Privacy Policy
Last updated: 15 May 2026
This policy explains what personal data Frontelio (the “App” and the manager web console at app.frontelio.com) collects from you, why we collect it, where we store it, who can see it, and what your rights are. It is written for our pilot rollout under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).
1. Who we are
Data controller: Frontelio, a Single-Person Limited Liability Company incorporated in the Emirate of Sharjah, United Arab Emirates. Trade Licence No. 527553.
Registered office: Office 1503, 15th Floor, Lake Corniche Street, Al Majaz, Sharjah, UAE — P.O. Box 21017.
Contact: support@frontelio.com · +971 55 566 6037.
2. Who this policy applies to
Outlet staff, supervisors, managers, technicians and administrators of a Frontelio customer (or a third-party tenant invited to the pilot) who use the Frontelio mobile app or the manager web console.
Customers of those outlets are not users of the App; we do not collect their data through Frontelio.
3. What personal data we collect
- Identity: full name, employee code, job title, role, outlet assignment.
- Contact: work email address and/or mobile phone (E.164 format).
- Authentication: hashed password (bcrypt, never stored in plain text), JWT session tokens.
- Attendance: clock-in / clock-out timestamp, the GPS coordinates your phone reports at the moment you tap clock-in, and the resulting distance from your assigned outlet's geofence centre.
- Liveness: the result of an automated face-liveness check (PASS / FAIL / not run) at clock-in. During the pilot this check uses a mock provider; production will use AWS Rekognition Face Liveness or a comparable vendor. The selfie image taken for that check is stored as an evidence file (see section 4).
- Operational evidence: photos, numbers (e.g. cash float count), text notes and yes/no answers you submit when completing checklist items, scanning asset QR codes, recording troubleshooting attempts, or reporting an issue. These items may include incidental images of yourself or colleagues.
- Device: device identifier (anonymous, set by the app at install), Android / iOS version, app version, IP address used to connect to our API.
- Audit log: every state change you make (taking on a work order, overriding an attendance flag, completing a critical task, etc.) is logged with your user ID, the timestamp, and the before/after values.
We do not collect: bank account numbers, credit card details, government ID numbers, biometric face templates (we keep only the pass/fail liveness verdict and the original selfie image), location data outside of clock-in / clock-out events, microphone audio, contacts, SMS, or photos from your camera roll that you did not explicitly attach as evidence.
4. Why we collect it (lawful basis)
- Performance of contract / your employment. Attendance, checklist completion and shift assignment data are processed because they are part of your role.
- Legitimate interest. Audit logs and evidence files exist so the company can investigate equipment failures, support insurance / warranty claims, and demonstrate compliance to UAE regulators (Food Safety, Civil Defence, Department of Economic Development).
- Legal obligation. Some retention requirements apply under UAE labour and tax law (e.g. attendance records for the period prescribed by the Ministry of Human Resources and Emiratisation).
5. Where data is stored
- Application data (users, shifts, attendance metadata, checklist results, issues, work orders, audit logs): DigitalOcean Managed PostgreSQL 16, region Frankfurt 1 (Germany, EU/EEA).
- Evidence files (selfies, checklist photos, document uploads): DigitalOcean Spaces (S3-compatible object storage), region Frankfurt 1.
- API and dashboard servers: DigitalOcean droplet, region Frankfurt 1.
Cross-border transfer notice (PDPL Article 22). Personal data of UAE residents is therefore transferred outside the UAE. Germany is recognised as having an adequate level of personal data protection under the EU General Data Protection Regulation (GDPR), which the UAE Data Office accepts as an adequate-protection jurisdiction. We will move to an in-UAE deployment (AWS me-central-1, Dubai) if and when this becomes operationally and legally necessary, with no change to the data shape.
6. Who can see your data
- You, for your own records.
- Your supervisor, your outlet manager, and the area / operations manager above them — scoped to your outlet only.
- Your tenant's Company Admin and Auditor roles — full read across the tenant.
- Service providers that operate the infrastructure on our behalf (DigitalOcean for hosting and storage, the chosen face-liveness vendor) under contractual obligations of confidentiality and data protection.
- Government authorities only where compelled by a valid legal order.
We do not sell personal data and we do not share it with advertisers.
7. How long we keep it
- Attendance events and audit logs: retained for the longer of (i) seven (7) years from creation or (ii) the duration of your employment plus two (2) years. This aligns with UAE labour record-keeping practice.
- Selfie evidence files: 90 days, then automatically deleted by storage lifecycle rules.
- Other checklist evidence photos / files: 2 years.
- User account data: deleted within 30 days of account deactivation, except where retention is legally required.
8. Your rights
Under UAE PDPL, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Object to processing on specific grounds.
- Restrict processing, or request deletion, subject to the legal retention obligations above.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the UAE Data Office at uaedataoffice.gov.ae.
To exercise any of these, email support@frontelio.com with the subject “PDPL Request”. We respond within 30 days.
9. Security
- All traffic is encrypted via TLS 1.2+ (Let's Encrypt).
- Passwords are stored as bcrypt hashes; we never see, store or log your password.
- Access tokens (JWT) are short-lived and bound to your device session.
- The managed database is reachable only from our application servers (firewall-restricted VPC).
- Server-side rate limiting and HTTP security headers (HSTS, X-Frame-Options, etc.) are enabled.
10. Children
Frontelio is a workplace tool. We do not knowingly collect data from individuals under 18. If you believe we have collected data from a minor, contact us at support@frontelio.com and we will delete it.
11. Changes to this policy
Material changes will be communicated by email to each registered user at least 30 days before they take effect. The current version is always available at app.frontelio.com/privacy.
© 2026 Frontelio. All rights reserved.