1. Introduction

This Privacy Policy describes how Danti ("we," "us," or "our") collects, uses, and protects information provided by users when using our mobile application. We are committed to protecting your privacy and security. This policy may be updated periodically, and we recommend reviewing it regularly.

2. Information We Collect

2.1 Personal Information

• Name and contact information (email, phone number)
• Demographic data
• Employment information
• Billing and payment information
• Attendance and time tracking data

2.2 Biometric Data

What We Collect:

• Facial recognition data for employee identification and attendance purposes
• One profile photograph stored on our servers
• Temporary facial embeddings created during authentication

Processing Details:

1. Profile Photo: One photograph of your face is captured and stored on our secure servers. This photo is used as your profile image and for generating facial embeddings when needed.
2. Facial Embeddings: When you clock in/out:
   • Your live facial image is captured
   • A temporary facial embedding (encrypted numerical representation) is generated
   • This embedding is compared against the embedding generated from your stored profile photo
   • Both embeddings are permanently deleted immediately after the face matching process is complete
   • No facial embeddings are stored long-term on our servers
3. Original Live Photos: Any live photos captured during clock-in/out are never stored and are discarded immediately after embedding generation.

2.3 Location Data

What We Collect:

• Real-time GPS location data while you are on shift
• Location is collected in the background even when the app is not actively in use

When We Collect:

• Location tracking begins when you start your work shift
• Location tracking continues throughout your shift duration
• Location tracking stops when you end your shift

Retention:

• Location data is automatically deleted once your shift ends
• We do not retain historical location data after shift completion
• Location is used only for verifying attendance at designated work locations

Purpose:

• Verify you are at the designated work location
• Ensure accurate time and attendance tracking
• Prevent fraudulent clock-ins from unauthorized locations

2.4 Technical Data

• Device information (model, operating system version)
• IP address
• App usage data and analytics
• Error logs and diagnostic data

3. How We Use Your Information

We use collected data to:

• Provide, maintain, and improve our services
• Process attendance and payroll
• Verify employee identity and work location
• Send service-related communications
• Analyze app usage and performance
• Comply with legal obligations
• Prevent fraud and ensure security

3.1 Legal Basis for Processing

We process your data based on:

• Your explicit consent (biometric data, location tracking, marketing communications)
• Contractual necessity (employment records, payroll processing)
• Legal obligations (tax reporting, labor law compliance)
• Legitimate business interests (service improvement, security, fraud prevention)

4. Facial Recognition and Biometric Data

4.1 Purpose and Processing

Our app uses facial recognition technology exclusively for employee identification, attendance tracking, and payroll purposes within the same organization.

Detailed Processing Flow:

1. Initial Registration:
   • You provide explicit consent for biometric data collection
   • One profile photograph is captured
   • Photo is encrypted and stored on secure cloud servers
   • This photo serves as your reference image
2. Clock-In/Clock-Out Process:
   • Live facial image is captured through your device camera
   • Temporary facial embedding is generated from live image
   • Temporary facial embedding is generated from your stored profile photo
   • Both embeddings are compared for identity verification
   • Both temporary embeddings are immediately and permanently deleted after comparison
   • Result (match/no match) is recorded for attendance
3. Data Storage:
   • Only your profile photograph remains stored
   • No facial embeddings are stored
   • All embeddings are ephemeral (temporary) and deleted within seconds

4.2 Apple TrueDepth API

For iOS devices, Danti uses Apple's TrueDepth API solely for facial verification during clock-in/clock-out. This data is:

• Processed locally on the device only
• Never stored or transmitted externally
• Discarded immediately after use
• Never leaves your device

4.3 Consent and Rights

Consent Requirements:

• Users must provide explicit, informed, written consent before any facial data is captured
• Consent is obtained through a clear checkbox during registration
• By registering and checking the biometric consent box, you agree to the biometric processing described herein
• Consent is voluntary and can be withdrawn at any time

Your Rights:

• Facial data is never sold, shared with third parties, or used for advertising or profiling
• You may withdraw consent at any time (though this will disable facial recognition features)
• You may request deletion of your biometric data at any time
• Alternative authentication methods (PIN code) are available if you decline biometric consent
• Data is encrypted, access-controlled, and limited to authorized personnel only

4.4 Data Retention

Profile Photograph:

• Retained for the duration of employment
• Deleted within 30 days of:
  • Employment termination
  • User deletion request
  • Account closure
  • Maximum of 3 years from last interaction (whichever comes first)

Facial Embeddings:

• Not stored - created temporarily and deleted immediately after each authentication
• Retention time: Seconds (only during active face matching process)
• No long-term storage of embeddings

4.5 Compliance

4.6 Security Measures for Biometric Data

• End-to-end encryption during transmission
• AES-256 encryption at rest for stored profile photos
• Multi-factor authentication for administrative access
• Regular security audits and penetration testing
• Isolated secure servers for biometric data storage
• Access logs maintained for all biometric data access
• Automatic deletion protocols for temporary embeddings

5. Location Data Collection and Use

5.1 When and Why We Collect Location

Purpose:

• Verify employee presence at designated work locations
• Ensure accurate time and attendance records
• Prevent time theft and fraudulent clock-ins
• Meet employer requirements for location-based attendance

Collection Timing:

• Location tracking begins when you start your work shift
• Continues throughout shift duration, including background mode
• Stops automatically when you end your shift

5.2 Background Location Collection

Why Background Collection:

• To verify you remain at the work location during your shift
• To maintain continuous attendance verification
• To ensure accurate geofencing compliance

Your Control:

• You can see when location is being tracked (status notification)
• Location tracking only occurs during active work shifts
• You can end your shift at any time to stop location tracking

5.3 Location Data Retention

Automatic Deletion:

• Location data is automatically deleted when your shift ends
• No historical location data is retained after shift completion
• We do not build location history or movement patterns

Storage:

• Location data is stored temporarily only during active shifts
• Used in real-time for attendance verification
• Not archived or used for any other purpose

5.4 Location Permissions

To use Danti's attendance features, you must grant:

• iOS: "Always Allow" location permission
• Android: "Allow all the time" location permission

You can revoke these permissions at any time through device settings, but this will disable attendance tracking features.

6. Data Sharing and Third Parties

6.1 Third-Party Services

We integrate with trusted third-party providers:

• Google Play Services - App functionality
• Google Analytics for Firebase - Usage analytics (does not access biometric or location data)
• Cloud service providers - Secure data storage and processing

Link to the privacy policy of the external service providers used by the app:

• Google Play Services
• Google Analytics for Firebase

These third parties may access limited personal information only to perform specific tasks on our behalf and are contractually bound not to disclose or use it for other purposes.

Important: Third parties never have access to:

• Your facial biometric data
• Your location data
• Your facial embeddings

6.2 Data We Do NOT Share

• We do not sell, rent, or trade your personal information
• Facial biometric data is never shared with third parties
• Location data is never shared with third parties (except with your employer)
• Data is not used for advertising or marketing by third parties
• We do not share data with data brokers or analytics companies beyond Firebase

6.3 Data Controller vs Processor

Important Legal Distinction:

Employers using Danti are the data controllers for employee information. Danti acts as a data processor.

This means:

• Your employer determines why and how your data is processed
• Your employer is responsible for obtaining your consent
• Your employer must respond to your data rights requests
• Danti processes data on behalf of your employer according to their instructions

7. International Data Transfers

Your data may be transferred to and stored on servers located outside your country of residence, including in the United States. We ensure appropriate safeguards through:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Standard contractual clauses (SCCs)
• Compliance with applicable data protection laws
• Data processing agreements with cloud providers

8. Data Security

We employ industry-standard security measures to protect your information:

Technical Measures:

• End-to-end encryption for sensitive data (biometric and location)
• AES-256 encryption for data at rest
• TLS 1.3 for data in transit
• Secure API authentication with tokens
• Automatic session timeout
• Encrypted local storage on device

Organizational Measures:

• Access controls and role-based permissions
• Regular security audits and penetration testing
• Employee training on data protection
• Incident response plan
• Security monitoring and logging
• Annual third-party security assessments

Limitations:

However, no transmission or storage method is 100% secure. We cannot guarantee absolute security. You use the service at your own risk.

9. Data Retention

We retain personal data only as long as necessary for:

• The purposes outlined in this policy
• Legal and regulatory requirements
• Resolution of disputes

Specific Retention Periods:

Data Type	Retention Period
Profile photograph (biometric)	Duration of employment + 30 days (max 3 years)
Facial embeddings	Seconds (deleted immediately after matching)
Location data	Duration of shift only (deleted when shift ends)
Attendance records	As required by labor laws (typically 3-7 years)
Account data	Until account deletion requested
Technical logs	90 days
Payment information	As required by tax laws

10. Your Rights

You have the right to:

• Access your personal data - Request a copy of all data we hold about you
• Correct inaccurate or incomplete data - Update your information at any time
• Delete your data (right to be forgotten) - Request complete deletion of your account and data
• Object to data processing - Object to how we use your data
• Restrict processing - Limit how we use your data
• Export your data (data portability) - Receive your data in a machine-readable format
• Withdraw consent at any time without affecting prior processing
• Opt-out of location tracking (will disable attendance features)

To exercise these rights, contact us at: soporte@dantiapp.com

Response Time: We will respond to requests within 30 days (45 days for complex requests).

10.1 California Residents (CCPA/CPRA)

Under CCPA and CPRA, California residents have additional rights including:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (Note: We do NOT sell personal information)
• Right to limit use of sensitive personal information (biometric and location data)
• Right to correct inaccurate personal information
• Right to non-discrimination for exercising privacy rights

10.2 Illinois Residents (BIPA)

Under BIPA, Illinois residents have specific rights:

• Right to written notice of biometric data collection
• Right to written consent before collection
• Right to know the specific purpose and retention period
• Right to request deletion within 3 years of last interaction
• Right to immediate deletion upon employment termination
• Private right of action - You can sue for BIPA violations ($1,000-$5,000 per violation plus attorneys' fees)

11. Breach Notification

In the event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours of discovery
• Report to relevant authorities as required by law
• Take immediate action to secure systems
• Provide information about the nature of the breach and steps to protect yourself

12. Cookies and Tracking

Danti does not explicitly use cookies in the mobile application but may integrate third-party libraries that do.

Third-Party Cookies:

• Google Analytics for Firebase may use identifiers for analytics
• You can opt-out of analytics through device settings

You can configure your device to limit ad tracking. Rejecting tracking may affect some app functionality.

13. Log Data

In case of app errors, we may collect diagnostic data including:

• IP address
• Device information and operating system version
• App configuration and usage patterns
• Timestamps and error logs
• Crash reports

Purpose: This data is used exclusively for debugging and service improvement.

Retention: Log data is retained for 90 days then automatically deleted.

Privacy: Log data does not contain biometric or location information.

14. Links to Third-Party Sites

Our app may contain links to third-party websites or services not operated by us. We have no control over their content or privacy practices. Please review their privacy policies independently before providing any information.

15. Children's Privacy

Our services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children.

If we discover we have collected data from a child under 13, we will:

• Delete the data immediately
• Notify the parent or guardian if contact information is available
• Terminate the account

If you believe a child has provided us with personal information, please contact us immediately at soporte@dantiapp.com.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect:

• Changes in our practices
• Legal or regulatory requirements
• New features or services
• User feedback

Notification:

• Changes will be posted on this page with an updated "Last Updated" date
• Material changes will be notified via email or in-app notification
• Continued use of the app after changes constitutes acceptance of the revised policy

17. Contact Us

If you have questions, concerns, or wish to exercise your data rights, please contact us:

Email: soporte@dantiapp.com
Subject Line: "Privacy Request" or "Data Rights Request"
Response Time: We will respond to requests within 30 days (45 days for complex requests)

18. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of Colombia and complies with applicable international and U.S. federal and state data protection regulations including:

International:

• General Data Protection Regulation (GDPR) - European Union
• Colombian Law 1581 of 2012
• Mexican LFPDPPP

United States - Federal:

• Federal Trade Commission Act (FTC Act)
• Children's Online Privacy Protection Act (COPPA)

United States - State Laws:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Illinois Biometric Information Privacy Act (BIPA)
• Texas Capture or Use of Biometric Identifier Act (CUBI)
• Washington State Biometric Privacy Laws
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• And other applicable state privacy laws

---

Acknowledgment and Consent

---

Last Updated: October 23, 2025
Version: 2.0

For questions or concerns, contact us at:
soporte@dantiapp.com