Privacy Policy
Geo Time Tracker
Last updated: 1 November 2025
Jurisdiction & Data Controller
This policy is governed by the laws of the United Kingdom. For the purpose of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
Emerador Ltd
A company registered in England and Wales.
Registered office: 124 City Road, London, EC1V 2NX, United Kingdom.
Registered with the UK Information Commissioner's Office (ICO) for data protection purposes.
ICO registration number: ZC072366.
For privacy-related enquiries, contact us at: privacy@geotimetracker.app
1. About This Policy
This Privacy Policy explains how Geo Time Tracker (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use our Service. It applies to all users of the Service, including company administrators, managers, and workers.
This policy should be read alongside our Terms and Conditions and our UK GDPR & Privacy page, which provides further detail on our privacy-first design approach.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1. Account Data
When you create an account or are invited to join a company, we collect:
- Full name
- Email address
- Password (stored as a cryptographic hash — we never store plaintext passwords)
- Role within the company (owner, admin, manager, staff, visitor)
- Company name and details
2.2. Location Data
When a worker presses “Clock In” or “Clock Out” in the Service, we collect:
- GPS coordinates (latitude and longitude) at that moment
- Accuracy reading in metres
- Timestamp of the event
- Device metadata (operating system, browser or app version)
We do not collect: continuous GPS location, location history, movement tracking between clock-in events, location during breaks, background location when the app is not in active use, or live location data of any kind.
Location data is collected solely to verify that the worker is within an approved geofenced work location at the moment of clocking in or out.
2.3. Shift and Attendance Data
- Shift schedules, clock-in/out times, and calculated hours worked
- Manager approvals and timesheet amendments
- Audit log entries (who made changes, when, and why)
- Expense submissions
2.4. Payment Data
We do not collect or store credit card numbers, bank details, or other payment instrument data. All payment processing is handled by our payment provider, Stripe. Stripe collects and processes your payment data under their own privacy policy. We receive only a confirmation of payment status and a Stripe customer identifier.
2.5. Communications Data
If you contact us for support or submit a demo request form, we collect:
- Name, email address, and company name
- The content of your message
2.6. Data We Do Not Collect
We do not collect:
- Biometric data
- Data from social media profiles (other than the email address used for Google OAuth sign-in)
- Data about children (the Service is not intended for use by anyone under 18)
- Marketing or advertising identifiers
3. How We Use Your Data
We use the personal data we collect for the following purposes:
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing and operating the Service (account management, shift tracking, payroll export) | Performance of contract (Article 6(1)(b)) |
| Verifying worker attendance via GPS at clock-in/out | Legitimate interest (Article 6(1)(f)) — the employer's interest in accurate attendance records for payroll and site safety |
| Processing payments | Performance of contract (Article 6(1)(b)) |
| Retaining payroll records for HMRC / Revenue Ireland compliance | Legal obligation (Article 6(1)(c)) |
| Sending service-related communications (security alerts, account notifications, support responses) | Legitimate interest (Article 6(1)(f)) |
| Investigating and preventing fraud or misuse of the Service | Legitimate interest (Article 6(1)(f)) |
We do not use your data for marketing, advertising, profiling, or automated decision-making. We do not sell your data to third parties.
4. Data Sharing and Sub-Processors
We share personal data only with the following sub-processors, solely for the purpose of delivering the Service:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| DigitalOcean | Data hosting and infrastructure | All Service data | United Kingdom (London region) |
| Stripe | Payment processing | Payment details, email, company name | EU/UK (Stripe's infrastructure) |
| Google | OAuth authentication (sign-in with Google) | Email address | EU/UK (Google's infrastructure) |
| Ordnance Survey | Postcode lookup for work location setup | Postcode or address | United Kingdom |
We will notify customers at least 30 days in advance of engaging any new sub-processor.
We may also share personal data where required by law, regulation, or court order.
5. Data Hosting and International Transfers
All customer data is hosted in data centres located in the United Kingdom (London region) on DigitalOcean infrastructure.
We do not transfer personal data outside the United Kingdom except where necessary for the operation of sub-processors listed in Section 4. Where a sub-processor processes data outside the UK, appropriate safeguards are in place as required by UK GDPR, including the UK International Data Transfer Agreement or equivalent measures.
6. Data Retention
6.1. During active subscription
All data is retained for the duration of your subscription.
Payroll export records are retained for a minimum of 7 years from the date of export, as required by HMRC (United Kingdom) and Revenue (Ireland) record-keeping rules.
Data retention is fixed at 7 years on Starter and Business plans. Enterprise customers can configure custom retention periods (7 to 20 years, or indefinite).
6.2. After cancellation
Following cancellation, you have a 30-day data export window with read-only access.
After the export window closes, non-payroll data is deleted within 30 days. Payroll records are retained for the remainder of the applicable retention period and then deleted.
6.3. Trial accounts
Data created during a free trial is preserved if you subscribe within 90 days of trial expiry. After 90 days without subscription, trial data is permanently deleted.
6.4. Backups
Backup copies follow the same retention schedule as primary data. Erasure requests may take up to 30 days to propagate to all backup systems.
7. Your Rights Under UK GDPR
You have the following rights in respect of your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may request correction of inaccurate or incomplete data.
- Right to erasure — You may request deletion of your personal data. Where payroll records must be retained for tax compliance, erasure is implemented by anonymisation: your identity is removed and replaced with a cryptographic hash. The record structure is preserved for compliance purposes. All other personal data not required for legal compliance is deleted.
- Right to data portability — You may export your data at any time during your active subscription using the CSV export functionality within the Service.
- Right to restrict processing — You may request that we restrict the processing of your data in certain circumstances.
- Right to object — You may object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
How to exercise your rights
If you are a company administrator, you can manage most data requests directly within the Service (including data export and GDPR anonymisation).
If you are a worker and wish to exercise your rights, you should contact your employer in the first instance, as they are the data controller. You may also contact us directly at privacy@geotimetracker.app and we will assist in liaising with your employer.
We will respond to all data subject requests within 30 days. If a request is complex, we may extend this by a further 60 days, and we will notify you of the extension and the reason for it.
8. Cookies
We use only strictly necessary cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| sessionid | Keeps you logged in during your session | Expires when you log out or after inactivity |
| csrftoken | Protects against cross-site request forgery attacks | Session |
We do not use any analytics, advertising, tracking, or third-party cookies.
Because these cookies are strictly necessary for the operation of the Service, no cookie consent banner is required under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2 or above)
- Encryption of data at rest
- Role-based access controls
- Per-company data isolation
- Regular security reviews
Whilst we take reasonable steps to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
10. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify the affected customer without undue delay and within 72 hours of becoming aware of the breach. Our notification will include:
- The nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures we have taken or propose to take to address the breach
We will cooperate with customers in fulfilling their own breach notification obligations to the ICO and to affected data subjects.
11. Children
The Service is designed for business use and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email to the account owner's registered email address at least 30 days before the changes take effect.
The “Last updated” date at the top of this page indicates when the policy was last revised.
13. Contact
For privacy-related enquiries, data subject requests, or complaints:
Email: privacy@geotimetracker.app
For general support enquiries:
Email: support@geotimetracker.app
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
This Privacy Policy is governed by the laws of England and Wales.