Group 165
Products
Contact us
EN
01. Enterprise & Business ›
02. Industrial Solutions ›
03. Commercial & Marketing Solutions ›
04. Governance & Administration Solutions ›
Séparateur

Privacy Policy and Data Protection

Last Revised: 26 October 2025

Introduction

At Ixora, we understand that you are entrusting us with confidential information, and we believe you have a right to know how we collect, use, store, and protect that information.

Ixora provides a cloud-based HR and Attendance platform, deployed locally in Saudi Arabia, that enables organizations to manage time, attendance, employee scheduling, and related HR services through its Web Dashboard, Mobile App, and Attendance Kiosk App.

This Policy describes the practices of Ixora (“we”, “our”, or “us”) concerning personal data, including collection, use, access, correction, disclosure, and protection under the Saudi Personal Data Protection Law (PDPL) and related National Cybersecurity Authority (NCA) guidelines. Ixora aligns its practices with international frameworks such as the General Data Protection Regulation (GDPR) and ISO 27001 where applicable.

Scope and Applicability

This Policy applies to use of Ixora’s services by enterprise customers, their authorized users, and visitors to Ixora’s public websites and forms.

Account Ownership

Each subscribing organization designates an Account Owner (Administrator) responsible for managing its Ixora account. The Account Owner:

  • Creates and manages company users and branches,
  • Defines attendance methods (Attendance Machine, Face Recognition, NFC, PIN, or QR),
  • Controls all data access and configuration, and
  • Is responsible for ensuring that employee data uploaded to Ixora complies with applicable laws.

Data Controller and Processor Roles

For the purposes of the Saudi PDPL and comparable data-protection laws:

  • The Customer (Employer) is the Data Controller (or “Data Fiduciary”), responsible for determining the purpose and means of processing its employees’ data.
  • Ixora acts as the Data Processor, processing data strictly in accordance with the Customer’s written instructions and contractual agreement.

For data collected directly via Ixora’s website, marketing forms, or recruitment portal, Ixora acts as the Data Controller.

Information We Collect and How We Use It

Personal Data collected through the Ixora Service may include:

  • Identification data: full name, employee ID, photo, nationality, job title, department, employment status, start and termination dates.
  • Contact details: work email, work phone number (optional).
  • Attendance and scheduling data: check-in/out timestamps, shifts, break records, exceptions, and overtime.
  • Government ID information if required for employment records (not mandatory for attendance use).
  • Bank or payroll references if integrated by the Customer (Ixora does not collect such data independently).

We collect only the minimum necessary information to perform attendance and HR services under the Customer’s authorization.

Legal Basis: Processing is based on performance of contract (to provide services to the Customer) and, where sensitive data such as biometrics or geolocation are involved, explicit consent obtained from employees. Ixora does not knowingly collect data from individuals under 18 years of age.

Biometric and Attendance Data

If the Customer enables Face Recognition Attendance, Ixora collects and processes biometric data (facial templates) solely for verifying identity and recording attendance.

  • The biometric template is mathematically encrypted and cannot reconstruct the user’s face.
  • It is never used for marketing, analytics, or profiling.
  • The template is deleted immediately once the employee is removed or face-based attendance is disabled.
  • Sub-processors supporting the facial-recognition engine process data transiently and do not retain any facial images after processing.

Attendance data (check-in/out time, method, and geolocation) is stored in the Customer’s secure workspace and transmitted only over encrypted channels.

Device and Location Information

When using the Ixora Mobile App or Tablet Kiosk, we may capture device and location data for security and accuracy:

  • Device ID, operating system, app version, and connectivity status.
  • GPS coordinates or Wi-Fi SSID when geofence attendance is enabled.
  • Camera permission for QR scanning or face capture (with user consent).

Employees can withdraw location permission at any time, though this may limit certain attendance functions.

Location Data Usage for Attendance Verification

The Ixora HR application uses location data strictly for attendance and workforce management purposes. Location information is collected solely to verify that an employee is physically present at the designated workplace during working hours.

Location data may be collected at the time of clock-in, clock-out, and periodically during an active work shift to confirm continued presence at the authorized work location. The application does not perform continuous background tracking and does not record movement history or travel paths outside of attendance verification events.

All location data is processed automatically by the system and is not monitored in real time by managers, administrators, or any human operators. The application does not allow employers or administrators to view live location data or detailed location history of employees.

Location data is used exclusively for attendance validation, payroll accuracy, and compliance with internal workforce policies. It is not used for marketing, analytics, profiling, or any secondary purposes.

Location information is not shared with any third parties. It remains securely stored within the system and is accessed only by authorized system processes required for attendance verification.

If the application detects that an employee is outside the authorized work location, the employee is notified and given the ability to submit a request or correction through the application in case of technical errors or legitimate exceptions.

By accepting this Privacy Policy, users explicitly consent to the collection and processing of location data as described above. Location access may be revoked at any time through device settings; however, doing so may limit the availability of attendance-related features.

Non-Personal Information

Ixora also collects non-identifiable information such as aggregated system logs, error reports, browser type, operating system, and usage analytics for improving reliability and performance. This information cannot identify individual users.

Data Collected as a Service Provider

Ixora collects and processes data only per Customer instruction. The Customer (employer) is responsible for:

  • Informing employees about how their data will be used;
  • Obtaining lawful consent for processing biometric or location data;
  • Managing employee access and deletion requests.

Ixora provides a Data Processing Addendum (DPA) to Customers detailing sub-processors and transfer safeguards.

Disclosure of Personal Data

Ixora does not sell or trade user data. Data may be disclosed only in the following cases:

  1. To authorized sub-processors (e.g., hosting or biometric services) under strict confidentiality and security agreements;
  2. To comply with Saudi laws, court orders, or legitimate national security or law-enforcement requests;
  3. To protect system security or investigate misuse or fraud;
  4. During a merger, acquisition, or corporate restructuring, ensuring continued data protection.

All third-party providers are required to respect privacy and process data only under Ixora’s documented instructions.

Data Retention

Ixora retains data only as long as necessary to provide the Service and comply with legal obligations.

  • Attendance and log data: retained per Customer’s configuration (typically 3–7 years).
  • Biometric templates: retained only while the user is active; permanently deleted within 60 days of deactivation or withdrawal of consent.
  • Offline kiosk records: automatically deleted after synchronization.
  • Backups: maintained for disaster recovery and automatically purged per lifecycle policy.

After service termination, Ixora begins secure deletion within 60 days, except anonymized usage statistics which may be retained for analytics.

Where Do We Store Your Data

All Ixora data is hosted locally within the Kingdom of Saudi Arabia, aligned with National Cybersecurity Authority (NCA) and Saudi Data and Artificial Intelligence Authority (SDAIA) requirements. Servers reside in certified data centers compliant with ISO 27001 and NCA Cloud Cybersecurity Controls (CCC). Data is not transferred outside the Kingdom unless required by the Customer and in full compliance with PDPL cross-border transfer conditions.

Data Security and Storage of Information

Ixora employs multiple layers of protection:

  • Encrypted communication (TLS 1.2+) and encrypted databases (AES-256).
  • Role-based access control (RBAC) and multi-factor authentication for administrators.
  • Regular penetration testing and log monitoring.
  • Enforced MDM lock mode on kiosk devices and secure local encryption.
  • Staff training on PDPL and data-handling procedures.

In the event of a personal data breach, Ixora will notify the affected Customer and the relevant Saudi authority (if required) without undue delay (72 hours), and assist in investigation and remediation.

Your Rights Associated with Your Information

If Ixora controls your information directly (e.g., website inquiries, demos, job applications):

  • You may access, correct, delete, restrict, or object to processing by contacting info@ixora.com.
  • Ixora will respond within 30 business days in line with PDPL requirements.

If you are an employee of a Customer using Ixora HR:

  • Your employer controls your data; please contact your HR or system administrator for access or deletion requests.
  • Ixora will support the Customer to fulfill verified requests.

Cookies

Ixora’s website uses cookies and analytics tools (e.g., Google Analytics) to enhance user experience and service improvement. These cookies collect anonymous data such as page views, time on site, and browser information. Users may disable cookies in their browser settings. Ixora does not use cookies to collect personal or biometric data.

Holding Information on Minors

The Service is not directed to minors. If Ixora discovers that information has been collected from a person under 18, the information will be promptly deleted.

Email Opt-Out Procedure

Marketing communications from Ixora include an “unsubscribe” link. Users can also opt out by contacting info@ixora.com. Transactional or system notifications essential to service operation may still be sent.

Changes to Our Privacy Policy

Ixora may update this Policy from time to time. Material updates will be communicated to Account Owners via email or in-app notice. Continued use of Ixora after updates constitutes acceptance of the revised Policy.

Contact

For any questions or concerns about this Policy or Ixora’s data-protection practices, please contact:
Email: info@ixora.com

This Privacy Policy complies with the Saudi Personal Data Protection Law (PDPL) and the National Cybersecurity Authority (NCA) controls. Ixora remains committed to maintaining the confidentiality, integrity, and availability of all customer and employee data entrusted to its systems.