FaceID
RUEN

Privacy Policy

Privacy Policy

Application: FaceID
Company: LLC "Khizmatrasoni Nav", JDMM
Effective Date: April 11, 2026
Last Updated: April 11, 2026

1. General Provisions

1.1. This Privacy Policy (hereinafter — "Policy") describes what personal data is collected and processed when using the mobile and web application FaceId (hereinafter — "Application"), developed by LLC "Khizmatrasoni Nav" (hereinafter — "Company", "Developer").

1.1.1. The Company is the developer and licensor of FaceId software. The Company does not collect, store, or process personal data of end users (employees) on its servers. The Application is deployed on the infrastructure of the client organization (hereinafter — "Client", "Employer"), which independently acts as the personal data operator of its employees.

1.2. The Company is registered and operates in the Republic of Tajikistan, Dushanbe city. The Company is a resident of IT Park of the Republic of Tajikistan.

1.3. By using the Application, you (hereinafter — "User", "you") confirm that you have read this Policy and consent to the processing of your personal data in accordance with the stated terms.

1.4. Personal data processing is carried out in accordance with the legislation of the Republic of Tajikistan, particularly the Law of the Republic of Tajikistan "On Personal Data".

2. Developer and Data Operator

2.1. Application Developer

Name: LLC "Khizmatrasoni Nav", JDMM
Address: Republic of Tajikistan, Dushanbe
Email: info@hizmatrason.tj
Phone: +992 97 777 73 48
Website: hizmatrason.tj
Telegram: @hizmatrason_bot

The Company develops, licenses, and provides technical support for the Application. The Company is not the operator of end users' personal data.

2.2. Personal Data Operator

The personal data operator is the Client (Employer) — the organization that purchased the FaceId license and deployed the system on its own servers. It is the Client who determines the purposes and means of data processing, manages employee accounts, and is responsible for compliance with personal data legislation.

3. Purpose of the Application

FaceId is a white-label time tracking and employee access control system provided to client organizations (hereinafter — "Client", "Employer") for deployment on their own infrastructure. The Application provides the following functions:

  • Recording employee arrivals and departures (check-in / check-out) with face biometric and geolocation verification;
  • Attendance tracking tied to workplaces (sites/points);
  • Employee location monitoring during working hours (when activated by the employer);
  • Integration with automation systems (iiko) for HR data synchronization and working hours calculation;
  • Integration with Hikvision access control terminals;
  • Notifications via Telegram bot;
  • Administrative panel for managing employees, schedules, and reports.

Important: FaceId is delivered as a white-label solution. The Company develops and licenses the software but does not store or process personal data of end organizations' employees on its servers. All data is stored and processed on the Client (Employer) servers. The Client independently acts as the personal data operator of its employees.

4. What Personal Data the Application Processes

Below are the categories of data that the Application collects and processes on the Client (Employer) servers. The Developer Company does not have access to this data.

4.1. Identification Data

  • First and last name;
  • Login (username);
  • Employee card number (if available);
  • Role in the system (Administrator, Operator, User, etc.);
  • Profile photo.

4.2. Biometric Data

  • Face photograph — images taken by the device camera during registration, check-in, and check-out;
  • Face descriptor — a numerical vector (128 values) calculated from the face photograph for employee identification. The descriptor does not allow reconstruction of the face image and is used exclusively for matching.

4.3. Location Data

  • Check-in / check-out coordinates — latitude and longitude at the time of arrival/departure recording;
  • Background geolocation — when the employee monitoring feature is enabled, the system collects GPS coordinates (latitude, longitude, accuracy) at intervals set by the employer (default — every 5 minutes). Collection occurs in the background, including when the application is minimized.

4.4. Attendance Data

  • Date and time of arrival / departure;
  • Photos at check-in and check-out;
  • Association with workplace (site) and device;
  • Verification status.

4.5. Work Schedule Data

  • Schedule type, dates, shift start and end times;
  • Department and position;
  • Data synchronized from the iiko system (when connected).

4.6. Telegram Account Data (when linked)

  • Chat identifier (Chat ID);
  • Telegram username;
  • Name specified in Telegram profile;
  • Notification settings (which events trigger notifications).

4.7. Technical Data

  • Authentication tokens (JWT tokens for API access);
  • Device information from which access was made;
  • Connection logs (terminal synchronization logs).

5. Purposes of Personal Data Processing

The Application processes personal data exclusively for the following purposes, determined by the Client (Employer):

Purpose Legal Basis
User authentication and authorization Performance of contract with employer
Time tracking and attendance recording Legitimate interest of employer, labor legislation
Employee face identification (biometrics) Data subject consent
Location monitoring during working hours Data subject consent, legitimate interest of employer
HR data synchronization with iiko Performance of contract with employer
Sending notifications via Telegram Data subject consent
Access control via Hikvision terminals Legitimate interest of employer
Report generation and analytics Legitimate interest of employer
Security and protection against unauthorized access Legitimate interest

6. Mobile Application Permissions

For proper operation, the Application requests the following device permissions:

Permission Purpose
Camera Taking face photographs during check-in / check-out and descriptor registration
Precise location (GPS) Determining coordinates during check-in / check-out to confirm presence at workplace
Approximate location Backup method for determining coordinates when GPS is unavailable
Background location Collecting coordinates in background mode (only when monitoring is enabled by employer)
Internet Transmitting data to server
Network state Determining internet connection availability for managing data send queue

Important: Permission for background location is requested only when the employee monitoring feature is enabled by the employer. You can revoke this permission in device settings at any time.

7. Data Collection Methods

All data listed below is sent to the Client (Employer) server, not to the Developer Company's servers.

7.1. Direct input — data you provide when using the Application (photos, check-in).

7.2. Automatic collection — GPS data collected by the background service on the Android device at configured intervals.

7.3. Synchronization with external systems:

  • Hikvision terminals — the Client's server polls access control terminals and receives employee passage events (photo, time);
  • iiko system — bidirectional synchronization: import of employee, schedule, and position data; export of attendance data.

7.4. Local queue on device — when there is no internet connection, location data is stored locally on the device (SharedPreferences) and automatically sent to the Client's server when the connection is restored.

8. Personal Data Storage

8.1. Server Storage

  • FaceId is a white-label solution: all data is stored on the Client (Employer) servers, not on the Company's servers;
  • Personal data is stored in a PostgreSQL database deployed on the Client's infrastructure;
  • Photos (profile, check-in / check-out, descriptors) are stored in the Client's server file system;
  • The Client is responsible for the physical and network security of the servers;
  • The Company does not have permanent access to the Client's data, except for technical support cases at the Client's request.

8.2. Device Storage

  • Authentication tokens are stored in the browser's localStorage (web version) and SharedPreferences (Android);
  • Geolocation data queue when offline is stored in the device's SharedPreferences;
  • Data on the device is deleted when the Application is uninstalled.

8.3. Retention Periods

  • Personal data is retained for the duration of the employment relationship between the User (employee) and the employer;
  • After an employee's dismissal, the account is deactivated (soft deletion). Data may be retained for the period required to comply with the labor legislation of the Republic of Tajikistan;
  • Refresh tokens automatically expire 30 days after issuance;
  • The User or employer may request data deletion in accordance with Section 11.

9. Disclosure of Data to Third Parties

9.1. The Developer Company does not receive, sell, rent, or transfer users' personal data to third parties, as it does not have access to data stored on the Client's servers.

9.2. Since FaceId is a white-label solution, the Company does not receive or store personal data of the Client's employees. The Client (Employer) acts as the personal data operator.

9.3. During operation of the system by the Client, data may be shared with the following parties:

Recipient Basis What Data
Employer (client organization) Is the data operator All data is stored on their servers
iiko (when integration is connected) Agreement between Employer and iiko Employee ID, attendance data, working hours
Telegram (when account is linked) User consent Attendance notifications (text messages via bot)
LLC "Khizmatrasoni Nav" Technical support agreement Access to data only at Client's request for troubleshooting, in limited scope
Government authorities Legal requirement To the extent provided by the legislation of the server's host country

9.4. Data is stored on servers located in the territory determined by the Client (Employer). The Client is responsible for compliance with cross-border data transfer requirements.

10. Personal Data Protection

The Application implements the following organizational and technical data protection measures at the software level:

  • Authentication: system access is through JWT tokens with limited validity;
  • Password hashing: passwords are stored as BCrypt hashes and cannot be recovered;
  • Role-based access (RBAC): access differentiation by roles — regular users see only their data; administrators and operators have access within their authority;
  • Device access control: ability to restrict employee access to specific terminals;
  • Connection encryption: data exchange between client and server is via HTTPS (TLS) protocol;
  • Automatic session expiration: access and refresh tokens have limited validity;
  • Logging: synchronization logs are maintained for anomaly detection.

11. User Rights

Users have the following rights regarding their personal data:

  • Right to information — to know what data is processed and for what purposes;
  • Right of access — to request a copy of their personal data;
  • Right to correction — to request correction of inaccurate data;
  • Right to deletion — to request deletion of personal data (to the extent permitted by labor legislation requirements);
  • Right to restrict processing — to request restriction of data processing;
  • Right to withdraw consent — to revoke consent to biometric or location data processing.

To exercise these rights, contact the employer (data operator) or the Company at: info@hizmatrason.tj.

12. Biometric Data Processing

12.1. The Application uses face biometric technology for employee identification during check-in, check-out, and access control.

12.2. Biometric data processing is performed exclusively with the consent of the data subject, obtained and registered by the Client (Employer).

12.3. Face descriptors (numerical vectors) are used solely for identity verification and cannot be used to reconstruct the face image.

12.4. The User has the right to withdraw consent to biometric data processing by contacting the employer.

13. Location Tracking

13.1. The Application collects geolocation data for two purposes:

  • During check-in / check-out — to confirm the employee's presence at the workplace (collecting coordinates once at the time of recording);
  • Background monitoring — continuous collection of GPS coordinates during working hours (only when activated by the employer).

13.2. When this feature is activated:

  • The Application requests a separate permission for background location access;
  • GPS coordinates are collected at configurable intervals (default — every 5 minutes);
  • Data is sent to the Client's server in batches;
  • When there is no internet, data is stored locally and sent when the connection is restored.

13.3. Location data is accessible to:

  • The employee themselves — history of own movements;
  • Administrators and operators — for monitoring during working hours.

13.4. The User can stop location data collection by revoking the corresponding permission in device settings.

14. Cookies and Local Storage

14.1. The web version of the Application uses browser localStorage to store:

  • Access token (accessToken);
  • Refresh token (refreshToken);
  • Technical settings (server URL, kiosk sound mode).

14.2. The Application does not use third-party tracking cookies and does not integrate advertising or analytics SDKs from third parties.

15. Children

The FaceId application is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor's data has been submitted to the system, please immediately contact us at info@hizmatrason.tj, and we will take measures to delete it.

16. Changes to the Privacy Policy

16.1. The Company reserves the right to make changes to this Policy.

16.2. The updated version of the Policy is published in the Application and/or on the Company's website with the date of the last update.

16.3. Continued use of the Application after the publication of changes constitutes your agreement to the updated Policy.

16.4. In case of significant changes (expansion of processed data list, new processing purposes), we will notify you through the Application or via available communication channels.

17. Contact Information

For any questions related to personal data processing, you can contact us:

LLC "Khizmatrasoni Nav"
Republic of Tajikistan, Dushanbe
Resident of IT Park of the Republic of Tajikistan

© 2026 LLC "Khizmatrasoni Nav". All rights reserved.