Last Updated: April 2, 2026
UHere Pte. Ltd. ("UHere," "we," "us," or "our") provides the UHere Account authentication service for QRPunch and related applications. We are committed to protecting your privacy and collecting only the minimum data necessary to provide our services.
This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
Account Information (Required) When you create a UHere Account, we collect: email address (used for account identification, authentication, and account recovery), authentication method (whether you signed in using email/password or OAuth via Google/Microsoft), and account verification status (whether your email has been verified).
Authentication Data For email/password accounts: a bcrypt-encrypted password hash stored locally on your device for offline authentication, and email verification status. For OAuth accounts (Google/Microsoft): OAuth provider identifier, OAuth tokens (temporary, used only for authentication), and provider account linking status.
Technical Data Last Online Sync: timestamp of your last online authentication, used to manage the offline grace period.
We believe in data minimalism. We explicitly do NOT collect: phone numbers, physical addresses, payment information (handled directly by Stripe), browsing history, usage analytics or telemetry, device tracking beyond license activation, biometric data, contact lists or social connections, or location data.
We use your information solely for:
1. Authentication: verifying your identity when you sign in. 2. Account Management: allowing you to manage your account settings. 3. Offline Access: enabling offline authentication for up to 30 days. 4. Security: detecting unauthorized access and protecting your account. 5. Support: responding to your support requests. 6. Legal Compliance: complying with applicable laws and regulations.
Local Storage For offline authentication, some data is stored locally on your device: a bcrypt-encrypted password hash (email/password accounts only) and your email address (for local verification). OAuth accounts (Google/Microsoft) do not store a local password hash and do not support offline authentication.
Your password is NEVER transmitted or stored in plain text.
Cloud Storage Minimal data is stored with our service providers: Firebase Authentication (Google) stores your email, Firebase UID, and authentication state.
Security Measures Password hashing: bcrypt with 12 rounds. CSRF protection: state parameter validation for OAuth flows. Rate limiting: protection against brute-force attacks on the OAuth callback server. Session timeout: automatic logout after inactivity. Secure communication: HTTPS for all external API calls. Local session storage: session data is never transmitted externally.
We do NOT sell, rent, or trade your personal information.
We share data only with: 1. Firebase Authentication (Google): for online authentication. 2. OAuth Providers (Google/Microsoft): only during the OAuth sign-in flow. 3. Legal Authorities: when required by law or to protect our rights. 4. UHere SecurePunch API (internal service): for QR card generation and delivery to employee emails and the SecurePunch mobile app. 5. NTP Servers: for time synchronization (timestamps only, no personal data). 6. Password Recovery Service (UHere): for password reset functionality (email/password accounts only).
All third-party services are bound by their own privacy policies and GDPR compliance.
Active accounts: data retained as long as your account is active. Deleted accounts: admin records preserved for audit trail (email only; authentication data deleted). Session history: retained for security audit purposes.
UHere Account handles only authentication data. Additional data (such as employee records, attendance data, and event entries) is collected and stored by individual applications. Please refer to each application's Privacy Policy:
QRPunch Privacy Policy: https://qrpunch.uhere.co/privacy SecurePunch Privacy Policy: https://securepunch.uhere.co/privacy-policy
You have the right to: - Access: request a copy of your data. - Correction: update incorrect information. - Deletion: delete your UHere Account (admin records preserved for audit). - Export: download your account data. - Object: object to data processing (may limit service functionality). - Withdraw Consent: unlink OAuth providers or delete your account.
To exercise your rights, contact us at: privacy@uhere.co
UHere Account is designed for business use by adults. We do not knowingly collect information from children under 13 (or the applicable age in your jurisdiction). If we discover we have collected such information, we will delete it promptly.
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place through:
Firebase: Google's global infrastructure with GDPR compliance. Stripe: PCI DSS compliant payment processing. Standard Contractual Clauses: for data transfers outside the EU/EEA.
We may update this Privacy Policy occasionally. Changes will be indicated by an updated "Last Updated" date at the top, in-app notification (for material changes), and email notification (for significant changes).
Continued use after changes constitutes acceptance.
For privacy questions or concerns: Email: privacy@uhere.co Website: https://uhere.co
We comply with: - Singapore Personal Data Protection Act (PDPA): as a Singapore-based company. - General Data Protection Regulation (GDPR): for EU/EEA users. - California Consumer Privacy Act (CCPA): for California users. - Other applicable data protection laws.
Singapore PDPA Compliance As a Singapore company, we adhere to the Personal Data Protection Act 2012: consent (obtained before collecting personal data), purpose limitation (data used only for stated purposes), notification (clear disclosure of collection and use), access and correction rights, accuracy (reasonable steps to ensure data accuracy), protection (reasonable security arrangements), retention limitation (data retained only as long as necessary), transfer limitation (overseas transfers via Firebase and Stripe comply with PDPA), and data breach notification (affected individuals and PDPC notified of significant breaches).
Data Protection Officer: for PDPA-related inquiries, contact dpo@uhere.co
Firebase Authentication (Google) Purpose: online authentication. Data shared: email, Firebase UID, authentication state. Privacy policy: https://firebase.google.com/support/privacy
OAuth Providers Google OAuth: https://policies.google.com/privacy Microsoft OAuth: https://privacy.microsoft.com/privacystatement
UHere SecurePunch API (Internal Service) Purpose: QR card generation and delivery to employee emails and the SecurePunch mobile app. Data shared: employee name, email, card ID, role, company name, secure key. Transmission method: email delivery to employees.
NTP Time Servers Purpose: time synchronization for accurate attendance timestamps. Servers used: pool.ntp.org, time.google.com, time.cloudflare.com, time.windows.com, time.aws.com. Data shared: none (NTP protocol transmits timestamps only). Frequency: sync every 5 minutes.