Privacy Policy
At QRAY, your privacy comes first. This policy explains what we collect, how we use it, and how we protect it.
In Short
- We never sell your data to third parties
- We use no advertising or analytics trackers
- Location is read only at clock-in/clock-out - no continuous tracking
- We never access contacts, SMS, or calendar
- We collect no biometric data
- All data is stored encrypted
Data We Collect
Identity Information
- Name
- Email address (optional)
- Phone number (optional)
- Employee or company code used to sign in
Work Information
- Your workplace or location
- Role / job title
- Shift and schedule details
Attendance Records
- Clock-in and clock-out times
- Worked hours and overtime
- Leave and time-off records
Media & Documents
- Profile photo (camera or gallery)
- Time-off request attachments (e.g. notes)
- Support request attachments
Location Data
- Used to verify location at clock-in and clock-out
- Captured only at the moment of a punch
- No continuous background tracking on the standard time clock
Technical Data
- Device type (Android/iOS)
- Push notification token (for reminders and alerts)
App Permissions
Camera Access
- Used to scan the QR code to clock in
- Used to take a profile photo
- Photos are linked to your account
Photo Library Access
- Used to choose a profile photo
- Used to attach documents to time-off and support requests
Location Access
- Used to verify presence at clock-in and clock-out
- Read only at the moment of a punch
- No continuous background tracking on the standard time clock
Notifications
- Shift reminders
- Clock-in and clock-out confirmations
- You can turn these off at any time
Biometric Sign-In (Optional)
- Face ID / fingerprint unlock for fast sign-in
- Biometric data stays on your device
- No biometric data is ever sent to our servers
Data We Do Not Access
Information We Never Collect
- Contacts - not accessed
- SMS or call logs - not accessed
- Calendar - not accessed
- Health and fitness data - not accessed
- Browsing history - not accessed
- Financial information - not accessed
Data Security
How We Protect Data
- All data is encrypted in transit with SSL/TLS
- Passwords are hashed with bcrypt
- Access tokens are stored in secure device storage (Keychain/Keystore)
- Session tokens are rotated regularly
Access Control
- Only authorized managers can access your data
- Each company's data is fully isolated from others
- All access is logged and auditable
Third-Party Services
Expo Push Notifications
- Used to deliver notifications
- Only a push token is shared
- No personal data is shared with Expo
Services We Do Not Use
- Google Analytics - not used
- Facebook SDK - not used
- Ad networks - not used
- Selling data - never
Data Retention & Deletion
Retention
- Attendance records: kept as required by labor law (US: typically 3 years under the FLSA; UK: 2 years, with longer holiday-record retention from April 2026)
- Account information: while the account is active
- Session data: cleared on sign-out
Your Right to Deletion
- Your account is deactivated when you leave the workplace
- You can request deletion of your personal data
- Local data on your device is cleared on sign-out
Your Rights Under UK GDPR
Under the UK GDPR and Data Protection Act, you have the following rights regarding your personal data:
- Know whether your personal data is being processed
- Access the personal data we hold about you
- Understand the purpose of processing and how it is used
- Know any third parties your data is shared with
- Have inaccurate or incomplete data corrected
- Request deletion or erasure of your data
- Object to or restrict certain processing