Privacy Policy

Data Retention Policies

Free Users (No Account Required):

All data automatically expires within 24 hours maximum with complete cleanup:

• Attendee data: 24-hour automatic expiration
• Sheet metadata: 24-hour automatic expiration
• Session tokens: 24-hour automatic expiration
• Encrypted data: Complete automatic cleanup

Sheeter+ Registered Users:

Enhanced retention for registered accounts with full control:

• Account profile: Persistent until account deletion
• Attendance sheets: Saved and manageable for 30 days, then automatically deleted
• Checker checklists: Persistent until manually deleted by user
• User credentials: Secure PBKDF2 encrypted storage
• JWT tokens: Configurable expiration with secure refresh
• Immediate deletion: Available anytime through account settings

User-Controlled Data Management

You have complete control over your data with multiple deletion options:

Free Users:

• "Stop Attendance" button: Immediately deletes all event data
• "Delete Sheet" button: Permanently removes sheet and all associated data
• Browser close: Automatic cleanup when you close the browser tab
• Individual attendee deletion: Remove specific attendees from your sheet

Registered Users (Additional Controls):

• Account deletion: Complete removal of profile, sheets, checklists, and attendance records
• Data export: Download all your data in structured JSON format before deletion
• Username management: Change your username with real-time availability checking
• Password changes: Update your password with current password verification
• Session management: Logout from all devices with token invalidation
• Checklist management: Individual checklist and item deletion controls

Comprehensive Security & Encryption

Multi-layered security protecting all data types:

Attendance Data Encryption:

• Hybrid Encryption: RSA-OAEP + AES-GCM encryption
• Unique Keys: Each sheet gets its own cryptographic key pair
• Secure Transmission: All data encrypted before leaving your device
• No Plaintext Storage: Data is encrypted at rest and in transit

Registered User Security:

• PBKDF2 Password Hashing: 100,000 iterations with unique salts
• JWT Authentication: Secure token-based sessions with expiration
• Password Verification: Current password required for sensitive operations
• Session Invalidation: Secure logout with token blacklisting
• Legacy Support: Backward compatibility with secure upgrade paths
• Biometric Protection: Digital signatures handled with privacy-first approach

Data Export & Portability

Comprehensive data export options respecting privacy and security:

Attendance Sheet Exports (All Users):

• PDF Export: Complete attendance records with signatures for verification
• Excel Export: Data-only format excluding signatures for enhanced security
• Privacy Protection: Signatures excluded from Excel exports to protect biometric data
• No Cloud Storage: Export files generated locally and downloaded directly

Account Data Export (Registered Users Only):

• Comprehensive JSON Export: Complete account data in structured format
• Profile Information: User details, creation dates, and account metadata
• Sheeter+ Sheets: All saved attendance sheets with metadata
• Checker Data: Complete checklists with items and progress
• Attendance Records: All attendee data with privacy-safe metadata
• Biometric Protection: Signature data excluded; only capture status included
• Export Metadata: Timestamps, versions, and user information for verification

Configurable Data Collection

You have complete control over what data is collected:

• Optional Signatures: Can be enabled/disabled and required/optional per sheet
• Custom Fields: Email, phone, position, organization - all optional
• Timestamp Control: Choose whether to include submission timestamps
• Field Requirements: Set any field as required or optional independently

What We DON'T Do

Anonymous Analytics

We use minimal, anonymous tracking to improve our service:

• Google Analytics: Anonymous usage statistics only
• Performance Monitoring: Error tracking and performance metrics
• No Personal Data: Analytics never include attendee information
• Opt-Out Available: Use browser settings to disable tracking

GDPR & Privacy Law Compliance

Our 24-hour data retention policy exceeds requirements of major privacy laws:

• GDPR Compliance: Right to erasure, data minimization, consent
• CCPA/CPRA Compliance: No sale of personal data, transparent practices
• Data Minimization: Only collect what's necessary for attendance tracking
• Consent Management: Clear opt-in for all data collection
• Right to Deletion: Immediate deletion available at any time

Event Organizer Responsibilities

Your Rights

All users have the right to:

• Know what data we collect (detailed in this policy)
• Request immediate deletion of your data
• Control what data is collected through sheet configuration
• Opt-out of analytics tracking
• Export attendance data in PDF and Excel formats

Additional rights for registered users:

• Export all account data in comprehensive JSON format
• Delete your entire account with cascading data removal
• Change your username with availability verification
• Update your password with secure verification
• Access detailed information about what data is exported/deleted
• Control biometric data inclusion in exports (PDFs only)
• Manage checklist data independently

Security Measures

• SSL/TLS Encryption: All data transmitted over secure connections
• Bot Protection: Cloudflare Turnstile prevents automated attacks
• Rate Limiting: Protection against abuse and spam
• Security Headers: Comprehensive security headers implemented
• CORS Protection: Restricted cross-origin access
• Content Security Policy: Protection against XSS attacks

Policy Updates

We'll update this policy if our privacy practices change, always with advance notice and clear explanations of what's changed. Check this page periodically for updates.

Contact Us

Questions about our privacy practices? We'd love to hear from you: