The short version. BossCheckin was deliberately built so that your business data — employees, salaries, check-ins, photos, documents, messages — lives encrypted on your own devices and is processed there. We operate no server that stores or can read your business content. The few online services we do run (license activation, an optional traffic relay) handle only technical and licensing data, never your content. We use no advertising and no analytics SDKs, and we sell nothing about you, because we hold nothing about you to sell.
SECTION 01 Who does what (roles)
BossCheckin is a tool used by employers to manage their workforce. Three parties matter:
- The employer (“the owner”, “the boss”) — installs the app, enters and controls all business data. For employee personal data processed in the apps, the employer is the data controller in the sense of the EU General Data Protection Regulation (GDPR).
- Employees (“workers”) — use the worker app on their own phones to check in, view payslips and chat. Questions about how your data is used at work go first to your employer (see Section 9).
- The developer (“we”) — provides the software, the license activation service and the optional relay. We are not a processor of your business content: the architecture denies us access to it. We cannot read, restore, or hand over data we never receive.
SECTION 02 Data the apps handle — on your devices
The following categories exist inside the apps, on the employer's and employees' own devices. Listing them here is for transparency; none of them are transmitted to the developer.
| Category | Examples |
|---|---|
| Employee records | Names, phone, email, work site, salary and pay history, worked days/hours, check-in and check-out events, absences, paid leave and sick days, bonuses and deductions, payments, internal manager notes and ratings. |
| Photos | Employee profile photos (set by the employer or uploaded by the worker themselves), receipt/expense photos, photos sent in chat, small colleague-avatar thumbnails distributed to same-site colleagues. |
| Employee documents | Scans or PDFs the employer attaches to an employee (e.g. driving licence, ID), with an expiry date and comment. These are sensitive identity documents and are treated with the strictest retention rules (see Section 8). |
| Messages | Chat between the office and workers, between managers, and between colleagues — text and photos, with delivery/read receipts. These spaces have different visibility: office↔worker chat is part of the business records the employer controls (including backups); colleague (worker↔worker) chat is end-to-end encrypted between the participants only — devices that relay it carry sealed bytes, it is not readable by the employer and is not included in office backups. |
| Technical identifiers | Cryptographic device identities and public keys used for pairing, signing and encryption; license/activation state. |
SECTION 03 Where it is stored
- The employer's phone is the source of truth. The database is encrypted at rest with SQLCipher, and photos/documents live in an additionally encrypted, content-addressed vault.
- Kiosks (check-in terminals) hold an encrypted copy of what they need to operate, and optionally an encrypted backup archive if designated as a backup device. Any number of kiosks and courier devices may be designated as backups; their archives are sealed with the owner's keys — a kiosk or courier cannot read the backup it carries.
- Worker phones hold the worker's own data — their payslips, calendar, messages — also in an encrypted database.
- The developer's infrastructure holds none of the above. There is no server-side copy of your business content, full stop.
Every record in the system is digitally signed (Ed25519) in an append-only history, so tampering is detectable by the devices themselves.
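As an added illustration (not the app's own code), this shows how a device can detect tampering in a signed append-only history of the kind described above, using Go's standard Ed25519: each record commits to the hash of its predecessor and is signed over that link plus its payload. The record layout and the sample check-in events are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is one entry of the append-only history: it commits to the
// previous record's hash and carries an Ed25519 signature over both fields.
type Record struct {
	PrevHash  [32]byte
	Payload   []byte
	Signature []byte
}

// signedBytes is the exact message the device signs: prev hash || payload.
func signedBytes(prev [32]byte, payload []byte) []byte {
	return append(append([]byte{}, prev[:]...), payload...)
}

// recordHash identifies a record by hashing the signed bytes plus the signature.
func recordHash(r Record) [32]byte {
	return sha256.Sum256(append(signedBytes(r.PrevHash, r.Payload), r.Signature...))
}

// Append creates the next record, chaining it to the current tail.
func Append(history []Record, priv ed25519.PrivateKey, payload []byte) []Record {
	var prev [32]byte // all-zero link for the first record
	if n := len(history); n > 0 {
		prev = recordHash(history[n-1])
	}
	sig := ed25519.Sign(priv, signedBytes(prev, payload))
	return append(history, Record{PrevHash: prev, Payload: payload, Signature: sig})
}

// Verify walks the chain and returns the index of the first record whose
// link or signature does not check out, or -1 when the history is intact.
func Verify(history []Record, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, r := range history {
		if r.PrevHash != prev || !ed25519.Verify(pub, signedBytes(r.PrevHash, r.Payload), r.Signature) {
			return i
		}
		prev = recordHash(r)
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var h []Record
	for _, ev := range []string{"checkin worker=7 site=A", "checkout worker=7 site=A", "bonus worker=7 amount=50"} {
		h = Append(h, priv, []byte(ev)) // constructed sample events
	}
	fmt.Println("intact, first bad index:", Verify(h, pub))
	h[2].Payload = []byte("bonus worker=7 amount=5000") // simulate editing a stored record
	fmt.Println("tampered, first bad index:", Verify(h, pub))
}
```

Modification, reordering and insertion break either a signature or a hash link, but silently dropping the newest records does not, so a verifying device also has to remember the hash of the last record it accepted.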
SECTION 04 How data moves between devices
- Local network (default): devices discover each other on the employer's WiFi/LAN and exchange data directly, sealed end-to-end with libsodium (X25519 key agreement + authenticated encryption). Chat content is additionally sealed per message and per photo.
- Optional internet relay: if the employer enables internet mode, devices that can't reach each other locally connect outbound to relay.bosscheckin.com and exchange the same sealed frames through it. The relay is a blind forwarder — see Section 5.
- Optional Google Drive backup: the employer may enable incremental backups to their own Google Drive account. What is uploaded is the already-encrypted history and vault — Google stores ciphertext.
- Courier device: a phone may physically carry encrypted data between sites with no network at all. The courier device cannot read what it carries.
- Optional access-hardware integration: if the employer connects BossCheckin to an on-premises access system (an electric door, gate or barrier) via the integration API, valid check-in events trigger that local hardware. This is a local integration on the employer's premises — it sends no data to us or to any third party.
SECTION 05 What our servers actually see
We operate exactly two production services, and this is the complete list of what they process:
| Service | Processes | Does NOT process |
|---|---|---|
| License activation (activation.bosscheckin.com) | License keys, the owner's public key (business identifier), activated device identifiers, timestamps — the minimum needed to issue and account for licenses. Kept for license bookkeeping. | Any business content. No names, no salaries, no messages, no photos. |
| Internet relay, optional (relay.bosscheckin.com) | Transient routing metadata: which tenant (an opaque identifier), which device endpoints are connected, frame sizes and timestamps. Standard connection logs (IP addresses) exist transiently at the network layer. | Content — frames are end-to-end encrypted and the relay has no keys. The relay does not persist your traffic; it forwards and forgets. |
| Automatic TLS certificate, optional (activation.bosscheckin.com) | If the owner turns on the automatic certificate, the phone sends a certificate-signing request (no private key — that never leaves the phone) and the owner's public key, and publishes the phone's local network (LAN) IP address as a public DNS record so browsers on the office network can reach it over real HTTPS. We obtain a standard Let's Encrypt certificate on the owner's behalf. | The private key (stays on the phone), and any business content. The published LAN IP is a private-range address (e.g. 10.x / 192.168.x) that is meaningless outside the office network. |
The automatic certificate is off by default — the manual, self-signed option (you install the certificate once) is always available and exposes nothing externally. Auto mode needs internet only when issuing or renewing (about every two months); day-to-day operation stays offline either way.
A future “wake-up push” feature (so a sleeping phone can be notified to come fetch its encrypted data) will additionally store device push tokens. Push notifications themselves are content-free — they say “wake up”, never what's waiting.
We use no analytics, no advertising SDKs, no crash-reporting that exfiltrates your data, and no trackers — in the apps or on this website.
SECTION 06 Device permissions and why they exist
| Permission | Used for |
|---|---|
| Camera | Scanning check-in and pairing QR codes; taking photos the employer chooses to attach (e.g. receipts). Activation scans process the code on-device; no image is collected or stored from scanning. |
| NFC | Tap-to-check-in: the kiosk and the worker's phone exchange a signed, single-use token over a ~4 cm radio link. Entirely offline; nothing is sent to the internet. |
| Location (worker app only) | Used solely to detect a courier hotspot network in the foreground. Location is never tracked in the background, never stored, never shared, and is not used on the employer's app at all. |
| Notifications | Message notifications, document-expiry reminders, and the persistent notification Android requires for long-running connections. |
| Network / WiFi state | Discovering your own devices on the local network and keeping device-to-device connections alive (foreground services of the “connected device” type). |
| Device admin (kiosk only) | Locking a dedicated kiosk device into check-in-terminal mode so it can't be misused. Only on devices the employer explicitly provisions as kiosks. |
SECTION 07 Optional AI access (MCP)
The employer may enable a read-only endpoint on their own phone's Office Web server (standard MCP protocol) so that an AI assistant the employer runs can read the business sections the employer explicitly grants (e.g. sites, employees, money summaries, leave, reports). Important properties:
- Off by default. Nothing is exposed unless the employer turns it on and creates an access token.
- Read-only and section-gated. Chat messages are never exposed.
- The app sends nothing to any AI provider. If the employer connects an AI client that forwards data to a provider, that is the employer's own integration outside the app, and the employer is responsible for it.
SECTION 08 Retention & deletion
- The employer controls the data lifecycle. Records can be deleted into a recycle bin (restorable) and purged from there.
- Automatic GDPR retention scrub: the employer sets a retention period for former employees. Once a former employee passes that period, their personal data — photo, phone, email, uploaded identity documents, internal notes — is automatically and permanently erased on the employer's devices and the change propagates to kiosks. Payroll history (amounts, worked time) is retained, because payroll law (BG/EU) requires employers to keep it.
- Backups: encrypted backup copies (the employer's Google Drive, designated backup kiosks) may retain earlier snapshots until they are refreshed or deleted by the employer. They remain encrypted with the employer's keys throughout.
- Our servers: activation records are kept as long as needed for license accounting; relay routing metadata is transient.
SECTION 09 Your rights (especially if you're an employee)
Under the GDPR you have rights of access, rectification, erasure, restriction, portability and objection regarding your personal data.
If you are an employee whose data is in BossCheckin: your employer is the data controller — exercise your rights with them. We, the developer, cannot access, identify, export or delete your data, because it exists only encrypted on your employer's and your own devices. This is a feature: it means nobody outside your workplace can read it either.
If you believe your rights have been infringed, you may lodge a complaint with your supervisory authority — in Bulgaria, the Commission for Personal Data Protection (КЗЛД).
SECTION 10 Third parties — the complete list
| Party | Role | What they can see |
|---|---|---|
| Cloudflare | Network edge for this website and for the optional relay/activation endpoints. | Standard network traffic data (IPs, TLS metadata). Relay traffic through it is end-to-end encrypted ciphertext. |
| Google | Play Store distribution; optional Drive backup (the employer's own account); fonts on this website. | Play: standard install analytics on their side. Drive: encrypted backup blobs only. Fonts: standard web font requests. |
That's the whole list. No data brokers, no advertisers, no “trusted partners”.
SECTION 11 This website
bosscheckin.com is a static site. It sets no cookies, runs no analytics, and contains no tracking pixels. It loads fonts from Google Fonts (a standard request to Google's servers) and is served through Cloudflare, which keeps standard transient connection logs. If you email us, we receive what you send us and use it only to reply.
SECTION 12 Children
BossCheckin is a workforce-management tool for businesses and is not directed at children. We do not knowingly process children's data.
SECTION 13 Changes to this policy
If the apps gain capabilities that change anything described here, this policy will be updated before or together with the release, and the effective date above will change. Substantive changes will be summarised at the top of this page.
SECTION 14 Contact
Privacy questions, data requests, or anything unclear:
[email protected]