Last updated: June 2026
This Privacy Policy explains how iClock (operated by IDA System & Support, Mauritius) (“we”, “us” or “our”) collects, uses, discloses and safeguards your personal information when you use our human-resources, attendance and payroll software-as-a-service platform (the “Service”).
It is written to comply with the Mauritius Data Protection Act 2017 and, where applicable, the EU/UK General Data Protection Regulation (GDPR). By creating an account, submitting an Employee Data Sheet, clocking in or otherwise using the Service, you acknowledge that you have read and understood this Policy.
1. Who is the data controller?
Your employer is the data controller for your employment-related personal data. iClock acts as a data processor on their behalf, processing personal information only as instructed by your employer or as required by law.
For platform-level data (account creation, login, billing, support tickets) iClock acts as the data controller.
2. What information we collect
2.1 Identity and contact data
- Full name, employee ID, date of birth, gender, nationality, national ID or passport number
- Personal and work email addresses, phone numbers, postal address
- Emergency contact names, relationship and phone numbers
2.2 Employment data
- Job title, department, team, employment type, hire date
- Contracted weekly hours, shift schedules, leave balances, leave history
- Attendance records (clock-in/clock-out times, multi-session breaks)
- Position-related notes, file attachments uploaded by HR
2.3 Payroll and financial data
- Basic pay, allowances, commissions, deductions, loan balances
- Bank account number, bank, branch (used solely for salary disbursement)
- Tax-related identifiers (e.g. CSG, PAYE, NSF references for Mauritius payroll)
2.4 Technical and verification data
- Selfie photographs captured at the time of clock-in/out (for attendance verification)
- GPS coordinates at the time of clocking, where the employer enables this feature
- IP address, browser type, device information, page-level usage events
- Cookies and session tokens necessary for authentication
2.5 Communications
- Support requests sent to us by email, WhatsApp or in-app messaging
- Email open events recorded by a 1×1 tracking pixel inside welcome and notification emails (used to confirm receipt only)
3. Why we process your data
We process personal data only for legitimate, documented purposes:
- Performing the employment contract — rostering, payroll, attendance, leave management.
- Legal obligations — compliance with the Mauritius Workers' Rights Act, Income Tax Act, NSF Act, CSG Act, OSH Act and similar regulations.
- Legitimate interests — verifying attendance with selfies/GPS, preventing time-theft and buddy-punching, securing the platform against unauthorised access.
- Consent — for optional features such as receiving WhatsApp notifications.
4. How long we keep data
- Selfie photographs — deleted automatically after 90 days by a nightly cron job. Only the corresponding clock-in/out timestamp is preserved for audit.
- Attendance records — retained for the duration of employment plus 7 years (Mauritius statutory record-keeping period).
- Payroll data — retained for 7 years to satisfy MRA, NSF and CSG audit requirements.
- Account credentials — retained for as long as the account is active; deleted within 30 days of account closure.
- Technical logs — rotated every 90 days unless required for an active security investigation.
5. Who we share data with
We do not sell your data. We share it only with:
- Your employer's authorised personnel — HR, payroll, line managers (scoped by the Roles & Permissions system).
- Sub-processors we rely on to deliver the Service:
  - Hosting — cPanel-managed servers operated by our infrastructure provider in Mauritius.
  - Email delivery — SMTP relay (transactional email).
  - WhatsApp messaging — Green API.
- Public authorities when compelled by a court order, subpoena or other lawful request (e.g. MRA, Police, Employment Relations Tribunal).
Each sub-processor is bound by a written data-processing agreement that meets the standards of the Mauritius Data Protection Act 2017.
6. International transfers
Data is hosted primarily in Mauritius. Some sub-processors (e.g. Green API for WhatsApp) may process metadata outside Mauritius. Where data is transferred to a country without an adequacy decision, we rely on Standard Contractual Clauses or an equivalent safeguard.
7. Your rights
Under the Mauritius DPA 2017 and (where applicable) the GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase data when no longer necessary (subject to statutory retention)
- Restrict or object to certain types of processing
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with the Mauritius Data Protection Office (dataprotection.govmu.org) or your local supervisory authority
To exercise these rights, contact us at privacy@iclock.mu. We respond within 30 calendar days.
8. Security
We apply reasonable technical and organisational measures including:
- bcrypt password hashing (no plaintext storage)
- HTTPS in transit, enforced by HSTS
- Per-tenant data isolation by company_id in every query
- Role-based access control with permission auditing
- Activity logging for sensitive actions (data exports, password resets, employee approvals)
- 90-day automated purging of biometric verification photographs
- Regular database backups with encrypted storage
9. Cookies
We use only strictly-necessary cookies for session authentication and CSRF protection. We do not use third-party advertising cookies.
10. Children
The Service is not directed at children under 16. If you believe a minor has been registered as an employee in error, contact us and we will delete the account.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced via in-app notification and email at least 14 days before they take effect.
12. Our Data Protection registration
IDA System & Support Ltd is registered as a Data Controller with the Mauritius Data Protection Office under registration number C22579, valid from 01 August 2023 to 31 July 2026. The official certificate, issued by the Data Protection Commissioner, is available below.
Download DPO Controller Certificate (PDF)
13. Contact