
Security & biometric architecture at HelloTime

Face matching in HelloTime Attend happens on the worker's device. Biometric templates are generated locally, stored encrypted on the device, and compared on the device. They never leave the phone.

Last updated: May 23, 2026

1. On-device biometric matching

When a worker enrolls a face in HelloTime Attend, the mobile app generates a numeric face-template embedding directly on the device using a TensorFlow Lite (TFLite) model bundled inside the app binary. The raw selfie used at enrollment is not retained.

  • The embedding is stored in an SQLCipher-encrypted local database on the device — never copied to our servers.
  • At every clock-in, the app captures a new selfie, generates a fresh embedding on-device, and compares it against the stored embedding on-device. Only the pass / fail result and a hashed proof are transmitted to our backend.
  • No biometric data — no face template, no embedding, no face vector — is ever uploaded to HelloTime servers in normal operation. The only image that can leave the phone is the optional punch selfie that an employer may enable as visual proof for managers (see section 4); it is stored as an encrypted blob and is never used for face matching.
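The on-device decision and the payload that leaves the phone, worked through in Python as an added example. This is illustrative code, not HelloTime Attend's (the real app runs a TFLite model on the handset). The embedding size, the cosine-similarity threshold, the payload field names and the shape of the "hashed proof" (modelled here as an HMAC-SHA256 over the punch fields with a per-device key) are assumptions; the page does not specify any of them. The embeddings are constructed toy vectors, not model output.

```python
"""On-device face-match decision and the punch payload that leaves the phone.

Added example, not HelloTime Attend's code. The embedding size, the
cosine-similarity threshold, the payload field names and the shape of the
"hashed proof" (modelled here as an HMAC-SHA256 over the punch fields with a
per-device key) are assumptions; the page does not specify them.
"""
import hashlib
import hmac
import json
from math import sqrt

MATCH_THRESHOLD = 0.80  # assumed cosine-similarity cut-off; tuned per model in practice


def cosine_similarity(a, b):
    """Cosine similarity between two equal-length float vectors."""
    if len(a) != len(b):
        raise ValueError("embedding size mismatch")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = sqrt(sum(x * x for x in a))
    norm_b = sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        raise ValueError("zero-norm embedding")
    return dot / (norm_a * norm_b)


def match_on_device(enrolled, probe, threshold=MATCH_THRESHOLD):
    """Compare the stored enrollment embedding with a fresh probe embedding.

    Returns (passed, score). Both embeddings stay on the device; only `passed`
    goes into the punch payload.
    """
    score = cosine_similarity(enrolled, probe)
    return score >= threshold, score


def _canonical(fields):
    """Stable byte encoding of the signed fields (sorted keys, no whitespace)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_punch_payload(worker_id, device_id, client_ts_ms, passed, device_key):
    """Assemble what the app sends. Deliberately carries no embedding or image."""
    fields = {
        "worker_id": worker_id,
        "device_id": device_id,
        "client_ts_ms": client_ts_ms,
        "face_check": "pass" if passed else "fail",
    }
    proof = hmac.new(device_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "proof": proof}


def verify_punch_payload(payload, device_key):
    """Server-side check that the fields match the proof for this device's key.

    This establishes integrity and origin relative to the key; it cannot show
    that a genuine face match happened on the device.
    """
    fields = {k: v for k, v in payload.items() if k != "proof"}
    expected = hmac.new(device_key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, payload.get("proof", ""))


# Constructed toy embeddings (4-dimensional; a real model emits hundreds of floats).
ENROLLED = [0.6, 0.8, 0.0, 0.0]
PROBE_SAME_PERSON = [0.5, 0.85, 0.1, 0.05]
PROBE_IMPOSTOR = [0.0, 0.1, 0.7, 0.7]
```

Note what the backend can and cannot check with this shape: verify_punch_payload confirms that nobody without the device key altered the fields, but it cannot confirm that the face check ran or what it saw, so the pass flag remains a client claim. That is the trade-off section 3 describes, and it is why the server-side controls there matter.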

2. Why this design

  • Privacy first. A central biometric store is the single highest-impact target a payroll app can have. We don't operate one, so there is nothing for an attacker to exfiltrate. This aligns directly with the data-minimisation principles in the India Digital Personal Data Protection Act (DPDP), the Illinois Biometric Information Privacy Act (BIPA), and the EU GDPR.
  • Works offline. Field workers on construction sites, remote clinics or rural routes clock in without a connection. The match runs locally; the resulting punch is queued and replayed when the device returns to network.
  • Faster. No round-trip to a verification service means clock-in completes in sub-second time even on low-end Android devices.
  • Smaller infrastructure footprint. No GPU inference cluster, no biometric warehouse, no per-employee storage scaling. Lower cost translates directly into lower per-seat pricing.

3. What this means for fraud risk

We want to be straightforward about the trade-off: because the face match runs on the worker's own device, HelloTime does not verify the face server-side. The pass / fail result the backend receives is an assertion made by the client, so a rooted device or a modified app can report a pass without a genuine match, and face matching alone cannot defend against a determined buddy-punching attempt. This is a deliberate architectural choice for the 2026-08-10 GA, not an oversight.

The surrounding controls that do run on the server, and that together substantially raise the cost of attendance fraud, are:

  • Geofence enforcement. A clock-in is rejected server-side if the device's reported GPS coordinates fall outside the site polygon configured by the employer. Because the coordinates come from the device, this raises the cost of fraud rather than proving presence; the anomaly checks below catch the crude cases such as impossible travel.
  • Server-stamped time. Every punch is stamped with a backend-recorded timestamp alongside the client-claimed time. Drift between the two is logged and visible to managers, which makes a tampered client clock immediately auditable.
  • Manager regularization with audit trail. Any edit to a punch — by a worker or a manager — is recorded with actor, before/after values, and a reason. Approvers see the full history.
  • Anomaly detection on punch patterns. Repeated clock-ins from the same device for different workers, impossible travel between punches, and abnormal frequency are flagged for admin review.
  • PIN fallback under manager policy. If the on-device face check fails, the worker can clock in with a PIN only when the employer's policy allows it. PIN usage is logged separately so admins can spot the pattern.
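The server-side controls above, worked through in Python as an added example that is not HelloTime's backend code. The site polygon, the four punch records, the 120-second drift tolerance, the 150 km/h travel ceiling and the per-day punch limit are all constructed or assumed for illustration; the flag names are mine. The block runs the geofence, clock-drift, shared-device, impossible-travel and frequency checks over the sample punches and returns the flags a manager would see.

```python
"""Server-side punch checks: geofence, clock drift and punch-pattern anomalies.

Added example, not HelloTime's backend code. The site polygon, punch records,
thresholds and identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Punch:
    worker_id: str
    device_id: str
    lat: float
    lon: float
    client_time: datetime  # time claimed by the app
    server_time: datetime  # time stamped by the backend on receipt


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test. polygon is a list of (lat, lon) vertices in order."""
    x, y = lon, lat
    inside = False
    for i in range(len(polygon)):
        y1, x1 = polygon[i]
        y2, x2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y):  # edge straddles the horizontal ray from the point
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_punches(punches, site_polygon, max_drift_s=120, max_speed_kmh=150.0, max_per_day=8):
    """Return one list of flag names per punch, in the input order.

    Punches are processed in server_time order so that only the backend clock
    drives the sequence checks; the client-claimed time is used for drift only.
    """
    order = sorted(range(len(punches)), key=lambda i: punches[i].server_time)
    flags = [[] for _ in punches]
    last_by_worker = {}   # worker_id -> index of that worker's previous punch
    device_workers = {}   # device_id -> workers seen on that device
    per_day = {}          # (worker_id, date) -> punches that day
    for i in order:
        p = punches[i]
        if not point_in_polygon(p.lat, p.lon, site_polygon):
            flags[i].append("outside_geofence")
        if abs((p.client_time - p.server_time).total_seconds()) > max_drift_s:
            flags[i].append("clock_drift")
        device_workers.setdefault(p.device_id, set()).add(p.worker_id)
        if len(device_workers[p.device_id]) > 1:
            flags[i].append("shared_device")  # raised from the second worker onwards
        prev = last_by_worker.get(p.worker_id)
        if prev is not None:
            q = punches[prev]
            hours = (p.server_time - q.server_time).total_seconds() / 3600.0
            km = haversine_km(q.lat, q.lon, p.lat, p.lon)
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                flags[i].append("impossible_travel")
        last_by_worker[p.worker_id] = i
        key = (p.worker_id, p.server_time.date())
        per_day[key] = per_day.get(key, 0) + 1
        if per_day[key] > max_per_day:
            flags[i].append("abnormal_frequency")
    return flags


# Constructed sample data: a roughly 1 km square site and four punches.
SITE = [(12.970, 77.590), (12.970, 77.600), (12.980, 77.600), (12.980, 77.590)]
T0 = datetime(2026, 8, 10, 8, 0, tzinfo=timezone.utc)


def at_minutes(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_PUNCHES = [
    Punch("w1", "dev-a", 12.975, 77.595, at_minutes(0), at_minutes(0)),     # clean punch
    Punch("w2", "dev-a", 12.975, 77.595, at_minutes(5), at_minutes(5)),     # second worker on w1's device
    Punch("w3", "dev-b", 12.975, 77.595, at_minutes(-20), at_minutes(10)),  # client clock 30 min behind
    Punch("w1", "dev-c", 15.350, 75.130, at_minutes(60), at_minutes(60)),   # w1 again, ~375 km away an hour later
]

if __name__ == "__main__":
    for p, f in zip(SAMPLE_PUNCHES, flag_punches(SAMPLE_PUNCHES, SITE)):
        print(p.worker_id, p.device_id, f or "ok")
```

The design point is that every check here consumes only what the backend can observe or stamp itself: the site polygon it configured, the time it recorded on receipt, and the device and worker identifiers across punches. None of them needs the face, which is why they still work when the on-device match is lied about.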

4. What HelloTime stores about you

From a HelloTime Attend worker, our backend stores:

  • Profile data — name, work email, role, manager assignment.
  • Attendance records — clock-in / clock-out timestamps (both client-claimed and server-recorded), latitude / longitude at the moment of the punch, and an optional selfie URL pointing to an encrypted blob in our storage account. The selfie is the visual proof your manager can review; it is not used for face matching.
  • Leave and timesheet records — requests, approvals, comments.
  • Crucially: no face templates and no biometric embeddings ever reach the backend. If you uninstall the HelloTime Attend app, the on-device embedding is destroyed with it.

5. Data location & retention

The HelloTime backend runs on a single-region production deployment, with Postgres as the system of record for attendance and timesheets and MongoDB for org configuration, behind a private network and TLS-terminated public endpoints. Encrypted selfie blobs sit in object storage in the same region.

Attendance records are retained for the duration of your employment relationship plus any statutory period your jurisdiction requires (typically 3 years under Indian labour law and the US FLSA, longer in regulated industries). Deleting your account from Settings → Delete Account purges your personal data within 90 days, subject to records your employer is legally obligated to retain.

6. Compliance posture

Because no biometric template leaves the device, the compliance footprint for HelloTime Attend is materially smaller than for a server-side biometric service:

  • India DPDP Act, 2023. See our DPDP notice for the Data Fiduciary, Data Principal rights and grievance officer details.
  • EU GDPR. See our GDPR page for data subject rights and our Data Processing Addendum for enterprise legal teams.
  • Illinois BIPA & US state biometric laws. Because the face template is created and stored on the worker's own device and is not collected, possessed or stored by HelloTime, the BIPA / Texas CUBI / Washington H.B. 1493 obligations that attach to a third-party biometric processor do not apply to the HelloTime backend. Employers using HelloTime Attend are still contractually required to obtain written employee consent before enabling face check-in.

Our legal templates for biometric, geolocation and attendance notices are reviewed in marketing-strategy/hellotime/legal-policy-templates/. Final legal review by external counsel is ongoing for the 2026-08-10 GA.

7. Enterprise biometrics roadmap

Server-side biometric verification — a CompreFace-based verification service that runs the face match inside our infrastructure — is on the v2 roadmap, targeted at regulated industries and very large factory deployments that explicitly require it. It is not a launch dependency for 2026-08-10 GA. We will publish the architecture, the storage and retention model and the legal addendum here before that feature ships.

8. Contact

Security questions, vulnerability reports or enterprise security reviews: email [email protected] with the subject "Security". HelloTime is operated by Meru Fintech.