Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what data WhoVisited collects, why, and how you can control it.

Last updated: 2 June 2026

Who We Are

WhoVisited ("we", "our", or "us") operates a cloud-based site attendance and visitor-management platform. Our service is provided to companies ("Customers") who use it to track the attendance of their staff, contractors, and visitors at physical locations.

For the purposes of UK GDPR and EU GDPR, WhoVisited acts as a data processor when processing personal data on behalf of a Customer, and as a data controller for data we collect directly (such as Manager account information and platform usage data). The Customer is the data controller for the attendance and visitor data of their employees and guests.

If you have questions about this policy, contact us at contact@whovisited.com.

Data We Collect

Manager account information

When a Manager registers or is invited to the platform, we collect their full name, work email address, company name, and a hashed password. Managers may also upload a profile photo.

Standard user profiles

Managers create profiles for the people who check in at their sites. Each profile contains a full name, user type (staff, contractor, visitor, or other), and a 6-digit PIN stored as a one-way hash — we never store PINs in plain text. Visitor-type users may additionally have a hosting company, purpose of visit, and vehicle registration number recorded on each check-in.

Attendance records

Every check-in and check-out event creates an attendance log containing: the site, the standard user, a UTC timestamp, the direction (in or out), whether the log was created by the auto-logout scheduler, and any visitor-specific fields captured at the kiosk.

Location data

When a kiosk session uses geolocation to find the nearest site, the app requests your device's precise GPS coordinates via the browser Geolocation API. These coordinates are used solely to find the closest registered site within 1 km and are never transmitted to or stored on our servers. The comparison runs entirely in your browser.

Camera and uploaded files

Managers may upload a logo for their company or individual sites. These images are processed and stored on our secure file storage infrastructure. The camera or file picker is only accessed when you explicitly initiate an upload action.

Device and technical data

We log standard server-side information including your IP address, browser type and version, operating system, referring URL, and the date and time of each request. This data is used for security monitoring, abuse prevention, and service diagnostics.

Device Permissions

Location (Precise)

Used to automatically detect and select the nearest registered site within 1 km when starting a kiosk session. This is entirely optional — sites can always be selected manually from a list. You can deny or revoke location permission at any time in your browser or device settings without affecting core functionality.

Camera

Used to capture images for uploading as a company logo or site logo. The camera is never activated without a direct user action (tapping an upload button). No images are captured passively or in the background.

Storage / File Access

Used to save exported attendance reports (CSV files) to your device and to read image files when you choose to upload a logo. We request only the minimum file-system access necessary for these specific actions.

How We Use Your Data

  • Service delivery: process check-ins and check-outs, maintain attendance records, authenticate users, and operate kiosk sessions.
  • Reporting and exports: generate on-screen attendance lists, CSV exports, and emailed reports on behalf of Managers.
  • Auto-logout notifications: when a site's daily cut-off time is reached, we email the Manager and affected user to confirm the automatic check-out.
  • Security and fraud prevention: monitor for unusual access patterns, enforce PIN validation, and protect accounts.
  • Customer support: respond to support requests submitted through the platform or by email.
  • Legal compliance: retain records and respond to lawful requests as required by applicable law.

We do not use your personal data for advertising, and we do not sell or rent it to any third party.

Data Retention

  • Manager accounts: retained while the account is active. After account closure, data is deleted within 30 days unless a longer retention is required by law.
  • Standard user profiles & attendance logs: retained per the Customer's configuration. The platform default is 2 years from the last entry. Customers may request earlier deletion.
  • Uploaded files (logos, images): retained while the company account is active and deleted within 30 days of account closure.
  • Server logs and technical data: retained for up to 90 days for security and diagnostic purposes.

Sharing & Disclosure

Within your company

Managers can view, filter, and export all attendance data for users and sites within their company. Standard users can see their own check-in history only.

Infrastructure and service providers

We use carefully selected third-party processors for cloud hosting and transactional email. All processors are bound by data processing agreements and handle data only on our instructions.

Legal requirements

We may disclose data where required by law, court order, or valid regulatory request. We will notify affected Customers where legally permitted to do so.

Business transfers

In the event of a merger, acquisition, or asset sale, personal data may be transferred. We will provide notice before any such transfer and ensure the recipient is bound by equivalent privacy obligations.

We do not sell, rent, or trade personal data with any third party for marketing purposes.

Security

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
  • Passwords and PINs are stored as secure one-way hashes and are never stored or transmitted in plain text.
  • Authentication uses Laravel Sanctum bearer tokens with ability-scoped permissions. Kiosk tokens are limited to check-in operations and cannot access management features.
  • Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
  • We conduct regular security reviews and promptly address reported vulnerabilities.

Despite these measures, no system is completely secure. We encourage you to use a strong, unique password and to keep your kiosk devices physically secured.

Your Rights

Under UK GDPR and EU GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — revoke consent for location access at any time via your browser or OS settings.

To exercise any of these rights, email contact@whovisited.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK (ico.org.uk) or your local supervisory authority.

Cookies & Local Storage

We use cookies and browser local storage solely to operate the platform:

  • Authentication tokens: Sanctum bearer tokens stored in local storage or secure cookies to maintain your session.
  • CSRF tokens: short-lived cookies to protect form submissions against cross-site request forgery.

We do not use advertising cookies, analytics tracking pixels, or any third-party tracking technologies. No cookie consent banner is required because we only use strictly necessary session cookies.

Children's Privacy

WhoVisited is a business-to-business service intended for workplace use by adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor's data has been entered into the platform without appropriate authority, please contact us at contact@whovisited.com and we will investigate and delete the data promptly.

International Transfers

Our primary infrastructure is located in the United Kingdom and European Economic Area. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses approved by the relevant supervisory authority — to provide an equivalent level of protection.

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by email to registered Managers and by displaying a prominent notice within the platform. Continued use after the effective date constitutes acceptance of the revised policy. The "Last updated" date at the top of this page always reflects the current version.

Contact Us

For any privacy-related queries, data subject requests, or to contact our Data Protection Officer:

WhoVisited Ltd, United Kingdom

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the ICO or your national data protection authority.