1. Data Controller vs. Data Processor

Under GDPR and DPDP, your employer is the Data Controller who determines the purposes and means of processing your personal data. Attenzo acts as the Data Processor, providing the software and infrastructure to process data on behalf of your employer in accordance with their instructions.

2. Legal Basis for Processing

The processing of your data by Attenzo is based on the legal grounds established by your employer, which typically include:

• **Performance of a Contract**: To track your hours and calculate payroll.
• **Consent**: For the processing of biometric descriptors (where required by local law).
• **Legitimate Interests**: To prevent fraud and ensure workplace security.

3. Data Subject Rights

We are committed to helping your employer fulfill your rights under data protection laws. You may have the right to:

• **Access**: Request a copy of the data we process about you.
• **Rectification**: Request correction of inaccurate data.
• **Erasure**: Request deletion of your data when no longer needed.
• **Portability**: Receive your data in a structured, machine-readable format.

To exercise these rights, please contact your employer's HR or data protection officer.

4. Data Minimization

We enforce data minimization principles by only collecting and processing the data strictly necessary for attendance and payroll verification. We do not store raw photos, and location data is only captured at the moment of check-in/out.