Privacy Policy

Last updated: March 2026

1. Who We Are

FaceAttend is a biometric attendance SaaS product developed and operated by Ainebyona Abubaker, based in Uganda. We provide face recognition attendance solutions to universities and educational institutions.

Contact: admin@faceattend.app

2. Data We Collect

We collect the following categories of personal data:

• Biometric data — facial images and facial embeddings (mathematical representations of faces) used for identity verification
• Student identification data — student ID numbers and full names
• Attendance records — timestamps, verification status, and confidence scores
• Administrator account data — name, email address, phone number, and institution affiliation
• Usage data — login timestamps and system activity logs

3. How We Collect Data

Data is collected through:

• The FaceAttend Android application — when administrators capture student face photos during enrollment
• The institution registration form at faceattend.app — when universities sign up
• Automatic system logs generated during use of the service

4. Legal Basis for Processing

We process personal data on the following legal grounds under the Uganda Data Protection and Privacy Act, 2019:

• Consent — institutions and their administrators provide explicit consent during registration
• Legitimate interest — attendance management is a core administrative function of educational institutions
• Contractual necessity — processing is necessary to deliver the service agreed upon

Institutions are responsible for obtaining consent from students before enrolling their biometric data into the system.

5. How We Use Your Data

• To verify student identity during attendance sessions
• To generate and display attendance reports to authorized administrators
• To manage user accounts and institution profiles
• To send account-related emails including invitations and password resets
• To maintain system security and prevent fraud or spoofing

6. Data Storage and Security

Your data is stored using the following infrastructure:

• Supabase — database and file storage (servers located in the European Union)
• Railway — application hosting (servers located in the United States)

We implement the following security measures:

• All data is encrypted in transit using HTTPS/TLS
• Face images are stored in private buckets — not publicly accessible
• Access to face images requires time-limited signed URLs
• All API endpoints require authenticated JWT tokens
• Institution data is fully isolated — no data crosses institution boundaries
• Anti-spoofing liveness detection prevents unauthorized access attempts

As required by the Uganda PDPA, we ensure that any cross-border transfer of data to service providers in the EU and USA is governed by adequate data protection agreements.

7. Data Retention

• Biometric data (face images) — retained for the duration of the institution's active subscription. Deleted upon account termination or upon request.
• Attendance records — retained for up to 3 years to support institutional reporting needs
• Account data — retained for the duration of the account and up to 90 days after termination

8. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is only shared with:

• Supabase — for database and storage services
• Railway — for application hosting
• Zoho — for transactional email delivery
• Law enforcement or regulatory bodies — only when required by Ugandan law

9. Your Rights

Under the Uganda Data Protection and Privacy Act, 2019, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your personal data
• Objection — object to processing of your data
• Withdrawal of consent — withdraw consent at any time
• Data portability — receive your data in a portable format

To exercise any of these rights, contact us at admin@faceattend.app. We will respond within 21 days.

10. Biometric Data — Special Notice

Facial images and facial embeddings are classified as sensitive personal data under Uganda's PDPA. We treat this data with the highest level of care:

• Biometric data is never sold or shared with any third party
• Face images are stored in private, access-controlled storage
• Facial embeddings (mathematical vectors) are stored separately from identity data
• Institutions must obtain informed consent from students before enrollment
• Students may request deletion of their biometric data at any time through their institution administrator

11. Data Breach Notification

In the event of a data breach that poses a risk to the rights and freedoms of data subjects, we will notify the Personal Data Protection Office (PDPO) of Uganda and affected institutions within 72 hours of becoming aware of the breach, as required by the Uganda PDPA.

12. Children's Data

FaceAttend is intended for use by universities and higher education institutions where students are typically adults (18+). We do not knowingly collect data from persons under 18. If an institution enrolls a student under 18, the institution is responsible for obtaining parental consent.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered institutions by email of any material changes. The updated policy will always be available at faceattend.app/privacy.

14. Contact and Complaints

For privacy-related queries or complaints, contact us at:

• Email: admin@faceattend.app
• Website: faceattend.app

You also have the right to lodge a complaint with the Personal Data Protection Office (PDPO) of Uganda at pdpo.go.ug.