Punchly

Privacy Policy

Last updated 11 July 2026

This Privacy Policy explains how Punchly, an early-access service operated by Viktoras Chorunas ("Punchly", "we", "us"), collects and uses personal data when you use the Punchly website and time-tracking service (the "Service"). We are the "data controller" for the personal data described in this policy, except where we act as a processor on behalf of our business customers (see "Employee data" below).

Who we are

Punchly is an independent, early-access project operated by an individual (sole trader), not a registered company. For the purposes of UK data protection law, the operator named below is the data controller for the personal data described in this policy.

The data we collect

Depending on how you use the Service, we collect:

  • Account data — your name, email address, and password (stored hashed) when you register an account.
  • Company & workplace data — the business name, workplaces, and settings you configure.
  • Employee data you enter — the names, PINs, QR badge identifiers, and (optionally) clock-in photos of the staff you add, plus their clock-in and clock-out records.
  • Usage & technical data — IP address, device and browser information, and network details used to operate the Service and to flag potentially fraudulent clock-ins.
  • Cookies — see our Cookie Policy.

Employee data — when we act as a processor

When you (a business customer) add your staff and record their working time, you are the data controller for that employee data and Punchly acts as your data processor, handling it only on your instructions to provide the Service. You are responsible for having a lawful basis to process your staff's data and for informing them about it. A separate Data Processing Agreement governs this relationship — see our Terms of Service.

Clock-in photos

If you enable clock-in photos, images of your staff are captured at each punch and stored securely, viewable only by the owning company. Photographs of identifiable individuals are personal data and, where used to confirm identity, may be treated as sensitive. As the controller of this data, you must ensure you have an appropriate lawful basis and have informed your staff before enabling this feature.

How we use personal data and our lawful bases

  • To provide and operate the Service — performance of a contract.
  • To secure the Service and detect fraudulent or off-site clock-ins — legitimate interests.
  • To communicate with you about your account and important changes — performance of a contract / legitimate interests.
  • To comply with our legal obligations — legal obligation.
  • For optional analytics to improve the Service — consent, where required.

Sharing and sub-processors

We do not sell personal data. We share it only with service providers that help us run the Service, under appropriate safeguards, including our website hosting provider, our transactional email provider, and Umami (privacy-friendly, cookieless analytics). We may also disclose data where required by law.

International transfers

Where personal data is transferred outside the UK, we rely on appropriate safeguards such as UK adequacy regulations or the International Data Transfer Agreement.

Retention

We keep personal data for as long as your account is active and as needed to provide the Service. When your account is closed we delete or anonymise it within 12 months, unless a longer period is required by law.

Security

We use technical and organisational measures to protect personal data, including encryption in transit, hashed passwords, and access controls that scope company data to its owner. No system is perfectly secure, but we work to protect your information.

Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. To exercise these rights, contact us at [email protected]. If your data is held by a business customer (as controller), please contact them directly. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).

Children

The Service is not directed at children and is intended for use by businesses and their staff.

Changes to this policy

We may update this policy from time to time. Material changes will be notified through the Service or by email. The "last updated" date above shows the current version.