DEFINITIONS <p>When we say <b>"you"</b>, <b>"your"</b> or <b>"Data Subject"</b> we mean any natural person that shares personal data with us via Website.</p>
<p>When we say <b>"processing"</b> we mean any operation or set of operations which is performed on personal data or sets of personal data.
This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.</p>
<p>When we say <b>"personal data"</b> or <b>"data"</b> we mean any information relating to an identified or identifiable natural person.
An identifiable natural person is one who can be identified, either directly or indirectly.
Therefore, data about a company or any legal entity is not considered to be personal data but registering on behalf of a legal entity may include sharing personal data.
For example, the information in relation to one-person companies may constitute personal data where it allows the identification of a natural person.
The rules also apply to all personal data relating to natural persons in the course of professional activity, such as the employees of a company or organization, business e-mail addresses like <b>"email@example.com"</b>.</p>
<p>When we say <b>"Data Processors"</b> or <b>"processor"</b> we mean any natural or legal person who processes the data on behalf of the Data Controller.
In some cases, COING is a Data Processor and in others, Data Controller (as further explained in Section 2).
In addition, we may use the services of various service providers to process your data more effectively.
In such cases, they are either our processors or sub-processors.</p>
<p>When we say <b>"cookies"</b> we mean small pieces of data stored on your device (computer or mobile device).
This information is used to track your use of the Website and to compile statistical reports on website activity.</p>
<p>When we say <b>"consent"</b> we mean your explicit consent on the processing of personal data.
Persons who are 15 years of age or older may give free consent to the processing of their personal data.</p> 2.
DATA CONTROLLER OR DATA PROCESSOR <p>In relation to your personal data processed on or via the Website, COING may be either a Data Controller or Data Processor.</p>
<p>When COING acts in the capacity of a Data Controller, COING determines the purposes and means of the processing of personal data.
The purpose of data processing is the reason why we process your personal data.
In such cases, COING is responsible for your personal data.</p>
<p>Should you have any inquiries, or you wish to exercise any of the rights of a Data Subject stipulated in Section 10, please contact us:</p>
<li>2100 Geng Road, Suite 210</li>
<li>Palo Alto, CA 94303</li>
<p>By using the Service, you may disclose, share, record, or otherwise use various types of data via a Workspace as the User Content.
The type of User Content is determined by the person that owns the Workspace and not by us.
In that event, COING is a Data Processor and Data Controller is the owner of the Workspace.
Thus, COING does not analyze, disclose or access such data unless a User sends a request for support and, in these cases, the access is limited to enabling the functioning of the Service.
Should you wish to send an inquiry or exercise any of the Data Subject's rights, please contact the owner of the relevant Workspace via which your personal data has been processed.</p>
<p>Please also note that we do not collect your personal data if you are an End User of Server Clockify.
In that case, Client (the company that has Clockify installed on their server) is responsible for your personal data.</p>
<p>If you would like to sign a DPA with us, please contact us at firstname.lastname@example.org for more information.</p> 3.
WHAT DATA DO WE COLLECT ABOUT YOU AND WHEN? <p>We may collect and receive information about you in various ways:</p>
<li>(i) Information you provide through the use of the Service (for example, by creating the account on Cloud Clockify).</li>
<li>(ii) Information you decide to provide through getting in touch with us via email@example.com.</li>
WHY DO WE PROCESS PERSONAL DATA AND FOR HOW LONG? DATA WE COLLECT PURPOSE LEGAL BASIS RETENTION <b>Email address, password, time zone and sometimes profile photo, name and personal API key</b>
<br>(if the User decides to provide such personal data).<br>
<br>The User will also obtain the User ID so that we can identify that User in the future.
Without providing an email address, password and time zone, the User may not create the User Account.
<br>such as name, address, bank account and payment card details.
The payer may not be the User subscribing to the Paid Plan, so it is possible to receive the information from another User.
Processing is necessary for the User’s performance of the Agreement which includes providing Additional Features based on the selected Paid Plan.
<br>i.e., data you decide to share with us.
If you send us an inquiry at firstname.lastname@example.org or otherwise request support, we will collect data you decide to share with us.
Processing of personal data is either necessary to provide a Service or part thereof, or the processing is based on your consent.
If the processing is based on your consent, we keep the information until you withdraw your consent or for one year, whichever date comes first.
<br>If you decide to sign up for our newsletter, we use your e-mail address.
This newsletter allows us to inform you of the new features of the Service, updates, as well as other news relevant to the company.
Processing is based on your consent.
You have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent prior to such withdrawal.
You may unsubscribe from receiving a newsletter from us.
If you wish to do so, simply follow the instructions found at the end of each e-mail.
We may use your email for this purpose until you unsubscribe or until you delete your User Account.
<br>(when provided by other Users) Users may invite non-users via Clockify to join the Workspace, in which case they provide the non-user’s email address.
Processing is necessary for the performance of the Agreement between us and the User who provided the information and it is also in the User’s legitimate interest.
After sending the message to you we do not keep your personal data unless you decide to become a User, in which case other purposes apply.
Processing is necessary for compliance with a legal obligation which Controller is subject to.
We keep this information for a period of one year.
<b>Other personal data</b> For the prevention and detection of fraud, money laundering or other crimes or to respond to a binding request from a public authority or court.
The processing is necessary to comply with legal and regulatory obligations.
In accordance with the applicable statutory deadlines.
WHAT WE DO NOT DO? <p>COING will never:</p>
<li>— Sell any kind of personal information or data</li>
<li>— Disclose this information to marketers or third parties not specified in Section 7</li>
PERSONAL DATA SECURITY <p>We take administrative, technical, organizational and other measures to ensure the appropriate level of security of personal data we process.
Upon assessing whether a measure is adequate and which level of security is appropriate, we consider the nature of the personal data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing activities, the costs of the implementation of security measures and other relevant matters in the particular circumstances.</p>
<p>Some of the measures we apply include access authorization control, information classification (and handling thereof), protection of integrity and confidentiality, data backup, firewalls, data encryption and other appropriate measures.
We equip our staff with the appropriate knowledge and understanding of the importance and confidentiality of your personal data security.</p> 7.
WITH WHOM DO WE SHARE YOUR PERSONAL DATA? <p>COING utilizes external processors for certain processing activities.
We use information audits to identify, categorize and record all personal data that is processed outside the company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible.</p>
<p>We have strict due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship.
We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate and effective for the task we are employing them for.</p>
<p>We audit their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that oblige them to confirm compliance.</p>
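<p>This is the list of processors and sub-processors with whom we share your personal data:</p>
<table>
<tr><th>PROCESSOR</th><th>ROLE</th><th>SEAT</th></tr>
<tr><td>The Rocket Science Group, LLC (MailChimp)</td><td>Email services based on Cloud</td><td>USA</td></tr>
<tr><td>Google, Inc.</td><td>Analytics</td><td>USA</td></tr>
<tr><td>Amazon Web Services, Inc.</td><td>Cloud Infrastructure (IaaS)</td><td>USA</td></tr>
<tr><td>SendGrid, Inc.</td><td>E-mail services based on Cloud</td><td>USA</td></tr>
<tr><td>Stripe, Inc.</td><td>Payment provider</td><td>USA</td></tr>
<tr><td>Zendesk, Inc.</td><td>Email and chat support</td><td>USA</td></tr>
</table>
<p>We may also share your personal data with our outside accountants, legal counsels and auditors.</p>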
<p>Please keep in mind that, subject to your instructions to us while using the Service, your data may be shared with third parties in the following situations:</p>
<li>— If you join another User's Workspace;</li>
<li>— If you invite another User to join your Workspace;</li>
<li>— If you invite a non-user to join Clockify;</li>
<li>— If you decide to share User Content from your Workspace to persons who do not have an account on Clockify by providing links to such User Content.</li>
INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA <p>We may transfer your personal data to countries other than the one you reside in.</p>
<ol>
<li>To the countries within the EEA;</li>
<li>To the countries which ensure an adequate level of protection;</li>
<li>To the countries which do not belong to those specified under items 1 and 2, but only by applying the appropriate safeguard measures.</li>
</ol>
HOW LONG DO WE KEEP YOUR DATA? <p>The period for which we store your personal data depends on a particular purpose for the processing of personal data, as explained in detail in Section 4.
We retain personal data for as long as we reasonably require it for legal or business purposes.
When we no longer need personal information, or when you request us to delete your information, where this is legal, we will securely delete or destroy it.</p>
<p>However, as an exception to the retention periods in Section 4 the data may be processed to determine, pursue or defend claims and counterclaims.</p> 10.
YOUR RIGHTS <p>Given that transparency is one of our cornerstone principles, we grant Data Subjects certain rights in relation to their personal data.
These rights may be exercised by Data Subject when COING operates as a Data Controller.
If your inquiry or exercise of any of the Data Subject's rights relates to the data on a Workspace, please contact the owner of the relevant Workspace via which your personal data has been processed.</p> Right of Access <p>You can send us a request for a copy of the personal data we hold about you.</p>
<p>We have ensured that appropriate measures have been taken to provide such information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Such information is provided in writing free of charge.
It may be provided by other means when authorized by the Data Subject and with prior verification as to the subject's identity.</p>
<p>Information is provided to the Data Subject at the earliest convenience, but at a maximum of 30 days from the date the request was received.
Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary.</p> Right to Correction of Your Personal Data <p>If the personal data we have about you is incorrect, you have the right to request that we correct those data.
Where notified of inaccurate data by the Data Subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them.</p> Right to Erasure <p>You have the right to request from us that your personal data is deleted in certain circumstances including:</p>
<li>— The personal data are no longer needed for the purpose for which they were collected;</li>
<li>— You withdraw your consent (where the processing was based on consent);</li>
<li>— You object to the processing and no overriding legitimate grounds are justifying us processing the personal data;</li>
<li>— The personal data have been unlawfully processed.</li>
<li>— To comply with a legal obligation.</li>
<p>However, this right does not apply where, for example, the processing is necessary:</p>
<li>— To comply with a legal obligation.</li>
<li>— For the establishment, exercise or defense of legal claims.</li>
</ul> Right to Restriction of Processing <p>If the accuracy of the personal data is contested, you consider the processing is unlawful but you do not want it erased, we no longer need the personal data but you require it for the establishment, exercise or defense of legal claims or you have objected to the processing and verification, you can exercise your right to the restriction of processing.</p> Right to Data Portability <p>Where you have provided personal data to us, you have the right to receive such personal data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party Data Controller without hindrance but in each case only where:</p>
<li>— The processing is carried out by automated means.</li>
<li>— The processing is based on your consent or the performance of a contract with you.</li>
</ul> Right to Withdraw the Consent <p>If you have provided your consent to the collection, processing and transfer of your personal data, you have the right to fully or partly withdraw your consent.
Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.</p> Right to Lodge a Complaint <p>If you have any concerns or requests in relation to your personal data, please contact us at email@example.com and we will respond as soon as possible but not later than within 30 days.</p> 11.
<p>If we make any changes, we will publish the new rules on this web page and, if we have your e-mail, we will notify you directly.</p>
<p>Last updated on October 15, 2019</p>