Skip to content
Legal

Privacy Policy

Effective date: March 1, 2026  ·  Last updated: March 1, 2026

TurnoutHQ, Inc. ("TurnoutHQ," "we," "us," or "our") operates the TurnoutHQ web platform and the Attendly mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Contents

  1. 1. Information We Collect
  2. 2. How We Use Your Information
  3. 3. How We Share Your Information
  4. 4. Mobile Application (Attendly)
  5. 5. Cookies and Tracking Technologies
  6. 6. Data Retention
  7. 7. Security
  8. 8. Your Rights and Choices
  9. 9. Children's Privacy
  10. 10. International Transfers
  11. 11. Changes to This Policy
  12. 12. Contact Us
1

Information We Collect

Information You Provide Directly

  • Account information: name, email address, phone number, password, and role (staff, volunteer, etc.) when you register or are added to an organization.
  • Organization information: organization name, timezone, locale, and configuration settings entered by administrators.
  • Attendance and check-in data: session attendance records, enrollment status, check-in timestamps, and check-in method (QR code, NFC badge, manual).
  • Profile photos and session photos: images uploaded or captured through the application.
  • Communications: messages, notes, or other content you submit through the Service.
  • Phone number for SMS: when you provide a phone number, we use it to send verification codes, attendance notifications, and bulk messages configured by your organization. Standard message and data rates may apply.

Information Collected Automatically

  • Log and usage data: IP address, browser type, pages visited, time spent, referring URLs, and other standard server log information.
  • Device information: device model, operating system version, and unique device identifiers for mobile applications.
  • Authentication tokens: session tokens and OAuth tokens used to keep you signed in.
  • Audit logs: records of administrative actions and API calls for security and compliance purposes.

Information from Third Parties

  • OAuth providers: if you sign in with Google, we receive your name, email address, and profile picture from your Google account.
  • Registration integrations: data submitted through connected registration forms (e.g., Google Forms) may be imported into the Service.
2

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including processing check-ins, managing attendance records, and sending automated notifications.
  • Authenticate your identity and maintain the security of your account.
  • Generate attendance reports, analytics, and insights for organization administrators.
  • Send transactional communications such as verification codes, approval notifications, and system alerts.
  • Fulfill automated workflow actions configured by your organization (e.g., follow-up messages triggered by attendance events).
  • Detect and prevent fraud, abuse, and unauthorized access.
  • Comply with legal obligations and enforce our terms.
  • Improve and develop the Service based on aggregate usage patterns.
3

How We Share Your Information

We do not sell your personal information. We share information only in these limited circumstances:

  • Within your organization: administrators and staff members of your organization can view attendance records, profiles, and reports for members of that organization.
  • Service providers: we use vetted third-party vendors to help operate the Service (e.g., cloud hosting, email/SMS delivery, analytics). These vendors access your data only to perform services on our behalf and are bound by confidentiality agreements.
  • Business transfers: if TurnoutHQ is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
  • Legal requirements: we may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of TurnoutHQ, our users, or others.
  • With your consent: we will share information for any other purpose with your explicit consent.
4

Mobile Application (Attendly)

The Attendly mobile app (Android) functions as a kiosk check-in device for organizations. It requests the following device permissions:

  • Camera: used to scan QR codes for attendee check-in and to capture session photos. Camera access is active only while the scanning interface is open.
  • NFC (Near Field Communication): used to read NFC-enabled badges for contactless check-in. NFC data is read-only and is not written to or stored on badges.
  • Local storage (encrypted): the app stores attendance data locally in an encrypted database when the device is offline. This data is synced to our servers when connectivity is restored and then removed from local storage per your organization's retention settings.
  • Network access: used to sync data with TurnoutHQ servers and to authenticate kiosk devices.

The Attendly app does not transmit camera or NFC data to third parties. All captured data is sent only to your organization's TurnoutHQ account.

5

Cookies and Tracking Technologies

We use the following technologies to operate and improve the Service:

  • Session cookies: set when you sign in to maintain your authenticated session. These are deleted when you sign out or close your browser.
  • Preference storage (localStorage): we store your UI preferences such as theme (light/dark mode) and language in your browser's local storage. This data stays on your device and is not transmitted to our servers.
  • CSRF tokens: short-lived tokens included in forms to protect against cross-site request forgery. These are not used for tracking.
  • No third-party advertising trackers: we do not use advertising cookies, third-party pixel trackers, or cross-site tracking technologies.

Most browsers allow you to control cookies through their settings. Disabling session cookies will prevent you from signing in to the Service.

6

Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained for the lifetime of your organization's account and for up to 90 days after account closure, after which it is permanently deleted.
  • Attendance records are retained for as long as configured by your organization administrator (default: indefinitely while the account is active).
  • Audit logs are retained for 12 months for security and compliance purposes.
  • Backups may persist for up to 30 additional days after deletion before being purged from backup systems.

You may request deletion of your personal data at any time (see Your Rights).

7

Security

We implement industry-standard technical and organizational measures to protect your information, including:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of sensitive data at rest (including local mobile storage using AES-256).
  • Hashed password storage (bcrypt) — we never store passwords in plain text.
  • Two-factor authentication (TOTP) available for all accounts.
  • Role-based access controls that limit data access to authorized personnel only.
  • Regular security reviews and audit logging of sensitive operations.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach, we will notify affected users as required by applicable law.

8

Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate or incomplete personal data.
  • Deletion: request that we delete your personal data, subject to legal retention requirements.
  • Portability: request a machine-readable export of your personal data.
  • Objection / Restriction: object to or request restriction of certain processing activities.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@turnouthq.ai. We will respond within 30 days. Note that some requests may be subject to verification of identity and to limitations under applicable law.

To request deletion of your Attendly account and associated data, you may also use our Account Deletion Request form.

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

EEA / UK residents have rights under the General Data Protection Regulation (GDPR). Our lawful basis for processing is typically performance of a contract (providing the Service) and legitimate interests (security, fraud prevention, service improvement).

9

Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@turnouthq.ai and we will promptly delete such information.

Organizations using TurnoutHQ to track attendance of minors (e.g., children's ministry) are responsible for obtaining appropriate parental consent in accordance with applicable laws in their jurisdiction.

10

International Data Transfers

TurnoutHQ is operated in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We take steps to ensure that transferred data receives adequate protection consistent with this Privacy Policy and applicable law.

South Korea (PIPA): For users in South Korea, we process personal data in accordance with the Personal Information Protection Act (개인정보 보호법, PIPA). You have the right to request access, correction, deletion, and suspension of processing of your personal data. To exercise these rights, contact us at privacy@turnouthq.ai.

11

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending an email notification or displaying an in-app notice. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

We encourage you to review this policy periodically to stay informed about how we protect your information.

12

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Peoply, Inc.

Toronto, Ontario, Canada

support@turnouthq.ai

We aim to respond to all privacy inquiries within 30 days. For urgent security concerns, please include "URGENT" in your subject line.

This Privacy Policy is governed by our Terms of Service.

© 2026 TurnoutHQ, Inc. All rights reserved.  ·  Privacy Policy