Back to home
Privacy Policy

Your data, your privacy

GeoMark collects only what is necessary to verify attendance. We do not sell data, track you continuously, or share your information with third parties.

Last updated: May 2026

Information We Collect

We collect information you provide when creating an account: your name, email address, matric number (students), and role access codes. When you mark attendance, we automatically collect GPS coordinates at the moment of the scan, device fingerprint data (canvas rendering, WebGL, screen resolution), your IP address, and browser user-agent string. This data is collected solely to verify legitimate, in-person attendance.

How We Use Your Information

Your information is used to: (a) verify your identity and authenticate sessions; (b) validate GPS location against the classroom geofence; (c) detect fraudulent patterns such as GPS spoofing and device sharing; (d) generate attendance records and reports for authorised lecturers and administrators; (e) maintain security logs for audit purposes. We do not sell or share your personal data with third parties for marketing.

Data Storage and Security

All data is stored in encrypted MongoDB databases. Passwords are hashed using bcrypt with 12 salt rounds — never stored in plain text. QR tokens are signed with HMAC-SHA256 and expire within 30 seconds. Session tokens use JWT with a 30-day maximum age. All data in transit is protected by TLS encryption. Access to the database is restricted to the application server only.

Location Data

GPS coordinates are collected only at the moment of QR code scanning and are not tracked continuously. Location data is stored as part of the attendance record and used solely to verify proximity to the registered classroom. Your coordinates are never shared with third parties and are visible only to authorised instructors and administrators for that course.

Data Retention

Attendance records are retained for the academic period during which they were created, plus up to three years for audit and accreditation purposes. Notifications are automatically deleted after 30 days. You may request deletion of your account and associated data at any time by contacting your institution administrator.

Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you, request correction of inaccurate data, request deletion of your account and records, object to certain processing, and export your data in a portable format. To exercise any of these rights, contact your institution's GeoMark administrator.

Cookies and Sessions

GeoMark uses HTTP-only session cookies to maintain authenticated sessions. These cookies are strictly necessary for the platform to function. We do not use third-party tracking or advertising cookies. Session tokens expire after 30 days of inactivity.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting a notice on the platform. Continued use of GeoMark after such changes constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or our data practices, please contact the GeoMark team through your institution's administrator portal, or reach out via the contact details provided during onboarding.