ShiftMate — Privacy Policy
ShiftMate is a browser extension that helps users of the Keka HR platform clock in and out, take timed breaks, and view their attendance from the browser toolbar. This page explains exactly what data the extension touches and where that data lives.
Short version: ShiftMate has no servers. Everything runs locally in your browser, and the only network destination is Keka itself. Your data is not collected, sold, shared, or transmitted to the extension's author.
1. Data the extension handles
To do its job, ShiftMate handles the following pieces of data, all of which originate from your interaction with Keka:
- OIDC tokens (access token, refresh token, expiry, OIDC client_id) — issued by Keka's identity server to authenticate your API calls.
- Email and password — only when you choose to sign in through the extension's built-in login form. They are sent directly to Keka's login endpoint (app.keka.com) and are never retained by the extension after the request completes.
- Captcha response — submitted along with the password on Keka's request. Not retained.
- Attendance data (today's punches, recent workdays, totals) — fetched from Keka on demand to render the popup; not stored beyond what the popup needs to display.
- Active break state (start time, return time, duration) — stored locally so the countdown survives the popup closing.
- Keka tenant subdomain — read from the Subdomain cookie Keka itself sets on .keka.com, so the extension calls the correct API host.
2. Where this data is stored
All persistent data is written exclusively to chrome.storage.sync — Chrome's built-in, encrypted storage tied to your Google profile. Nothing is written to any external database, file, or remote server operated by the extension author.
3. Where this data is sent
The extension contacts the following hosts, all owned by Keka:
- https://app.keka.com — OIDC authentication endpoints (/connect/authorize, /connect/token, /Account/Login, /captcha).
- https://<your-subdomain>.keka.com — attendance APIs (clock in/out, daily and historical punch data, user profile, deploy config).
No other host is contacted. No data is sent to the author, to analytics services, to advertising networks, or to any third party.
4. What the extension does not do
- It does not run any analytics, telemetry, crash reporting, or remote logging.
- It does not load or execute remote code. All extension code is bundled in the package.
- It does not read tabs, cookies, or storage from non-Keka domains.
- It does not sell, share, or transfer your data to anyone.
- It does not display advertising and is not monetized.
5. Permissions, briefly explained
- storage — keep tokens and break state across popup opens.
- alarms — fire the auto clock-in at the end of a timed break, and refresh the toolbar badge once a minute.
- notifications — confirm whether the post-break auto clock-in succeeded.
- tabs + scripting — detect an open Keka tab so you can sign in without copying tokens by hand.
- cookies — read the Keka-set Subdomain cookie to find your tenant.
- Host permissions on *.keka.com — required to call Keka's own APIs.
6. Your control
You can clear every piece of data ShiftMate has stored at any time via the popup's Settings → Reset Everything button, or by removing the extension from chrome://extensions/.
7. Children
ShiftMate is designed for adult employees of organisations that use Keka. It is not intended for use by children under 13.
8. Changes to this policy
If the extension's data handling ever changes, this page will be updated and the "Last updated" date at the top will change with it.
9. Contact
Questions or concerns: open an issue on GitHub.