Privacy Policy

1. Introduction

Akoji LLC, a Texas limited liability company doing business as VeroPunch (“Company,” “we,” “us,” or “our”), is committed to protecting the privacy of our customers, their employees, and all users of the VeroPunch service. This Privacy Policy explains how we collect, use, store, share, and protect personal information — including biometric data — when you use the VeroPunch application, website, and related services (collectively, the “Service”).

This policy applies to two categories of individuals: (a) business customers and their authorized administrators (“Employers” or “Customers”), and (b) employees whose information is entered into or collected by the Service (“Employees”).

2. Information We Collect

We collect the following categories of information:

Account Information. When a business registers for VeroPunch, we collect business name, administrator name, email address, phone number, and billing information.

Employee Information. Business administrators may enter employee names, employee IDs, roles, departments, and work schedules into the Service.

Biometric Data. The Service uses facial recognition technology to verify employee identity during clock-in and clock-out events. Specifically:

• Facial images are captured by the iPad camera during enrollment and verification.
• Images are processed entirely on-device using Apple's CoreML framework to generate mathematical facial embeddings (numerical vectors).
• By default, facial images are processed in-memory and immediately discarded after the embedding is generated. We do not intentionally store raw facial images in our cloud systems or transmit them for cloud-based facial recognition processing. Images are not written to persistent device storage.
• Facial embeddings are mathematical representations not designed to reconstruct a facial image, and we do not develop or maintain any capability to reconstruct images from embeddings.

Time and Attendance Data. Clock-in and clock-out timestamps, associated employee records, and kiosk location information (consisting of a customer-configured site name or address and a kiosk device identifier). We do not perform continuous GPS tracking of kiosk devices or employees.

Device and Usage Data. Device model, operating system version, app version, crash logs, and general usage metrics to maintain, secure, and improve the Service.

3. Roles and Responsibilities

VeroPunch operates as a data processor (or “service provider” under US state privacy laws) on behalf of the Employer, who is the data controller (or “business”) with respect to Employee personal data — including biometric data.

• Employers are responsible for: (a) determining the purposes and lawful basis for collecting Employee data; (b) ensuring that appropriate consent is obtained before biometric enrollment; (c) providing employees with required notices under applicable law; and (d) complying with all applicable employment and privacy laws in their jurisdiction.
• VeroPunch is responsible for: (a) processing personal data only as directed by the Employer and as necessary to provide the Service; (b) implementing appropriate technical and organizational security measures; (c) assisting Employers in responding to data subject requests; and (d) deleting or returning data upon termination of the Service.

The allocation of responsibilities is further described in our Data Processing Addendum.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and operating the time-tracking Service.
• Verifying employee identity through facial recognition for clock-in and clock-out events.
• Generating time and attendance reports for business administrators.
• Processing payments and managing subscriptions.
• Communicating with you about your account, service updates, and support requests.
• Maintaining, securing, and improving the Service.
• Complying with legal obligations.

Biometric purpose limitation: We use biometric embeddings only to verify identity for timekeeping within the Service. We do not use biometric information for marketing, advertising, surveillance, profiling, or any unrelated purpose. We do not sell, rent, lease, or trade biometric data or any personal information to third parties.

5. Biometric Data Handling

We apply safeguards designed to minimize biometric data collection and reduce risk:

On-Device Processing. All facial recognition processing occurs locally on the iPad device using Apple's CoreML framework. No facial image data is transmitted to VeroPunch servers, external AI services, or any third-party platform for processing.

No Image Storage. Raw facial photographs are processed in-memory on the device to generate a numerical embedding, then immediately discarded. They are not written to device storage, transmitted over the network, or retained in any form.

Mandatory Consent Flow. The Service includes a mandatory electronic consent flow that each Employee must complete before biometric enrollment can proceed. This consent flow is designed to satisfy written consent requirements under applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA) and the Texas Capture or Use of Biometric Identifier Act (CUBI). The Service will not permit biometric enrollment until consent is recorded. Employers operating in jurisdictions with additional consent requirements are responsible for supplementing the in-app consent as necessary. The Service logs the date, time, and content of each consent event.

Purpose Limitation. Biometric embeddings are used solely for verifying the identity of employees during clock-in and clock-out events. They are never used for surveillance, continuous monitoring, marketing, profiling, or any purpose unrelated to time and attendance verification.

Deletion. Biometric embeddings are permanently deleted: (a) within 30 days of an employee being removed from the system by their employer; (b) within 30 days of the employer's subscription being terminated; or (c) upon verified request submitted through the employer or directly to privacy@veropunch.com, processed within 30 days. Employee deletion requests submitted directly may be coordinated with the employer for authorization and recordkeeping compliance. See Section 8 for backup and legal hold exceptions.

No Sale or Disclosure. We do not sell, lease, or otherwise disclose biometric data to any third party, except as required by valid legal process (such as a court order or subpoena).

6. Artificial Intelligence and Machine Learning

VeroPunch uses artificial intelligence and machine learning technology as a core component of its facial recognition system.

How Our AI Works. VeroPunch uses a pre-trained machine learning model to convert facial images into mathematical embeddings and compare them against enrolled employee profiles. The model runs entirely on-device using Apple's CoreML framework. No facial data is sent to external servers or cloud-based AI services for processing.

What the AI Decides. The AI performs one narrow function: determining whether a face presented to the kiosk matches an enrolled employee profile. It produces a similarity score, and the system uses a configurable threshold to determine a match or no-match. The AI does not make employment decisions, performance evaluations, scheduling determinations, or disciplinary recommendations.

No Training on Customer Data. Our facial recognition model is pre-trained before deployment. We do not use customer facial images, employee biometric data, or any Customer Data to train, fine-tune, or improve our machine learning models.

Human Oversight. VeroPunch is a verification tool, not an autonomous decision-maker. Employers retain full control over employment decisions. If the system cannot confidently verify an employee's identity, it provides a fallback mechanism and logs the event for administrator review. No adverse employment action should be taken based solely on an AI match or non-match result.

Accuracy and Limitations. No biometric system is infallible. Environmental factors such as lighting, camera angle, and changes in physical appearance may affect recognition accuracy. The system is designed to err on the side of caution and prompt manual verification when confidence is low.

No Generative AI. VeroPunch does not use generative AI to create, modify, or synthesize facial images or any other content.

7. Data Storage and Security

We use a combination of administrative, technical, and physical safeguards designed to protect your data, which may include:

• Encryption of data in transit and at rest.
• Role-based access controls and audit logging.
• Biometric embeddings receive additional access restrictions and are logically segregated from general Customer Data.
• The kiosk application supports offline operation, storing data securely on-device using encrypted local storage until connectivity is restored.
• Periodic security assessments and incident response procedures.

Specific security controls may vary by system component and provider. No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Data Retention

We retain data according to the following schedule:

• Account and employee profile data: Retained for the duration of the active subscription, plus 30 days after termination to allow for data export.
• Biometric embeddings: Retained only while the employee is active in the system. Deleted within 30 days of employee removal, account termination, or verified deletion request. Deleted from backups within 90 days.
• Time and attendance records: Retained for the subscription term and thereafter as needed for payroll recordkeeping, audits, and dispute resolution, or as configured by the Customer. Note: Applicable labor laws may require employers to retain time and attendance records for specific periods (e.g., 3 years under FLSA). We recommend exporting records before termination.
• Billing records: Retained as required by applicable tax and financial regulations (typically 7 years).
• Device and usage logs: Retained for up to 12 months, then aggregated or deleted.
• Consent records: Retained for at least 5 years after the consent event as evidence of compliance.

Backups and Legal Holds. Deleted data may persist in encrypted backups for up to 90 days and will be removed on the next backup rotation. We may retain information longer if required by law, court order, or to establish, exercise, or defend legal claims.

Upon subscription termination, all Customer Data (including biometric embeddings) is deleted within 30 days of the export window closing, except where longer retention is required by law or where backup timelines apply as described above.

9. Data Sharing

We do not sell, rent, or trade personal information. We may share data only in the following limited circumstances:

Service Providers / Subprocessors. We use trusted third-party providers for cloud hosting, payment processing, email delivery, and crash reporting. These providers are contractually bound to protect your data and may only process it on our behalf for the specific services they provide. We do not authorize subprocessors to use biometric identifiers for their own purposes. We will provide at least 30 days' notice before adding a new subprocessor that processes personal data.

Legal Requirements. We may disclose information if required by law, regulation, valid legal process, or enforceable governmental request.

Business Transfers. In the event of a merger, acquisition, or sale of assets, customer data may be transferred as part of the transaction. We will notify affected customers before their data is subject to a different privacy policy and, where biometric data is involved, will obtain renewed consent if required by applicable law.

10. Your Rights

For Employees: If your employer uses VeroPunch and your personal data (including biometric data) has been collected through the Service, you have the following rights, subject to applicable law:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information, including biometric data.
• Portability: Request an export of your data in a machine-readable format.
• Objection: Object to certain processing of your personal information.

You may exercise these rights by contacting your employer's administrator or by contacting us directly at privacy@veropunch.com. Because your employer is the data controller, we may need to coordinate with them before fulfilling certain requests (such as deletion, which may be subject to your employer's recordkeeping obligations). We will respond within 30 days, or as required by applicable law. We will not retaliate against any individual for exercising their privacy rights.

For Employers / Administrators: You may access, export, correct, or delete Employee data and account data through the Service dashboard. For requests that cannot be fulfilled through the dashboard, contact privacy@veropunch.com.

11. State-Specific Disclosures

Texas (CUBI Act). Under the Texas Capture or Use of Biometric Identifier Act, we collect biometric identifiers solely for employee identity verification with informed consent. Biometric data is stored with reasonable care consistent with the protection of other confidential information. We do not sell, lease, or otherwise disclose biometric identifiers without authorization except as required by law.

Illinois (BIPA). If you operate in Illinois, each employee must complete the VeroPunch consent flow — which provides a written release as required under 740 ILCS 14/15(b) — before biometric enrollment. Our publicly available retention and destruction schedule is set forth in Section 8 of this Privacy Policy. We retain biometric data only for the purpose of employee identity verification and destroy it when the initial purpose has been satisfied or within 30 days of the individual's last interaction with the Service, whichever comes first, unless retention is required by law.

California (CCPA/CPRA). California residents have the right to know what personal information is collected, request deletion, correct inaccuracies, and opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA/CPRA. To submit a request, contact privacy@veropunch.com. We will verify your identity before processing and respond within 45 days.

Washington (My Health My Data Act). Biometric data may be considered “consumer health data” under Washington state law. We process such data only with consent and for the purposes described in this policy.

Other States. If you operate in a state with biometric privacy, consumer privacy, or AI transparency laws not listed above, you are responsible for ensuring compliance with those laws. We will assist with reasonable requests related to compliance obligations.

12. International Data Transfers

Our Service infrastructure is located in the United States. If you or your employees are located outside the United States, personal data will be transferred to and processed in the United States. Where required by applicable law (such as the EU GDPR or UK GDPR), we will implement appropriate transfer mechanisms such as Standard Contractual Clauses. For more information, contact privacy@veropunch.com.

13. Children's Privacy

The Service is intended for use by adults in a workplace setting. We do not knowingly collect personal information from individuals under the age of 16, and the Service should not be used to enroll anyone under 16. Our website complies with COPPA and does not knowingly collect information from children under 13. If we learn that we have collected information from an individual under 16, we will promptly delete it. If you believe a minor's information has been collected, please contact privacy@veropunch.com.

14. Cookies and Website Analytics

Our website (veropunch.com) uses only strictly necessary cookies required for site functionality, such as session management. We do not use advertising cookies, third-party tracking cookies, or behavioral analytics cookies as of the date of this policy. If we add analytics tools in the future, we will update this policy and provide appropriate notice and opt-out controls before implementation.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Material changes affecting the handling of biometric data will require renewed consent where required by applicable law. The “Effective Date” at the top indicates when this policy was last revised. Prior versions are available upon request.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Akoji LLC (d/b/a VeroPunch)
Privacy: privacy@veropunch.com
General: hello@veropunch.com
Support: support@veropunch.com
Security: security@veropunch.com