Legal
Privacy Policy
Effective date: May 10, 2026 · Operated by: Merrill Digital Systems LLC
1. Who we are
Punchless (“we,” “us,” or “our”) is a GPS-powered automatic timecard platform operated by Merrill Digital Systems LLC. Our service automatically generates timecard entries for field service technicians using GPS geofencing technology, eliminating manual time entry.
Questions about this policy may be directed to privacy@assumptionengine.com.
2. Information we collect
2.1 GPS and location data
This is the most sensitive data we collect. When a technician has the Punchless mobile app installed and active, we collect:
- Real-time GPS coordinates (latitude and longitude)
- Timestamps of geofence entry and exit events
- Movement data used to infer work status (on site, in transit, at shop)
- Historical GPS path data for audit and dispute purposes
Collection method: We use geofence triggers rather than continuous polling. The app wakes to record a location event when a device enters or exits a defined job site or shop radius. Continuous background tracking is only active while the app is in the foreground.
2.2 Account and profile information
- Full name and email address
- Company name and role (manager or technician)
- Password (stored as a bcrypt hash — never in plain text)
2.3 Usage and operational data
- Timecard entries, job assignments, and approval records
- Manager override actions and audit log entries
- Notification delivery logs
- API access logs (IP address, timestamp, endpoint)
2.4 Device information
- Device type and operating system (for push notification delivery)
- Push notification tokens
3. How we use your information
We use the data we collect for the following purposes:
- Automatic timecard generation: GPS events are processed by our rules engine to draft timecard entries automatically.
- Payroll and compliance: Approved timecard data is exported by managers for payroll processing.
- Live crew visibility: Managers see current technician locations on the dashboard to coordinate dispatch.
- Audit and dispute resolution: Historical GPS path data is retained so managers can verify timecard entries if disputed.
- Service notifications: Shift reminders and dispatch messages sent to technicians via push notification.
- Service improvement: Aggregate, anonymized data used to improve geofence accuracy and timecard confidence scoring.
We do not sell, rent, or trade personal data. We do not use location data for advertising purposes.
4. Legal basis for processing (where applicable)
Where privacy law requires a legal basis, we process data on the following grounds:
- Contractual necessity: Processing required to deliver the Punchless service under the subscription agreement between your employer and Merrill Digital Systems LLC.
- Consent: GPS location tracking by technicians. Consent is obtained at app installation and can be withdrawn by uninstalling the app or contacting your employer.
- Legitimate interests: Security logging, fraud prevention, and service reliability monitoring.
5. Data sharing and third parties
We share data only in the following limited circumstances:
5.1 Within your organization
Managers and administrators in your company can view GPS data, timecard entries, and location history for all technicians in their account.
5.2 Service providers
We use the following third-party services that may process your data:
- Cloud hosting: Amazon Web Services (AWS) — data stored in US-East regions
- Geocoding: Nominatim/OpenStreetMap (default) or Google Maps API (if configured by your company)
- Push notifications: Apple APNs and Google FCM for mobile notification delivery
All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
5.3 Legal requirements
We may disclose information if required by law, court order, or to protect the rights and safety of Punchless, our users, or the public.
6. Data retention
- GPS location data: Retained for 12 months from collection, then permanently deleted.
- Approved timecard records: Retained for 7 years to support payroll audits and legal compliance.
- Account data: Retained while the account is active. Deleted within 90 days of account termination upon request.
- API logs: Retained for 90 days for security monitoring.
7. Security
We protect your data using industry-standard security controls:
- All data in transit encrypted with TLS 1.2+
- Database data encrypted at rest (AES-256)
- Passwords stored as bcrypt hashes with a minimum cost factor of 12
- Role-based access controls — technicians cannot access other technicians' data
- JWT authentication with short-lived access tokens and refresh token rotation
- API keys stored as hashed values — never retrievable after creation
No system is perfectly secure. If we discover a security breach affecting your data, we will notify you within 72 hours as required by applicable law.
8. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent for GPS tracking at any time (this will prevent the service from generating timecards for you).
To exercise any of these rights, contact privacy@assumptionengine.com. We will respond within 30 days.
Note: Because Punchless is a B2B product, many requests should be directed first to your employer (the account administrator), who controls your company's data within our platform.
9. Employee notice (for technicians)
If you are a technician whose employer uses Punchless, your employer has agreed to our Terms of Service on your behalf. Your employer is responsible for informing you that location data is collected and for obtaining any consent required by local labor or employment law. We recommend reviewing this policy and speaking with your employer if you have questions about how your location data is used within your organization.
10. Children
Punchless is a business service not directed at individuals under 18 years of age. We do not knowingly collect data from minors.
11. Changes to this policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to account administrators at least 14 days before taking effect. Continued use of the service after that date constitutes acceptance of the updated policy.
12. Contact
For privacy questions, data requests, or concerns:
Merrill Digital Systems LLC
Privacy Officer
privacy@assumptionengine.com
© 2026 Merrill Digital Systems LLC. All rights reserved.