Privacy Policy
PULSE Imel — Android Application
Version: 1.3 | Publication date: 29.05.2026 | Imel d.o.o. Lukavac
1. General Information
This Privacy Policy describes how Imel d.o.o. Lukavac (hereinafter: “Imel” or “we”), as the publisher and developer of the PULSE software solution, processes data generated when using the Android application PULSE Imel.
PULSE Imel is a business (B2B) application intended exclusively for companies and organisations for employee time and attendance management. The application functions exclusively within the client’s business infrastructure and requires an active licence issued by Imel d.o.o.
The data controller is the employer (client) who has entered into an agreement with Imel and uses the PULSE system to track their employees. Imel d.o.o. acts as the data processor, providing the technical platform for data processing on behalf of and for the account of the employer.
2. Data Processed by the Application
PULSE Imel processes the following categories of data:
2.1 Identity and Licence Data
- Licence Key — a unique identifier entered by the employee when activating the application, linked to the employee’s electronic card in the PULSE system.
- Employee NFC Card UID — a unique NFC card identifier (4 or 7 bytes) read during check-in or check-out. The card does not contain biometric data.
2.2 Location Data (GPS device type only)
- GPS coordinates (latitude and longitude) — collected only when an employee initiates an attendance event via a GPS-type device, used exclusively to validate the geofencing zone at the time of the event. Continuous location tracking is not implemented.
- If all registered devices in the system are of NFC type, location coordinates are not collected for any attendance event.
2.3 Attendance Records
- Event type — Entry, Exit, Break, Trip, or Auto event.
- Date and exact time of the attendance event.
- Device and area identifier where the event was recorded.
2.4 NFC Device Check-In Data (v1.3)
- Physical NFC terminal UID — the application locally verifies that the scanned UID matches the pre-loaded terminal UID. The terminal UID is not sent separately to the server — the server receives a standard attendance request without GPS coordinates.
2.5 Device Technical Data
- Android device information relevant to the application’s security mechanism (HMAC-SHA256 request signing, nonce values). This information is not stored on the server as a separate device profile.
3. Purpose and Legal Basis for Processing
Purpose: recording working hours and controlling employee attendance, in order to fulfil legal and contractual obligations arising from the employment relationship.
Legal basis: processing is carried out on the basis of the employment contract between the employee and the employer (Art. 6(1)(b) GDPR), and/or on the basis of the employer’s legal obligation regarding working-time records (Art. 6(1)(c) GDPR).
4. Recipients of Data
Data recorded via the PULSE Imel application is accessible exclusively to:
- Authorised administrators of the employer via the PULSE Web application (dashboard, reports).
- Imel d.o.o., exclusively for technical purposes (service provision and maintenance, troubleshooting). Imel has no right to use this data for its own purposes.
Data is not shared with third parties and is not transferred outside the infrastructure agreed between the client and Imel.
5. Data Security
Imel d.o.o. has implemented appropriate technical and organisational security measures:
- Local data encryption: AES-256-GCM — all data stored on the device is encrypted.
- Secure communication: HTTPS (TLS) for all network communication between the application and the server.
- Request authentication: HMAC-SHA256 signing of every API request, with single-use nonce values.
- Data access: restricted to authorised users with a valid licence and appropriate user account.
6. Data Retention
The retention period for attendance data is determined by the employer (data controller) in accordance with applicable laws and internal policies. Imel d.o.o. provides technical capabilities for data deletion or archiving but does not independently decide on retention periods.
Local data on the Android device (offline cache) is deleted upon licence deactivation or application uninstallation.
7. Data Subject Rights
Employees whose data is processed have, under applicable data protection legislation, the right to: access, rectification, erasure, restriction of processing, objection to processing, and data portability. These rights are exercised by submitting a request directly to the employer, who is the data controller.
Imel d.o.o. supports the employer in fulfilling these requests to the extent technically possible.
8. Cookies and Analytics
The PULSE Imel Android application does not use cookies and does not integrate any third-party analytics tools (such as Google Analytics, Firebase Analytics, etc.). The application does not send anonymised usage data to Imel or any third party.
9. Children
PULSE Imel is exclusively a business application intended for adult employees. It is not intended for persons under the age of 18.
10. Changes to This Policy
Imel d.o.o. may periodically update this Privacy Policy. The version and publication date are indicated in the document header. Clients (employers) will be notified of any significant changes through the usual communication channels.
11. Contact
For any questions regarding this Privacy Policy and the processing of data through the PULSE system, please contact:
Imel d.o.o.
Address: Skendera Kulenovića bb, 75300 Lukavac, Bosnia and Herzegovina
Email: software@imel.ba
Web: www.imel.ba
