross salary, net salary, pay frequency (weekly, bi-weekly, monthly), pay period
• Overtime hours, overtime pay rates, shift differentials, hazard pay
• Bonuses, commissions, incentives, awards, stock options
• Statutory payments: sick leave pay, maternity/paternity/adoption pay, disability benefits, severance
• Reimbursements: travel, mileage, equipment, phone, internet
• Tax withholding information, tax codes, deductions, contributions
• Benefits enrollment: health insurance, vision, life insurance, retirement plans (401(k), provident fund, pension)
• Equity compensation details

• Clock-in and clock-out timestamps (date, time, timezone)
• Break start and end times, meal periods
• Shift details: scheduled shift, actual worked shift, shift type (day, night, split, rotating)
• Location data associated with punches: GPS coordinates, Wi-Fi triangulation data, cell tower proximity, geofence entry/exit events
• Selfie verification: timestamps and metadata associated with employee-submitted selfies for time validation (image data itself is not stored by us; only verification results and metadata)
• Method of punch: web portal and mobile app
• Manual adjustments: supervisor edits, corrections, overrides with reason codes and approver identification
• Leave requests and approvals: vacation, sick leave, personal leave, bereavement, jury duty, military leave, unpaid leave
• Absence records: unauthorized absences, tardiness, early departures, no-show incidents
• Time off in lieu (TOIL) accrual and usage
• Overtime authorization and approval workflow data
• Project/job costing codes, task allocations, activity tracking

• Personal contact details: home address, mailing address, personal email address(es), personal phone number(s) (mobile and landline)
• Work contact details: work email address (if provided by Customer), work phone number, extension
• Emergency contact information: name(s), relationship, phone number(s), email address(es), address
• Dependents information: spouse/partner name, children's names and dates of birth (for benefits administration)

• Device identifier: advertising ID (IDFA/GAID), Android ID
• Operating system: version, type (iOS, Android), architecture
• Hardware characteristics: model, manufacturer, screen resolution, memory capacity
• Network information: IP address, MAC address, Wi-Fi SSID (hashed), cellular carrier name
• Application usage: installation timestamp, last use timestamp, feature usage frequency, crash reports, performance metrics
• Permissions granted: camera, photo library, microphone, location access, notifications, live Background Tracking
• Sensor data usage: accelerometer, gyroscope (for motion detection in certain features)

• Tax declaration details: filing status, number of dependents, claimed deductions
• Statutory compliance data: provident fund contributions, employee state insurance, professional tax, labor welfare fund
• Investments declarations under Section 80C, 80D, etc. (India-specific)
• Form 16 related data, TDS details
• International tax treaty information, certificate of residence

• Task completion timestamps, project time allocation
• Productivity metrics derived from time tracking (where Customer enables such reporting)
• Training completion records, certification dates, expiry tracking
• Disciplinary records: warnings, performance improvement plans (only where Customer directs processing)
• Grievance and investigation records (where Customer directs processing)
• Separation details: resignation date, last working day, exit interview summary, termination reason, rehire eligibility

3.2 Information Collected Directly by Us (Controller Activities)

When we collect information for our own purposes (marketing, support, website operations), we may collect:

• Name, email address, phone number, company name, job title
• Postal address (for direct mail campaigns where permitted)
• Website interaction data: pages viewed, time on site, referral source, search terms used
• Content downloaded: whitepapers, case studies, demo requests, webinar registrations
• Event attendance: virtual or in-person event registrations, attendance records
• Survey responses, feedback, Net Promoter Score (NPS) data
• Social media profiles (publicly available information only)
• Preferences: communication frequency, topic interests, language preferences

• Name, contact information, company details when submitting support tickets
• Conversation transcripts, chat logs, email correspondence with our support team
• Screen recordings or session recordings (with explicit consent) for troubleshooting
• Feedback on product features, usability testing participation
• Technical details: browser type, version, extensions, plugin information

• Essential cookies: session IDs, security tokens, load balancing
• Preference cookies: language selection, theme choice, accessibility settings
• Third-party integrations: LinkedIn Insight Tag, Facebook Pixel, Google Analytics (with appropriate disclosures)

4. How We Collect Personal Information

We collect Personal Information through multiple transparent methods, ensuring individuals are aware of what data is gathered and for what purposes.

4.1 Direct Submission

• Employer Onboarding: Customers provide employee data via secure file upload (SFTP, encrypted email), manual entry through admin portal, or API integration
• Employee Self-Service: End users update their own profiles through the TimeMarkr mobile app or web portal (where permitted by Customer configuration)
• Time Tracking Actions: Data is generated automatically when employees clock in/out, request leave, submit expenses, or perform other system interactions
• Direct Contact: Individuals submit information via our website contact forms, newsletter subscriptions, demo requests, or event registrations
• Support Interactions: Users provide details when seeking technical assistance, billing inquiries, or feature questions
• Surveys and Feedback: Voluntary participation in satisfaction surveys, product feedback sessions, or market research

4.2 Automated Collection

• Time and Attendance Systems: GPS-enabled mobile apps
• Mobile Applications: When installed and used, our Apps collect device information, usage analytics, and permission-based data (location, camera, etc.)
• Web Tracking: Cookies, pixel tags, local storage, and similar technologies monitor website usage (with appropriate notices and consent mechanisms)
• System Logs: Server logs, application logs, error reports, and performance monitoring tools capture technical and usage data
• Integrations: Data received from connected systems (payroll providers, accounting software, access control systems) via secure APIs
• Third-Party Services: Information obtained from service providers we engage (email platforms, cloud hosting, mapping services)

4.3 Collection Notice and Transparency

At the point of collection, we provide clear notices detailing:

• The specific categories of information being collected
• The purposes for which each category will be used
• The legal basis for processing (where applicable under GDPR/other regulations)
• Whether provision of the information is voluntary or required, and consequences of non-provision
• With whom the information may be shared
• Retention periods or criteria used to determine retention
• Contact information for privacy-related inquiries

5. How We Use Personal Information

We use Personal Information only for specified, explicit, and legitimate purposes, compatible with the HRMS context and our contractual obligations. Our use is strictly limited to what is necessary to provide the Services, comply with legal obligations, and protect legitimate interests.

5.1 Processing as a Service Provider (Customer Data)

When processing data on behalf of our Customers, we use Personal Information exclusively to:

• Calculate worked hours, overtime, shift differentials, and pay components accurately
• Generate attendance reports, timesheets, and payroll inputs for Customer processing
• Validate employee identity and prevent time theft through verification, selfie validation, and geofence confirmation
• Manage leave accruals, balances, and approval workflows
• Enable workforce scheduling, shift planning, and coverage management
• Produce compliance reports for labor laws, tax authorities, and regulatory bodies
• Facilitate expense reimbursement processing tied to time and location data
• Support talent management functions integrated with time data (where configured by Customer)
• Provide dashboards and analytics for resource allocation, project costing, and productivity insights
• Enable audit trails for regulatory compliance and internal controls

• Authenticate user access and manage session security
• Troubleshoot technical issues, debug errors, and improve system reliability
• Perform system maintenance, updates, and patches
• Conduct quality assurance testing and user acceptance testing (with anonymized or synthetic data where possible)
• Develop new features and enhance existing ones based on aggregated usage patterns (de-identified data)
• Monitor service availability, performance metrics, and SLA compliance
• Detect and prevent fraudulent activity, system abuse, or security threats

• Send service notifications: system maintenance alerts, feature updates, security advisories
• Provide technical support: respond to inquiries, resolve issues, guide users on functionality
• Conduct Customer satisfaction surveys and feedback collection
• Communicate billing information, invoice details, and subscription management
• Share product roadmaps, release notes, and best practice guides
• Notify Customers of policy changes, terms of service updates, or legal compliance matters

• Assist Customers in meeting obligations under labor laws, tax regulations, and industry-specific requirements
• Provide data for legal proceedings, regulatory investigations, or audits (upon valid legal request)
• Maintain records required by statute (retention periods vary by jurisdiction and record type)
• Support Customer's internal audit controls and SOX compliance efforts
• Facilitate responses to data subject access requests received by Customers

5.2 Processing for Our Own Operations (Controller Data)

When we are the controller, we use Personal Information to:

• Respond to inquiries about our Services, features, and pricing
• Send marketing communications: newsletters, product announcements, event invitations (only with consent or under legitimate interests where permitted)
• Personalize website content and recommend relevant resources
• Measure effectiveness of marketing campaigns and lead generation efforts
• Develop customer profiles and segmentation for targeted offerings
• Conduct market research and competitive analysis
• Enable sales outreach and business development activities

• Provide technical assistance: diagnose issues, guide troubleshooting, escalate to engineering teams
• Manage customer accounts: provisioning, billing inquiries, contract questions
• Collect and act on feedback to improve support quality and responsiveness
• Maintain knowledge base articles, FAQs, and self-help resources
• Conduct training sessions, webinars, and onboarding for new Customers

• Remember user preferences: language, theme, accessibility settings
• Enable secure login and session management
• Facilitate form submissions: contact requests, demo scheduling, whitepaper downloads
• Protect against spam, bots, and abusive behavior
• Analyze website performance: page load times, bounce rates, conversion funnels
• Improve search functionality and content organization

• Fulfill tax obligations, financial reporting requirements, and corporate filings
• Respond to legal requests, subpoenas, or court orders (with appropriate protections)
• Maintain corporate records, board materials, and governance documents
• Manage insurance claims and risk mitigation efforts
• Conduct internal audits and compliance monitoring

6. Location Information

We do not continuously track your location by default. However, if you are using the TimeMarkr Mobile App, your employer may enable location tracking features for timekeeping purposes, which may include:

• Timekeeping-based location verification: Collection of GPS coordinates, Wi-Fi triangulation data, or cell tower information associated specifically with punch-in/punch-out events to verify your presence at an authorized worksite.
• Optional live location tracking: With your explicit consent, you may enable continuous live location sharing for features such as real-time workforce safety monitoring, emergency response, or operational oversight (e.g., for field employees in high-risk environments). This feature is strictly opt-in and can be disabled at any time via device permissions or app settings.

The GDPR legal basis for processing location information for timekeeping is the contractual obligation to your employer to perform the Services. For optional live location tracking, the legal basis is your explicit consent, which you can withdraw at any time.

If you apply for a job at TimeMarkr through the Site, you may provide us with your location information by selecting the "Locate me" button. We use this information to present available jobs near your current location. The GDPR legal basis for processing this information is your explicit consent.

5.1.1 Uses of Location Data

• Timekeeping validation: To confirm that an employee is at an approved worksite when clocking in or out, reducing time theft and ensuring accurate payroll.
• Live location sharing (opt-in): To enable real-time tracking for safety monitoring, emergency response, or operational oversight when explicitly authorized by the employee.
• Geofence alerts: To notify supervisors when an employee enters or exits a designated work area (if enabled by the employer).
• Incident response: To locate employees quickly in case of an emergency or safety incident.
• Aggregated analytics: To improve service features (e.g., identifying common worksite areas) using anonymized and aggregated data.

7. Legal Basis for Processing (GDPR Focus)

For individuals in the European Economic Area (EEA), we process Personal Information only when we have a valid legal basis under Article 6 of the GDPR. The basis depends on the specific processing activity and our role (processor or controller).

7.1 When Acting as Processor (Customer Data)

Our processing of employee data on behalf of Customers is primarily grounded in:

• Processing is necessary for the performance of our contract with the Customer (Master Subscription Agreement)
• The Customer requires this processing to fulfill their obligations to employees (e.g., paying wages, managing time)
• Specific activities: time calculation, payroll input generation, attendance reporting, leave management

• Processing is necessary for the Customer to comply with legal obligations (e.g., tax reporting, labor law compliance)
• We act on the Customer's instructions to enable their compliance
• Specific activities: statutory report generation, tax deduction records, benefits administration for legal mandates

• Where processing supports our legitimate interests in providing a secure, functional service
• Balanced against data subject rights through safeguards, transparency, and limited scope
• Specific activities: fraud detection, system security monitoring, service improvement (using aggregated/de-identified data)
• We conduct Legitimate Interests Assessments (LIAs) for such processing

• Explicit consent is sought for specific processing that falls outside contractual/legal necessity
• Most relevant for: location tracking beyond basic timekeeping (live location sharing), marketing communications from us to employees
• Consent is freely given, specific, informed, and unambiguous; easy to withdraw via privacy settings or direct contact
• We maintain clear records of consent and provide simple withdrawal mechanisms

7.2 When Acting as Controller (Our Own Data)

For information we collect for our own purposes, we rely on:

• Primary basis for marketing communications, cookie usage (non-essential), and data sharing with third parties for advertising
• Obtained via clear opt-in mechanisms, granular controls, and easy withdrawal
• We maintain consent logs and honor withdrawal promptly

• Applied where our interests (or those of third parties) are not overridden by data subject rights
• Examples: fraud prevention, network security, direct marketing to existing customers (soft opt-in), website analytics
• We perform balancing tests and document our rationale

• Necessary to provide requested services: support inquiries, demo fulfillment, contract execution
• Examples: processing support tickets, delivering purchased services, managing customer accounts

• Required to comply with laws: tax obligations, financial reporting, legal holds
• Examples: retaining invoices for tax authorities, preserving data for litigation

8. Special Category Data Processing

As an HRMS handling sensitive workforce data, we may process Special Categories of Personal Information under Article 9 of the GDPR. We do so only when strictly necessary and with appropriate safeguards.

8.1 Health Data

• Where Collected: Sickness absence records, disability accommodations, maternity/paternity leave, occupational health information (only where Customer directs processing)
• Legal Basis:
  • Necessary for obligations and rights in social security and social protection law (Article 9(2)(b))
  • Necessary for preventive or occupational medicine (Article 9(2)(h))
  • Explicit consent for wellness program participation
• Safeguards:
  • Strict access controls limiting visibility to authorized HR and occupational health personnel
  • Separate storage with enhanced encryption
  • Minimization: only necessary data collected (e.g., absence dates, not medical diagnoses)
  • Used solely for administration of leave, accommodations, or benefits

9. Information Sharing and Disclosure

We share Personal Information only in limited, necessary circumstances, and always with appropriate safeguards.

9.1 Sharing with Customers (As Processor)

As a service provider, we share processed data with our Customers:

• Attendance and Time Data: Reports, timesheets, punch details, leave balances
• Payroll Inputs: Gross-to-net calculations, deduction details, bank files
• Compliance Reports: Statutory filings, labor law submissions, audit trails
• Analytics Dashboards: Productivity metrics, workforce insights, trend analysis
• Employee Self-Service Updates: Changes made by employees via the portal/app
• System Logs: Access records, security events (for Customer's internal investigations)

We act solely on the Customer's instructions and do not independently determine sharing purposes.

9.2 Sharing with Service Providers

We engage third parties to assist in delivering the Services. These entities are bound by strict data processing agreements requiring:

• Processing only on our documented instructions
• Implementing equivalent security and confidentiality measures
• Prohibiting use of data for their own purposes
• Assisting with data subject rights requests
• Notifying us of any legal requests or data breaches

We maintain a current Sub-Processor list available upon request and provide notice of changes as required by GDPR.

9.3 Sharing for Legal and Protective Reasons

We may disclose Personal Information when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Protect our rights, property, or safety, or that of our users or the public
• Prevent, investigate, or address actual or suspected illegal activities, fraud, or security threats
• Enforce our Terms of Service or this Privacy Policy
• Respond to an emergency involving imminent risk of serious physical harm or death

In such cases, we:

• Limit disclosure to what is strictly necessary
• Notify the affected Customer (when processing their data) unless legally prohibited
• Seek to narrow the scope of requests through legal counsel
• Maintain records of all such disclosures

9.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets:

• Personal Information may be transferred as part of the transaction
• We will notify affected Individuals and Customers via email or prominent website notice
• The acquiring entity must agree to uphold this Privacy Policy or provide equivalent protection
• Individuals retain their rights and may object to the transfer where legally permitted
• We will not sell Personal Information to third parties for marketing purposes

9.5 No Sale of Personal Information

We do not sell Personal Information as defined under the CCPA/CPRA or similar laws. We do not exchange Personal Information for monetary consideration with third parties for their independent use.

10. International Data Transfers

As a HRMS provider with infrastructure spanning multiple regions, we transfer Personal Information across borders. We ensure such transfers comply with Chapter V of the GDPR and equivalent frameworks worldwide.

10.1 Transfer Mechanisms

We rely on one or more of the following safeguards for transfers outside the EEA:

• Transfers to countries deemed by the European Commission to provide adequate protection (e.g., Switzerland, Japan, Canada (commercial orgs), Israel)

• EU-approved model contracts for transfers to processors and controllers in third countries
• We have executed SCCs with all Sub-Processors and Customers located outside the EEA
• Supplemental measures are applied where required by jurisprudence (e.g., Schrems II)

• For transfers within our corporate group (if applicable)

• Used only in limited circumstances: explicit consent, necessary for contract performance, important public interest, legal claims, vital interests, or protection of data subject rights

10.2 Transfer Locations

Our primary infrastructure regions include:

• India: Mumbai, Chennai, Hyderabad, Delhi NCR (AWS, Azure regions) – hosting core application databases and analytics

10.3 Transfer Safeguards

For each transfer, we implement:

• Data Minimization: Transfer only necessary data for the specific purpose
• Encryption: Data in transit protected by TLS 1.2+; data at rest encrypted using AES-256 or equivalent
• Access Controls: Role-based access, just-in-time permissions, and strict authentication
• Processing Limitations: Sub-Processors bound to use data only for specified Services
• Audit Rights: Right to audit Sub-Processor compliance (via reports, certifications, or direct assessment)
• Incident Cooperation: Obligation to assist with breach notifications and regulatory inquiries
• Data Subject Rights Support: Mechanisms to enable exercise of rights despite geographical distance
• Local Law Compliance: Adherence to data localization requirements where applicable (e.g., Russia, China, India's potential future rules)

We conduct Transfer Impact Assessments (TIAs) for high-risk transfers and maintain records of our compliance efforts.

10.4 Transfers from the EEA

When transferring Personal Information from the EEA:

• We verify that the destination country provides adequate protection or that appropriate safeguards are in place
• We inform Customers and employees of such transfers in our privacy notices
• We provide a copy of the safeguards (e.g., SCCs) upon request
• We monitor ongoing suitability of the mechanisms

11. Data Retention and Deletion

We retain Personal Information only as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data type, jurisdiction, and contractual requirements.

11.1 Retention Principles

• Purpose Limitation: Data is retained only for the specific purpose(s) for which it was collected
• Storage Minimization: We regularly review and delete data that is no longer needed
• Legal Compliance: Retention meets or exceeds statutory minimums where applicable
• Customer Instructions: As a processor, we follow Customer-defined retention schedules
• Risk-Based Approach: Higher-risk data (special categories) may have shorter retention where feasible

11.2 Specific Retention Schedules

• Active Employment Data: Retained for the duration of the employee's relationship with the Customer
• Post-Termination:
  • Payroll-related time data: Minimum 3-7 years (varies by jurisdiction for tax and labor law compliance)
  • Non-payroll time data (e.g., productivity metrics): Typically 1-3 years after separation
• Raw punch data: May be archived after 90 days, with aggregated reports retained longer
• Location data associated with punches: Retained with the time record; standalone location tracking data deleted after 24 hours if not used for time validation
• Continuous live location data (opt-in): Retained only for the duration of the active session or as required for the specific safety/operational purpose; automatically deleted when tracking is disabled or after a maximum of 24 hours if not actively used

• Active Employment: Retained for duration of employment
• Post-Termination: Minimum 6-10 years in most jurisdictions for tax audit purposes (aligned with local requirements)
• Tax Documents: Forms equivalent to W-2, 1099, or local wage statements: Minimum 4-7 years

• Active Participation: Retained for duration of plan membership
• Post-Termination: Claims records: Minimum 6 years; enrollment records: Minimum 3 years
• HIPAA-related data (US): 6 years from creation or last effective date

• Active Candidates: Retained for duration of recruitment process (typically 6-12 months)
• Unsuccessful Applicants: Deleted after 6-12 months unless consent obtained for future consideration
• Hired Applicants: Transferred to employee records

• Prospects: Retained until consent withdrawn or engagement ceases (typically 24-36 months of inactivity)
• Customers: Contract data: Minimum 10 years after termination; billing data: Minimum 7 years for tax
• Website Visitors: Analytics data: IP addresses anonymized after 24 hours; behavioral data retained for 26 months

• Support Tickets: Retained for 3-5 years after resolution (for trend analysis and legal protection)
• Email Correspondence: Retained for 3-5 years (aligned with statute of limitations for contracts)
• Chat Logs: Retained for 1-2 years

• Statistical Data: Retained indefinitely for business planning, provided it cannot be used to re-identify individuals
• Research Data: Retained for duration of the research project plus publication period

11.3 Deletion and Anonymization Processes

• Automated Deletion: Scheduled jobs remove data according to retention policies
• Customer-Initiated Deletion: Customers may request deletion of specific employee data (subject to legal hold constraints)
• Data Subject Requests: We facilitate deletion requests in accordance with applicable laws
• Anonymization: Where deletion is not possible due to legal obligations, we irreversibly anonymize data
• Backup Override: Backup tapes are allowed to age out according to our 30-day rotation; we do not extract individual records from backups for deletion
• Verification: We provide deletion certificates or confirmation upon request

11.4 Data Handling After Customer Termination

When a Customer's relationship with us ends:

• Export Option: Customer receives their data in a portable, machine-readable format (e.g., CSV, JSON)
• Deletion Timeline: Automated deletion begins in the next quarterly cycle (within 3 months)
• Hold Period: Data is retained in a secure, inaccessible state during the export window
• Irreversible Deletion: After the hold period, data is permanently deleted from all active systems
• Backup Exceptions: Data may remain in backups until the end of the 30-day rotation cycle
• Audit Logs: Minimal logs may be retained for fraud prevention and legal protection
• Third-Party Data: We instruct Sub-Processors to delete or return Customer data

12. Data Subject Rights

Individuals have rights regarding their Personal Information under various data protection laws. We facilitate the exercise of these rights, recognizing that when we act as a processor, the primary point of contact is typically the Customer (employer).

12.1 Rights Under the GDPR (EEA Individuals)

When we are the controller, or when assisting Customers as processor, Individuals have the right to:

• Obtain confirmation of whether we are processing their Personal Information
• Access their Personal Information and supplementary information
• Receive a copy of their Personal Information undergoing processing

• Have inaccurate Personal Information corrected without undue delay
• Have incomplete Personal Information completed

• Have their Personal Information erased without undue delay where grounds apply (e.g., data no longer necessary, consent withdrawn, objection prevails)

• Obtain restriction of processing where grounds apply (e.g., accuracy contested, unlawful processing, data needed for legal claims)

• Receive their Personal Information in a structured, commonly used, machine-readable format
• Have their Personal Information transmitted directly to another controller where technically feasible

• Object to processing based on legitimate interests or public interest
• Object to processing for direct marketing at any time

• Not be subject to a decision based solely on automated processing (including profiling) that produces legal effects or significantly affects them
• Obtain human intervention, express their point of view, and contest the decision

12.2 Rights Under the CCPA/CPRA (California Residents)

California residents have the right to:

• Know what Personal Information we collect, use, share, or sell
• Delete their Personal Information held by us (with exceptions)
• Opt-out of the sale of their Personal Information (we do not sell data)
• Non-discriminatory treatment for exercising privacy rights
• Correct inaccurate Personal Information
• Limit use and disclosure of sensitive Personal Information

12.3 Rights Under India's DPDPA 2023

Individuals in India have the right to:

• Access confirmation and correction
• Data erasure
• Grievance redressal
• Nominate a person to exercise rights in case of incapacity or death

12.4 How to Exercise Your Rights

The process depends on our role in processing your information:

1. Primary Contact: Submit your request to your employer's HR department, data protection officer, or designated privacy contact
2. Employer Obligation: Your employer must facilitate the request through us as their processor
3. Our Role: We will act on verified instructions from your employer to access, correct, delete, or port your data
4. Verification: Your employer must verify your identity and authority before submitting the request
5. Timeframe: We respond to employer instructions within 30 days (extendable by 60 days for complex requests)
6. Fees: We charge no fee for requests unless they are manifestly unfounded or excessive

1. Contact Method: Send your request to info@allsoft.co or via our web portal at https://www.timemarkr.com/privacy-request
2. Verification: We will verify your identity using reasonable methods (e.g., matching against account information, requesting additional details)
3. Response Timeframe: We respond within 30 days of receipt of a verified request
4. Extension: We may extend the period by 60 days for complex or numerous requests, notifying you within the first 30 days
5. Format: Information provided in a portable, machine-readable format (e.g., JSON, CSV, PDF)
6. Fees: No fee charged unless requests are manifestly unfounded or excessive

• Access Request: We provide a copy of your Personal Information and explain our processing activities
• Rectification Request: We correct inaccuracies and notify relevant third parties where required
• Erasure Request: We delete your data unless retention is required by law, contract, or for legal claims
• Restriction Request: We temporarily limit processing while verifying accuracy or resolving disputes
• Portability Request: We provide your data in a structured, commonly used format
• Objection Request: We stop processing for direct marketing immediately; for other processing, we assess whether compelling legitimate grounds override your interests
• Withdrawal of Consent: We cease processing based on consent as soon as technically feasible