Basmah — Privacy Policy

Effective date: December 29, 2025

This Privacy Policy explains how Basmah (“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use the Basmah web and mobile apps, APIs, or integrations (the “Service”). Basmah is an attendance management system that uses facial verification, geolocation, and integrations (e.g., ERP systems). This is a product-focused, practical policy — please adapt the retention times, contact details, and legal basis to match your jurisdiction and operational choices, and consult legal counsel before publishing.

1. Short summary (plain English)

  • We collect employee information (name, photo, employee ID), images you upload from the camera, and location data when checking in/out.
  • We use AWS Rekognition to perform face verification and AWS S3 to store employee photos. We also use Google Maps APIs for geocoding/geofencing and third-party analytics and infrastructure providers.
  • You will be asked for explicit consent before facial recognition or location features run.
  • You can request access, correction, deletion, or export of your personal data; contact us at contact@bb4first.com.
  • We do not sell personal data.

2. What personal data we collect

We may collect and process the following categories of personal data:

Identity & account data

  • Name, employee identifier, email, phone, job title, team.

Biometric & image data

  • Employee photos and images captured by the camera.
  • Derivatives used for verification (e.g., face match results, non-reversible face templates / facial feature metadata) — only if your organization enables storing those templates.
  • Note: If you do not store templates and only perform ephemeral comparisons, state that clearly in your configuration.

Location data

  • GPS coordinates, geofence check-in/out points and timestamps when using location features.

Attendance & usage records

  • Timestamps of check-ins/out, device identifiers, IP address, attendance logs, and related metadata.

Device & diagnostic data

  • Device model, OS, app version, logs, crash reports, network & performance metrics.

Third-party & integration data

  • Data sent to/received from ERP systems via webhooks/APIs (attendance exports, employee lists) — only per your integration settings.

Cookies & analytics

  • Cookies and similar technologies for authentication, session management, and product analytics.

3. How and why we use your data (purposes)

We process data to provide and improve the Service, for the following purposes:

  • Identity verification & attendance — using facial recognition to verify employee identity at check-in/out.
  • Location verification & geofencing — to confirm presence at a workplace location.
  • Core service operations — storing attendance history, generating reports, Excel exports.
  • Integrations — sharing attendance data with ERPs or other systems when you (or your admin) authorize an integration.
  • Security & fraud prevention — detect abuse, prevent impersonation.
  • Analytics & improvement — usage analytics, product improvement (aggregate / anonymized where possible).
  • Legal compliance & requests — to comply with legal obligations or respond to lawful requests.

Legal basis: Where applicable, we rely on consent (facial processing & location), contract performance (operating the Service), legitimate interests (security, product improvement) or other legal bases required by local law. For biometrics in jurisdictions that require explicit legal basis, we obtain explicit consent before processing.

4. Facial data, Rekognition & what we store

Third-party processor: We use Amazon Web Services (AWS) Rekognition to perform face detection and matching. AWS acts as a data processor under our instructions.

What we send to AWS Rekognition

  • Employee photos or camera captures (images) for analysis.
  • Identifiers or metadata needed for matching (e.g., employee id).

What we store

  • Employee photos are stored in AWS S3 (encrypted at rest) to enable later verification and historical records.
  • Face templates / embeddings: only stored if your organization’s administrator enables that feature. If you choose not to store templates, images are processed and discarded according to your retention settings (see §6).
  • Match results / logs: we may store the result of a match (e.g., matched employee id, confidence score, timestamp).

Be explicit in the UI / consent flow: The app must present clear language before enabling facial features (see §9 for example consent text).

5. Location (GPS) and geofencing

  • Location data is collected only when the user enables location/check-in features and the app has the required OS-level permissions.
  • Purpose: to verify check-in location and support geofencing.
  • Retention: location points used for attendance are retained as part of the attendance record. Admins may configure retention and export options.

6. Retention and deletion

Retention should be configurable by admins. Suggested default framework to include in your published policy:

  • Active employee photos & attendance records: retained while the employee account is active.
  • After account termination or deactivation: photos and face templates are retained for up to 180 days by default (to allow audits and disputes) and then deleted, unless the customer chooses a different retention schedule or is required to retain by law. Attendance logs and reports may be retained longer for legal or contractual reasons (e.g., payroll).
  • Analytics & logs: aggregated/anonymized data retained as necessary for product improvement; raw logs retained for 90 days by default.

Make sure your actual system settings match any retention claims in the published policy. If you offer admins the ability to export or extend retention (for compliance), document that clearly.

7. Sharing & disclosures

We may share personal data in the following ways:

  • With your organization / admins: attendance, photos, and verification results are accessible to the organization that created the Basmah account.
  • ERP & third-party integrations: when you configure an ERP integration or webhook we will send the relevant attendance/employee data to that system. The receiving ERP may then become a separate data controller — the user organization should ensure appropriate agreements are in place.
  • Service providers: AWS (S3, Rekognition), Google Maps, analytics providers, hosting, email, and other service providers who process data on our behalf. We enter appropriate contracts (Data Processing Agreements) with such providers.
  • Legal obligations: to comply with lawful requests (e.g., court orders).
  • For mergers & acquisitions: in connection with a sale or transfer, always with notice to customers as required by law.

We do not sell personal data. If that changes, we will disclose and provide opt-out mechanisms per applicable law (e.g., CCPA/CPRA).

8. International transfers

We host data on cloud providers that may process or store data in multiple countries. Transfers outside of the user’s country may occur (for example, AWS regions). Where required by law, we use appropriate safeguards (e.g., Standard Contractual Clauses). You can request details about the location and safeguards for your organization’s data.

9. Consent, opt-outs & alternatives

  • Facial recognition & location: we require explicit consent before enabling facial recognition or location-based check-ins. Consent is revocable. If a user withdraws consent, the facial or location-based check-in feature will be disabled for that user; alternative check-in methods (PIN, supervisor approvals, manual entry) should be provided.
  • How to withdraw: In-app settings and the user’s account page will include an option to disable facial features or location; you can also contact contact@bb4first.com to request data deletion or to revoke consent.

Suggested in-app consent text (example):

“Basmah will use your camera and facial recognition to confirm identity at check-in. Your photo will be stored in our secure servers (AWS S3). By tapping ‘Allow’, you consent to this processing and to the use of AWS Rekognition for verification. You can withdraw consent in Settings.”

10. User rights (GDPR / global)

Where applicable under local law, users have rights including:

  • Access to personal data we hold about you.
  • Correction/rectification of inaccurate data.
  • Deletion / “right to be forgotten”.
  • Restriction of processing.
  • Portability (receive a copy in machine-readable format).
  • Withdraw consent and object to processing.
  • Lodge a complaint with a data protection authority.

How to exercise: Contact contact@bb4first.com with a description of your request and proof of identity. We will respond within the timeframe required by law.

11. California (CCPA/CPRA) disclosures (example)

If you are subject to California law, you may include:

  • Categories of personal information collected (see §2).
  • Categories of sources (users, admins, devices, third parties).
  • Purposes of collection (see §3).
  • Right to opt-out of sale (we do not sell personal information).
  • Right to disclosure, deletion, and non-discrimination for exercising rights.

To make a request: email contact@bb4first.com or use the in-app privacy request page.

12. Security measures

We implement industry-standard technical and organizational measures, including:

  • TLS encryption in transit and encryption at rest (S3 server-side encryption).
  • Access control and role-based permissions for admin and staff access.
  • Audit logging, monitoring, and periodic security reviews.
  • Regular vulnerability scanning, patching, and secure development practices.

Important: No system is perfectly secure. We will notify affected users in accordance with applicable laws if we become aware of a data breach.

13. Data retention & admin controls (for customers)

Organizations that purchase Basmah can:

  • Configure retention policies for photos and attendance logs.
  • Export attendance data and photos via APIs/webhooks.
  • Set roles and permissions for viewing biometric / attendance data.
  • Configure whether face templates are stored or only ephemeral matching is used.

We recommend customers document and publish their own data handling practices to employees (e.g., company-specific retention, local legal bases, and internal access policies).

14. Children

Basmah is intended for business/organizational users. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, contact us at contact@bb4first.com and we will take steps to delete it where required by law.

15. Cookies & tracking

We use cookies and similar technologies for:

  • Authentication and session management.
  • Feature preferences and language selection.
  • Analytics and product improvement.

Users can control cookies via browser settings and in-app preferences for tracking where available.

16. Changes to this policy

We may update this Privacy Policy. When we do, we will post the new policy with an updated “Effective date.” For material changes affecting user rights, we will notify account administrators and, where required, obtain fresh consent.

17. Contact & data protection officer

For privacy questions, requests, or to exercise your rights:

Email: contact@bb4first.com
Mail: [Insert company address here]
(Replace or add an official DPO contact if required in your jurisdiction.)

18. Practical next steps (for you — product owner)

  1. Decide and document whether you store face templates/embeddings or only perform ephemeral comparisons. Make the policy wording match the implementation.
  2. Set default retention (e.g., active + 180 days) and allow admin overrides. Document this clearly.
  3. Add explicit consent screens for facial recognition and location in the app with the sample text above. Ensure the OS-level permission dialogs appear as required.
  4. DPA / SCCs — ensure you have Data Processing Agreements with AWS and other processors and include references to those processors in your published privacy policy.
  5. App Store / Play Store compliance — add explicit disclosure in your app store listing and privacy manifest as required by platforms (Google Play / Apple).
  6. Get legal sign-off — have counsel review for GDPR, CCPA, local laws in target markets (Kuwait, South Asia, Egypt, etc.).

19. Sample policy snippet you can paste (short version)

Facial Data & Verification
Basmah uses images you provide to verify identity for attendance. Images are securely stored in Amazon S3 and processed using Amazon Rekognition. We use the results only to confirm identity at check-in and for related audits. By enabling facial verification you consent to this processing. Photos and verification data are retained while the employee account is active and for up to 180 days after deactivation by default. Contact contact@bb4first.com to request deletion or export.

Final note

This draft is intended to be product-accurate and practical, not legal advice. Before publishing, update contact details, retention periods, and the exact description of any biometric templates you store — and have the policy reviewed by legal counsel for the jurisdictions where you operate.