Privacy Policy

LawTekno LLC ("we", "us", or "our") operates the GateKipas visitor and employee check-in management platform (the "Service"). We respect your privacy and are committed to protecting the personal information you share with us. This Privacy Policy explains what information we collect, how we use it, how we store and protect it, and your rights regarding your data. By using the Service, you agree to the collection and use of information in accordance with this policy.

When you register for a GateKipas account, we collect the following information: your full name, email address, phone number, business name, and business type. During the subscription process, payment information (credit card number, billing address) is collected and processed directly by Stripe — we do not store your full credit card number on our servers. We also collect your language preference, timezone selection, and any business logo you upload for kiosk branding.

When visitors check in through the GateKipas kiosk, the following information may be collected: first name and last name; phone number and/or email address (depending on the business's contact requirement settings); the selected host they are visiting; the stated purpose of their visit; check-in and check-out timestamps; responses to any custom fields configured by the business; and digital signatures on any agreements or NDAs presented during check-in. All visitor information is entered voluntarily by the visitor at the kiosk. The business using GateKipas is the data controller for visitor information, and GateKipas acts as a data processor on the business's behalf.

For employees using the time-tracking features, we collect: the employee's name, email address, phone number, and department as entered by the business administrator; clock-in and clock-out timestamps; and total hours worked. Employee PINs used for authentication are stored as salted SHA-256 hashes and cannot be retrieved in plain text. If biometric authentication is enabled, additional information is collected as described in Section 5.

When a business enables biometric authentication for employee clock-in (available on the Pro plan), the following applies: WebAuthn credential identifiers and public keys are stored on our servers to verify employee identity during clock-in. Raw biometric data — including fingerprints and facial scans — never leaves the employee's device and is never transmitted to or stored on GateKipas servers. Before biometric enrollment, we require explicit consent from each employee. The exact consent text shown to the employee and a precise timestamp are recorded and stored as a legal record. Employees can request deletion of their biometric credentials at any time by contacting their business administrator. Business administrators can also remove biometric data from any employee's profile through the dashboard. All biometric credential data stored on our servers is encrypted at rest. GateKipas is designed to comply with the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington State biometric privacy law (RCW 19.375).

For education-type businesses (schools, daycares, and tutoring centers) using the student management module on the Pro plan, we collect the following student information: student name, grade or class level, student ID, primary guardian name and contact information (phone and email), secondary guardian name and contact information, authorized pickup persons, and notes (which may include allergies, medical conditions, or special instructions). Guardian contact details, authorized pickup persons, and notes are never displayed on the public-facing kiosk. Only the student's name and grade are shown on the kiosk for pickup purposes. Access to student data is restricted by role: Admin and Manager roles can view and edit student records, while Front Desk can view but not modify them. Student data is protected in compliance with the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA). The business (school or educational institution) is responsible for obtaining all required parental consents for the collection of student data as required by applicable law.

We use the information we collect to: provide, operate, and maintain the Service; process visitor check-ins and check-outs and send real-time notifications to hosts via email and SMS; manage employee timesheets and clock-in/clock-out records; generate analytics, reports, and dashboards for business administrators; process billing and subscription payments through Stripe; send transactional emails related to account activity, billing, and service updates; improve the Service based on usage patterns and feedback; comply with legal obligations and respond to lawful requests from authorities; and support bilingual operation in English and French. We do not use visitor, employee, or student data for advertising or marketing purposes.

All data is stored securely using Supabase, which provides enterprise-grade PostgreSQL databases hosted in the United States (East US region). Data is encrypted in transit using HTTPS/TLS and encrypted at rest. We implement Row Level Security (RLS) policies at the database level to ensure strict multi-tenant data isolation — each business can only access its own data. Employee PINs are stored as salted SHA-256 hashes and can never be retrieved in plain text. Kiosk access PINs are also stored as hashed values. Each kiosk is assigned a unique access key that is validated on every page load. Notification acknowledgment links use HMAC-signed tokens. CSV and PDF exports are sanitized against formula injection attacks. Access to data within the dashboard is controlled through role-based access control (RBAC) with four permission levels: Admin, Manager, Front Desk, and Host. We conduct regular security reviews and maintain access controls, firewalls, and monitoring to protect against unauthorized access.

We do not sell, rent, or trade your personal information to any third party. We share data only with the following service providers, solely for the purpose of operating the Service: Stripe for payment processing and subscription management; Resend (sending from notifications@gatekipas.com) for transactional email delivery; Twilio for SMS notifications to hosts; and Supabase for database hosting and storage. Each of these providers maintains their own privacy policies and data processing agreements. We share only the minimum data necessary for each service to function. We may also disclose information if required to do so by law or in response to valid legal process, such as a subpoena or court order. We do not share data for advertising or marketing purposes.

Business administrators can configure data retention periods through the Settings page in the dashboard. Available retention periods range from 6 to 60 months, with a default of 12 months. There is no option for unlimited retention. Visitor data older than the configured retention period is automatically purged by our system. Employee time-tracking records may be retained longer in accordance with applicable labor and employment laws. Upon account cancellation, all data is retained for 30 days to allow for account reactivation or data export, after which it is permanently and irrecoverably deleted from all systems including backups. You may request the export or deletion of your data at any time by contacting support@gatekipas.com.

The emergency evacuation roster feature provides a real-time view of all currently checked-in visitors and clocked-in employees, along with their contact information and location assignment. This feature does not collect any additional data beyond what is already gathered during normal check-in and clock-in operations. The evacuation roster can be printed for use during an emergency but is not stored separately from the standard visitor and employee records. Emergency roster data is not shared with any third party except law enforcement during an active emergency situation when required by law or when the safety of individuals is at risk.

For businesses with multiple locations on the Pro plan, each location's data is logically isolated and scoped within the system. Branch staff can only access visitor, employee, and student data for their own assigned location. Headquarters administrators have visibility across all locations and can view aggregate data, generate cross-location reports, and manage branch settings. When an employee is transferred between locations, their historical time-entry data remains associated with the original location where it was recorded. New time entries after the transfer are recorded under the new location.

We may send product updates, feature announcements, and service-related communications to business owner email addresses. You may opt out of non-essential marketing communications at any time by using the unsubscribe link included in every email or by contacting support@gatekipas.com. We do not use visitor, employee, or student data for marketing communications. We do not share your email address with third parties for their marketing purposes.

Visitors who wish to access, correct, or delete their personal information collected through the GateKipas kiosk should contact the business that collected their data, as the business is the data controller for visitor information. GateKipas acts as a data processor and processes visitor data on behalf of the business. If a visitor is unable to reach the business, they may contact GateKipas at support@gatekipas.com, and we will make reasonable efforts to assist with their request. Businesses using GateKipas are responsible for informing visitors about data collection practices and obtaining any consents required by applicable law.

GateKipas uses only essential cookies that are strictly necessary for the operation of the Service, including session management and authentication state. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. The kiosk interface uses the minimum cookies required for functionality. You can manage your cookie preferences through your browser settings; however, disabling essential cookies may prevent the Service from functioning properly.

The GateKipas Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 outside of the student management module. If we discover that we have inadvertently collected personal information from a child under 13 without proper parental consent, we will promptly delete that information. For school-type businesses using the student management module to manage students who may be under 13, the business (school or educational institution) is solely responsible for obtaining proper parental consent as required by COPPA, FERPA, and any other applicable child privacy laws. If you believe we have collected information from a child under 13 without proper consent, please contact us at support@gatekipas.com.

GateKipas serves businesses internationally. All data is stored on servers located in the United States (East US region). By using the Service, you consent to the transfer of your data to and processing of your data in the United States. GateKipas supports bilingual operation in English and French to serve international markets, including businesses in Canada and Francophone Africa. We ensure that appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

If you are a resident of California, you have certain rights under the California Consumer Privacy Act (CCPA), including: the right to know what categories of personal information we collect about you and how it is used; the right to request deletion of your personal information; the right to opt out of the sale of your personal information (GateKipas does not sell personal information); and the right to non-discrimination for exercising your privacy rights. To exercise any of these rights, please contact us at privacy@gatekipas.com. We will respond to verified requests within 45 days as required by the CCPA.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. For material changes, we will provide at least 30 days advance notice by sending an email to the address associated with your account and by posting a notice on the Service. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. For privacy-specific inquiries: privacy@gatekipas.com. For general support: support@gatekipas.com. LawTekno LLC is the legal entity operating the GateKipas service.