Privacy Policy | UsePonto

1. Introduction

Criarflix Tecnologia Ltda. ("we", "our" or "UsePonto"), registered under CNPJ 62.669.747/0001-94, is the data controller for personal data collected through the UsePonto application and web platform. This Privacy Policy describes how we collect, use, store, share, and protect your personal information.

This policy applies to the use of the UsePonto mobile application (available on Google Play Store and Apple App Store) and the web platform useponto.com.br.

2. Information We Collect

We collect the following types of information to provide and improve our services:

Identification Data

Full name
Email address
Phone number
CPF (Brazilian Individual Taxpayer Registry)
PIS/PASEP (when applicable)

Biometric Data

Front-facing facial image captured by the camera for facial recognition
Biometric template/embedding generated from the facial image for identity verification
Capture date and time and consent date and time for processing face data

Facial biometric data is used exclusively for facial enrollment, identity verification, and integrity of electronic time clock records.

Location Data

Geographic location (GPS) at the time of time clock registration
IP address

Geolocation is collected only at the time of time clock registration, as required by Brazilian labor regulations (Ordinance MTP No. 671/2021).

Device Data

Device model and manufacturer
Operating system and version
Unique device identifier
Browser type (when applicable)

Usage Data

Access and navigation logs
Time clock registration timestamps
Application interactions
Error logs and diagnostics

Face data and biometric data

UsePonto collects a front-facing facial image of the employee and generates a biometric template/embedding from that image for facial comparison. This data is associated with the employee, the contracting company, the capture date and time, and the consent date and time.

The purpose of processing is exclusively to enroll the employee facial profile, verify the employee identity when recording an electronic time clock punch, prevent fraud, and preserve the integrity of work time records. Face data is not used for advertising, marketing, tracking, commercial profiling, or any purpose unrelated to time clock control.

The facial image and biometric template/embedding are stored in UsePonto secure platform infrastructure, with encryption in transit, at-rest encryption for sensitive data, role-based access control, and company-level isolation. This data may be synchronized only with authorized time clock devices of the contracting company to allow facial verification for time clock registration.

Face data is not sold, rented, or shared with third parties for advertising or marketing. Infrastructure, hosting, and operational service providers may process this data only as necessary to operate the platform, under security, confidentiality, and limited-purpose obligations.

Face data is retained while the employee remains linked to the contracting company and while it is necessary to provide the service, support audits, maintain security, comply with legal obligations, and preserve the integrity of labor records. When it is no longer necessary, it may be deleted or anonymized, unless an additional legal retention obligation applies.

3. How We Use Your Information

We use your personal information for the following purposes:

Service Delivery

Identity Verification

Confirm your identity through facial recognition, using facial image and biometric template/embedding, to prevent fraud and ensure the integrity of time clock records.

Legal Compliance

Comply with Brazilian labor regulations (Ordinance MTP No. 671/2021), including generation of AFD (Data Source File) and AEJ (Electronic Work Time File).

Communication

Send notifications about your work time, compliance alerts, and service updates.

Service Improvement

Analyze application usage to identify issues, improve features, and develop new functionality.

Security

Protect against unauthorized access, detect suspicious activity, and prevent fraud.

4. Data Sharing

We may share your information with:

Your Employer

Work time data (entry, exit, break times) is shared with the company where you work for human resources management and payroll purposes.

Service Providers

We use third-party services for data hosting (Hostinger), payment processing, notification delivery, and infrastructure operations. These providers have limited access to data necessary to perform their functions, including biometric data only when strictly necessary to operate and protect the service.

Legal Authorities

We may disclose data when required by law, court order, or request from competent authorities, including labor inspection agencies.

We do not sell, rent, or trade your personal information, face data, or biometric data to third parties for marketing, advertising, or tracking purposes.

5. Data Storage and Security

We implement technical and organizational measures to protect your information:

End-to-end encryption (TLS 1.2 or higher) for data transmission
At-rest encryption for stored sensitive data
Storage in certified data centers located in Brazil
Role-based access control (RBAC)
Immutable audit logs for traceability
Automatic backups with geographic redundancy
Passwords stored with bcrypt hash (minimum cost 10)

Retention Period

Time clock registration data (AFD) is stored for a minimum of 5 (five) years, as required by law. Face data and biometric data are retained while the employee remains linked to the contracting company and while they are necessary to provide the service, support audits, maintain security, comply with legal obligations, and preserve the integrity of labor records. When processing is no longer necessary, the data may be anonymized or deleted, unless an additional legal retention obligation applies.

6. Your Rights (LGPD)

Under the Brazilian General Data Protection Law (Law No. 13,709/2018), you have the following rights:

Access

Request a copy of the personal data we hold about you.

Correction

Request correction of incomplete, inaccurate, or outdated data.

Deletion

Request deletion of your personal data, when applicable and there is no legal retention obligation.

Portability

Request transfer of your data to another service provider.

Consent Revocation

Revoke your consent at any time, when processing is based on consent.

Opposition

Object to data processing in certain circumstances.

Information

Be informed about entities with whom we share your data.

To exercise any of these rights, contact us at contato@useponto.com.br. We will respond to your request within 15 (fifteen) business days.

7. Children's Privacy

UsePonto is intended for users over 18 years of age. We do not intentionally collect personal information from minors. If we become aware that we have collected data from a minor, we will take steps to delete such information as soon as possible.

Use of the system by minor apprentices (from 14 years old) must be authorized by the employer and legal guardian.

8. Cookies and Similar Technologies

We use cookies and similar technologies to:

Keep you logged into the service
Remember your preferences (language, theme)
Analyze service usage for improvements
Ensure session security

You can manage your cookie preferences in your browser settings. Note that disabling certain cookies may affect service functionality.

9. Changes to This Policy

We may update this Privacy Policy periodically. When we make significant changes, we will notify you by email or through a notice in the application before the changes take effect.

We recommend that you review this policy regularly to stay informed about how we protect your information.

10. Contact

If you have questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us:

Criarflix Tecnologia Ltda.

CNPJ: 62.669.747/0001-94

Email: contato@useponto.com.br

We will respond to all requests within 15 (fifteen) business days.