Privacy Policy

Last updated: July 11, 2026

Who we are

Cookiems (“we”, “us”) provides HR, payroll, and attendance software for companies in the Philippines. This policy explains what personal data we process, why, and the choices you have. We process personal data in accordance with the Philippine Data Privacy Act of 2012 (RA 10173) and its implementing rules.

When your employer uses Cookiems, your employer is the personal information controller for your employment records; Cookiems processes that data on their behalf to deliver the service.

Data we collect

Depending on how your company uses Cookiems, we process:

  • Account & profile: name (including optional middle name and extension), email, role, position, phone number, birthday, emergency contact details, profile photo.
  • Attendance: time-in/time-out and break punches with date and time, and — when you allow it — the location coordinates of a punch. Biometric device logs your employer imports (employee number and punch times; we do not receive fingerprint templates).
  • Payroll & financials: salary, payslips, allowances, loans and advances, withholding tax and statutory contribution amounts (SSS, PhilHealth, Pag-IBIG).
  • Leave & requests: time-off requests, overtime requests, attendance correction requests, and attachments you upload with them.
  • Documents: files uploaded for onboarding checklists and requirements.
  • Messenger linking (optional module): if your company enables Messenger time in/out and you link your account, we store your page-scoped Messenger ID (PSID) and the text of attendance commands you send to the page. We never see your Facebook password or friends list.
  • Sign-in data: if you sign in with Google, we receive your verified email and name from Google. We store session tokens in cookies and local storage to keep you signed in.

How we use data

  • Operate attendance, leave, and payroll for your employer
  • Compute Philippine payroll obligations (withholding tax, SSS, PhilHealth, Pag-IBIG, 13th month)
  • Send notifications your company configures (e.g. email)
  • Secure the service (authentication, rate limiting, abuse and bot prevention)

We do not sell personal data. We do not use your data for advertising.

Third parties we rely on

  • Cloudflare Turnstile — bot protection on sign-in and sign-up forms.
  • Google — optional “Sign in with Google”.
  • Meta (Facebook Messenger) — only if your company enables the Messenger attendance module and you choose to link your account.
  • Anthropic — if your company enables AI chat replies for Messenger attendance, the text of your attendance messages is processed to generate a reply.
  • Google Analytics — optional usage analytics, only after you accept the cookie banner. See the Cookies section below.

Our servers are hosted with our infrastructure provider; data is stored encrypted in transit (HTTPS everywhere).

Cookies

Strictly necessary: authentication tokens that keep you signed in (7-day lifetime) and security cookies set by Cloudflare Turnstile during bot checks. These are always on.

Analytics (optional): with your consent, we use Google Analytics to understand how the site and app are used — page views and coarse feature-usage events. No analytics cookies are set unless you accept the cookie banner, you can decline without losing any functionality, and ad personalization is disabled. We never send names, emails, salaries, or other personal records to analytics.

No advertising or cross-site tracking cookies.

Retention and deletion

We keep personal data for as long as your employer’s account is active, because payroll and attendance records are ongoing employment records your employer is required to maintain.

We follow hard deletion on request.

  • When a company requests account deletion, its data — employee profiles, attendance records, payslips, documents, uploaded files, and Messenger links — is permanently deleted from our systems, not just deactivated or hidden.
  • Individual employees may ask their employer (the controller) to correct or delete their personal data; where your employer instructs us, or where you contact us directly with a valid request, we delete the data permanently.
  • Unlinking Messenger deletes the stored PSID mapping immediately.

Note that your employer may be legally required to retain certain payroll records under Philippine labor and tax law before a deletion can be completed; where that applies, we delete as soon as the retention obligation lapses.

Your rights

Under the Data Privacy Act you have the right to be informed, to access, correct, and object to processing of your personal data, the right to erasure, and the right to data portability. Most requests are fastest through your company’s HR admin, since they control your employment records; you can also reach us directly and we will coordinate with your employer.

Contact

Questions or requests: contact-us@cookiems.app. We respond to privacy requests within 15 days.

We may update this policy as the product changes; material changes are announced in-app. Continued use after an update means the revised policy applies.

Looking for how to delete your data right now? Company owners can request deletion from Settings, or email us. See also our Terms of Service.