Privacy Policy
Effective & last updated: May 2026
Welcome to Visitor Desk, a digital visitor-management platform consisting of a
web admin panel and an Android app. This Privacy Policy explains what
information we collect, how we use it, and the choices you have. It applies to both surfaces of the
platform and to anyone who signs up, signs in, or visits a site managed with Visitor Desk.
Our two privacy modes — at a glance.
Standalone (no business code): visitor data stays on the device; optional Google Drive backup is to your personal Drive.
Attached (approved business): visitor data syncs to your organisation's backend over HTTPS and is visible to the desk manager who controls that business.
1. Who we are
Visitor Desk is operated by Black & White Studio. When you use the web admin
panel as an owner/manager, we (the operator) are the data controller for your account. When the app
is used by staff on behalf of a business, the desk manager who created the business is the
controller of the visitor records that flow into that business; we act as a processor for those
records.
2. Information we collect
a) Web admin account information
- Full name, email, phone
- Company / organisation name and address
- Password (stored as a salted hash — never in plaintext)
- Session cookies for keeping you signed in
- Subscription state and renewal date
b) Android sign-in (Google)
- Google ID, name, email, profile photo URL
- Access token, refresh token, and token lifetime (used for silent refresh so you stay signed in)
c) Profile information you provide
- Phone number and optional alternate phone
- Address (optional)
- Business type
d) Device information
- Device ID and device name
- Android version and app version
- Local database size (helps us monitor sync health)
- "Last seen" timestamp (so the desk manager knows the device is active)
e) Business & site data (created by the manager)
- Business name, contact person, contact number, address
- Auto-generated unique business code (e.g. BZ-NXCE2M)
- Destinations (flats, offices, gates, etc.) with optional contact details
- App-user membership records (approved / pending / rejected / cancelled)
f) Visitor records (entered by front-desk staff)
- Visitor name, phone number, destination
- Optional: visitor photo, ID number, purpose, vehicle, company, notes
- Entry time, exit time, QR code data
- Incident / security notes added to a visitor
g) Visitor card data (regular-visitor passes)
- Cardholder name, phone, company, designation, ID number, photo, notes
- Auto-generated card number and QR payload
- Validity window (date and time, or "no expiry")
- Entry limit (capped or unlimited) and entry-count usage
- Card status: Active / Scheduled / Expired / Used up / Revoked
- List of business areas the card is authorised for
3. How we use information
- Authenticate your account and keep your session secure
- Record and manage visitor entry and exit
- Track active visitors and detect overstays
- Provide search, history, and reporting across the businesses you manage
- Process approve/reject decisions on app-user join requests
- Issue, validate, revoke, and re-activate QR visitor cards
- Synchronise records between the Android app and your business backend
- Maintain app stability, security, and abuse prevention
- Send essential service messages (e.g. subscription renewal, force update)
4. Offline-first & local storage
The Android app is offline-first. Visitor entries, exits, destinations, incident
logs, and history are first written to a local Room database on the device. Most
features — entry, exit, search, history, QR generation — work fully without an internet connection.
Important: if you choose to run the app without attaching to a business, your
data lives only on the device (and in your own Drive backup, if you create one). It is not visible to
any organisation and not protected by our server-side backups. See our offline-only risk guide.
5. Cloud sync & business attachment
To sync records to a business, an app user submits the manager's business code. The
manager then explicitly approves, rejects, or later cancels the membership.
- Only an approved member can upload data.
- Each sync batch carries the business code and a unique batch ID.
- Records are uploaded to the backend over HTTPS.
- Detaching a user immediately stops further sync from their device.
- Pending or rejected users keep working locally — but their data is not pushed.
6. QR visitor cards
Visitor cards are created by the desk manager in the web admin. Each card carries a unique QR code
and identifying details of the cardholder. When the QR is scanned at the front desk, the server
records an entry or exit, enforces the card's validity window and entry limit, and returns the
result to the device.
- QR card creation requires the cardholder's consent for the personal data shown on the card.
- Scanned card events (entry/exit timestamps, who scanned, where) are stored on the business backend.
- Managers can revoke a card at any time — the QR stops being accepted immediately.
7. Google Drive backup (standalone only)
When the app is not attached to a business, Settings exposes a Google Drive
backup option. This writes a JSON snapshot of your local database to your own Google
Drive (app-data folder) using the drive.appdata scope. We never see the
contents of these backups. When the app is attached to a business, this option is hidden because
the business backend is the source of truth.
8. ONLINE / OFFLINE mode
The desk manager can set each app user to ONLINE or OFFLINE mode:
- ONLINE: entries, exits, destinations, and incidents are sent to the backend in real time and not retained on the device beyond what the app needs to function.
- OFFLINE: data is stored on the device until the user taps "Sync now", at which point it is uploaded in a batch.
When the app starts or resumes its dashboard, it makes a lightweight call to the backend to refresh
the user's mode and the active business code. This call also updates the user's "last seen"
timestamp visible to the manager.
9. Camera & QR permissions
The Android app requests camera access to capture visitor photos and to scan
QR codes (entry/exit, visitor cards). The permission is used only for these features and only
while you actively use them. Photos are stored locally and, where applicable, synced with the
related visitor record.
10. Data sharing & third parties
We do not sell your personal information or visitor data. Limited data is processed
by trusted infrastructure or service providers strictly to operate the platform:
- Google Sign-In & Google Play Services — Android authentication and token refresh.
- Google Drive — only when you initiate a personal Drive backup.
- Hosting / cloud infrastructure — to operate the web admin and sync backend.
- Firebase (Remote Config, Crashlytics, Analytics) — for configuration, crash reports, and basic usage analytics. Crash and analytics reporting may be opted out of via app settings.
Visitor profiles can be shared by you through other apps (WhatsApp, SMS, email) as text,
image cards, or QR codes. Once shared, the destination app and its policies govern that copy.
11. Data security
- All backend communication is over HTTPS only.
- Web admin sessions use server-side session cookies; passwords are stored only as salted hashes.
- Android sign-in uses Google's Credential Manager API with refresh tokens stored in encrypted preferences.
- Each sync request is validated against the user's membership status, business code, and device.
- Approval gating, card revocation, and member detachment all take effect immediately at the next request.
12. Data retention & deletion
- Local data stays on the device until you delete a record, uninstall the app, or restore from a backup.
- Synced records are retained on the business backend according to your organisation's needs. Deleted records use soft-delete (deletedAt) so the system can resolve sync correctly across devices.
- Account closure: contact us to close your account. We will delete or anonymise your account data within a reasonable period, subject to legal retention requirements.
13. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your
personal data, and to object to or restrict certain processing. To exercise these rights for data we
directly control, contact us using the address below. For visitor records held by a business that
uses our platform, please contact the desk manager of that business — they are the controller of
those records.
14. Children's privacy
Visitor Desk is intended for use by reception, security, and administrative staff. The app and
admin are not directed at children under 13, and we do not knowingly collect data from them.
15. Changes to this policy & contact
We may update this Privacy Policy from time to time. Material changes will be highlighted in the
app or admin. The "last updated" date at the top reflects the latest revision.
Questions or requests? Email info@blacknwhiteStudio.com.