Privacy Policy

Effective date: 1 June 2026

Soundial Inc. is committed to protecting the privacy of individuals whose personal data we process. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with the Soundial platform, in accordance with Jamaica's Data Protection Act 2020.

1. Who We Are

Soundial Inc. (“Soundial”, “we”, “us”, or “our”) is the data controller for personal data collected directly through our platform, website, and communications. For personal data processed on behalf of our business customers (e.g. employee payroll records), Soundial acts as a data processor and the customer is the data controller.

2. Data We Collect

We collect the following categories of personal data:

Account & Administrator Data

  • Full name, email address, job title
  • Login credentials (passwords are stored as one-way hashed values)
  • IP address, browser user-agent, and login timestamps
  • Two-factor authentication secrets (encrypted at rest)

Employee Data (processed on behalf of customers)

  • Full name, date of birth, gender, national identification (TRN, NIS number)
  • Home address, contact number, email address
  • Employment details: department, position, hire date, contract type
  • Payroll data: basic salary, allowances, deductions, net pay, bank account details
  • Statutory contribution records: PAYE, NIS, NHT, Education Tax
  • Time and attendance records: clock-in/out times, shift assignments, leave balances
  • Biometric identifiers: fingerprint templates and facial recognition data (where the customer has enabled biometric clocking)
  • GPS location data (where the customer has enabled GPS clock-in/out)
  • Documents: employment contracts, identification documents, certificates

Usage & Technical Data

  • Pages visited, features used, session duration
  • Error logs and performance metrics
  • Audit trail of actions taken within the platform

3. How We Use Personal Data

We use personal data for the following purposes:

  • Service delivery — processing payroll, generating statutory reports, managing attendance records, and providing all platform features
  • Statutory compliance — generating TAJ forms (P4, P24, P45) and supporting remittances to TAJ, NIS, NHT, and Education Tax
  • Account management — authenticating users, managing permissions, and communicating service updates
  • Security — detecting and preventing fraud, unauthorised access, and abuse; maintaining audit logs
  • AI features — where enabled by the customer, using anonymised payroll and attendance patterns to power anomaly detection, forecasting, and compliance monitoring
  • Platform improvement — analysing aggregated, anonymised usage data to improve the platform
  • Legal obligations — complying with applicable Jamaican laws and responding to lawful requests from government authorities

4. Biometric and Sensitive Data

Where a customer enables biometric clocking (fingerprint or facial recognition), biometric templates are processed and stored in the customer's dedicated tenant database. Biometric data is:

  • Collected only with the explicit consent of the employee, as required by Jamaican law
  • Used solely for employee identification and attendance verification
  • Encrypted at rest using AES-256 encryption
  • Never shared with third parties for any commercial purpose
  • Deleted upon employee termination or written withdrawal of consent

GPS location data collected through clock-in features is subject to the same restrictions and is only accessible to the authorised administrators of the relevant company account.

5. Data Sharing and Disclosure

We do not sell personal data. We may share personal data with:

  • Authorised company administrators — within the customer's account, in accordance with their assigned role and permissions
  • Service providers — cloud infrastructure providers (e.g. AWS) and communication providers who process data on our behalf under data processing agreements
  • Financial institutions — bank file exports shared with NCB, Scotiabank, JN/CIBC, or ACH networks are generated by the customer and transmitted by or on behalf of the customer
  • Tax authorities — where required by law or at the direction of the customer for statutory filings
  • Legal and regulatory authorities — where required by a valid court order, subpoena, or applicable law

6. Data Retention

We retain personal data for as long as a customer account remains active. Following account termination, Customer Data is retained for a period of 90 days to allow data export, after which it is securely deleted from production systems. Anonymised aggregate data and system audit logs may be retained for up to 7 years for legal and regulatory compliance purposes.

Biometric data is deleted within 30 days of employee termination or upon written request.

7. Data Security

We employ industry-standard security measures including:

  • AES-256 encryption for data at rest
  • TLS 1.3 for all data in transit
  • Multi-factor authentication (MFA) for platform administrators
  • Role-based access controls and least-privilege principles
  • Tenant database isolation — each customer's data is stored in a dedicated database
  • Automated backups with point-in-time recovery
  • IP-based rate limiting and account lockout policies
  • Comprehensive audit logging of all data access and changes

Despite these measures, no system is completely secure. In the event of a data breach affecting your personal data, we will notify affected parties as required by the Data Protection Act 2020.

8. Your Rights

Under Jamaica's Data Protection Act 2020, you (and employees whose data we process) have the following rights:

  • Right of access — to obtain a copy of personal data we hold about you
  • Right to rectification — to have inaccurate data corrected
  • Right to erasure — to request deletion of personal data in certain circumstances
  • Right to restrict processing — to limit how we use your data in certain circumstances
  • Right to data portability — to receive your data in a structured, machine-readable format
  • Right to object — to object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent (e.g. biometric data)

To exercise any of these rights, or to make a complaint, please contact our privacy team at [email protected]. We will respond within 30 days.

9. Cookies and Tracking

Soundial uses essential session cookies necessary for authentication and platform operation. We do not use third-party advertising or tracking cookies. Where analytics are used, data is anonymised and aggregated before processing.

10. International Transfers

Personal data may be stored or processed on servers located outside of Jamaica (including in the United States via AWS infrastructure). Where such transfers occur, we ensure appropriate safeguards are in place, including standard contractual clauses and data processing agreements with sub-processors.

11. Children's Privacy

The Soundial platform is intended for use by businesses and their adult employees. We do not knowingly collect personal data from individuals under 18 years of age in connection with the use of the platform itself.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent in-platform notice at least 14 days before the changes take effect. The current version will always be available at soundial.net/privacy.

13. Contact Us

For privacy-related enquiries, requests, or complaints:

Data Privacy Officer — Soundial Inc.
Montego Bay, Jamaica
Website: soundial.net
Email: [email protected]

You also have the right to lodge a complaint with the Office of the Information Commissioner of Jamaica if you believe your data protection rights have been violated.

© 2026 Soundial Inc.