Xthings Biometric Data Policy

Effective Date: July 20, 2025

At Xthings, protecting your personal information is our top priority. This policy aims to explain, in a clear and transparent way, how we handle biometric data used for our attendance systems and to ensure our technology and operational procedures fully comply with the highest standards of the EU's General Data Protection Regulation (GDPR). 

What Information Do We Collect and Why?


According to the EU's General Data Protection Regulation (GDPR), biometric data is "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data". In simple terms, this includes physical characteristics used to uniquely identify you, such as your fingerprint or facial features.

Please be assured that the sole purpose for collecting and using this information is to provide you with a secure, accurate, and convenient way to record your work attendance.

Important Declaration: Your biometric data will never be used for any other purpose, such as evaluating job performance, tracking your activities, or conducting any form of surveillance. We strictly adhere to the "purpose limitation" principle to prevent any "function creep".

How Do We Protect Your Privacy and Security?


We understand the sensitivity of biometric data, which is why we have integrated robust privacy protections into the core of our technology's design.

  • We do not store your original image: Most importantly, our system does not store the original image of your fingerprint or face.
  • Secure Template Technology: When you first enroll, the system analyzes unique data points from your biometric features (like the endpoints and splits in fingerprint ridges) and converts them into a secure, encrypted digital code. This code is called a "template".
  • One-Way Irreversible Conversion: The process of converting your biometric feature into a template is one-way and irreversible. This means that no one, including us, can reverse-engineer your original fingerprint or facial image from the template. Even in the extremely rare event of a data breach, the stolen template is just a string of encrypted code that is useless to an attacker.
  • Data Minimization Principle: By storing only the necessary template instead of the full image, we strictly follow the GDPR's "data minimization" principle, which means we only collect and process the absolute minimum amount of data required for the stated purpose.
  • Strong Encryption and Access Control: All biometric templates are protected with strong encryption algorithms during both storage and transmission. At the same time, internal access to this data is strictly controlled and limited only to authorized personnel who require it for system maintenance.

Your Rights and Choices Under GDPR


Our Commitment to Lawful and Ethical Processing


Under GDPR, biometric data is classified as "special category personal data," which requires the highest level of protection. Our legal basis for processing this data is the necessity of fulfilling the employment contract and related legal obligations, and we ensure that your fundamental rights and freedoms are fully protected through the series of strict technical and organizational measures described above.  

Under GDPR, the use of biometric data for time and attendance is only permitted in specific circumstances where it is strictly necessary to fulfill obligations under employment law. The decision to enable biometric verification is made solely by the data controller (your employer), who is responsible for assessing and establishing the legal basis for this processing. As the technology provider, we act only upon the instructions of your employer.

Our goal is not just to comply with the law, but to build an ethical framework based on trust and respect.

If you have any questions about this policy or how your data is handled, please contact us, your employer or their designated Data Protection Officer.