Privacy Policy · Last updated: March 26, 2026
com.Shahawi.punchai) available on Android and iOS. By using the
app, you agree to the practices described below. If you do not agree, please do not
use the app.
1. Who We Are
PunchIn AI is developed by Shahawi Apps. For privacy-related inquiries, contact us at: privacy@shahawiapps.com
2. Information We Collect
2.1 Data You Provide Directly
Check-in time, check-out time, total worked hours, date, and optional notes for each working day. This data is stored locally on your device in an encrypted SQLite database and is never uploaded to our servers unless you explicitly use optional cloud features (see §2.3).
A local username you create at first launch. No account, email, or password is required to use the core features.
Optional free-text notes attached to individual attendance records. These are stored locally only.
2.2 Data Collected Automatically
A composite device ID derived from your Android Build ID or iOS Vendor Identifier, combined with a locally-generated UUID. This ID is used to enforce the monthly AI feature quota (2 free AI requests per month) and prevent abuse. It is not linked to your name, email, or any personal identifier.
We collect anonymised usage events (e.g., feature screens opened, app launches) via Google Firebase Analytics. No personal data or attendance content is included in these events. You can opt out via your device’s advertising settings.
Crash reports including device model, OS version, and stack trace are automatically sent to Firebase Crashlytics when the app crashes. These reports do not include your attendance data, username, or personal information.
2.3 Optional Cloud Features (requires Google Sign-In)
If you choose to Sign In with Google, we receive your Google display name, email address, and profile photo URL from Google. This is used solely to authenticate AI feature requests and enable cloud backup.
If you use the optional Google Drive backup feature, your attendance data is exported as a JSON file and uploaded to a dedicated folder on your own Google Drive account. We use the
drive.file scope, which means the app
can only access files it created — it cannot read or modify any other files on your
Drive. Backup files remain on your Google Drive and are not stored on our servers.
3. AI Features & Data Sent to Our Server
PunchIn AI includes optional AI-powered features (Smart Insights, Anomaly Detection, Schedule Suggestions, Chat Assistant). These features send a portion of your local attendance data to our AI backend server at https://attend.shahawiapps.com for processing.
What is sent to the AI server:
- Your attendance record dates (e.g., “Saturday 1 March 2025”)
- Check-in and check-out times (e.g., “08:30”, “17:00”)
- Daily total hours (e.g., “08:30”)
- Optional notes (only if you attached them to a record)
- Your preferred language (Arabic or English) for localised responses
- A Firebase authentication token (if signed in) to validate requests
What is NOT sent to the AI server:
- Your real name, email, or phone number
- Your device’s contacts, location, camera, or microphone data
- Any financial information
The AI backend uses HuggingFace Inference to process requests using open-source language models. Your attendance data is sent over HTTPS to HuggingFace’s servers for processing and is not stored permanently. Your data is not shared with any other third-party AI provider such as OpenAI or Google.
4. Permissions Requested
Required to export your attendance data as an Excel/CSV file to your device’s Documents folder. We do not read any files unrelated to the app’s own exports.
Required to show check-in and check-out reminder notifications at times you configure in the Reminders screen. Notifications are never used for advertising.
Required to deliver reminder notifications at the precise times you set, even if the app is in the background.
Required to vibrate the device when a reminder fires and to briefly wake the screen for the notification.
Required to re-schedule your reminders automatically when the device restarts, so your alarms are not lost after a reboot.
Required for optional features: Firebase services (Analytics, Crashlytics, Auth, Database), AI backend requests, and Google AdMob advertisements.
5. Advertising (Google AdMob)
PunchIn AI displays banner advertisements and rewarded video advertisements provided by Google AdMob. AdMob may collect and use data to serve personalised ads based on your interests, including a device advertising ID. You can opt out of personalised ads at any time through your device settings:
- Android: Settings → Google → Ads → Opt out of Ads Personalisation
- iOS: Settings → Privacy → Apple Advertising → Personalised Ads (off)
AdMob’s data practices are governed by Google’s Privacy Policy: https://policies.google.com/privacy.
6. Data Storage & Security
- Local data (attendance records, notes, monthly totals) is stored in an SQLite database within the app’s private storage — inaccessible to other apps without root access.
- Cloud data (Google Drive backups) is stored on your own Google Drive account under your control. Firebase Realtime Database is used for optional cloud features and is protected by Firebase Security Rules requiring authentication.
- AI requests are transmitted over HTTPS (TLS 1.2+) to our server. No attendance data is retained on the server after the response is returned.
- We do not sell, rent, or share your personal data with third parties for marketing purposes.
7. Data Retention
- Local attendance data is retained until you delete it manually within the app or uninstall the application.
- Google Drive backups are retained on your own Google Drive until you delete them manually from the app or from Google Drive directly.
- Analytics and crash reports are retained by Google as per their own retention policies (typically 14 months for Analytics).
- AI request data is not retained after the request completes.
8. Children’s Privacy
PunchIn AI is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through our app, please contact us and we will delete it promptly.
9. Account Deletion
You can delete your account and associated cloud data at any time:
- In-app: Tap the ⋮ menu on any screen → “Delete Account” → confirm. Your Firebase account and all cloud data are deleted immediately.
- Web: Visit our account deletion page to submit a deletion request. Requests are processed within 72 hours.
Account deletion removes your Firebase authentication profile, AI analysis history, and any cloud-synced data. Your local attendance data and Google Drive backups are not affected — they remain on your device and your personal Google Drive respectively.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction or deletion of your data
- Withdraw consent for optional cloud features at any time by signing out
- Export your local attendance data using the built-in Excel export feature
- Delete all your data by clearing app data or uninstalling the app
To exercise these rights or to request deletion of your cloud data, contact: privacy@shahawiapps.com
11. Third-Party Services
The app integrates the following third-party services, each governed by their own privacy policy:
- Google Firebase — Authentication, Realtime Database, Analytics, Crashlytics
- Google AdMob — Advertising
- Google Sign-In — Optional authentication
- Google Drive API — Optional cloud backup (drive.file scope only)
- HuggingFace — AI inference processing
12. Changes to This Policy
We may update this Privacy Policy from time to time. The updated policy will be posted at this URL with a revised “Last updated” date. Continued use of the app after changes constitutes acceptance of the updated policy.
13. Contact Us
For any questions, concerns, or data requests regarding this Privacy Policy: