Legal

Terms of Service

Last updated 20 April 2026
Plain-English summary. RealAttend is face-based attendance software for small and medium businesses in South Africa. By signing up you agree to these terms. We aim to keep them simple, fair, and easy to exit. Biometrics are sensitive, so there's more detail in this doc than in a typical SaaS agreement - that's on purpose. If anything is unclear or seems unfair, drop us a note and we'll try to improve it.

1. Who we are

RealAttend ("we", "us", "our") is a face-based attendance and payroll-sync service operating from South Africa. These terms form a binding agreement between you (the business customer, "you" or "Customer") and RealAttend. Our registered business details, physical address, and the full information required under section 43 of the Electronic Communications and Transactions Act, 2002 are published at realattend.co.za/legal/disclosures.

2. What the service does

A subscription to a web dashboard plus a mobile and tablet app that captures clock-in and clock-out events for your workers. The service includes geofenced sites, face matching via a third-party biometric matching provider (processed in a South Africa data region), and optional sync to third-party payroll systems where you configure them. Features may change - material changes are notified under section 21.

3. Your account

  • You are responsible for keeping your password and any device API keys secret. If you think an account or device has been compromised, revoke it from the dashboard immediately and contact support.
  • You must be at least 18 and authorised to enter contracts on behalf of your business.
  • One account per business. Don't share logins - each person who needs access should have their own.

4. Acceptable use

Don't do any of the following with RealAttend:

  • Enrol or collect biometric data from anyone without their informed consent (see section 5).
  • Use the service to track people outside the scope of lawful workplace attendance.
  • Attempt to break, reverse-engineer, scrape, or overload the service.
  • Re-sell access, or use a single subscription for multiple unrelated businesses.
  • Upload illegal content or content that infringes someone else's rights.

5. Biometric data, consent, and POPIA

Face templates are biometric information, which is "special personal information" under section 26 of the Protection of Personal Information Act, 2013 ("POPIA"). Processing is prohibited unless a section 27 exception applies. RealAttend processes biometric information on the lawful basis of the data subject's consent under section 27(1)(a) of POPIA.

The Customer is the Responsible Party for its workers' personal information. RealAttend is the Operator, acting only on the Customer's documented instructions. This means:

  • The Customer must obtain and record each worker's informed, specific, and voluntary consent before enrolment. RealAttend provides a consent-capture flow in the tablet app to make this easy - the Customer must use it, or an equivalent documented process.
  • The Customer must be able to justify the necessity of using biometrics over less intrusive alternatives (such as PIN codes or manual registers), and must offer a non-biometric clock-in option to any worker who declines biometric enrolment.
  • Workers may withdraw consent at any time. On withdrawal, the Customer must mark the worker inactive in the dashboard; RealAttend will then delete the face template as described in section 7.
  • The Customer must notify workers of the matters listed in POPIA section 18, including: the identity and contact details of the Responsible Party, the purpose of collection, whether supply is voluntary or mandatory, the consequences of refusal, the recipients of the information (including RealAttend and any payroll sub-processors listed in section 6), the right to object, and the right to lodge a complaint with the Information Regulator (details in section 24).

6. Roles, sub-processors, and your data

  • Tenant data ownership. Your tenant data - workers, attendance events, photos, face templates, site definitions, reports - belongs to you. You can export it at any time from the dashboard.
  • Operator obligations. RealAttend processes personal information only on your documented instructions and in line with sections 20 and 21 of POPIA. We will assist you with data-subject requests (access, correction, deletion, objection) and your broader POPIA compliance obligations.
  • Categories of sub-processor we use:
    • Biometric matching provider - face matching, processed in a South Africa data region.
    • Cloud hosting and encrypted object-storage providers - server hosting and check-in / enrolment photo storage.
    • Transactional email provider - signup, password reset, invites.
    • Subscription payments provider - when billing is enabled.
    • Bot-protection provider - on the public contact form only.
    • Third-party payroll integrations of your choosing - only where you enable payroll sync.

    We use a small number of named vendors within each of these categories. Vendor names are kept internal as a security and operational matter, in line with standard South African practice. On reasonable written request, and where you have a legitimate compliance reason, we will share the current named list under NDA.

  • Adding or changing sub-processor categories. We'll give you at least 30 days' email notice before introducing a new category of sub-processor that processes your biometric or personal information. Vendor swaps within an existing category (e.g. swapping one cloud-hosting provider for another in the same data region) do not require notice. If we change a category and you reasonably object, you may terminate the affected portion of the service without penalty.
  • No training, no sale. We will never use your workers' faces or any face templates to train our own or anyone else's models. We will never sell, rent, or disclose your data to advertisers or data brokers.

7. Retention, deletion, and data subject rights

  • Face templates. Deleted when the worker is marked inactive in the dashboard - for example, employment ends or consent is withdrawn. Deletion is permanent and applies to backups within the next backup rotation cycle.
  • Attendance events and tenant data. Retained for the life of your subscription. On termination, we keep data for a 30-day grace period in case you return, then delete it.
  • Data subject requests. Workers contact you as the Responsible Party. You raise the request with us through the dashboard or contact form, and we'll action access, correction, or deletion within a reasonable time - typically 5 working days.
  • Export format and window. On termination or on request, you can export tenant data as CSV (tabular data) and JSON (structured data) for up to 30 days after termination.

8. Security and data breaches

  • All data is encrypted in transit (TLS) and at rest. Face templates are stored encrypted and partitioned from other tenant data.
  • Access is controlled by role, logged, and reviewed periodically.
  • If we become aware of a security compromise affecting your personal information, we will notify you as soon as reasonably possible, with the information you need to meet your own notification obligations to affected data subjects and the Information Regulator under POPIA section 22.

9. Cross-border processing

Biometric processing currently takes place in a South Africa data region, so no cross-border transfer of face templates under POPIA section 72 occurs. If this changes, we'll give you at least 30 days' email notice before any new region goes live, and you may terminate the affected portion of the service without penalty if you don't accept the new arrangement.

10. Your responsibilities

  • Obtain lawful consent from each worker before enrolment, using the RealAttend consent flow or an equivalent documented process.
  • Notify workers of everything required under POPIA section 18 (see section 5).
  • Document your necessity justification for using biometrics.
  • Offer a non-biometric clock-in alternative to any worker who declines biometric enrolment.
  • Designate your own Information Officer (or Deputy Information Officer) as required by POPIA, and make your PAIA manual available to data subjects.
  • Pay subscription fees on time. If a payment fails we'll email you; after 14 days of non-payment we may suspend the account.
  • Keep your device OS and the RealAttend app up to date.

11. Our responsibilities

  • Provide the service with reasonable skill and care.
  • Aim for high uptime. Scheduled maintenance is announced in advance; unplanned outages are rare but do happen.
  • Maintain encryption, access controls, and backups.
  • Never sell your data or use worker face templates to train ML models.
  • Assist you with POPIA compliance as set out in sections 6, 7, and 8.

12. Pricing and billing

Current pricing is published at realattend.co.za/pricing. We may change pricing with at least 30 days' email notice. Subscriptions renew monthly or annually as chosen at signup. You can cancel at any time from the dashboard - cancellation takes effect at the end of the current billing period.

13. Suspension, termination, and exit

  • By you. Cancel any time from the dashboard. The subscription ends at the end of the current billing period.
  • By us, for non-payment. If a payment fails, we'll email you. After 14 days of non-payment we may suspend the account; after 60 days we may terminate it.
  • By us, for material breach. We may suspend or terminate immediately for breach of section 4 (acceptable use) or where we reasonably believe unlawful biometric collection is occurring. We'll tell you why.
  • Data export. You have 30 days from termination to export tenant data in CSV and JSON. After that, we delete your data, subject to backup rotation.
  • Face template deletion. Face templates are deleted at worker-inactive events as described in section 7, regardless of termination status.

14. Warranties and disclaimers

The service is provided "as is" and "as available". To the maximum extent permitted by law, we disclaim all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the service will be uninterrupted or error-free, or that face matching will be 100% accurate.

Beta features. From time to time we may offer features marked "beta", "preview", or "experimental". These are excluded from any uptime or availability expectation and are provided on a best-effort basis.

15. Indemnity

You agree to indemnify and hold RealAttend harmless against third-party claims, including claims from your workers or the Information Regulator, arising from:

  • Your failure to obtain, record, or maintain valid worker consent.
  • Your failure to provide the notifications or alternatives required by POPIA.
  • Your use of the service outside the scope of these terms or applicable law.
  • Content or data you upload that infringes a third party's rights.

16. Liability cap

To the maximum extent allowed by South African law, RealAttend's total liability to you under these terms is capped at the fees you paid us in the 12 months before the claim. We are not liable for indirect, consequential, or lost-profit damages.

17. Intellectual property

We own the RealAttend software, brand, and related IP. You own your tenant data, including the face templates you cause to be created. Nothing in these terms transfers ownership of our IP to you, or of your data to us. You grant us only the licence needed to operate the service on your behalf.

18. Confidentiality

Each party will keep the other's non-public information confidential and use it only to perform or use the service. This obligation survives termination for three years.

19. Force majeure

Neither party is liable for delays or failures caused by events beyond its reasonable control - including load-shedding, natural disasters, cyber attacks on upstream providers, or government action. The affected party must notify the other and do what it reasonably can to minimise the impact.

20. Electronic communications and notices

You consent to receive notices from us by email at the address on your account. This constitutes valid written communication for purposes of the Electronic Communications and Transactions Act, 2002. You must keep that email address current.

21. Changes to these terms

We may update these terms occasionally. Material changes will be emailed to the address on file at least 14 days before they take effect. Continuing to use the service after that means you accept the new terms.

22. Consumer Protection Act

This service is sold to juristic persons (businesses). The Customer confirms that it is a juristic person and that the Consumer Protection Act, 2008 does not apply to this agreement under section 5(2)(b), either because the Customer's asset value or annual turnover exceeds the threshold determined by the Minister, or because the Customer otherwise falls outside the Act's application.

23. Governing law and disputes

These terms are governed by the laws of the Republic of South Africa. Any disputes are subject to the exclusive jurisdiction of the courts of South Africa. The parties will try to resolve disputes in good faith by email or a meeting before starting formal proceedings.

24. PAIA manual, Information Officer, and the Information Regulator

25. Contact

Questions, complaints, or just want to chat? Send us a message.

Note on this document. These are general-purpose terms written for clarity. They don't replace formal legal advice. If you are running RealAttend in a regulated environment or doing something unusual, get a South African attorney to review. We'll revise this document as the product matures.