Privacy Policy for Punch
Last updated: May 26, 2026
Justyn Gomez (“we,” “us,” “our”) operates the Punch mobile application and the Punch web application (collectively, “the App”). This Privacy Policy explains what information we collect, how we use it, and the rights you have over your data.
1. Information We Collect
When you use Punch, we collect the following categories of personal information:
Account information
- Email address (required to sign in)
- Name (display name shown to your team)
- Phone number (optional, used for account recovery and contact)
Location information
- At punch-in: Precise location (latitude/longitude) captured at the moment you punch in, used to verify you are within the geofenced work area set by your organization. This only applies when your organization has geofencing enabled.
- At punch-out (optional, off by default): When your organization’s owner enables the “capture punch-out location” setting in Org Settings, precise location is also captured at the moment you punch out, lunch in, or lunch out for a more accurate shift record. This setting is OFF by default. Your organization’s owner controls whether it is enabled.
- What we do not do: We do not track your location continuously, in the background, or between punch events. Location is checked only at the punch moments described above.
Identifiers
- A unique user ID that links your account to your time entries and organization.
Purchase information
- A record of subscription purchases and renewals. When you subscribe on iOS, the record is provided by Apple; when you subscribe on web at punchapp.io, it’s provided by Stripe. In both cases the payment processor handles your card details directly — we never see your full card number, CVV, or provider-account credentials. We retain only the subscription identifier, plan tier, and billing status needed to grant access to paid features.
Work records
- Timestamps of each punch-in and punch-out you perform, associated with the location and organization at the time.
- Time-off requests you file, including the requested date range, an optional reason note, and the review decision (approved, denied, or pending) made by your organization’s manager or owner.
2. How We Use Your Information
We use your information solely to operate Punch, including:
- Authenticating you and maintaining your account
- Displaying your time entries and time-off requests to you, your managers, and your organization’s owner
- Verifying punch-in/out events against your organization’s geofence
- Processing and validating your subscription through Apple (when purchased on iOS) or Stripe (when purchased on the web at punchapp.io)
- Communicating with you about your account, service changes, and support requests
We do not use your data for advertising, sell it, share it with data brokers, or use it to build profiles for third-party marketing.
3. How Your Information Is Shared
We share your information only as follows:
- Within your organization. Your name, time entries, punch-in/out locations, and time-off requests are visible to your organization’s owner and managers. This is the intended behavior of a workforce timekeeping app.
- With our infrastructure providers. We use Supabase (database and authentication), Apple (iOS in-app purchases, push notifications), and Stripe (web subscriptions) to operate the App. These providers process data on our behalf under contractual obligations.
- When legally required. We will disclose information if compelled by law, subpoena, or a valid government request.
We do not share your information with advertisers, analytics networks, or third-party marketers.
4. Data Retention
- Account data is retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where retention is required by law (e.g., tax records related to purchases).
- Time entries are retained as long as your organization retains them. Your organization’s owner controls this.
- Time-off requests are retained alongside the organization’s time entries and follow the same retention rule.
- Location pings associated with punch-in/out events are retained alongside the time entry they verify.
5. Your Rights
Depending on where you live, you have rights that may include:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate data.
- Deletion: Ask us to delete your account and associated personal data.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to certain processing activities.
To exercise any of these rights, email us at punchapp.support@gmail.com. We respond within 30 days.
California residents have additional rights under the CCPA, including the right to know what categories of personal information we collect and the right to opt out of “sale” of personal information. We do not sell personal information.
United Kingdom residents. Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to access the personal data we hold about you, request rectification of inaccurate data, request erasure (the “right to be forgotten”), restrict or object to processing, request data portability, and withdraw consent at any time. To exercise these rights, email punchapp.support@gmail.com. We respond within one month as required by UK GDPR Article 12. If you are unsatisfied with our response, you may file a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.
International data transfers. Punch’s infrastructure (Supabase database hosting, Vercel application hosting) is located in the United States. When you use Punch from the United Kingdom, the European Economic Area, or any other jurisdiction outside the U.S., your personal data is transferred to the United States for processing. We rely on the UK International Data Transfer Agreement (IDTA) and the European Commission’s Standard Contractual Clauses (SCCs) as our lawful basis for these transfers, supplemented by the technical and organisational safeguards described in this policy (encryption in transit and at rest, access controls, audit logging). You may request a copy of the transfer mechanism documentation by emailing punchapp.support@gmail.com.
EEA residents. You have rights under the EU General Data Protection Regulation including the right to lodge a complaint with your local supervisory authority. Contact us at punchapp.support@gmail.com to exercise your rights.
New Zealand residents. Under the Privacy Act 2020, you have the right to access personal information we hold about you, request correction of inaccurate information, and complain if you believe we have breached the Information Privacy Principles. Email punchapp.support@gmail.com to exercise these rights. If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner at privacy.org.nz.
Hong Kong residents. Under the Personal Data (Privacy) Ordinance (Cap. 486), you have the right to ascertain whether we hold personal data about you, access that data, and request correction. Email punchapp.support@gmail.com with the subject line “PDPO request” to exercise these rights. We respond within 40 days as required by the Ordinance. If you are unsatisfied with our response, you may complain to the Office of the Privacy Commissioner for Personal Data (PCPD) at pcpd.org.hk.
Mexico residents. Under the Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”), you have ARCO rights (Access, Rectification, Cancellation, Opposition) over the personal data we hold about you, and the right to revoke any consent you previously gave. To exercise these rights, email punchapp.support@gmail.com with the subject line “ARCO request” and a description of which right you wish to exercise. We respond within the statutory period (typically 20 business days). If you are unsatisfied with our response, you may file a complaint with INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) at inai.org.mx.
Canada residents. Under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), you have the right to access the personal information we hold about you, request correction of inaccurate information, and withdraw consent (subject to legal or contractual restrictions). To exercise these rights, email punchapp.support@gmail.com. You may also file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Quebec residents. Under An Act respecting the protection of personal information in the private sector (commonly “Law 25,” formerly Bill 64), you have all the rights listed above plus the right to data portability in a structured technological format, the right to know when automated decisions are made about you and to request human review of those decisions, and the right to de-indexation of personal information that infringes your rights. You may also contact our designated Privacy Officer (see Section 10 below). If you are unsatisfied with our response, you may file a complaint with the Commission d’accès à l’information du Québec (CAI) at cai.gouv.qc.ca.
6. Security
We protect your information with industry-standard measures, including TLS encryption in transit, encryption at rest, and row-level access controls that prevent users from viewing data outside their own organization. No system is perfectly secure, but we work to reduce risk continuously.
7. Children’s Privacy
Punch is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will delete it.
8. International Data Transfers
Punch is operated from the United States. Our infrastructure providers (Supabase, Apple, Stripe) store and process data in the United States.
If you use Punch from Mexico or Canada (including Quebec), your personal information is transferred to and processed in the United States. By creating an account and using Punch, you consent to this cross-border transfer. We protect your information consistently with the standards described in this Policy regardless of where it is processed, and our infrastructure providers process data on our behalf under contractual obligations that limit them to the purposes described in this Policy.
If you use Punch from elsewhere outside the U.S., the same applies: your information is transferred to and processed in the U.S. under the data-handling commitments in this Policy.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the App or by email. The “Last updated” date at the top reflects the most recent revision.
10. Contact and Privacy Officer
For privacy questions, data requests (including LFPDPPP ARCO requests, PIPEDA access requests, and Quebec Law 25 rights), or any other concerns:
- Privacy Officer: Justyn Gomez (designated under Quebec Law 25 and Canadian PIPEDA as the person responsible for the protection of personal information at Punch).
- Email: punchapp.support@gmail.com
- Company: Justyn Gomez
- Mailing address: 160 Tiger Ridge, Venus, TX 76084, United States
We respond to privacy requests within the period required by applicable law (typically 30 days under PIPEDA / GDPR / CCPA; 20 business days under LFPDPPP).