An employee check-in and payroll ecosystem for small and medium businesses, built to run entirely on your own devices. The boss's phone holds the data and computes the payroll; kiosks record check-ins; workers see payslips and chat on their own phones; and a web dashboard (Office Web) is served by the boss's phone to any browser on the same network.
It was built for the Bulgarian market first (Bulgarian payroll conventions and language, with English included) — but the architecture is universal.
Really. There is no server to buy, no cloud account to create, and the system is fully functional with zero internet connectivity. Devices discover each other on your WiFi automatically and sync directly, device-to-device.
Only two online services exist, and neither carries your business data: license activation (used once per device) and the optional internet relay (only if you enable internet mode — and even then it forwards sealed ciphertext it cannot read).
Minimum: one Android phone for the boss. That alone gives you employees, check-in records, payroll, reports and Office Web. Add as you grow:
An iOS worker app is in development.
No — the boss can delegate the chores to helper roles and never do tech support:
The apps are Bulgarian-first with English included. This website is in English.
The worker opens their app and taps Start or Finish. The app renders a short-lived QR code carrying a digitally signed token — who they are, what they intend (start/finish), and when. The kiosk's camera scans it and verifies the signature locally, on the spot. Green means started, red means finished, and the record lands in payroll immediately. No internet is involved at any step.
The worker simply taps their phone on the kiosk (~4 cm range). The kiosk issues a one-time challenge and the worker's phone answers with a signed response bound to that exact challenge — so it cannot be replayed, photographed, or forwarded to a friend.
Two practical perks: it's faster than aiming a camera, and the kiosk works while locked, even with the screen off — a phone in a drawer becomes a check-in terminal. You choose QR or NFC per kiosk; devices without NFC hardware use the QR path.
We recommend NFC wherever the hardware allows it: it's faster (a tap instead of aiming a camera), it can't be photographed or replayed, and the kiosk keeps working locked with its screen off. For best compatibility, use an Android 12 or newer phone or tablet as the NFC kiosk.
Worth knowing: some competitors also say “NFC”, but they typically mean a passive tag stuck on a wall or a badge card on a dedicated reader — a tag identifies a place, can be cloned, and proves nothing about who tapped it. As far as we know, BossCheckin is the only attendance app where both ends are ordinary phones: every check-in is a live, single-use cryptographic exchange between the worker's phone and the kiosk phone.
QR is the universal fallback — it works on any device with a camera and a screen, and you can mix methods per kiosk: NFC at the main entrance, QR at a remote site.
Yes. An integration API lets you connect BossCheckin to an existing access system — an electric door, a gate or a parking barrier — so that a valid, signed check-in triggers it to open. The integration runs on your premises, like everything else. Tell us about your hardware and we'll help you wire it up.
Not realistically. Check-in tokens are signed by the worker's unique device key and verified by the kiosk; NFC adds a challenge-response that requires the actual phone to be physically at the kiosk. A photo or screenshot of a QR expires; a forwarded NFC exchange doesn't validate. The only thing that produces a valid record is the right phone, at the kiosk, at that moment.
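The two checks described above (a short-lived signed QR token, and an NFC response bound to a one-time challenge), as an added example that is not BossCheckin's own code. It shows the general pattern with Node's built-in Ed25519 support; the field names, the 30-second window and the token layout are assumptions.

```javascript
// Added illustration, not BossCheckin code. Field names, the 30-second QR
// lifetime and the token layout are assumptions; sample values are constructed.
const crypto = require('crypto');
const QR_MAX_AGE_MS = 30000; // assumed validity window for a QR token

// Worker phone: sign a check-in payload with the device's Ed25519 private key.
function signToken(privateKey, payload) {
  const body = Buffer.from(JSON.stringify(payload));
  return { body, sig: crypto.sign(null, body, privateKey) };
}

class Kiosk {
  constructor(enrolledKeys) {
    this.keys = enrolledKeys; // workerId -> public key, learned at pairing
    this.pending = new Set(); // challenges issued and not yet answered
  }
  issueChallenge() {
    const c = crypto.randomBytes(16).toString('hex');
    this.pending.add(c);
    return c;
  }
  verifySigned({ body, sig }) { // shared by both paths; payload or null
    let p;
    try { p = JSON.parse(body.toString()); } catch (e) { return null; }
    const key = p && this.keys.get(p.worker);
    return key && crypto.verify(null, body, key, sig) ? p : null;
  }
  acceptQr(token, now) {
    const p = this.verifySigned(token);
    if (!p) return 'bad-signature';
    return Number.isFinite(p.ts) && Math.abs(now - p.ts) <= QR_MAX_AGE_MS ? 'ok' : 'expired';
  }
  acceptNfc(token) {
    const p = this.verifySigned(token);
    if (!p) return 'bad-signature';
    // Set.delete() is true only the first time, so a replayed answer fails.
    return this.pending.delete(p.challenge) ? 'ok' : 'unknown-or-used-challenge';
  }
}

function demoCheckin() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const kiosk = new Kiosk(new Map([['w1', publicKey]]));
  const t0 = 1700000000000; // constructed timestamp
  const qr = signToken(privateKey, { worker: 'w1', intent: 'start', ts: t0 });
  const nfc = signToken(privateKey, { worker: 'w1', intent: 'start', challenge: kiosk.issueChallenge() });
  return [kiosk.acceptQr(qr, t0 + 5000), kiosk.acceptQr(qr, t0 + 120000),
    kiosk.acceptNfc(nfc), kiosk.acceptNfc(nfc)];
}
```

In this sketch the timestamp check only narrows reuse of a QR token to its validity window, while the challenge check refuses any second use outright.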
Yes — each worker has a live calendar showing today's start/finish as it happens, plus their full month and payslip. Unfinished shifts are flagged, so “I forgot to check out” gets noticed the same day, not at month's end.
On your devices and nowhere else. The boss's phone is the source of truth — an SQLCipher-encrypted database plus an encrypted vault for photos and documents. Kiosks and worker phones hold their own encrypted slices. The developer operates no server that stores your business content.
You restore from your encrypted backups. Three independent options exist: backup kiosks (devices you designate that quietly mirror the encrypted history on your premises), courier phones that carry encrypted backups between your sites, and incremental backups to your own Google Drive. You can designate an unlimited number of backup kiosks and couriers across your locations. On a new phone you enter your 12-word recovery phrase, re-pair, and records, photos and documents come back.
Guard the phrase. It is the cryptographic root of your data. We never see it and cannot reset it — that's precisely why nobody else can read your data either.
No. All device-to-device traffic is sealed end-to-end with libsodium; chat is additionally sealed per message and per photo. The relay and Cloudflare see ciphertext frames with routing metadata (which tenant, what size, when) — never content. Records themselves are Ed25519-signed in an append-only chain, so tampering is detectable.
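How a signed append-only chain makes tampering detectable, as an added example that is not BossCheckin's own code. The entry layout (seq, prev, data) and the use of SHA-256 to link entries are assumptions; the records are constructed.

```javascript
// Added illustration, not BossCheckin code. The entry layout and the SHA-256
// link are assumptions made for this sketch; sample records are constructed.
const crypto = require('crypto');

const GENESIS = '0'.repeat(64);
const entryHash = (e) => crypto.createHash('sha256').update(e.body).update(e.sig).digest('hex');

// Append a record that commits to the previous entry, then sign it.
function append(chain, privateKey, data) {
  const prev = chain.length ? entryHash(chain[chain.length - 1]) : GENESIS;
  const body = Buffer.from(JSON.stringify({ seq: chain.length, prev, data }));
  chain.push({ body, sig: crypto.sign(null, body, privateKey) });
}

// Returns -1 if the chain is intact, else the index of the first bad entry.
function firstBadEntry(chain, publicKey) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (!crypto.verify(null, e.body, publicKey, e.sig)) return i; // edited
    const { seq, prev: link } = JSON.parse(e.body.toString());
    if (seq !== i || link !== prev) return i; // removed or reordered
    prev = entryHash(e);
  }
  return -1;
}

function demoChain() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const chain = [];
  for (const d of ['w1 start 08:00', 'w1 finish 16:00', 'w2 start 09:00']) append(chain, privateKey, d);
  // Edit a record in place: its signature no longer matches the body.
  const edited = chain.slice();
  edited[1] = { body: Buffer.from(chain[1].body.toString().replace('16:00', '18:00')), sig: chain[1].sig };
  // Drop a record: every signature is still valid, but the links break.
  const dropped = [chain[0], chain[2]];
  return {
    intact: firstBadEntry(chain, publicKey),
    edited: firstBadEntry(edited, publicKey),
    dropped: firstBadEntry(dropped, publicKey),
  };
}
```

This check alone does not notice the newest entries being cut off the end; catching that requires the latest entry hash to be held somewhere else as well.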
No. Chat is deliberately split into three separate spaces with different privacy rules:
Workers get a genuinely private space; the business keeps its official paper trail. Both, without compromise.
Worth knowing: a few competing apps also promise that admins can't read workers' private chats — but as a vendor policy, applied to messages stored readable in the vendor's cloud (and in some products the account owner can export every worker's private messages). As far as we know, BossCheckin is the only workforce app where that promise is cryptography, not policy: colleague messages are end-to-end encrypted, so nobody can read them — including us. As of June 2026, none of the leading workforce apps we surveyed offers end-to-end encryption for messages.
It's GDPR-friendly by architecture: data minimisation isn't a policy, it's physics — your employees' data simply never reaches third parties. On top of that:
Kiosks hold encrypted data and run in a locked-down dedicated mode that can't be exited without the owner's PIN. A stolen kiosk can be unpaired by the boss, and the encrypted archive on it is unreadable without the owner's keys.
The boss's phone runs a small embedded HTTPS web server. Any laptop or tablet on the same WiFi opens the phone's local address and gets the full dashboard — the “website” travels a few metres across the room, not across the internet. Unplug the router from the world and it still works.
Pretty much everything, comfortably: manage employees and sites, enter days and payments in bulk, see check-ins, review absences and paid leave, chat with workers (with photos), upload employee documents with expiry dates, build reports, restore from the recycle bin, and tune settings — including GDPR retention.
Yes. Create a restricted account that only sees Reports. The accountant gets monthly payroll, payments, absences and leave-balance reports, with named report templates and one-click CSV export formatted to open cleanly in spreadsheet software.
An opt-in, read-only endpoint on Office Web that speaks the standard Model Context Protocol (MCP). If you enable it and mint an access token, an AI assistant you run can answer questions over the sections you grant — sites, employees, money summaries, leave, reports. It's off by default, token-protected, read-only, and chat messages are never exposed. The app itself sends nothing to any AI provider.
Two things make this different from the “AI features” others advertise. First, where the data lives: a few cloud suites have started shipping MCP endpoints too, but theirs run in the vendor's cloud, against the vendor's copy of your data. BossCheckin's MCP endpoint runs on your own phone — to our knowledge, the only workforce app where AI access involves no vendor cloud at all. Second, because MCP is an open standard, the AI you connect can be fully local — a model running on your own computer — so even your questions about the business never leave the building.
Each site runs its own kiosk(s). When kiosks share a network with the boss's phone they sync directly; kiosks also relay colleague chat between each other. For sites the boss rarely visits, you can enable internet mode — or use a courier phone that physically carries encrypted data between locations. A remote mountain site with zero coverage is a supported scenario, not an error message.
Devices that can't reach each other locally start syncing through a relay server — payslips, chat, the works — as end-to-end sealed frames. Messages and data sync have separate switches, so you can allow chat over the internet while keeping payroll sync strictly local. Check-ins themselves remain a physical act at the kiosk. Flip everything off and you're back to pure LAN, nothing lost.
No. Checking in works at the kiosk with no connectivity at all. Payslips and chat sync whenever the worker's phone shares WiFi with the office. A data plan only matters if you enable internet mode and the worker is away from the office network.
With activation keys: €10 per employee, one-time — a key activates one device, once, and that device then serves for years. There's no monthly fee, because there's no cloud doing your work: a 10-person team costs about €100 total, while a typical cloud suite runs ~$2,160 for the same team over three years — making BossCheckin ≈95% cheaper (see the pricing math on the home page). Moving to a new device requires a new key — keys are bound to device identity as part of the security model. For key packs, get in touch.
A new phone is a new device, so it needs a new activation key (keys are bound to device identity — that's part of the security model). The good news: the boss doesn't have to deal with any of it. The Key Manager role exists exactly for this — a person you trust activates the worker's new phone, and the worker's payslips and calendar re-sync automatically from the office.
The activation is bound to the device's cryptographic identity, which lives in the app's data. That means it is lost on a factory reset or if you clear the app's data — those destroy the identity, and a new key is needed. Simply reinstalling or updating the app does not lose the activation.
Note the distinction: your business data is a separate matter — that comes back from your encrypted backups with the 12-word recovery phrase. The activation key is the one thing a reset consumes, so don't wipe a working device casually.
Install the boss app, activate it, add your employees. Pair a kiosk by scanning a QR code between the two devices. Workers install the worker app and activate with a QR from the boss. From zero to first real check-in is minutes, not a consulting engagement.
In development — the worker app is being ported to iOS, including push-based wake-ups that preserve the end-to-end encryption (the push itself carries no content). The boss and kiosk roles are Android.
Nothing dramatic — it's on your devices, and the app keeps working offline regardless of anyone's servers. Export what you need (reports/CSV), keep your backups, and uninstall when you're done. Your data was never hostage to a subscription.
By design, Office Web is local-network only — it is never exposed to the public internet, which is exactly why there's no web server for a stranger to attack. For most needs you don't need remote panel access at all: workers' payslips and chat already sync from anywhere through the encrypted relay, and you can hand an accountant reports/CSV.
If you specifically want the panel from afar and you're comfortable with a bit of setup, you can run your own VPN (e.g. WireGuard or Tailscale) on the boss's phone and on the device you'll view from. The panel then travels over your private tunnel — nothing is opened to the internet, and the app doesn't even need to know about it. One caveat: a point-to-point tunnel reaches only the device you connect, not the whole office network (an Android device can't route traffic for others). This is an advanced, do-it-yourself option — BossCheckin neither requires nor bundles a VPN.
The app has a temporary kiosk mode you can turn on from the phone for casual use. But a true, permanent kiosk — the kind a worker genuinely can't exit, browse or uninstall — uses Android's Device Owner mode, and that can only be set on a freshly reset device, over a USB cable via ADB (the standard Android adb shell dpm set-device-owner provisioning), not from inside the app. Android deliberately forbids an app from promoting itself to Device Owner once the device has accounts on it — that restriction is a security feature, not a limitation of ours.
In practice: take a cheap spare Android tablet/phone, factory-reset it, connect it to a computer, and provision it as a kiosk with one ADB command (we provide the exact steps on setup). After that it's a sealed, wall-mountable check-in terminal.