← Back to home

Privacy Policy

Last updated: May 4, 2026

1. Who We Are

MONTA CAPITAL INVESTMENT COMPANY LIMITED ("ATGO", "we") operates the ATGO Cloud Attendance service at atgo.io. For privacy questions: codekhongbug@gmail.com.

2. What Data We Collect

2.1 Account data (from you)

• Email, full name, workspace name + slug, country, password (hashed).
• Billing details: country and currency for tax calculation. Card data is handled by Paddle directly — we never see or store card numbers.

2.2 Employee + attendance data (from your workspace)

• Employee records you create (name, PIN, optional email/phone, department, etc.).
• Attendance punches sent by ZKTeco devices (employee PIN, timestamp, verify type, device serial, source IP).
• We DO NOT store biometric templates (fingerprint, face, palm). Any such payload is stripped before persistence.

2.3 Telemetry

• Page views (path, referrer, user-agent, visitor cookie, country from Cloudflare header or IP lookup). Used for product analytics.
• API request logs (IP, status, latency) for 30 days for abuse detection and debugging.

3. How We Use Your Data

• Operate the Service (sync device → cloud → dashboard).
• Process payments (via Paddle, VNPay, Razorpay) and manage credits.
• Send transactional emails (signup, payment receipts, plan changes).
• Provide aggregate, anonymized usage stats for product improvement.

We do NOT sell your data. We do NOT use it for advertising.

4. Sub-Processors

We share data with the following processors strictly for service delivery:

• Paddle — payments (USD, global).
• VNPay / MoMo — payments (VN).
• Razorpay — payments (India).
• Cloudflare — DDoS protection and geo-detection (when enabled).
• Telegram — admin notifications (no customer PII sent).

5. Data Retention

• Attendance logs: retained per your plan (30 days Free, up to 1 year on Scale).
• Employee records: kept until you delete them or close the workspace.
• Audit logs: 2 years.
• Backups: 30 days rolling.
• After workspace closure: 30-day grace period for export, then deleted.

6. Data Location

Primary storage is in Vietnam (farm1.mypacksoft.com). Paddle and other payment processors store payment data in their own jurisdictions.

7. Security

• HTTPS-only with Let's Encrypt; HSTS enabled.
• Postgres Row-Level Security per tenant — your data cannot be read by other workspaces.
• Passwords hashed with bcrypt; tokens are JWT with 60-minute access TTL.
• Biometric stripping at the API gateway.

8. Your Rights

You can at any time:

• Export all your workspace data via the dashboard or by emailing us.
• Delete employees, devices, or the entire workspace.
• Request rectification of inaccurate data.
• Withdraw payment consent (cancellation downgrades to Free at end of credit period).

9. Cookies

We use a single `atgo_token` localStorage entry for authentication and an anonymous `atgo_visitor` cookie for unique-visitor counts. No third-party advertising cookies.

10. Changes

Material changes will be announced via email and in-app banner at least 30 days in advance.

11. Contact

Email: codekhongbug@gmail.com