Legal

Privacy Policy

Effective date: May 10, 2026 · Operated by: Merrill Digital Systems LLC

GPS data notice: Punchless collects real-time GPS location data from technicians as a core part of its service. By using Punchless, technicians and administrators acknowledge this collection and consent to the practices described below.

1. Who we are

Punchless (“we,” “us,” or “our”) is a GPS-powered automatic timecard platform operated by Merrill Digital Systems LLC. Our service automatically generates timecard entries for field service technicians using GPS geofencing technology, eliminating manual time entry.

Questions about this policy may be directed to hello@getpunchless.com.

2. Information we collect

2.1 GPS and location data

This is the most sensitive data we collect. When a technician has the Punchless mobile app installed and active, we collect:

  • Real-time GPS coordinates (latitude and longitude)
  • Timestamps of geofence entry and exit events
  • Movement data used to infer work status (on site, in transit, at shop)
  • Historical GPS path data for audit and dispute purposes

Collection method: While Work Mode is active, the app collects GPS location approximately every 45 seconds in the foreground and at reduced frequency in the background via the device's background location service. All location collection stops immediately when the technician disables Work Mode.

2.2 Account and profile information

  • Full name and email address
  • Company name and role (manager or technician)
  • Password (stored as a bcrypt hash - never in plain text)

2.3 Usage and operational data

  • Timecard entries, job assignments, and approval records
  • Manager override actions and audit log entries
  • Notification delivery logs
  • API access logs (IP address, timestamp, endpoint)

2.4 Device information

  • Device type and operating system (for push notification delivery)
  • Push notification tokens

3. How we use your information

We use the data we collect for the following purposes:

  • Automatic timecard generation: GPS events are processed by our rules engine to draft timecard entries automatically.
  • Payroll and compliance: Approved timecard data is exported by managers for payroll processing.
  • Live crew visibility: Managers see current technician locations on the dashboard to coordinate dispatch.
  • Audit and dispute resolution: Historical GPS path data is retained so managers can verify timecard entries if disputed.
  • Service notifications: Shift reminders and dispatch messages sent to technicians via push notification.
  • Service improvement: Aggregate, anonymized data used to improve geofence accuracy and timecard confidence scoring.

We do not sell, rent, or trade personal data. We do not use location data for advertising purposes.

4. Legal basis for processing (where applicable)

Where privacy law requires a legal basis, we process data on the following grounds:

  • Contractual necessity: Processing required to deliver the Punchless service under the subscription agreement between your employer and Merrill Digital Systems LLC.
  • Consent: GPS location tracking by technicians. Consent is obtained at app installation and can be withdrawn by uninstalling the app or contacting your employer.
  • Legitimate interests: Security logging, fraud prevention, and service reliability monitoring.

5. Data sharing and third parties

We share data only in the following limited circumstances:

5.1 Within your organization

Managers and administrators in your company can view GPS data, timecard entries, and location history for all technicians in their account.

5.2 Service providers (subprocessors)

We use the following third-party services that may process your data:

  • Backend hosting: Railway (railway.app) - API server and database hosted on Railway's cloud infrastructure
  • Frontend hosting: Vercel, Inc. - hosts the web dashboard and marketing site
  • Payment processing: Stripe, Inc. - processes subscription billing; handles payment card data under their own PCI-DSS certification. Stripe's privacy policy governs payment data.
  • Push notifications: Expo Application Services (EAS), Apple APNs, and Google FCM for mobile notification delivery

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

5.3 Legal requirements

We may disclose information if required by law, court order, or to protect the rights and safety of Punchless, our users, or the public.

6. Data retention

  • GPS location data: Retained for 12 months from collection, then permanently deleted.
  • Approved timecard records: Retained for 7 years to support payroll audits and legal compliance.
  • Account data: Retained while the account is active. Deleted within 90 days of account termination upon request.
  • API logs: Retained for 90 days for security monitoring.

7. Security

We protect your data using industry-standard security controls:

  • All data in transit encrypted with TLS 1.2+
  • Database data encrypted at rest (AES-256)
  • Passwords stored as bcrypt hashes with a minimum cost factor of 12
  • Role-based access controls - technicians cannot access other technicians' data
  • JWT authentication with short-lived access tokens and refresh token rotation
  • API keys stored as hashed values - never retrievable after creation

No system is perfectly secure. If we discover a security breach affecting your data, we will notify you within 72 hours as required by applicable law.

8. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data (subject to legal retention requirements).
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent for GPS tracking at any time (this will prevent the service from generating timecards for you).

To exercise any of these rights, contact hello@getpunchless.com. We will respond within 30 days.

Note: Because Punchless is a B2B product, many requests should be directed first to your employer (the account administrator), who controls your company's data within our platform.

9. California residents — CCPA rights

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information:

  • Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., legal retention requirements for payroll records).
  • Right to opt-out of sale: We do not sell personal information. No opt-out is required.
  • Right to non-discrimination: We will not deny service, charge a different price, or provide a lesser quality of service because you exercised your CCPA rights.

To exercise these rights, contact hello@getpunchless.com. We will acknowledge your request within 10 business days and respond within 45 days.

10. Employee notice (for technicians)

If you are a technician whose employer uses Punchless, your employer has agreed to our Terms of Service on your behalf. Your employer is responsible for informing you that location data is collected and for obtaining any consent required by local labor or employment law. We recommend reviewing this policy and speaking with your employer if you have questions about how your location data is used within your organization.

11. Children

Punchless is a business service not directed at individuals under 18 years of age. We do not knowingly collect data from minors.

12. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to account administrators at least 14 days before taking effect. Continued use of the service after that date constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data requests, or concerns:

Merrill Digital Systems LLC
Privacy Officer
hello@getpunchless.com

© 2026 Merrill Digital Systems LLC. All rights reserved.