GDPR COMPLIANCE

GDPR Compliance

Last updated: July 11, 2026

1. Our commitment

ClockTrue is operated by Examin AI Inc., 447 Broadway, 2nd Floor, #2874, New York, NY 10013, United States. ClockTrue processes attendance and biometric data for workforces in the EU and beyond, so the General Data Protection Regulation (GDPR) is central to how the product is designed and operated. This page summarizes how we support your GDPR obligations. It complements our Privacy Policy and Terms of Service.

2. Controller and processor roles

When your company uses ClockTrue for its employees, your company is the data controller and Examin AI acts as a data processor under Article 28 GDPR. We process employee data only on your documented instructions. For data we collect directly, such as website visits and administrator accounts, Examin AI is the controller.

3. Data Processing Agreement

We offer a Data Processing Agreement (DPA) that incorporates the requirements of Article 28 GDPR, including confidentiality commitments, security measures, subprocessor rules, and audit support. Write to contact@examin.ai to receive and sign the DPA.

4. Legal bases and biometric data

Biometric data used to identify a person is a special category of personal data under Article 9 GDPR. As controller, you must establish a valid basis before enrolling employees, typically explicit consent under Article 9(2)(a) or a provision of national employment law. ClockTrue supports this with informed, consent-based enrollment and the ability to remove or re-enroll an employee at any time.

5. Data subject rights

We support controllers in answering requests under Articles 15 to 21: access, rectification, erasure, restriction, portability, and objection. Attendance data can be exported in machine-readable formats, and an employee's biometric template can be deleted at any time. Employees should address requests to their employer first; we assist promptly.

6. Privacy by design and minimization

ClockTrue follows Article 25 by default: faces are stored as encrypted mathematical templates rather than photographs, matching happens on the clocking device, retention periods are configurable, and reports contain only the data HR actually needs.

7. Security

In line with Article 32 we use encryption in transit and at rest, role-based access controls, logging, and periodic security reviews. Biometric templates receive our highest level of protection.

8. Subprocessors

We use a small number of vetted subprocessors, such as cloud hosting providers, bound by contracts that impose equivalent data protection obligations. A current list is available on request, and we give notice before adding or replacing subprocessors.

9. International transfers

Examin AI is based in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Article 46, in particular the European Commission's Standard Contractual Clauses.

10. Breach notification

If a personal data breach affects your data, we notify you without undue delay and provide the information you need to meet your own obligations under Articles 33 and 34.

11. Retention and deletion

We keep personal data only as long as your retention settings and instructions require. On termination of the contract, data is available for export for 30 days and then deleted or anonymized, unless the law requires otherwise.

12. Questions and complaints

For GDPR questions, write to contact@examin.ai or call +40 750 270 818. You can also lodge a complaint with your local supervisory authority; for Romania that is ANSPDCP (dataprotection.ro).