XForce
EN عربي
Back to home

Privacy Policy

Last updated:

This Privacy Policy explains how XForce handles personal information when you use our HR operating system, web admin panels, and mobile applications (together, the “Service”). We comply with the Egyptian Personal Data Protection Law No. 151 of 2020 and draw on internationally recognised principles, including those reflected in the EU GDPR.

Two roles you should understand. XForce acts as a data controller for the small set of information we receive directly to provide and run the Service (for example, your account credentials and billing details). For the much larger set of HR data that an employer enters about its workforce — salaries, attendance, leave, contracts, identification documents — XForce acts as a data processor. The employer is the controller of that data and decides what is uploaded, who can see it, and how long it is retained. XForce only stores and processes it as instructed by the employer.

1. Who we are

XForce is an HR software-as-a-service platform that helps companies manage employee records, attendance, leave, payroll, and loans. For any privacy-related question, contact us at privacy@xforcehr.com.

2. Information we receive

From you (when you create or use a XForce account)

  • Account credentials: name, email address, phone number, hashed password, optional two-factor authentication secret.
  • Profile basics: avatar, role, branch, language preference.

From the subscribing employer (for billing)

  • Organisation name, billing contact, tax ID.
  • Subscription plan, billing cycle, payment method tokens. We do not store full card numbers; payment data is tokenised by our payment processor.

From your mobile device (only when you use the XForce app)

  • Device push token (Firebase Cloud Messaging), device model, OS version, app version, IP address, timezone.
  • Geolocation captured at check-in / check-out only if your employer has enabled geofencing.
  • Biometric authentication result (pass/fail only) — if you enable fingerprint or Face ID app unlock, your biometric template is stored and matched entirely within your device’s secure hardware enclave. XForce only receives a pass/fail signal from the operating system and never stores or transmits biometric data.

Automatically (security and operations)

  • Server logs — IP address, user-agent, request paths, timestamps — used for security, abuse prevention, and debugging.
  • An audit log of significant actions inside your workspace (creations, updates, deletions).

3. HR data uploaded by employers

The Service is a platform that lets employers manage their workforce. Your employer enters or records information in XForce — for example, your job title, salary, attendance check-ins, leave balances, contracts, and identification documents. XForce does not actively collect this data; it is uploaded or generated by your employer in the course of using the Service, and XForce stores and processes it strictly on the employer’s behalf as a data processor. Some employer-uploaded data (such as identification documents and financial records) may constitute sensitive personal data under Egyptian Law 151/2020, and XForce applies technical and contractual measures appropriate to that classification.

If you are an employee, your employer is the controller of this data. Questions about your specific HR records (what is stored about you, who can see it, how long it is retained) should be directed to your employer’s HR team. We will support the employer in responding.

4. Why we process this information

  • Performance of contract: to deliver the features the customer subscribed to.
  • Legal obligation: issuing tax invoices and supporting employer compliance with Egyptian Labor Law, Social Insurance Law, and Tax Law.
  • Legitimate interest: security monitoring, fraud detection, and product improvement using aggregated, non-identifying data.
  • Consent: for optional product newsletters and marketing emails — you can withdraw at any time.

5. How long we keep information

  • Employer-uploaded HR data: retained while the employer’s subscription is active and for the period required by the employer’s legal obligations under Egyptian Labor Law, Social Insurance Law, and Tax Law. The employer controls deletion through XForce.
  • User account data: personal data (name, email, phone, profile) is purged within 30 days of account deletion. Account identifiers are retained for up to 90 days for audit and dispute resolution, then deleted.
  • Mobile push tokens, notification preferences: removed immediately on account deletion or device unregistration.
  • Server logs: 90 days, except where a longer period is necessary for an open security incident.

6. Who we share information with

XForce does not sell personal data. We share data only with vetted third-party processors who help us deliver the Service, and only to the extent necessary. Categories of subprocessor:

  • Cloud hosting — hosts the application and the customer database.
  • Push notifications — Google Firebase Cloud Messaging, used to deliver mobile push notifications.
  • Transactional email — for account-related emails (password reset, alerts).
  • SMS / WhatsApp — for OTP and operational notifications when enabled.
  • Payment processing — for XForce subscription billing only; no employee payroll data is sent to the payment processor.

Some of these subprocessors (notably Firebase/Google) operate outside Egypt. Data transferred internationally is encrypted in transit and protected by standard contractual clauses or equivalent safeguards recognised under Egyptian Law 151/2020 Art. 12.

7. How we keep information safe

  • Encryption in transit (TLS 1.2+) and at rest (database and backup encryption).
  • Per-employer database schema isolation: each company’s data lives in a separate PostgreSQL schema.
  • Role-based access control with optional two-factor authentication.
  • Rate limiting and brute-force protection on authentication endpoints.
  • Audit logging of sensitive actions; security review of new releases.

In the event of a personal data breach, XForce will notify the Personal Data Protection Centre (PDPC) and affected parties without undue delay in accordance with Egyptian Law 151/2020. To report a suspected security issue, contact security@xforcehr.com.

8. Your rights

Under Egyptian Law 151/2020 and equivalent regimes you have rights of access, correction, deletion, restriction, portability, objection, and withdrawal of consent.

If you are an employee, requests about your HR records should generally go to your employer (the controller). Requests that concern XForce directly — for example, deleting your mobile-app account — can be sent to privacy@xforcehr.com. If you are unable to reach your employer’s HR team, contact us directly and we will assist. We respond within 30 days and may ask you to verify your identity first.

9. Account deletion

Mobile-app users can delete their XForce account from Settings → Account → Delete account. Confirmation requires re-entering your password. On confirmation:

  • All active sessions and access tokens are revoked across every device.
  • The account is marked as deleted and can no longer authenticate.
  • Mobile push tokens and notification preferences are removed immediately.
  • Personal data (name, email address, phone number, profile) is permanently purged within 30 days. Account identifiers may be retained for up to 90 days solely for audit and dispute resolution, after which they are deleted.
  • HR records that relate to your employment (attendance, leave, payroll) are retained by your employer, which is the data controller and is bound by Egyptian labor and tax retention laws.

No mobile-app access? Email privacy@xforcehr.com and we will process the request manually.

10. Children’s data

XForce is not directed at children under 18. We do not knowingly create accounts for minors. If you believe a minor has registered, contact us and we will remove the account.

11. Cookies

We use only essential cookies (sign-in sessions, CSRF protection, language preference). We do not currently use third-party analytics on the marketing site or admin panels. Blocking cookies in your browser may break sign-in.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes are notified to active customer administrators by email at least 14 days in advance, and the date at the top of this page reflects the latest version.

13. Contact

For any privacy or legal questions, contact us at support@xforcehr.com.