Privacy Policy
CampusTrack — GPS-Bound Staff Attendance System
Operated by: Sync School Group Education
Last updated: 2026-03-23
This Privacy Policy is issued in compliance with the UAE Personal Data Protection Law (PDPL) —
Federal Decree-Law No. 45 of 2021, and its implementing regulations.
1. Data We Collect
| Category | Data Collected | Purpose |
|---|
| Personal Information | Name, employee ID, email, phone number, date of birth, gender, nationality | Employee identification and HR management |
| Identity Documents | National ID number, passport number, visa details (and expiry dates) | Legal compliance and document management |
| Location Data | GPS coordinates during check-in and check-out | Geo-fence verification to confirm presence at authorized work zones |
| Attendance Data | Check-in/check-out times, session durations, attendance status | Workforce management and payroll processing |
| Device Information | IP address, browser user-agent | Security auditing and session management |
| Emergency Contact | Emergency contact name, phone, relation | Workplace safety |
| Financial Information | Bank name, account number, IBAN | Salary disbursement |
2. Why We Collect This Data (Legal Basis)
- Employment contract performance: Attendance tracking is essential for payroll calculation and workforce management.
- Legitimate interest: GPS geo-fencing ensures employees check in from authorized locations, preventing attendance fraud.
- Legal compliance: UAE Labour Law requires employers to maintain attendance records.
- Consent: GPS location collection requires explicit employee consent before first use.
3. Who Has Access to Your Data
| Role | Access Level |
|---|
| Super Admin | Full access to all employee data across all branches |
| School Admin | Full access to employee data within their branch only |
| Manager | Access to their direct reports' attendance, leaves, and basic profile |
| Employee | Access to their own data only (profile, attendance, leaves) |
Your data is not shared with third parties unless required by law or with your explicit consent.
4. Data Retention
- Active employee data: Retained for the duration of employment plus 2 years after separation.
- Attendance records: Retained for a minimum of 5 years as required by UAE Labour Law.
- GPS location data: Retained with attendance records; not shared or used for tracking outside of attendance purposes.
- Audit logs: Retained for 3 years for security and compliance purposes.
- Anonymized data: Personal data is anonymized upon valid erasure request; anonymized records are retained for business continuity.
5. Your Rights Under UAE PDPL
As a data subject, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request anonymization/deletion of your personal data (subject to legal retention obligations).
- Right to Withdraw Consent: Withdraw GPS consent at any time (note: this may affect your ability to check in).
- Right to Data Portability: Request your data in a machine-readable format (JSON export).
- Right to Object: Object to processing of your data for purposes beyond the stated scope.
To exercise any of these rights, contact the Data Protection Officer below, or use the self-service options in the application (Profile → Export My Data).
6. GPS Location — Specific Disclosure
What: Your GPS coordinates are collected only during check-in and check-out events.
Why: To verify that you are within an authorized geo-fenced work zone at the time of attendance recording.
How it is stored: Location data is stored securely in an encrypted database, accessible only by authorized administrators.
Your control: You must provide explicit consent before GPS location is collected. You may withdraw consent via your profile settings; however, attendance check-in/check-out will require manual admin intervention.
7. Data Security Measures
- All PINs are hashed using bcrypt (never stored in plaintext)
- Session tokens with configurable timeout and concurrent session limits
- Account lockout after repeated failed login attempts
- Full audit logging of all data access and modifications
- HTTPS enforcement in production with security headers (HSTS, CSP, X-Frame-Options)
- Role-based access control (RBAC) limiting data exposure per role
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the UAE Data Office within 72 hours of becoming aware of a breach, as required by PDPL.
- Notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
- Document the breach, its effects, and remedial actions taken in our internal breach register.
9. Data Protection Officer (DPO)
Name: Not yet designated
Email: Not configured
Phone: Not configured
For any questions, concerns, or requests related to your personal data, please contact the DPO using the details above.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the application or email. Continued use of the system after changes constitutes acceptance of the updated policy.
CampusTrack Attendance System | Compliant with UAE PDPL (Federal Decree-Law No. 45 of 2021)
Powered by CloudSync Technologies LLC