Privacy Policy for Punch O'Clock

Last Updated: January 23, 2026

Your Privacy Matters: Punch O'Clock is designed with privacy as a core principle. By default, all your data stays on your device. We offer an optional cloud sync feature that requires you to sign in with Apple or Google and explicitly enable sync in settings. You can disable cloud sync at any time, and your data will remain stored locally on your device.

1. Introduction

This Privacy Policy describes how Punch O'Clock ("we", "our", or "the App") handles your information. Punch O'Clock is a time tracking application developed by Baan Software PTE LTD that helps you manage work sessions and projects.

By using Punch O'Clock, you agree to the terms outlined in this Privacy Policy.

2. Information We Collect

2.1 Information Stored Locally on Your Device

Punch O'Clock stores the following information locally on your device only:

Project Information: Names, descriptions, hourly rates, and other details of projects you create
Work Session Data: Start times, end times, breaks, and notes for your work sessions
App Settings: Your preferences and configuration settings within the app
Application State: Information needed to maintain your app experience across sessions

2.2 Information Synced to Cloud (Optional)

If you choose to enable cloud sync by signing in with Apple or Google and enabling the sync toggle in settings, the following information will be synced to Firebase (Google Cloud Platform):

Project Information: Project names, hourly rates, currency, notes, client names, creation dates, and session status
Work Session Data: Start times, end times, breaks, notes, titles, and project associations
App Settings: Your preferences and configuration settings (default period, theme mode, display preferences, etc.)
User Identifier: A unique user ID (UID) provided by Firebase Authentication from your Apple or Google account
Sync Metadata: Timestamps indicating when data was last synced to the cloud

Important: Cloud sync is completely optional and disabled by default. Your data will only be synced to the cloud if you explicitly sign in and enable sync. You can disable cloud sync at any time, and your data will continue to be stored locally on your device.

2.3 Information We Do NOT Collect

Punch O'Clock does NOT collect, transmit, or store:

Email addresses or other personal identification information beyond what is provided by Apple or Google authentication services
Location data
Device identifiers for tracking purposes
Usage analytics or behavioral data
Any information about your contacts or other apps
Financial or payment information

3. How We Use Your Information

Data collected by Punch O'Clock is used solely for:

Displaying your projects and work sessions
Calculating work hours and earnings
Generating session summaries and reports
Maintaining app functionality and user preferences
Providing you with the core features of the time tracking application
Cloud Sync (when enabled): Syncing your data across your devices through Firebase to allow you to access your data from multiple devices

By default, all data remains on your device. Cloud sync only occurs when you explicitly enable it by signing in and turning on the sync toggle in settings.

4. Data Storage and Security

4.1 Local Storage

All your data is stored locally on your device using secure storage mechanisms provided by iOS/Android operating systems. We use the device's built-in security features to protect your information.

4.2 Optional Cloud Storage

If you enable cloud sync, your data will be stored in Google Firebase (Firestore), which is part of Google Cloud Platform. When sync is enabled:

Your data is stored in user-specific collections: users/{userId}/projects, users/{userId}/sessions, and users/{userId}/settings
Data is isolated per user account and can only be accessed by the authenticated user
Firebase uses Google's secure infrastructure with encryption in transit and at rest
Your data is protected by Firebase Authentication and Firestore security rules

By default, cloud sync is disabled. Your data will only be synced to Firebase if you explicitly sign in with Apple or Google and enable the sync toggle in settings. You can disable cloud sync at any time, and your data will remain stored locally on your device.

4.3 Data Security

We implement appropriate technical measures to secure your data:

Local Storage: Data is stored using the platform's secure storage APIs with your device's built-in encryption
Cloud Storage (when enabled): Data is encrypted in transit and at rest using Firebase's security infrastructure
Authentication: Cloud access requires authentication through Apple or Google Sign-in
Access Control: Each user's data is isolated and can only be accessed by the authenticated account
Device Security: Your device's security features (such as encryption and biometric locks) protect your local data

5. Data Sharing and Third Parties

We do not sell or share your data with third parties for marketing or advertising purposes. Punch O'Clock does not contain:

Analytics services (e.g., Google Analytics, Firebase Analytics)
Advertising networks
Social media integrations
Third-party tracking tools

5.1 Third-Party Services

The app uses the following third-party services:

Firebase (Google Cloud Platform): Used for optional cloud sync functionality when enabled by the user. Firebase provides:
- Firebase Authentication: For secure sign-in with Apple and Google accounts
- Cloud Firestore: For storing your synced projects, sessions, and settings data
When cloud sync is enabled, your data is stored in Firebase and is subject to Google's privacy policy for Firebase services. Firebase acts as a data processor, and we act as the data controller. Your data is stored securely and is only accessible to your authenticated account.
Google Fonts: Used for typography - fonts are downloaded from Google's servers but no user data is transmitted
Flutter Framework: The cross-platform framework used to build the app - does not collect user data

6. Authentication

Punch O'Clock offers optional cloud sync that requires authentication. We support the following authentication methods:

Apple Sign-in: Sign in using your Apple ID. Apple provides a unique user identifier (UID) to identify your account. We do not receive your email address or other personal information from Apple unless you explicitly choose to share it.
Google Sign-in: Sign in using your Google account. Google provides a unique user identifier (UID) and may provide a display name. We do not access your email address or other personal information beyond what Google provides for authentication purposes.

Authentication is only required if you choose to enable cloud sync. If you do not enable cloud sync, you can use the app without signing in, and all your data will remain stored locally on your device.

The authentication services (Apple and Google) handle the authentication process and provide us with a unique identifier to associate your cloud data with your account. Your authentication credentials are managed by Apple or Google, not by Punch O'Clock.

7. Children's Privacy

Punch O'Clock does not knowingly collect any information from children under the age of 13. The app is designed for use by working professionals and does not target children. If you are a parent or guardian and believe your child has used this app, please note that no personal information has been collected or transmitted.

8. Your Data Rights

You have complete control over your data, whether stored locally or in the cloud:

Access: You can view all your data within the app at any time, whether stored locally or synced to the cloud
Modification: You can edit or update your projects and sessions through the app interface. Changes are saved locally and, if cloud sync is enabled, synced to the cloud
Local Data Deletion: You can delete individual projects, sessions, or all local data by deleting them in the app or by uninstalling the app from your device
Cloud Data Deletion: If you have enabled cloud sync, you can:
- Disable cloud sync in settings to stop syncing new data to the cloud
- Delete your cloud data by signing out from the app, which will remove your authentication and prevent access to cloud data
- Contact us through the app's "Contact Developer" option to request deletion of your cloud data
Export: Your data can be exported from the app. Local data remains on your device, and cloud data is accessible through your authenticated account

9. Data Retention

Local Data: Your data is retained on your device for as long as you keep the app installed. When you uninstall Punch O'Clock, all locally stored data is automatically removed from your device according to your operating system's standard app removal process.

Cloud Data (when sync is enabled): Your cloud data is retained in Firebase for as long as your account is active and cloud sync is enabled. If you disable cloud sync and sign out, your cloud data will remain in Firebase but will no longer be accessible through the app. You can request deletion of your cloud data by contacting us through the app's "Contact Developer" option.

10. International Data Transfers

If you have not enabled cloud sync, all your data remains on your device and no international data transfers occur.

If you have enabled cloud sync, your data will be stored in Google's Firebase infrastructure, which operates globally. Data may be stored in data centers located in various regions depending on your Firebase project configuration. Google's Firebase services are designed to comply with applicable data protection laws and provide security measures for international data transfers.

By enabling cloud sync, you consent to the transfer of your data to Firebase servers, which may be located outside your country of residence. Firebase uses appropriate safeguards to protect your data in accordance with applicable privacy laws.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the app or legal requirements. When we make changes:

We will update the "Last Updated" date at the top of this policy
Significant changes will be communicated through the app or app store update notes
Continued use of the app after changes constitutes acceptance of the updated policy

12. Legal Compliance

This Privacy Policy is designed to comply with:

General Data Protection Regulation (GDPR) - European Union
California Consumer Privacy Act (CCPA) - United States
Apple App Store Privacy Requirements
Google Play Store Privacy Requirements
Other applicable privacy and data protection laws

When cloud sync is enabled, your data is stored in Firebase (Google Cloud Platform). In this context, Baan Software PTE LTD acts as the data controller, and Google (Firebase) acts as the data processor. Cloud-synced data is subject to Google's privacy policy for Firebase services in addition to this privacy policy.

13. Permissions

Punch O'Clock may request the following device permissions:

Storage: To save your project and session data locally on your device
Notifications (optional): To remind you about active work sessions (if you enable this feature)

All permissions are used solely for app functionality and not for data collection or tracking purposes.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how Punch O'Clock handles your information, please contact us:

Company: Baan Software PTE LTD
App: Use the "Contact Developer" option in the app's Settings screen

We will respond to your inquiries within a reasonable timeframe.

15. California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

Right to Know: You have the right to know what personal information we collect, use, and share. This information is detailed in Section 2 of this privacy policy.
Right to Delete: You can delete your local data by uninstalling the app or deleting data within the app. If you have enabled cloud sync, you can disable it and sign out, or contact us to request deletion of your cloud data.
Right to Opt-Out: Cloud sync is optional and disabled by default. You can opt-out of cloud sync at any time by disabling it in settings.
Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

We do not sell your personal information. If you have not enabled cloud sync, your data stays entirely on your device and is not shared with any third parties.

16. European Union Users (GDPR)

For users in the European Union, Punch O'Clock complies with GDPR requirements:

Legal Basis: We process data based on your consent and to fulfill our contract with you (providing the app service). Cloud sync requires your explicit consent through sign-in and enabling the sync toggle.
Data Controller: Baan Software PTE LTD acts as the data controller for your data, whether stored locally or in the cloud.
Data Processor: When cloud sync is enabled, Google (Firebase) acts as a data processor, storing your data in Firebase infrastructure. Firebase processes your data only as necessary to provide the cloud sync service.
Right to Access: You can access all your data through the app interface at any time.
Right to Rectification: You can modify your data through the app interface, and changes will be saved locally and synced to the cloud if sync is enabled.
Right to Erasure:
- For local data: Uninstall the app or delete data within the app to permanently delete local data
- For cloud data: Disable cloud sync and sign out, or contact us to request deletion of your cloud data
Right to Data Portability: You can export your data from the app at any time.
Right to Withdraw Consent: You can disable cloud sync at any time in settings, which will stop syncing new data to the cloud.

17. Consent

By using Punch O'Clock, you consent to this Privacy Policy. If you do not agree with this policy, please do not use the app.