Last updated: June 2026
Officially registered
Mauritius Data Protection Office — Controller Registration C22579
IDA System & Support Ltd · Valid 01 Aug 2023 to 31 Jul 2026
This page describes how iClock — operated by IDA System & Support Ltd — meets the requirements of the European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Mauritius Data Protection Act 2017 (which is GDPR-aligned).
1. Lawful basis for processing
For every category of personal data we process, we rely on at least one lawful basis under GDPR Article 6:
- Article 6(1)(b) — Performance of a contract: rostering, payroll, leave, attendance for users employed by our Customers.
- Article 6(1)(c) — Legal obligation: payroll record-keeping and tax reporting required by Mauritius statutes.
- Article 6(1)(f) — Legitimate interests: attendance verification (selfie + GPS), platform security, fraud prevention.
- Article 6(1)(a) — Consent: optional WhatsApp notifications, marketing communications.
Where we rely on legitimate interests, we have carried out a legitimate interests assessment (LIA), including the balancing test that Article 6(1)(f) requires, and concluded that our interests are not overridden by the interests or fundamental rights and freedoms of the data subjects.
2. Roles — controller and processor
For employee data inside a Customer's tenant, the Customer is the data controller and we act as a data processor in line with GDPR Article 28. We sign a Data Processing Agreement (DPA) with every Customer on request, covering:
- Subject matter, duration, nature and purpose of processing
- Categories of data subjects and types of personal data
- Obligations and rights of the controller
- List of approved sub-processors and the right to object to changes
- Confidentiality, security, and data-breach notification commitments
- Assistance with data-subject rights and DPIAs
- Return or deletion of data on termination
For platform-level data (account creation, billing, support requests), IDA System & Support Ltd is the data controller, registered with the Mauritius Data Protection Office under registration C22579.
3. Sub-processors
The following sub-processors may process personal data on our behalf:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| cPanel hosting provider | Server hosting, daily backups | Mauritius | Local jurisdiction |
| Green API | WhatsApp message delivery | EU/Worldwide | Standard Contractual Clauses |
| SMTP relay | Transactional email delivery | Configured per Customer | Customer-controlled |
4. Data subject rights
Every data subject (employee, manager, admin) has the rights granted by GDPR Articles 15–22 and the equivalent provisions of the Mauritius DPA 2017. We assist Customers in fulfilling these requests free of charge:
- Right of access (Art. 15) — we provide a complete export within 30 days.
- Right to rectification (Art. 16) — admins can correct any field directly; otherwise we do it on request.
- Right to erasure / right to be forgotten (Art. 17) — we delete or anonymise data, subject to statutory retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — we provide CSV/Excel exports.
- Right to object (Art. 21) — especially to legitimate-interest processing.
- Right not to be subject to automated decision-making (Art. 22) — we do not perform fully-automated decisions about employees.
To exercise any right, email privacy@iclock.mu. We respond within 30 calendar days.
5. Security measures (Article 32)
We implement risk-appropriate technical and organisational measures:
- Encryption in transit: HTTPS only, with TLS 1.2 or later; HSTS instructs browsers to refuse plain-HTTP connections to the Service (HSTS enforces HTTPS, the TLS version is enforced by server configuration).
- Bcrypt password hashing — passwords are never stored in plaintext.
- Multi-tenant isolation enforced at every database query by company_id.
- Role- and permission-based access control with audit logging of every administrative action.
- Automated 90-day deletion of selfie verification photographs (storage limitation).
- Daily encrypted database backups, retained for 30 days.
- Regular dependency updates and security patches.
- Incident-response plan with notification of breaches within 72 hours where required.
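To make the tenant-isolation measure concrete, here is an added illustration of what "enforced at every database query by company_id" looks like in code. It is not iClock's own code; the table name `attendance`, its columns, the `TenantContext` type and the sample rows are all assumptions constructed for the example. The repository resolves the caller's company_id once, appends it to every statement, and refuses to run any statement that lacks the tenant predicate, so a cross-tenant lookup by primary key (the classic IDOR) returns nothing instead of another Customer's row. The unscoped `vulnerable_get` is kept beside it to show the failure mode being closed.

```python
"""Tenant-scoped data access: every query carries the caller's company_id.

Added example, not iClock's code. Schema, column names and data are constructed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantContext:
    """Identity of the caller, resolved from the session before any query runs."""
    user_id: int
    company_id: int


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two companies (100 and 200) with their own rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attendance (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,"
        " employee_id INTEGER NOT NULL, clocked_at TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO attendance VALUES (?, ?, ?, ?)",
        [
            (1, 100, 7, "2026-06-01T08:02:00"),
            (2, 100, 8, "2026-06-01T08:05:00"),
            (3, 200, 9, "2026-06-01T08:01:00"),
        ],
    )
    return conn


class AttendanceRepo:
    """All reads and writes go through here; the tenant predicate is never optional."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext):
        self._conn = conn
        self._ctx = ctx

    def _run(self, sql: str, params: tuple):
        # Defence in depth: refuse any statement that forgot the tenant column,
        # so a query added later cannot silently leak across tenants.
        if "company_id = ?" not in sql:
            raise ValueError("query must be scoped by company_id")
        return self._conn.execute(sql, params)

    def get(self, record_id: int):
        """Fetch by primary key; returns None for rows owned by another tenant."""
        return self._run(
            "SELECT id, employee_id, clocked_at FROM attendance"
            " WHERE id = ? AND company_id = ?",
            (record_id, self._ctx.company_id),
        ).fetchone()

    def list_all(self):
        """Only the caller's tenant's rows, regardless of what else is in the table."""
        return self._run(
            "SELECT id, employee_id, clocked_at FROM attendance"
            " WHERE company_id = ? ORDER BY id",
            (self._ctx.company_id,),
        ).fetchall()

    def delete(self, record_id: int) -> int:
        """Rows removed: 0 means not found *or* not yours; callers cannot tell which."""
        cur = self._run(
            "DELETE FROM attendance WHERE id = ? AND company_id = ?",
            (record_id, self._ctx.company_id),
        )
        return cur.rowcount


def vulnerable_get(conn: sqlite3.Connection, record_id: int):
    """The unscoped lookup this pattern replaces: any authenticated user reads any id."""
    return conn.execute(
        "SELECT id, employee_id, clocked_at FROM attendance WHERE id = ?",
        (record_id,),
    ).fetchone()
```

Returning None or a row count of 0 for a foreign record, rather than a distinct "forbidden" error, avoids confirming to one tenant that a given id exists in another tenant's data. The string check in `_run` is deliberately crude: it is a guard rail for developers, not a substitute for the predicate itself, which is always bound as a parameter from the session context rather than from request input.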
6. International transfers
Data is hosted primarily in Mauritius. Where data is transferred outside Mauritius (e.g. to Green API for WhatsApp delivery), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- An adequacy decision adopted by the European Commission under GDPR Article 45, or
- Explicit consent for the specific transfer (where lawful).
7. Data Protection Impact Assessments (DPIAs)
For high-risk processing — in particular biometric verification through selfie capture and GPS-based clocking — we have performed an internal DPIA covering:
- Necessity and proportionality of the processing
- Risks to data subjects and mitigations applied
- Retention limits (90 days for selfies)
- Opt-out paths for data subjects
Customers can request a redacted copy of the DPIA template to use as a starting point for their own assessment.
8. Personal-data breach notification
If we become aware of a personal-data breach, we will:
- Notify affected Customers without undue delay and at the latest within 72 hours.
- Provide details of the breach, categories and number of data subjects, likely consequences and the measures taken or proposed.
- Cooperate with the Customer in any onward notification to data subjects or supervisory authorities.
- Notify the Mauritius Data Protection Office where required by sections 25–26 of the DPA 2017.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a minor's data has been recorded by mistake, contact us and we will delete it.
10. Records of Processing Activities (Art. 30)
We maintain a Record of Processing Activities (RoPA) describing each processing operation, the categories of data, retention periods, recipients and security measures. The RoPA is made available to the Mauritius Data Protection Office on request, as Article 30(4) requires.
11. Complaints & supervisory authority
If you believe that our processing of your personal data breaches GDPR or the Mauritius DPA 2017, you have the right to lodge a complaint with:
- The Mauritius Data Protection Office — if you are located in or your data is processed in Mauritius.
- Your local EU/EEA supervisory authority — if you are an EU/EEA data subject.
12. Contact