1 Introduction
AttendanceGM is a business-to-business (B2B) HR and attendance management platform serving organizations in The Gambia. This Privacy Policy describes how AttendanceGM collects, uses, stores, and protects personal data in connection with the use of our platform and website at www.attendancegm.com.
This policy is governed by the Personal Data Protection and Privacy Act, 2025 (PDPP) of The Gambia and is informed by international data protection standards where applicable. By accessing or using AttendanceGM, you agree to the practices described in this policy.
2 Data Controller and Data Processor
Understanding how responsibility is allocated is important in the B2B context:
Your Organization — Data Controller
The subscribing organization determines the purposes and means of processing employee personal data and is responsible for the lawfulness of data collection within its HR operations.
AttendanceGM — Data Processor
AttendanceGM processes personal data only on behalf of, and in accordance with the instructions of, the subscribing organization. We do not use employee data beyond what is required to deliver the agreed services.
Where AttendanceGM acts as a Data Controller in its own right — for example, in relation to internal security logs or business records — the same data protection standards apply.
3 Information We Collect
3.1 Personal Information
Collected during registration and use of the platform:
- Full name, email address, phone number, and home address
- Date of birth
- Username and password (stored securely — never in plain text)
- Organization and employment information
3.2 Attendance & HR Data
To deliver our core services, we collect:
- Employee check-in and check-out records
- Location data — collected only when explicitly enabled by the organization to verify attendance at a designated location. Location is recorded at the point of check-in only and is not continuously tracked.
- Leave requests and leave history
- Payroll-related information, where enabled by the organization
3.3 Technical Data
We collect limited technical data necessary to maintain platform security and performance, including session identifiers, IP addresses (used for security purposes only), and basic device and browser information.
4 Lawful Basis for Processing
AttendanceGM processes personal data on the following lawful grounds:
- Contractual Necessity: Processing is required to fulfil our service agreement, including attendance tracking, leave management, payroll processing, and HR operations.
- Legal Obligation: Processing is required to comply with applicable Gambian law.
- Legitimate Interest: We process limited technical data to maintain platform security and integrity, where this does not override individual privacy rights.
Where any additional processing is required beyond these grounds, we will seek explicit consent from the relevant data subject.
5 Use of Personal Data
We use personal data strictly for the following purposes:
- Verifying user identity and preventing fraudulent submissions
- Generating attendance records, payslips, and leave histories
- Enabling employees to access their own HR records
- Meeting legal, regulatory, and compliance obligations
- Delivering system notifications and account communications
- Maintaining platform security and performance
We do not use personal data for marketing profiling, advertising, or sale to third parties. Data collected for one purpose will not be repurposed for an unrelated purpose without a lawful basis.
6 Data Sharing
Personal data is shared only in the following circumstances:
- Service Providers: Trusted third-party processors supporting core platform operations, engaged under contractual data protection agreements.
- Your Organization: Authorized administrators, HR personnel, and managers within your organization, within the scope determined by the organization as Data Controller.
- Legal Obligations: Where required by Gambian law, court order, or lawful government authority.
- Business Transactions: In the event of a merger, acquisition, or restructuring, with appropriate data protection safeguards and notification to affected parties.
7 Data Retention
- Personal and HR data is retained only for as long as necessary to provide services or meet legal obligations.
- Organization administrators may access, export, or delete records within their authorized scope.
- When an organization closes its account, it is responsible for exporting any required records prior to closure.
- Data that must be retained under Gambian law cannot be deleted during the legally required retention period.
- Individual employees may not directly initiate full account deletion; this must be requested through their organization. Employees may independently exercise other data subject rights — see Section 9.
- Retention and deletion policies apply equally to all backup copies.
8 Data Security
AttendanceGM implements appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest using industry-standard protocols
- Role-based access controls limiting data access to authorized personnel only
- Secure cloud infrastructure with regular integrity-verified backups
- Internal audit logs for data access and modification events
- Staff training on data protection obligations
No system can guarantee absolute security. In the event of a confirmed breach, AttendanceGM will act in accordance with Section 10 of this policy.
9 Data Subject Rights
Under applicable law, individuals whose data is processed have the following rights:
Right to Access
Employees may view their own personal data, attendance history, and leave records directly within the platform at any time without submitting a formal request.
Right to Rectification
Employees may request correction of inaccurate personal data. Corrections are reviewed by the organization's HR or admin team. Unresolved corrections may be escalated to AttendanceGM at info@attendancegm.com.
Right to Erasure
Requests for deletion must be initiated through the employing organization. Certain data may be retained where required by applicable law.
Right to Data Portability
Employees may request a copy of their personal data in a structured, commonly used format. Requests can be made through the organization's administrator or directly to AttendanceGM.
Right to Object
Individuals may object to certain processing of their personal data. AttendanceGM will assess and respond within a reasonable timeframe.
Right to Restriction of Processing
Individuals may request that processing be limited while a dispute is under review. Contact us directly to exercise this right.
Rights such as erasure and portability are typically routed through the organization as Data Controller. Where an organization fails to act on a legitimate request, individuals may contact AttendanceGM directly or escalate to The Gambia Data Protection Commission.
10 Data Breach Notification
In the event of a personal data breach, AttendanceGM will:
- Notify the regulatory authority within the timeframe required by law upon becoming aware of a confirmed breach posing a risk to individual rights.
- Notify affected Organization administrators as soon as practicable after a breach is confirmed.
- Notify affected individuals directly where a breach is likely to result in a high risk to those individuals.
- Contain, investigate, and remediate the breach, providing affected parties with guidance on protective measures.
- Maintain records of all breach events, response actions, and notifications for accountability and regulatory review.
11 International Data Transfers
AttendanceGM is primarily built for organizations in The Gambia and governed by Gambian data protection law. Data may be stored and processed on servers located outside The Gambia. By using our services, you acknowledge this transfer.
All cross-border transfers are assessed for adequacy and governed by appropriate contractual safeguards in accordance with applicable law.
12 Cookies & Session Data
AttendanceGM uses only essential session cookies required for the platform to function. We do not use tracking, advertising, or third-party analytics cookies.
- Session Cookie: A single secure cookie is set upon login to maintain your authenticated session. It contains only an encrypted session identifier and is deleted upon logout or session expiry.
- No cross-site tracking: We do not track user behaviour across other websites or share session data with third parties.
- Cookie management: You may clear cookies through your browser settings at any time; doing so will end your active session.
13 Third-Party Services
AttendanceGM engages a limited number of trusted sub-processors to operate the platform, including providers of cloud infrastructure, payment processing, and document storage. These providers are engaged under contractual data protection agreements.
A current list of sub-processors is available upon written request. All cross-border transfers are assessed and documented in accordance with applicable law.
14 Children's Privacy
AttendanceGM defines a child as any person under the age of 18. The platform is designed for use in organizational employment contexts and is not intended for individuals under 18.
We do not knowingly collect or process personal data from individuals under 18 without verifiable parental or guardian consent. Organizations are responsible for ensuring users registered on their account meet this requirement or that appropriate consent has been obtained.
If we become aware that a minor's data has been collected without appropriate consent, we will promptly take remedial action. To report a concern, contact us at info@attendancegm.com.
15 Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or platform features. The updated version will be posted on this page with a revised date.
For material changes, Organization administrators will be notified in advance via email and in-platform notice. Continued use of AttendanceGM after that date constitutes acceptance of the updated policy.
16 Contact & Data Protection Enquiries
For privacy questions, data subject rights requests, breach reporting, or general enquiries:
If you believe your data protection rights have not been adequately addressed, you may escalate your concern to The Gambia Data Protection Commission.
