BossCheckin is an employee check-in & payroll ecosystem that lives on your own devices. No server to buy, no UPS to babysit, no internet subscription to depend on — and your business data never leaves your phone unless you decide it should.
Others built their products around their servers — so you pay monthly, you depend on their uptime, and your payroll lives in their database. We built BossCheckin the other way around: everything runs on hardware you already own.
The boss's phone is the office: the database, the payroll engine, even the web dashboard all run on it. There's nothing to rack, patch, license or keep on backup power.
POWER CUT? Phones and the kiosk run on batteries — check-ins keep working.
Salaries, check-ins, photos, documents, chat — all stored encrypted on your own devices. We keep no copy. There is no central database of your business to hack, subpoena or leak.
WE COULDN'T READ YOUR PAYROLL EVEN IF WE WANTED TO.
Devices find each other on your WiFi automatically. Want remote workers or reports from the beach? Flip on internet mode — sync travels through a relay as sealed ciphertext. Flip it off; everything still works.
THE RELAY SEES: ciphertext. THE RELAY READS: nothing.
A cloud is just three things: a server that's always on, one home for your data, and sync between devices. You get all three — except the server is the phone in your pocket, not a stranger's datacenter you pay for forever.
Their servers, their copy of your data, their invoice every month.
Your phone, your only copy, one payment and it's yours.
All the convenience of the cloud. None of the rent, none of the public attack surface.
Every check-in is a cryptographically signed, single-use token verified right there on the kiosk — no internet round-trip, no buddy-punching, no photographed QR codes.
WORKS ON ANY DEVICE WITH A CAMERA AND A SCREEN
BEST WITH AN ANDROID 12+ PHONE OR TABLET AS THE KIOSK
You pick the method per kiosk — we recommend NFC. It's faster, can't be photographed, and the kiosk keeps working locked with the screen off; for best compatibility use an Android 12 or newer phone or tablet as the kiosk. Both methods carry the same Ed25519-signed token and both are verified locally — a worker physically present is the only thing that produces a valid check-in. Devices without NFC simply use the QR path.
As far as we know, we're the only attendance app doing phone-to-phone NFC. Elsewhere “NFC” typically means a passive tag stuck on a wall or a badge card on a dedicated reader — a tag marks a place, can be cloned, and proves nothing about who tapped it. With BossCheckin both ends are ordinary phones, and every tap is a live cryptographic exchange: a signed, single-use token. Nothing static, nothing cloneable, no extra hardware to buy.
It can open your door, gate or barrier too. An integration API connects BossCheckin to your existing access hardware — a valid check-in can trigger an electric door, a gate or a parking barrier to open, right there on your premises. Ask us about your hardware →
Your phone quietly runs a tiny encrypted web server. Open its address in any browser on the office WiFi and you get a complete back office — with the internet cable unplugged.
The whole office in a tab. Employees, sites, check-ins, payments, absences, leave, chat, photos, documents, a recycle bin and settings — manageable from a laptop, in bulk.
Reports your accountant will love. Monthly payroll, payments, absences, leave balances — exported as spreadsheet-ready CSV. Give the accountant a restricted account that sees only Reports.
Delegate the busywork. Helper roles keep the boss out of tech support: a Key Manager takes care of workers who change phones — activating the new device so the boss never deals with it — and a Maintenance role instantly sees exactly which kiosk is misbehaving and gets it back online the fastest way.
Bring your own AI — even a fully local one. BossCheckin ships a standard MCP endpoint that runs on your own phone. Point your AI assistant at it: Claude, or a model running entirely on your own computer, offline. Where competitors offer AI at all, it lives in their cloud and reads their copy of your data — to our knowledge, BossCheckin is the only workforce app where AI access involves no vendor cloud at all. Opt-in, read-only, token-protected; chat is never exposed.
| Employee | Days | Status | Net |
|---|---|---|---|
| M. Petrova | 11 | In · 08:02 | €1,480 |
| G. Ivanov | 10 | In · 07:55 | €1,720 |
| S. Dimitrov | 9 | Paid leave | €1,350 |
| E. Koleva | 11 | Out · 17:04 | €1,560 |
| N. Hristov | 8 | In · 08:10 | €1,290 |
Each employee sees their payslip and a live calendar of their check-ins — today's start and finish included, not last month's news.
Three separate spaces: office ↔ worker (the official channel — visible to the office team, kept in the business records), office ↔ office (private manager DMs), and worker ↔ worker — end-to-end private between colleagues: not even the boss can read it, and it never lands in the office backup. Photos + Sent → Delivered → Seen everywhere.
Attach ID or licence scans to an employee with an expiry date. Both you and the worker get reminded before it lapses — not after the fine.
Yearly allowance that grows with tenure, half-day precision, and a three-colour calendar: absence, paid leave, sick — payroll adjusts itself.
Turn a cheap tablet into a dedicated check-in terminal, locked to the job — workers can't exit it, browse, or “accidentally” uninstall it.
Kiosks relay chat between each other over the LAN. Sites with zero coverage? A courier phone physically ferries encrypted data between locations.
Three independent restore paths: backup kiosks, courier phones and your own Google Drive — designate as many backup kiosks and couriers as you like. Lost your phone? A 12-word phrase restores everything.
Deleted records can be restored with one tap. Ex-employees' personal data auto-erases after a period you set — while payroll history stays, as the law requires.
Remote worker? Flip the switch: sync flows through a relay as sealed ciphertext the relay cannot read. Messages and sync each get their own toggle.
The one fair worry about a phone-as-server: what if it's lost, stolen or smashed? That's why your data is constantly mirrored — encrypted — to backups you control. A new phone, a 12-word phrase, and everything comes back.
Backup kiosks, a courier phone, and your own Google Drive — as many as you like. Lose the phone, keep the business.
Security isn't a feature here; it's the architecture. The system assumes networks are hostile and middlemen are nosy — and works anyway.
The database is SQLCipher-encrypted and photos & documents live in an encrypted vault — on the boss's phone, the kiosks and every worker's phone.
Every device-to-device channel is sealed with libsodium (X25519 + XSalsa20-Poly1305). Chat is additionally sealed per message and per photo.
Every record is an Ed25519-signed entry in a tamper-evident chain. If anything is altered, the signatures stop matching — quietly editing the books is not a thing.
The optional relay, the kiosks and Cloudflare forward frames they cannot open. Your payroll decrypts in exactly one place: on your devices.
Identity lives in a 12-word recovery phrase only you hold. We can't reset it, recover it — or be compelled to hand over what we never had.
“Others” being the typical cloud workforce suite: a browser login, a monthly invoice, and a quiet dependency on someone else's servers.
| BossCheckin | Others | |
|---|---|---|
| Where your data lives | On your phone, encryptedSQLCipher + encrypted vault, on hardware you own | In their cloudtheir database, their jurisdiction, their breach |
| Internet goes down | Nothing happensoffline is the default mode, not a degraded one | Check-ins stop“couldn't connect — try again later” |
| Servers & infrastructure | Noneno server, no UPS, no NAS, no IT contractor | Their SaaS + your ITand an onboarding call to set it up |
| Extra hardware to buy | Noneany old Android phone or tablet becomes the kiosk — NFC needs no cards, fobs or readers | Terminals, readers, badgesdedicated clocks, plus a card or fob per employee — replaced every time one is lost |
| Power cut at the site | Keeps workingphones and kiosk run on batteries | Router's dead — so is ithope you kept paper timesheets |
| Setup | Minutesinstall two apps, pair them with a QR code, add your people | An IT projectsales demo, onboarding sessions, configuration backlog |
| Worker onboarding | Scan one QRno email, no password, no account to create — or to reset | Email invites + passwordsand the eternal “forgot my password” parade |
| Who can read your payroll | Only youend-to-end encrypted; the vendor holds nothing | You, the vendor, their cloud providerand anyone who breaches any of them |
| Subscription | None — you pay once per device€10 per employee, one-time activation key; nothing renews, ever | Monthly fee, per user, forevertypically $2–12 per user per month, plus base fees — see the math below |
| Faking a check-in | Cryptographically hardsigned single-use tokens; NFC challenge-response can't be replayed or photographed | Photo of a colleague's QRor sharing a PIN — classic |
| NFC check-in | Phone-to-phone, cryptographica live challenge-response with the worker's phone — the only attendance app we know of that does this | Typically a tag on a wall, or a badge + readera tag marks a place, not a person — and can be cloned |
| Watching your workers | Presence, not surveillancea check-in proves the worker was at the kiosk, that moment — no all-day GPS, no geofences, no face scans | Often all-day GPS trackinggeofences, breadcrumb trails and face checks — on the worker's personal phone and battery |
| Workers' private chat | End-to-end encryptedonly the coworkers in the conversation can read it — not the boss, not the kiosk, not the relay, not even us; never in the office backup | Stored readable on the vendor's serversprivacy from the employer is at best a vendor policy — in some products the owner can export every worker's private messages |
| Connecting an AI | Your AI, no vendor cloudMCP endpoint on your own phone — works even with a fully local model on your own computer | Vendor-cloud AI, at besttheir servers, their copy of your data — even when they let you plug an AI in |
| Remote site with no coverage | Fully supportedoffline kiosks + courier phone syncs by visiting | Unsupportedno signal, no product |
| When a worker leaves | GDPR auto-scrub, built inset a retention period once — personal data of ex-employees erases itself; payroll history stays, as the law requires | Your problemmanual cleanup across their cloud, exports and backups — if anyone remembers |
| If the vendor disappears | App keeps working — it's all localyour data was never hostage | Service off, data export “on request”good luck with that |
That's ≈95% less than a typical cloud suite over three years — and the gap only widens, because one-time keys don't renew. By year five it's ~97%.
BossCheckin: €10 per employee, one-time activation key — a worker's device then serves for years. “Others”: the cheapest adequate paid plan with an attendance kiosk across nine mainstream cloud workforce suites, per-user list prices billed annually (June 2026) — roughly $3–13 per user per month effective (typical ≈$6), base fees included where charged. Some vendors offer free tiers with limits (one kiosk, one location, up to 10 users) — fine until you grow, and your data still lives in their cloud either way.
And this is only the beginning. BossCheckin is in active development — new capabilities ship steadily, so expect this table to keep growing in one direction.
BossCheckin is rolling out now. Tell us about your business and we'll get you set up — it takes two apps and one QR code.