Privacy Policy
This policy covers how Punctual handles your data on this website (the marketing/landing site at welcome.punctualgroup.app and its subdomains). The full Privacy Policy covering the Punctual mobile and web app — including how we handle GPS, clock records, and worker data — will be published before the app launches, and will be a separate document.
If you only signed up to the waitlist, this is the relevant document.
Who we are
Punctual is operated by Kevin Li, trading as Punctual.
- Registered business: NSW, Australia
- ABN: TBD (registration in progress)
- Privacy contact: privacy@punctualgroup.app (provisioning in progress)
- General contact: hello@punctualgroup.app (provisioning in progress)
What this policy covers
This policy covers the marketing website only — every page served from welcome.punctualgroup.app and its subdomains except the future app subdomain. It does not cover:
- The Punctual mobile app (a separate Privacy Policy will be published before app launch)
- The Punctual web admin (same — separate document)
- Third-party services we link to (each has its own policy)
What data we collect on this website
Three things, each with a clear purpose:
1. Your email address
- When: only when you submit the waitlist signup form
- Why: to send you launch updates if you consent on the form
- Where stored: today, in Vercel function logs only (Phase 0a). When Resend and Supabase are wired (Phase 0b), your email will move to those services; this policy will be updated first
- Retention: until you unsubscribe (every email contains a one-click unsubscribe), or 24 months from collection if no email has ever been sent
2. Your IP address
- When: every request to the waitlist API endpoint
- Why: anti-abuse — we run a sliding-window rate limit (10 submissions per 10 minutes per IP) to keep the form from being abused by bots or scripts
- Where stored: Upstash Redis, US region
- Retention: maximum 10 minutes (the rate-limit window). After 10 minutes the entry expires automatically
3. Standard server logs
- What: timestamp, user-agent, response code, request path
- Why: debugging and security
- Where stored: Vercel’s edge log system
- Retention: per Vercel’s defaults (currently 30 days for free tier; we will note any change)
What data we do NOT collect on this website
- Your name
- Your phone number
- Your company or employer
- Your GPS or location
- Cookies for analytics or tracking — the marketing site is currently cookie-free
- Browser fingerprints
- Anything from the future Punctual app — the app doesn’t exist yet
Analytics
When the PUBLIC_PLAUSIBLE_DOMAIN environment variable is configured for a given deployment, this site loads Plausible Analytics, a privacy-respecting analytics platform, from a self-hosted Plausible Cloud instance:
- No cookies are set by Plausible
- No PII is collected (no email, no name, no precise IP — only first-octet for country-level geolocation)
- No cross-site tracking — Plausible does not share data with any third party
- No fingerprinting — Plausible doesn’t use browser fingerprinting, canvas tracking, or any persistent identifier
- Aggregated only — we see “X visitors from AU clicked Submit on the waitlist form”, never “alice@example.com from 203.0.113.42 did X”
You can verify this in Plausible’s own data policy.
When PUBLIC_PLAUSIBLE_DOMAIN is not set (e.g., local development or preview deployments), no analytics script loads at all and nothing is tracked.
The waitlist form fires a custom event — landing.hero.waitlist_submitted — when a submission succeeds. The event payload contains only the event name; no email, no IP, no token.
How we use your email
- Confirmation email (double opt-in per Spam Act 2003 — see Spam Act notice)
- Periodic launch updates — capped at 6 per year before launch
- A Founding Member invitation when early access opens — the first 30 paying businesses get 40% off the public Starter or Pro plan, locked as a percentage for as long as the subscription remains active. The offer closes once 30 slots are filled. See the Pricing section for the full Founding Member terms
That’s it. We do not sell, rent, swap, or share your email with third parties.
Sub-processors (third parties who may handle your data)
| Service | What for | Region |
|---|---|---|
| Vercel | Hosting + serverless functions + logs | Global edge (you may be served from US / EU / AU POPs) |
| Upstash Redis | Rate-limit storage | US |
| Resend (planned) | Email delivery | US |
| Supabase (planned) | Future durable email storage | AU |
Each of these has its own privacy policy. We chose them for security posture (SOC 2 where applicable) and for AU data residency where possible.
Your rights under the Australian Privacy Principles
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) give you specific rights:
- APP 12 — Access: you can ask what data we hold about you, and we’ll send it within 30 days
- APP 13 — Correction: you can ask us to correct anything inaccurate
- Right to deletion: you can ask us to delete your email and any associated logs at any time
To exercise any of these rights, email privacy@punctualgroup.app. We aim to respond within 7 business days.
If you’re unsatisfied with our response, you can complain to the Office of the Australian Information Commissioner at <oaic.gov.au>.
Security
- All data in transit is encrypted (TLS 1.3)
- Email and rate-limit data at rest is encrypted by the respective sub-processor (Upstash, Resend, Supabase) using their standard encryption
- Access to data is limited to the founder, Kevin Li
- We have no offline copies; everything is in the sub-processors above
International data transfers
Some sub-processors are in the US or EU. By using this website you consent to your data being transferred to and stored in those regions. We’ve selected services with strong contractual data-protection commitments.
Children
Punctual is not directed at users under 18, and we do not knowingly collect data from minors. If you believe a minor has submitted the form, email privacy@punctualgroup.app and we’ll delete the entry.
Changes to this policy
We’ll update the “Updated” date at the top whenever this changes. Material changes will be noted with a brief summary at the top of this page for 30 days.
Contact
For any privacy question, complaint, or data request:
- Email: privacy@punctualgroup.app
- Postal: TBD (will be added before public launch)
Effective date: 2026-05-15
Status: Draft pending Australian privacy-law solicitor review. Substantive review will be commissioned before public launch.