Timebutler Data Protection and Security
Your data safety is our top priority. Find out how Timebutler keeps your data secure.
Only Secure Communication
Your communication with our server is fully secure, thanks to SSL encryption. Our software ensures that all data transfers use this encrypted SSL connection, preventing unauthorised access. You can verify this by checking for “https://” in your browser’s address bar. SSL encryption meets the same security standards used in online banking.
Your Data in the Certified Data Centre
Timebutler is operated in a secure, high-performance data centre near Frankfurt am Main, Germany. Your data always remains within the jurisdiction of the EU General Data Protection Regulation (GDPR). The certified data centre adheres to the highest standards for failover and access security and is powered by electricity from renewable sources.
Automatic Data Backup
While we have automatic backups, we perform manual data backups continuously as an additional layer of security. This allows for rapid recovery even in the unlikely event of a hardware failure.
No Transfer of Data to Third Parties
Your personal data will never be passed on to third parties. We use your email address exclusively to manage absences and, of course, never share it with third parties.
Data Protection According to the EU General Data Protection Regulation
This information is valid for users of this website and customers of the service provider.
1. Notes on Data Protection
We are aware of the importance of the personal data you entrust to us. We consider ensuring the confidentiality of your data to be one of our most important tasks. Regarding all aspects of data protection, the following applies:
- Timebutler provides you and your company with an online time tracker to enter, view, modify, and delete data as needed.
- Our services do not require any of our employees to view, modify, edit, or delete your data. Therefore, we do not come into personal, direct contact with your data; you alone have control over it.
Read further to find out what measures we have put in place to protect your privacy.
2. Who is Responsible for Data Processing and Who Can You Contact?
The provider of these websites (hereinafter referred to as “provider” or “we/us”) is responsible for data protection:
Timebutler GmbH
Rathausgasse 1
12529 Schönefeld
Germany
Register court: District Court of Cottbus.
Registration number: HRB 18094 CB.
The provider offers software accessible via the Internet at www.app.timebutler.com (hereinafter referred to as “Timebutler” or “Software”). For all questions regarding data protection, you can contact us as follows:
Email: datenschutz@app.timebutler.com
Contact form: Contact us here
Phone: 06123 – 503891
3. Which Sources and Data Are Used
With Timebutler, we provide a tool for entering, editing, managing, evaluating, and tracking vacation, absence, and working time entries, as well as personnel data, including salary information (digital personnel file), for one or more employees. The software allows for settings such as individual holiday schedules, weekly working days, rights management, corporate design settings, and more.
Timebutler users can set up personal user accounts in accordance with the Terms of Use, whose data will be processed and managed automatically by Timebutler.
We, therefore, process personal data that we receive as part of your use of Timebutler. The data is entered via the input masks provided by Timebutler and processed automatically by Timebutler without any influence or review by any of our employees.
Relevant personal data that we receive when using app.timebutler.com may include: name, business address and other contact details (telephone, email address), title, date of birth, gender, employee number, cost centre, preferred language for using the software, affiliation to a company branch, affiliation to a company department, assignment to superiors, absence information, vacation data and vacation entitlement data, working time entries, profile picture, weekly working days, public holiday regulations, salary information, individual data fields in the digital personnel file.
4. What is Your Data Processed for (Purpose of Processing), and on What Legal Basis?
The processing of personal data can be based on various legal bases. If we need your data to fulfil a contract with you or to answer your inquiries regarding a contract, the legal basis for this data processing is Art. 6 (1) (b) GDPR. If we obtain your consent for a specific data processing operation, the legal basis is Art. 6 (1) (a) GDPR. We carry out some data processing on the basis of our legitimate interest, whereby a balance is always struck between your interests worthy of protection and our legitimate interests. The legal basis for this is Art. 6 (1) (f) GDPR. If processing is necessary to fulfil a legal obligation to which we are subject, the legal basis is Art. 6 (1) (c) GDPR.
5. What Data is Processed When the Website is Accessed?
If you use the website for informational purposes only, i.e. if you do not contact us via the online form or otherwise provide us with information, we collect the following technical information (log file data):
- Operating system of the device you use to visit our website.
- Browser (type, version, and language settings).
- The amount of data retrieved.
- The current IP address of the device you use to visit our website.
- Date and time of access.
- The URL of the previously visited website (referrer).
- The URL of the (sub) page you access on the website.
- The Internet service provider of the accessing system.
The collection of this data is technically necessary to display our website to you and to ensure stability and security. We (and our service provider) generally do not know who is behind an IP address. We do not combine the above-mentioned data with other data.
The legal basis is Art. 6 (1) (f) GDPR. Since the collection of data to provide the website and its storage in log files are absolutely necessary for the operation of the website and to protect against misuse, our legitimate interest in data processing prevails at this point.
6. What Data is Processed When Contacting Us Via Email or the Contact Form?
When you contact us by email or via a contact form, the data you provide (your email address, if applicable, your name and telephone number) will be stored by us in order to answer your questions and process your concerns. The legal basis for this is Art. 6 (1) (f) GDPR.
If we request information via our contact form that is not required to establish contact, we have always marked it as optional. This information helps us specify your inquiry and process your request more effectively. It is provided expressly on a voluntary basis and with your consent, Art. 6 (1) (a) GDPR.
If this information relates to communication channels (e.g. email address, telephone number), you also consent to us contacting you via this communication channel if necessary to answer your concern. You can, of course, revoke this consent at any time in the future.
We will delete your data once it is no longer needed for the purpose it was collected. This typically happens after we have fully processed your request and no further communication is required or requested.
7. Who Receives the Data?
The data is entered, edited, modified, or deleted by the user in Timebutler. The provider’s employees have the technical ability to view, modify, or delete the entered data, but they do not access the data without express and prior authorisation from the user. A user authorisation to view, modify, add, or delete data may be given, for example, in the following cases:
- If the user needs support clarifying open questions about the functionality of Timebutler.
- If the user specifically requests a change in certain data.
- For information about the stored personal data of a user.
8. Is Data Transmitted to Third Parties?
User data for usage purposes is transmitted securely as follows:
- Timebutler is operated in a secure, high-performance data centre near Frankfurt am Main, Germany. The data centre provider only provides the infrastructure, such as computing capacity, internet connection, and storage space, but does not access or process personal data.
- Payment and billing information for processing orders and payment transactions, depending on the selected payment method:
- If you choose to pay by SEPA direct debit, the payment data will be transferred to the financial institution Deutsche Bank AG (Deutsche Bank AG, Taunusanlage 12, 60325 Frankfurt, Germany) to execute the direct debit.
- If you choose to pay via PayPal, you will be redirected to the online payment processing at PayPal (www.paypal.com, PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg) during the ordering process.
- If you choose to pay by credit card, you will be redirected to the online payment processing at MyCommerce / Share-It (MyCommerce Share-it – Digital River GmbH, Scheidtweilerstr. 4, 50933 Cologne, Germany) during the ordering process and the order data will be transferred to the order form.
- Timebutler uses the Single Sign-On feature (hereinafter “SSO”) from third-party providers to automatically log in to the Timebutler user account. If the user links their Timebutler user account with the user account of one of the SSO providers, a connection to the SSO provider’s server is established on the Timebutler user account login page. The Timebutler user can decide whether SSO should be activated and whether and to which provider data should be transferred. Data transfer only takes place if the Timebutler user has previously consented to the transfer. The SSO providers and the links to the SSO providers’ privacy policies are:
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (https://www.google.com/intl/de/policies/privacy/)
- Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (https://www.microsoft.com/privacy)
- Slack Technologies Limited, 4th Floor, One Park Place, Hatch Street Upper, Dublin 2, Ireland (https://slack.com/intl/de-de/privacy-policy)
You can disable the single sign-on feature for all your employees. To do so, log in to Timebutler as an admin and deactivate the “Link to social media providers” option in the global settings.
9. Is Data Transferred to a Third Country or to an International Organisation?
Data will not be transferred to countries outside the EU or EEA (so-called third countries), with the exception of the recipients mentioned above, for which each user must give their prior consent.
10. How Long Will the Data Be Stored?
We process and store your personal data as long as it is necessary to fulfill our contractual and legal obligations and as long as you use Timebutler.
You have the option to delete your data in Timebutler yourself at any time, without our assistance. Timebutler also offers a setting that allows you to specify the period after which Timebutler should delete the data fully automatically.
To ensure data security and recoverability in the event of a serious server failure, we automatically create backups of all data. The maximum retention period for backups is 14 calendar days. After this period, the backups are automatically deleted.
11. What Data Protection Rights Do You Have?
Every data subject has the right to information pursuant to Article 15 GDPR (EU General Data Protection Regulation), the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR, and the right to data portability pursuant to Article 20 GDPR. The restrictions set out in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right to information and the right to erasure. Furthermore, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the EU General Data Protection Regulation came into force, i.e., before May 25, 2018.
12. Is there an Obligation to Provide Data?
Entering data into Timebutler is voluntary and not mandatory. You decide which data you provide when using Timebutler. For technical and functional reasons, in some cases, the provision of data is required to use Timebutler. Timebutler will notify you when additional data is required to enter a record or execute a function.
13. Is There Automated Decision-Making (Including Profiling)?
We do not use automated decision-making in accordance with Article 22 GDPR for our business relationship. Profiling does not occur.
14. Are Cookies Used?
A cookie is a small piece of information that is transferred between your browser and an internet server used to deliver a website. Cookies are also transferred when you use Timebutler. Cookies that are necessary for the proper technical operation of Timebutler are stored and transferred.
For example, cookies are used to save your Timebutler login. Without cookies, your login cannot be saved, and you will be automatically logged out immediately after logging in, making it impossible to use Timebutler. We use the following cookies on both our website and in the Timebutler tool:
14.1. Consent Manager
For our Consent Management Tool (CMT) we use a service provided by consentmanager AB, Haltegelvägen 1b, 72348 Västerås, Sweden.
When you visit our website, you can submit declarations of consent via the CMT for individual data processing activities that the CMT will store. These are stored on your computer in the form of cookies.
You can access the CMT at any time via this link, check the settings, and see which services are integrated and which cookies are used.
When you reopen the website, cookies can be used to track which data processing and services you have consented to or not consented to. This way, you don’t have to adjust your cookie settings every time you visit. Of course, you can also change your selections later via the settings. You can access the settings at any time by clicking the checkmark icon in the bottom left corner of our website.
We use the CMT so that you can consent to various data processing operations and revoke the consent you have already given. We are legally obligated to obtain and document your consent. The legal basis for data processing by the CMT is Art. 6 (1) (f) GDPR – our legitimate interests in operating the website and providing interesting content. Further information on the CMT and data protection at consentmanager can be found at: https://www.consentmanager.net/de/datenschutz/
14.2. Google Tag Manager
For the sake of transparency, we would like to point out that we use Google Tag Manager. This is a tag management system for managing JavaScript and HTML tags, which is used to implement tracking and analysis tools. It is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The controller in the EU/EEA is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Google Tag Manager itself does not collect any personal data. It makes it easier for us to integrate and manage our tags. Tags are small pieces of code that are used, among other things, to measure traffic and visitor behaviour, track the impact of online advertising and social media channels, set up remarketing and audience targeting, and test and optimise websites. If you have opted out, Google Tag Manager will honor this opt-out.
Recipients of the data are:
- Google Ireland Limited, EU.
- Google LLC, USA.
- Alphabet Inc., USA.
This service may process data outside the European Union and the European Economic Area (EEA). The legal basis for this data processing is your consent. You have the option of revoking your consent once granted with future effect by changing your settings here. The legality of the data processing up to the point of revocation remains unaffected.
For further information about Google Tag Manager, please visit: https://www.google.com/intl/de/tagmanager/use-policy.html
14.3. Google Analytics
If you consent, we use Google Analytics, a web analysis service provided by Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Analytics uses cookies, which enable us to analyse your use of our website. The information collected through cookies about your use of this website is usually transferred to a Google server in the USA and stored there.
We use the ‘anonymiseIP’ function (so-called IP masking): Due to the activation of IP anonymisation on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your visit to the website, the following data is collected, among others:
- The pages you visit, your “click path.”
- Achievement of “website goals” (conversions, e.g., newsletter registrations or downloads).
- Your user behavior (e.g. clicks, dwell time, or bounce rates).
- Your approximate location (region).
- Your IP address (in abbreviated form).
- Technical information about your browser and the devices you use (e.g., language settings and screen resolution).
- Your internet provider.
- If applicable, the referrer URL (from which website/advertising medium you came to this website).
On behalf of the website operator, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.
The data recipient is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as the processor. We have concluded a data processing agreement with Google for this purpose. Google LLC, based in California, USA, and possibly US authorities may access the data stored by Google.
The data sent by us and linked to cookies will be automatically deleted after [insert period]. Data whose retention period has been reached is automatically deleted once a month.
You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address), and from processing this data, by:
A.) Not giving your consent to the cookie setting.
B.) Downloading and installing the browser add-on to deactivate Google Analytics.
You can also prevent cookies from being saved by selecting the appropriate settings in your browser. However, if you configure your browser to reject all cookies, some of the functionality on this and other websites may be restricted.
To prevent Universal Analytics from tracking your data across devices, you must opt out on all systems you use. Clicking here will set the opt-out cookie: Deactivate Google Analytics.
Further information on Google Analytics terms of use and Google’s privacy policy can be found at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de. The legal basis for this data processing is your consent, Art. 6 (1) (a) GDPR. You can revoke your consent at any time with future effect by opening the data protection settings in the bottom left (“shield”) and selecting the appropriate control.
15. How is Consent Given to the Processing of Personal Data?
By using Timebutler, and in particular, when registering a new user, you consent to the processing of personal data in accordance with this privacy policy.
16. What Are the Obligations of the Timebutler User?
Before a user enters, edits, changes, or deletes their own data or data of third parties (e.g., company employees) in Timebutler, consent must be obtained from the data subjects. The user must also ensure that data protection regulations and restrictions, if applicable, are observed when using Timebutler and that the necessary approvals and consents have been granted. Possible operational requirements may arise, among other things, but not exclusively, from agreements with employees, works agreements, works council requirements, employment contracts, union requirements, and other organisations and agreements.
17. What Technical and Organisational Measures Are Taken to Protect Data, and Can a Contract for Order Processing Be Concluded?
Our contract for data processing describes the technical and organisational measures to protect your data. You can access our contract for data processing here.
18. Information About Your Right Of Objection Under Article 21 of the EU General Data Protection Regulation (GDPR)
Right of objection in individual cases: you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) GDPR (data processing in the public interest) and Article 6 (1) (f) GDPR (data processing on the basis of a balance of interests), for reasons arising from your particular situation; this also applies to profiling based on this provision within the meaning of Article 4 (4) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms or the processing serves to assert, exercise, or defend legal claims.
Any objection can be made informally by email, via our contact form, or to the postal address given at the top of this page.