Privacy Policy
Last updated: January 27, 2026
Data Controller
Company: MATAT TECHNOLOGIES LTD
Address: Israel
Email: support@matat.co.il
Data Protection Officer: support@matat.co.il
1. Introduction
MATAT TECHNOLOGIES LTD ("Clokio", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy is designed to comply with the Israeli Privacy Protection Law 5741-1981 and its Amendment 13 (תיקון 13 לחוק הגנת הפרטיות), as well as the European Union General Data Protection Regulation (GDPR - Regulation 2016/679).
This policy explains how we collect, use, store, share, and protect your personal data when you use our attendance management services, and informs you of your rights regarding your personal data.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Subject: The individual whose personal data is being processed
- Processing: Any operation performed on personal data (collection, recording, storage, use, disclosure, etc.)
- Data Controller: The entity that determines the purposes and means of processing personal data (Clokio)
- Data Processor: An entity that processes personal data on behalf of the controller
- Sensitive Data: Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.
3. Categories of Personal Data We Collect
3.1 Identity and Contact Data
- Full name
- Email address
- Phone number
- Profile photograph
3.2 Employment Data
- Employee ID number
- Job title and department
- Work location assignment
- Employment status
3.3 Attendance and Time Data
- Clock-in and clock-out timestamps
- Break times
- Working hours calculations
- Leave requests and absences
3.4 Location Data
- GPS coordinates at clock-in/clock-out (with explicit consent)
- Geofencing verification data
3.5 Biometric Authentication
Important - We Do NOT Store Biometric Data:
Clokio uses your device's built-in biometric authentication (Face ID, Touch ID, fingerprint scanner) for identity verification. This means:
- Your biometric data never leaves your device - it is processed and stored locally by your phone's operating system (iOS/Android)
- We only receive a success/failure confirmation from your device, not your actual biometric data
- Apple and Google are responsible for the security and storage of your biometric templates
- We cannot access, view, or export your fingerprint, face scan, or any biometric information
For information about how your device handles biometric data, please refer to Apple's Face ID Security or Google's Biometric Security documentation.
3.6 Technical Data
- IP address
- Device type and operating system
- Device identifiers
- Browser type (for web access)
- App version
4. Legal Basis for Processing (GDPR Article 6 & Israeli Law)
We process your personal data only when we have a valid legal basis:
| Processing Purpose | Legal Basis |
|---|---|
| Providing attendance tracking services | Contract performance |
| Device biometric verification (Face ID/Touch ID) | Device OS consent (handled by Apple/Google) |
| Location tracking during clock-in/out | Explicit consent |
| Sending marketing communications | Consent |
| Service improvement and analytics | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Compliance with labor laws | Legal obligation |
| Tax and financial record keeping | Legal obligation |
5. Purposes of Processing
We process your personal data for the following specific purposes:
- Providing and maintaining attendance management services
- Verifying employee identity during clock-in/clock-out
- Generating attendance reports for employers
- Processing leave requests and managing absences
- Sending service-related notifications
- Providing customer support
- Improving and optimizing our services
- Ensuring security and preventing fraud
- Complying with legal and regulatory requirements
- Sending marketing communications (only with consent)
6. Data Sharing and Recipients
We do not sell your personal data. We may share your data with the following categories of recipients:
6.1 Your Employer
Attendance data, working hours, and leave information are shared with authorized administrators in your organization as part of the employment relationship.
6.2 Service Providers (Sub-processors)
We engage third-party service providers who process data on our behalf. For a complete list of our sub-processors, please visit our Sub-processors page.
All service providers are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance and appropriate security measures. Organizations requiring a DPA can contact us at support@matat.co.il.
6.3 Legal and Regulatory Authorities
We may disclose data when required by law, court order, or government request, or to protect our legal rights.
7. International Data Transfers
Your data may be transferred to and processed in countries outside Israel or the European Economic Area (EEA). When we transfer data internationally, we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries recognized as providing adequate protection by the European Commission or Israeli Privacy Protection Authority
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards for data transfers
- Binding Corporate Rules: For transfers within corporate groups
- Your Explicit Consent: When required and obtained
You may request information about the specific safeguards in place by contacting our Data Protection Officer.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days |
| Attendance records | 7 years (legal requirement) |
| Biometric data | Not stored by Clokio (device-only) |
| Location data | 90 days (unless required longer) |
| Technical logs | 12 months |
After the retention period, data is securely deleted or anonymized in accordance with our data destruction procedures.
9. Your Rights (GDPR & Israeli Privacy Law)
Under GDPR and the Israeli Privacy Protection Law (Amendment 13), you have the following rights regarding your personal data:
Right of Access (Article 15 GDPR / Section 13 Israeli Law)
Request confirmation of whether we process your data and obtain a copy of your personal data.
Right to Rectification (Article 16 GDPR / Section 14 Israeli Law)
Request correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Article 17 GDPR / Section 14a Israeli Law)
Request deletion of your personal data when it is no longer necessary, you withdraw consent, or you object to processing.
Right to Restriction of Processing (Article 18 GDPR)
Request limitation of processing in certain circumstances.
Right to Data Portability (Article 20 GDPR)
Receive your data in a structured, commonly used, machine-readable format.
Right to Object (Article 21 GDPR / Section 13a Israeli Law)
Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7 GDPR)
Withdraw consent at any time for processing based on consent. Withdrawal does not affect prior lawful processing.
Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)
Not be subject to decisions based solely on automated processing that significantly affect you.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer at support@matat.co.il. We will respond within:
- GDPR: 30 days (extendable by 60 days for complex requests)
- Israeli Law: 30 days
We may request identification verification before processing your request.
10. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:
- Israel: The Privacy Protection Authority (הרשות להגנת הפרטיות) - www.gov.il/privacy
- EU: The supervisory authority in your country of residence or where the alleged infringement occurred
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Employee security training and confidentiality agreements
- Incident response and breach notification procedures
- Physical security of data centers
- Regular backups and disaster recovery procedures
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR requirement)
- We will notify the Israeli Privacy Protection Authority as required by Israeli law
- If the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay
13. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. This section explains what cookies are, how we use them, and how you can control them.
13.1 What Are Cookies?
Cookies are small text files that are stored on your device when you visit a website. They help websites remember your preferences and improve your experience.
13.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Required for the website to function. Include session cookies, CSRF protection, and authentication tokens. | Session / 2 hours |
| Preference Cookies | Remember your settings like language, timezone, and display preferences. | 1 year |
| Security Cookies | Help detect fraud, protect against attacks, and ensure secure login. | Session |
| Analytics Cookies | Help us understand how visitors use our website to improve performance (only with consent). | 2 years |
13.3 Specific Cookies Used
| Cookie Name | Provider | Purpose |
|---|---|---|
| XSRF-TOKEN | Clokio | Security - Prevents cross-site request forgery attacks |
| clokio_session | Clokio | Essential - Maintains your login session |
| remember_web_* | Clokio | Preference - Remember me functionality |
| cookie_consent | Clokio | Essential - Stores your cookie consent preference |
13.4 Local Storage
In addition to cookies, we use browser local storage for:
- FCM Token: Push notification device token
- Cookie Consent: Your cookie preference
- UI Preferences: Sidebar state and display settings
13.5 Managing Cookies
You can control and manage cookies in several ways:
- Cookie Consent Banner: Use our cookie banner to accept or decline non-essential cookies
- Browser Settings: Most browsers allow you to block or delete cookies through settings
- Third-Party Tools: Use browser extensions to manage cookie preferences
Note: Blocking essential cookies may affect the functionality of our service, including your ability to log in.
14. Children's Privacy
Our services are intended for adults in employment relationships. We do not knowingly collect personal data from children under 16 (GDPR) or 18 (Israeli law). If we become aware that we have collected data from a minor without appropriate consent, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes:
- By email at least 30 days before the changes take effect
- Through a prominent notice in our application
- By updating the "Last updated" date at the top of this policy
Continued use of our services after changes become effective constitutes acceptance of the revised policy.
16. Contact Information
Data Controller
Company: MATAT TECHNOLOGIES LTD
Email: support@matat.co.il
Data Protection Officer (DPO)
Email: support@matat.co.il
For any questions about this Privacy Policy, to exercise your rights, or to lodge a complaint, please contact our Data Protection Officer.
Legal References
- Israeli Privacy Protection Law 5741-1981 (חוק הגנת הפרטיות, תשמ"א-1981)
- Israeli Privacy Protection Regulations (Data Security) 5777-2017 (תקנות הגנת הפרטיות (אבטחת מידע), תשע"ז-2017)
- EU General Data Protection Regulation (GDPR) - Regulation 2016/679