Back to Home

Privacy Policy for UHere Account

Last Updated: April 2, 2026

Introduction

UHere Pte. Ltd. ("UHere," "we," "us," or "our") provides the UHere Account authentication service for QRPunch and related applications. We are committed to protecting your privacy and collecting only the minimum data necessary to provide our services.

This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

Information We Collect

Account Information (Required) When you create a UHere Account, we collect: email address (used for account identification, authentication, and account recovery), authentication method (whether you signed in using email/password or OAuth via Google/Microsoft), and account verification status (whether your email has been verified).

Authentication Data For email/password accounts: a bcrypt-encrypted password hash stored locally on your device for offline authentication, and email verification status. For OAuth accounts (Google/Microsoft): OAuth provider identifier, OAuth tokens (temporary, used only for authentication), and provider account linking status.

Technical Data Last Online Sync: timestamp of your last online authentication, used to manage the offline grace period.

Data We Do NOT Collect

We believe in data minimalism. We explicitly do NOT collect: phone numbers, physical addresses, payment information (handled directly by Stripe), browsing history, usage analytics or telemetry, device tracking beyond license activation, biometric data, contact lists or social connections, or location data.

How We Use Your Information

We use your information solely for:

1. Authentication: verifying your identity when you sign in. 2. Account Management: allowing you to manage your account settings. 3. Offline Access: enabling offline authentication for up to 30 days. 4. Security: detecting unauthorized access and protecting your account. 5. Support: responding to your support requests. 6. Legal Compliance: complying with applicable laws and regulations.

Data Storage and Security

Local Storage For offline authentication, some data is stored locally on your device: a bcrypt-encrypted password hash (email/password accounts only) and your email address (for local verification). OAuth accounts (Google/Microsoft) do not store a local password hash and do not support offline authentication.

Your password is NEVER transmitted or stored in plain text.

Cloud Storage Minimal data is stored with our service providers: Firebase Authentication (Google) stores your email, Firebase UID, and authentication state.

Security Measures Password hashing: bcrypt with 12 rounds. CSRF protection: state parameter validation for OAuth flows. Rate limiting: protection against brute-force attacks on the OAuth callback server. Session timeout: automatic logout after inactivity. Secure communication: HTTPS for all external API calls. Local session storage: session data is never transmitted externally.

Data Sharing

We do NOT sell, rent, or trade your personal information.

We share data only with: 1. Firebase Authentication (Google): for online authentication. 2. OAuth Providers (Google/Microsoft): only during the OAuth sign-in flow. 3. Legal Authorities: when required by law or to protect our rights. 4. UHere SecurePunch API (internal service): for QR card generation and delivery to employee emails and the SecurePunch mobile app. 5. NTP Servers: for time synchronization (timestamps only, no personal data). 6. Password Recovery Service (UHere): for password reset functionality (email/password accounts only).

All third-party services are bound by their own privacy policies and GDPR compliance.

Data Retention

Active accounts: data retained as long as your account is active. Deleted accounts: admin records preserved for audit trail (email only; authentication data deleted). Session history: retained for security audit purposes.

Application-Specific Data

UHere Account handles only authentication data. Additional data (such as employee records, attendance data, and event entries) is collected and stored by individual applications. Please refer to each application's Privacy Policy:

QRPunch Privacy Policy: https://qrpunch.uhere.co/privacy SecurePunch Privacy Policy: https://securepunch.uhere.co/privacy-policy

Your Rights

You have the right to: - Access: request a copy of your data. - Correction: update incorrect information. - Deletion: delete your UHere Account (admin records preserved for audit). - Export: download your account data. - Object: object to data processing (may limit service functionality). - Withdraw Consent: unlink OAuth providers or delete your account.

To exercise your rights, contact us at: privacy@uhere.co

Children's Privacy

UHere Account is designed for business use by adults. We do not knowingly collect information from children under 13 (or the applicable age in your jurisdiction). If we discover we have collected such information, we will delete it promptly.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place through:

Firebase: Google's global infrastructure with GDPR compliance. Stripe: PCI DSS compliant payment processing. Standard Contractual Clauses: for data transfers outside the EU/EEA.

Changes to This Policy

We may update this Privacy Policy occasionally. Changes will be indicated by an updated "Last Updated" date at the top, in-app notification (for material changes), and email notification (for significant changes).

Continued use after changes constitutes acceptance.

Contact Us

For privacy questions or concerns: Email: privacy@uhere.co Website: https://uhere.co

Compliance

We comply with: - Singapore Personal Data Protection Act (PDPA): as a Singapore-based company. - General Data Protection Regulation (GDPR): for EU/EEA users. - California Consumer Privacy Act (CCPA): for California users. - Other applicable data protection laws.

Singapore PDPA Compliance As a Singapore company, we adhere to the Personal Data Protection Act 2012: consent (obtained before collecting personal data), purpose limitation (data used only for stated purposes), notification (clear disclosure of collection and use), access and correction rights, accuracy (reasonable steps to ensure data accuracy), protection (reasonable security arrangements), retention limitation (data retained only as long as necessary), transfer limitation (overseas transfers via Firebase and Stripe comply with PDPA), and data breach notification (affected individuals and PDPC notified of significant breaches).

Data Protection Officer: for PDPA-related inquiries, contact dpo@uhere.co

Third-Party Services

Firebase Authentication (Google) Purpose: online authentication. Data shared: email, Firebase UID, authentication state. Privacy policy: https://firebase.google.com/support/privacy

OAuth Providers Google OAuth: https://policies.google.com/privacy Microsoft OAuth: https://privacy.microsoft.com/privacystatement

UHere SecurePunch API (Internal Service) Purpose: QR card generation and delivery to employee emails and the SecurePunch mobile app. Data shared: employee name, email, card ID, role, company name, secure key. Transmission method: email delivery to employees.

NTP Time Servers Purpose: time synchronization for accurate attendance timestamps. Servers used: pool.ntp.org, time.google.com, time.cloudflare.com, time.windows.com, time.aws.com. Data shared: none (NTP protocol transmits timestamps only). Frequency: sync every 5 minutes.