Introduction

This notice explains how OLi Technologies Inc. processes personal data in the OLi HR mobile and web applications used by employers and their employees.

For most processing, the employer is the Personal Information Controller and OLi acts as the Personal Information Processor under the Data Privacy Act of 2012.

OLi acts as a Controller only for limited activities such as account security, service analytics without tracking for ads, billing of the employer account, and support.

Processing follows the Data Privacy Act of 2012 and its IRR, guided by transparency, legitimate purpose, proportionality, data minimization, and retention limits.

We do not use personal data for advertising. We do not track users across apps or websites. We do not sell personal data.

Face data is used only for identity verification at attendance events. When enabled by the employer, the app captures a facial image and generates a biometric template on secure servers to compare with prior enrollments in order to confirm that the person clocking in or out is the correct employee and that the capture is live through liveness detection.

We collect express, recorded consent from each employee user before any face data is captured. Consent can be withdrawn at any time inside the app or by contacting the employer or OLi. If consent is withdrawn, the employer may offer a non-biometric alternative for attendance such as PIN with photo or supervisor verification.

Default retention periods are as follows unless the employer configures a shorter period or a longer period is required by law:

Upon expiry of retention periods, personal data is securely deleted or irreversibly anonymized.

We do not disclose personal data to advertisers or data brokers. We disclose data only:

A current list of sub-processors is available on request.

Cross border storage and access occur under contractual safeguards, encryption in transit and at rest, access control, and data subject consent where required by law. OLi ensures that transfers maintain a level of protection consistent with Philippine law.

We maintain organizational, physical, and technical safeguards consistent with NPC guidance:

Under the Data Privacy Act, users have rights to be informed, to object, to access, to rectification, to erasure or blocking, to data portability, and to damages for violations of their rights. Requests can be sent to the employer administrator or to OLi at [privacy email]. We will assist the employer in fulfilling requests within the timelines required by law. Certain requests may be limited by employment law, record keeping rules, or security needs.

The service is intended for working age individuals engaged by an employer. If an employer enrolls a minor, the employer is responsible for obtaining the required consent from the parent or legal guardian before any processing including face data.

Attendance verification uses automated comparisons to assist HR. Employment decisions such as pay, penalties, or suspension are not made solely by automated means inside OLi HR.

If a personal data breach occurs that is likely to result in serious harm, OLi will notify the employer without undue delay and will assist the employer in notifying the National Privacy Commission and affected data subjects consistent with NPC rules. OLi maintains an incident response plan and post-incident review process.

Data Protection Officer:

John Louie Castro

louie@oli.com.ph

0917 851 683

UB 111 Paseo De Roxas Bldg., Paseo De Roxas San Lorenzo, Makati City

We may update this notice to reflect changes in the service or legal requirements. We will notify employer clients and update the effective date. Continued use of the service after the effective date means the employer and users acknowledge the updated notice.

The app requests the following mobile permissions only when needed for core features and only while in use:

The app does not use IDFA, SKAdNetwork, or similar advertising identifiers. The app does not implement cross app tracking. Analytics are limited to service reliability and security and are not used for advertising.

The app collects facial images captured at the moment of attendance and generates a biometric template for one-to-one verification with the employee’s enrolled profile. Liveness detection is performed to reduce spoofing.

Face data is used only to verify that the person clocking in or out is the correct employee so that attendance and payroll records are accurate.

Face data is not shared with advertisers, brokers, or unrelated third parties. It is accessible only to the employer’s authorized administrators and to OLi as processor for support and security.

Face data is stored in encrypted form on OLi’s secure cloud infrastructure in [AWS Singapore region] and is accessed from the Philippines for support when needed.

Face data is retained while the employee account is active and is deleted within thirty days after deactivation unless a longer period is legally required. Backups roll off according to secure backup retention schedules.

Processing is based on the employer’s legitimate interests in workforce management and the user’s explicit consent. Users can withdraw consent at any time through the app or by contacting the employer or OLi. A non-biometric alternative for attendance will be offered by the employer where feasible.

Encryption in transit and at rest, access controls, audit logging, and liveness detection are implemented. Biometric templates are segregated from other data and protected by strict access policies.

Questions about face data can be sent to [privacy email] or the Data Protection Officer listed above.

OLi HR does not track users across apps or websites and does not use advertising identifiers. Face data is used only for identity verification at attendance events within the employer’s HR system. We therefore set Tracking to No in App Privacy. We do not use App Tracking Transparency because we do not track for advertising or cross app purposes.