Legal

Privacy Policy

Magnus Digital Sdn Bhd (SSM: 1242851-T)  ยท  Effective: 4 June 2026  ยท  punchup@magnusdigital.my

This Privacy Policy explains how Magnus Digital Sdn Bhd ("we", "us", "Punchual") collects, uses, stores, and protects your personal data when you use the Punchual platform. We are committed to protecting privacy in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA) and, for users in the EU/UK, the General Data Protection Regulation (GDPR).

Contents

  1. 1. Who We Are
  2. 2. Data We Collect
  3. 3. How We Use Your Data
  4. 4. Legal Basis for Processing
  5. 5. Data Retention
  6. 6. Data Sharing & Disclosure
  7. 7. Data Security
  8. 8. Your Rights (PDPA)
  9. 9. Your Rights (GDPR โ€” EU/UK Users)
  10. 10. International Data Transfers
  11. 11. Sensitive Data & Consent
  12. 12. Children's Data
  13. 13. Changes to This Policy
  14. 14. Contact Us

1. Who We Are

OrganisationMagnus Digital Sdn Bhd
SSM No.1242851-T
RoleData Controller & Data Processor
Contactpunchup@magnusdigital.my

Punchual acts as a data controller for our own operations and as a data processor on behalf of companies (our clients) who use Punchual to manage their employees' attendance data. Company administrators are the primary data controllers for their employees' records.

2. Data We Collect

From Company Administrators:

  • Identity data โ€” full name, email address, company name, designation
  • Contact data โ€” email address, phone number (if provided)
  • Billing data โ€” billing email, payment reference numbers (no card details โ€” handled by Stripe)
  • Company data โ€” company name, SSM registration number, address, GPS office location

From Staff Members:

  • Identity data โ€” full name, email address, department, designation
  • Contact data โ€” WhatsApp number (optional)
  • Location data โ€” GPS coordinates at time of punch-in/out, rounded to approximately 1 km precision
  • Biometric-adjacent data โ€” selfie photograph taken at time of punch-in for visual identity verification
  • Attendance data โ€” date/time of attendance, leave records, absence reasons, overtime duration
  • Gamification data โ€” points earned, badges, level, attendance streaks (visible to company colleagues)
  • Device data โ€” language preference (stored locally on device only)

โš ๏ธ Selfie & Location Data

These are collected solely for verifying physical attendance. Selfie images are compressed and stored for a maximum of 90 days. Location coordinates are rounded to reduce precision and stored for 90 days.

3. How We Use Your Data

  • Attendance management โ€” recording, verifying, and reporting employee attendance and overtime
  • Account management โ€” creating and managing your Punchual account
  • Service provision โ€” delivering all features of the platform
  • Billing & payment โ€” processing subscriptions and generating invoices
  • Security & fraud prevention โ€” preventing buddy punching and unauthorised access
  • Leaderboard & gamification โ€” showing staff rankings within your company
  • Service improvement โ€” aggregated, anonymised usage analytics
  • Legal compliance โ€” fulfilling obligations under applicable law
  • Communication โ€” sending service notifications and support responses

4. Legal Basis for Processing

  • Contract performance โ€” processing necessary to provide the service you contracted for
  • Consent โ€” location access and selfie capture require explicit in-app consent, recorded with a timestamp
  • Legitimate interests โ€” fraud prevention, service security, aggregated analytics
  • Legal obligation โ€” where required by Malaysian law or applicable regulations

5. Data Retention

Data TypeRetention Period
Attendance records2 years from date of record
Selfie photographs90 days from capture date
Location data90 days from capture date
Leave records2 years from submission
Account dataDuration of account + 30 days after deletion
Payment records7 years (legal / tax requirement)
Consent recordsRetained indefinitely as proof of compliance

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only with:

  • Firebase / Google LLC (USA) โ€” cloud database, authentication, and hosting. Google is our data processor under a Data Processing Agreement. Data may be stored on Google Cloud infrastructure globally.
  • Stripe Inc. (USA) โ€” payment processing for subscriptions. Stripe processes billing email and payment data under their own privacy policy and PCI-DSS compliance. We do not store full card details.
  • Company administrators โ€” attendance records, leave history, selfie thumbnails, and overtime data are visible to authorised admins within your company only.
  • Company colleagues (leaderboard) โ€” your display name, department, points, badges, and attendance streaks are visible to other staff in your company as part of the gamification leaderboard.
  • Law enforcement โ€” where required by a valid court order or applicable law enforcement authority.

7. Data Security

  • Encryption in transit โ€” all data transmitted via HTTPS/TLS encryption
  • Encryption at rest โ€” all data on Google Cloud (Firebase) is encrypted at rest using AES-256
  • Role-based access controls โ€” staff can only view their own records; admins are scoped to their own company's data only
  • Server-side security rules โ€” Firestore Security Rules enforce access control at database level
  • Authentication โ€” Firebase Authentication with email/password; ID tokens verified server-side on all sensitive operations
  • Secrets management โ€” all API keys and payment credentials stored in Firebase Secret Manager, never in application code

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify affected users and relevant data protection authorities within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 and PDPA best practices.

8. Your Rights (PDPA โ€” Malaysian Users)

Under Malaysia's Personal Data Protection Act 2010, you have the right to:

  • Access (Section 30) โ€” request a copy of your personal data we hold
  • Correction (Section 34) โ€” request correction of inaccurate or incomplete data
  • Withdraw Consent (Section 38) โ€” withdraw consent for data processing at any time (may affect service functionality)
  • Prevent Processing โ€” object to processing that causes unwarranted damage
  • Erasure โ€” request deletion of your personal data, subject to legal retention obligations

To exercise any right, email punchup@magnusdigital.my with subject "PDPA Data Request". We will respond within 21 working days.

You may also lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at www.pdp.gov.my.

9. Your Rights (GDPR โ€” EU/UK Users)

If you are located in the European Union, EEA, or United Kingdom, the following rights apply under GDPR / UK GDPR:

  • Right of Access (Art. 15) โ€” request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16) โ€” request correction of inaccurate data
  • Right to Erasure / "Right to be Forgotten" (Art. 17) โ€” request deletion where there is no overriding legitimate reason to continue processing
  • Right to Restrict Processing (Art. 18) โ€” request that we pause processing in certain circumstances
  • Right to Data Portability (Art. 20) โ€” receive your personal data in a machine-readable format
  • Right to Object (Art. 21) โ€” object to processing based on legitimate interests

Email punchup@magnusdigital.my with subject "GDPR Request". We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority โ€” e.g. the ICO (UK), or your national Data Protection Authority within the EU.

10. International Data Transfers

Your data is processed on Google Cloud (Firebase) infrastructure. Google is certified under the EU-US Data Privacy Framework. Transfers of personal data outside the EEA are protected by Standard Contractual Clauses (SCCs) as required by GDPR.

Stripe Inc. (USA) processes payment data under their own adequacy mechanisms and PCI-DSS compliance framework.

11. Sensitive Data & Consent

Before collecting location data and selfie photographs, we obtain explicit in-app consent. Your consent is recorded with a timestamp.

You may withdraw consent at any time by:

  • Revoking location and camera permissions in your device Settings
  • Emailing punchup@magnusdigital.my to request account deletion and data erasure

Withdrawal of consent may prevent certain features from working (e.g. GPS attendance verification).

12. Children's Data

Punchual is intended for use by adults (18+) in a professional employment context. We do not knowingly collect data from individuals under 18. If you believe a minor's data has been collected, contact us immediately at punchup@magnusdigital.my.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered administrators by email and display an in-app notification for material changes. Continued use of the Service after changes constitutes acceptance of the updated Policy. Previous versions are available on request.

14. Contact Us

CompanyMagnus Digital Sdn Bhd
SSM1242851-T
Emailpunchup@magnusdigital.my
SubjectPrivacy / PDPA / GDPR Inquiry
Response timeWithin 21 working days

This policy is governed by Malaysia's Personal Data Protection Act 2010 (Act 709) and, where applicable, the EU General Data Protection Regulation (GDPR).

Last updated: 4 June 2026  ยท  ยฉ Magnus Digital Sdn Bhd. All rights reserved.

Home Terms of Service Contact