Private by design How OnSpots handles your data

Privacy Policy

Last updated: 11 July 2026 OnSpots · onspots.app

OnSpots is a GPS attendance app for small teams, published by YWBi / Yeowubie Interaction. This policy explains what we collect, why, who can see it, and the choices you have. OnSpots is multi-tenant: every company is a separate, isolated tenant, and your company's admins administer your account and records inside the app.

The short version
  • Location is used only at check-in and check-out to verify you're inside the office geofence.
  • Foreground / "when in use" location only — no background tracking.
  • Your data is visible to you and your company's admins — isolated per company.
  • Face ID / biometrics stay on your device — never sent to us.
  • No third-party advertising and no cross-app tracking.
  • We never sell your data.
1

Introduction

OnSpots ("OnSpots", "the app", "we", "us") lets employees check in and out of work with one tap — verified inside the office GPS geofence — and lets admins manage approvals, announcements, offices, and monthly exports, all from a single mobile app. To do that, OnSpots processes a limited set of personal data.

We designed OnSpots to collect only what the attendance service needs. We do not use your data for third-party advertising, we do not track you across other apps or websites, and we do not sell your data. This policy describes the practices of the OnSpots app; the company you work for is responsible for how it manages its own team's attendance.

2

Data We Collect

We collect the following categories of data, all in order to provide the attendance service.

Account information

  • Your name and email address (your email is also your login identifier)
  • Your password, stored only as a salted hash (PBKDF2) — we never store your plaintext password
  • Your preferred language (English, Vietnamese, or Korean)
  • Your role (employee or admin), and your position / job title and job function, if provided
  • The office you are assigned to within your company

Attendance records (created when you check in or out)

  • Check-in and check-out timestamps
  • GPS coordinates (latitude and longitude) captured at check-in and check-out, and the reported location accuracy
  • The distance between your device and the office geofence at check-in / out
  • A "mock GPS" flag indicating whether the operating system reported the location as simulated / spoofed
  • The office associated with the check-in / out, the resulting status (e.g. on time, late), and any note you attach

Requests

  • Remote-work, leave, and early-leave requests you submit — including the dates, the request type, and any reason you provide
  • The review decision (approved / rejected) and any reviewer note

Device & notification data

  • Expo push notification tokens for the devices you sign in on, so we can send you notifications; we also record the device platform and device name to help you identify your devices

Security & audit data

  • An audit log of certain actions (the action, the actor, the target, a timestamp, and the IP address of the request), used for security and to administer the service
  • Session tokens are stored only as hashes for refresh-token rotation and reuse detection

Company information (managed by admins)

  • Company name, brand logo, timezone, work-hours and lateness-grace settings
  • Office details including name, address, GPS coordinates, and geofence radius
  • Announcements posted to the company

We do not intentionally collect special categories of data such as health data, or biometric identifiers stored on our servers. See Location Data below for how location and biometrics are handled.

3

How We Use Your Data

We use the data above only to provide and operate the OnSpots attendance service — that is, for the app's core functionality:

  • To verify that a check-in or check-out happens inside your office's geofence
  • To record attendance and classify it as on time or late against your company's work hours and grace window
  • To let you submit remote / leave / early-leave requests and let admins review them
  • To send you notifications (approvals, announcements, reminders) via push, with in-app history
  • To generate your company's monthly CSV export for payroll — OnSpots supplies raw times only and does not calculate pay
  • To authenticate you, keep your account secure, detect abuse (including spoofed-location check-ins), and maintain an audit trail
  • To send account-related email, such as password-reset messages

We do not use your data for third-party advertising, ad targeting, or cross-app / cross-site tracking, and we do not sell it.

4

Location Data

Location is central to how OnSpots works, so we describe it separately.

  • OnSpots reads your device's precise location only at the moment you check in or check out. It is used to measure your distance from the office geofence and confirm you are on-site.
  • OnSpots uses foreground / "when in use" location only. It does not track your location in the background and does not follow your movements through the day.
  • The location captured at check-in / out is stored as part of your attendance record and is therefore linked to your identity and visible to your company's admins.
  • Approved remote-work days do not require a location check.

Face ID / biometrics

If you enable biometric unlock, your device's Face ID / Touch ID (or Android biometrics) is used only locally on your device to unlock the app. Your biometric data never leaves your device and is never sent to or stored by OnSpots.

5

Sharing & Sub-processors

Who can see your data inside OnSpots

Your attendance records, requests, and profile are visible to you and to the admins of your own company. Because OnSpots is multi-tenant, your data is isolated from every other company using OnSpots — one company cannot see another company's people or records.

Sub-processors

We use the following service providers to run OnSpots. They process data on our behalf, under our instructions, to deliver the service:

  • Cloudflare, Inc. — application hosting (Workers), database (D1), file storage for logos (R2), and transactional email (Cloudflare Email Service). Data is processed on Cloudflare's global network.
  • Expo (Expo push notification service) — delivery of push notifications to your device.

We do not sell your personal data, and we do not share it with third parties for their own marketing or advertising. We may disclose data if required by law, to comply with a valid legal request, or to protect the rights, safety, and security of users and the service.

6

Data Retention & Deletion

  • We keep your account and attendance data while your account and your company remain active, so your attendance history stays available to you and your admins.
  • Account deletion. You can delete your account in the app. When you do, we deactivate your account and "tombstone" your email address so it cannot be reused to identify you, and your records are deactivated. Some information may be retained for a limited period where needed for security, audit, or legal reasons.
  • Company closure. If a company stops using OnSpots and is closed, the organization and its records are deactivated.
  • Audit-log and security records may be retained for a limited period to protect the service.

Within a company, admins also manage employee records and may add, change, or remove them. If you need help deleting your data, contact us (see Contact).

7

Security

We take reasonable measures to protect your data:

  • Passwords are stored only as salted PBKDF2 hashes; we never store plaintext passwords.
  • Sessions use short-lived access tokens plus rotating refresh tokens with reuse detection; refresh tokens are stored only as hashes.
  • Tenant isolation: every record is scoped to its company, and access is determined from your verified session — never from unverified client input — so companies' data stays separated.
  • Traffic to OnSpots is served over HTTPS / TLS.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your information.

8

Your Rights

Depending on where you live, you may have rights to access, correct, or delete your personal data, and to object to or restrict certain processing.

  • Access & correction: you can view and update much of your profile in the app; your company's admins can also correct employee records.
  • Deletion: you can delete your account in the app (see Retention & Deletion), or contact us for help.
  • Requests to us: contact us using the details below to exercise your rights. We may need to verify your identity first.

Because OnSpots is used by your employer, some requests — particularly about attendance records your company keeps — may also need to go through your company's admins, who control that data.

9

Children

OnSpots is a workplace attendance tool and is not directed at children. It is not intended for use by anyone under the age of 13 (or under the minimum age required in your country, such as 14 or 16 where applicable), and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will take appropriate steps to remove it.

10

International Data Transfers

OnSpots is hosted on Cloudflare's global network, and our email and push providers also operate globally. This means your data may be processed on servers in countries other than the one you live in. Wherever it is processed, we apply this Privacy Policy and rely on our providers' safeguards for international data transfers.

11

Changes to This Policy

We may update this Privacy Policy from time to time — for example, when we add features or change providers. When we do, we will revise the "Last updated" date at the top of this page. Significant changes may be communicated in the app. Your continued use of OnSpots after an update means you accept the revised policy.

12

Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Placeholder: the OnSpots team should confirm or replace the contact email before publishing.

Data controller: YWBi / Yeowubie Interaction, publisher of OnSpots. For attendance data held by your employer, your company is also a controller of that data.