This policy explains what personal data the Stockey ESS mobile application collects, why it is collected, how it is used, and what rights you have over your data. Please read it carefully before using the app.
1. Who We Are
Stockey ESS is an Employee Self-Service application operated by your employer through the Stockey platform. The application is provided to you by your organisation to manage your attendance, payroll information, leave requests, and work schedule.
Your employer (the organisation that deployed Stockey ESS) is the data controller responsible for how your personal data is processed. The Stockey platform acts as a data processor on behalf of your employer.
2. Data We Collect
2.1 Account & Identity Information
- Full name
- Email address
- Phone number
- National ID number (stored encrypted)
- Job title and branch assignment
- Employment start date
- Profile photo (avatar), if uploaded
2.2 Attendance Data
- Check-in and check-out timestamps
- GPS coordinates at the moment of check-in and check-out
- Selfie photos taken at check-in and check-out
- Break start and end times
- Late arrivals, early departures, and overtime minutes
2.3 Payroll & Financial Data
- Monthly base salary (stored encrypted)
- Salary additions and deductions per pay period
- Net pay amounts
- Payslip records
2.4 Leave & Requests
- Leave requests (type, dates, status)
- Leave balances per leave type
- Overtime requests
- Attendance correction requests
2.5 Device & Technical Data
- Device identifier (UUID generated by your device)
- Device platform (Android or iOS)
- FCM push notification token
- App version
- Last active timestamp
3. Why We Collect It
We only collect data that is strictly necessary to deliver the service. The legal basis for processing your data is the performance of your employment contract and your employer's legitimate business interests in operating a workforce management system.
- Attendance verification: GPS and selfie data confirm that check-ins happen at authorised locations.
- Payroll calculation: Attendance records, overtime, and leave directly determine your pay each period.
- Leave management: Leave balances and requests are required to manage your entitlements correctly.
- Push notifications: Device tokens are used only to send you work-related alerts (leave decisions, payslip availability, shift changes).
4. How We Use Your Data
- Calculating and processing your payroll each pay period
- Generating and providing your payslips
- Tracking and approving your leave requests
- Verifying your location during check-in to enforce workplace attendance policies
- Sending you push notifications about decisions that affect your employment (leave approvals, salary updates, shift changes)
- Generating attendance and payroll reports for your employer's HR team
- Maintaining an audit trail of HR actions for compliance purposes
We do not use your data for advertising, profiling for marketing purposes, or any purpose unrelated to your employment.
5. Data Sharing
Your personal data is only shared in the following circumstances:
- Your employer's HR team: Authorised HR managers and administrators can view your attendance records, payroll data, and requests as part of their duties.
- Firebase (Google): Push notification tokens are transmitted to Google Firebase Cloud Messaging solely to deliver work notifications to your device. Google processes this data under their own privacy policy.
- Hosting infrastructure: Your data is stored on servers provided by our hosting provider. They act as a data processor under a data processing agreement.
We do not sell, rent, or trade your personal data to any third party.
6. Data Retention
- Attendance records: Retained for the duration of your employment and for a period of up to 5 years after termination for legal and audit purposes.
- Payslips: Retained for a minimum of 5 years to comply with labour and tax regulations.
- Selfie photos: Retained for the same period as attendance records.
- Device tokens: Deleted automatically when your account is deactivated, when the app is uninstalled, or when Firebase reports the token as invalid.
- Leave requests: Retained for the duration of your employment and 3 years after termination.
7. Security
We take the security of your personal data seriously and implement the following measures:
- All data is transmitted over HTTPS (TLS encryption).
- Sensitive fields including your salary and national ID are encrypted at rest in the database.
- Access to HR data is restricted by a role-based permission system — staff can only see data appropriate to their role.
- Authentication tokens expire and are revoked on logout.
- The Firebase service account credential used for push notifications is stored securely on the server and is never exposed to the client.
No system is completely secure. If you suspect unauthorised access to your account, contact your HR department immediately.
8. Your Rights
Depending on applicable data protection law, you may have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request correction of inaccurate data. For attendance or payroll corrections, use the in-app correction request feature.
- Right to erasure: You may request deletion of your data, subject to our legal obligations to retain certain records.
- Right to object: You may object to certain types of processing.
- Right to data portability: You may request your data in a structured, machine-readable format.
To exercise these rights, contact your HR department. Requests will be handled within 30 days.
9. Location Data
The app requests access to your device's precise GPS location only at the moment you tap Check In or Check Out. Location is not tracked continuously or in the background.
Your coordinates are compared against the geographic boundaries of your assigned work branches to verify that you are on-site. The coordinates are stored alongside your attendance record and are accessible to your employer's HR team.
You may deny location permission in your device settings, but this will prevent you from checking in or out through the app.
10. Camera & Photos
The app requests access to your device's camera to take a selfie photo at check-in and check-out. These photos are used for identity verification as part of your employer's attendance policy.
Photos are uploaded securely to the server and stored alongside your attendance record. They are accessible to authorised HR staff. Photos are not used for facial recognition or biometric identification — they are stored as plain images for manual review if required.
11. Push Notifications
The app registers your device with Google Firebase Cloud Messaging (FCM) to receive push notifications. Your FCM device token is stored on our servers and is used exclusively to send you work-related alerts, including:
- Leave request approved or rejected
- Overtime request approved or rejected
- Shift assignment or removal
- Payslip availability
- Attendance record corrections
You can disable push notifications at any time in your device settings. This will not affect your ability to use the app, but you will need to check the app manually for updates.
12. Children's Privacy
Stockey ESS is an employee application intended solely for adults in an employment relationship. We do not knowingly collect data from anyone under the age of 18. If you believe a minor's data has been processed incorrectly, please contact your HR department.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page. Significant changes will be communicated through the app or via your HR team. Continued use of the app after changes are posted constitutes your acceptance of the updated policy.