Biometric Data Retention Policy

Last updated: 21 May 2026

This Biometric Data Retention Policy ("Policy") explains how 2VM Consulting Limited, trading as PunchIn ("PunchIn", "we", "us" or "our"), retains and permanently destroys biometric data processed through the PunchIn time and attendance service (the "Service"). It should be read together with our Privacy Policy, Terms & Conditions, and Data Processing Agreement.

PunchIn acts as a data processor for customer organisations ("Customers") in respect of employee biometric data. The Customer remains the data controller and is responsible for determining the lawful basis for processing, informing employees, and meeting UK GDPR obligations. This Policy describes how PunchIn handles retention and deletion on the Customer's instructions and in accordance with our contractual obligations.

1. Scope

This Policy applies to biometric data processed through PunchIn products, including:

  • Facial recognition templates used for time and attendance clocking
  • Fingerprint templates, where fingerprint-based clocking is enabled
  • Voice recognition templates, where voice-based authentication is enabled
  • Temperature readings, where temperature-capable devices are used
  • Optional clock-in photographs, where the Customer has enabled image capture at clocking

PunchIn systems do not store raw fingerprint or facial photographs for identification purposes. Instead, they create a mathematical representation — a template — encoded for security purposes and used solely to verify identity at clock-in and clock-out.

2. What we store

For each enrolled employee, the Service may store:

  • One or more biometric templates linked to the employee record
  • Clocking events (time, date, device, and match result)
  • Enrolment metadata (date enrolled, last updated)
  • Optional clock-in images, only if the Customer has activated that feature

Each Customer operates on a segregated environment. Biometric data from one organisation is not commingled with data belonging to another Customer. Templates are encrypted in transit and at rest.

3. Retention periods

3.1 During active employment

Biometric templates are retained for as long as the employee remains enrolled in the Customer's PunchIn environment and the Customer's subscription to the Service is active. Templates exist solely to enable time and attendance clocking and related reporting.

3.2 After an employee leaves

When an employee leaves the organisation, the Customer should delete the employee record — including the associated biometric template — from the PunchIn back office as soon as retention is no longer required for payroll, dispute resolution, or legal obligations. PunchIn recommends deletion at or shortly after termination, unless a longer period is required by law or documented in the Customer's own retention schedule.

As a guide, Customers should not retain biometric templates longer than necessary. A typical approach is to delete templates when employment ends, retaining only non-biometric attendance records for the period required under employment or tax law.

3.3 Attendance and payroll records

Clocking events and timesheet data (which are not biometric templates) may be retained separately in accordance with the Customer's payroll, Working Time Regulations, and HMRC obligations. Deleting an employee's biometric template does not automatically delete historical attendance records unless the Customer chooses to remove those records as well.

3.4 Optional clock-in photographs

Where the Customer enables photograph capture at clock-in, those images are retained for the same period as the associated clocking record unless deleted earlier by the Customer. Customers should enable this feature only where justified in their Data Protection Impact Assessment and disclosed in their employee privacy notice.

3.5 Subscription cancellation

When a Customer cancels their PunchIn subscription, all data held in the Customer environment — including biometric templates, employee records, and attendance data — is deleted in accordance with our Data Processing Agreement. Deletion is initiated automatically on cancellation of the Service.

4. Permanent destruction

PunchIn will permanently destroy biometric data in the following circumstances:

  • When the Customer deletes an employee record or explicitly removes biometric enrolment data through the PunchIn back office
  • When the Customer instructs PunchIn to destroy specific biometric data and PunchIn confirms the instruction in writing where required
  • When the Customer's subscription to the Service is cancelled and the Customer environment is decommissioned
  • When required by applicable law or a valid instruction from the Customer acting as data controller

"Permanent destruction" means that biometric templates and associated enrolment data are removed from active production systems and are not recoverable through normal application use. Backups containing biometric data are overwritten or deleted in accordance with our standard backup rotation schedule, typically within 30 days of deletion from production systems.

PunchIn does not sell, lease, trade, or otherwise profit from Customer Employee biometric data. We do not use biometric templates for any purpose other than providing the Service to the Customer.

5. Customer responsibilities

As data controller, the Customer is responsible for:

  • Identifying a lawful basis under UK GDPR for processing biometric data
  • Completing a Data Protection Impact Assessment before deployment
  • Informing employees what biometric data is collected, why, and how long it will be retained
  • Deleting biometric templates when they are no longer needed
  • Responding to employee data subject rights requests (access, erasure, objection, and so on)
  • Notifying PunchIn promptly if an employee exercises the right to erasure in respect of biometric data

Employees who wish to understand, access, or request deletion of their data should contact their employer in the first instance. PunchIn will assist the Customer in responding to such requests where instructed and in accordance with our Data Processing Agreement.

6. How to delete biometric data

Customers can permanently destroy employee biometric data through the PunchIn back office by:

  • Deleting the employee record, which removes the associated biometric template
  • Removing biometric enrolment from an employee profile where partial deletion is supported
  • Contacting PunchIn support to request deletion where self-service options are unavailable

Documentation on deleting users is available in our back office documentation.

7. Security

Biometric data is protected using industry-standard technical and organisational measures, including encryption in transit (TLS), encryption at rest, access controls, and segregated customer environments. Further detail is available on our security page.

8. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted on this page with an updated revision date. Continued use of the Service after changes are posted constitutes acceptance of the revised Policy to the extent permitted by applicable law.

9. Contact

Questions about biometric data retention or deletion should be directed to:

info@punch-in.co.uk

Or write to:

152-162 Kemp House
City Road
London EC1V 2NX
United Kingdom

2VM Consulting Limited, company registration number 09944773, trading as PunchIn.