- 1. DEFINITIONS
- 2. DATA CONTROLLER OR DATA PROCESSOR
- 3. WHAT DATA DO WE COLLECT ABOUT YOU AND WHEN?
- 4. PERSONAL DATA WE PROCESS
- 5. WHAT WE DO NOT DO?
- 6. PERSONAL DATA SECURITY
- 7. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
- 8. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA
- 9. HOW LONG DO WE KEEP YOUR DATA?
- 10. YOUR RIGHTS
- 11. CALIFORNIA RESIDENTS PRIVACY NOTICE
When we say "you", "your" or "Data Subject" we mean any natural person that shares personal data with us via Website.
When we say "processing" we mean any operation or set of operations which is performed on personal data or sets of personal data. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
When we say "Data Processors" or "processor" we mean any natural or legal person who processes the data on behalf of the Data Controller. In some cases, COING is a Data Processor and in others, Data Controller (as further explained in Section 2). In addition, we may use the services of various service providers to process your data more effectively. In such cases, they are either our processors or sub-processors.
2. DATA CONTROLLER OR DATA PROCESSOR
In relation to your personal data processed on or via the Website and the Service, COING may be either a Data Controller or Data Processor.
- COING Inc.
- 2100 Geng Road, Suite 210
- Palo Alto, CA 94303
- Email: email@example.com
By using the Service, you may disclose, share, record, or otherwise use various types of data via a Workspace as the User Content. The type of User Content is determined by the person that owns the Workspace and not by us. The extent to which personal data is processed while using the Service also depends on the Clockify functionalities that the owner of the Workspace decides to use. In that event, COING is a Data Processor and Data Controller is the owner of the Workspace. Thus, COING does not analyze, disclose or access such data unless a User (including an Enterprise as a User) sends a request for support and, in these cases, the access is limited to enabling the functioning of the Service.
Please also note that we do not collect or process your personal data if you are an End User of Server Clockify. In that case, Client (the company that has Clockify installed on their server) is responsible for your personal data.
If would like to sign a DPA with us, please contact us at firstname.lastname@example.org for more information.
3. WHAT DATA DO WE COLLECT ABOUT YOU AND WHEN?
We may collect and receive information about you in various ways:
- (i) Information you provide through the use of the Service (for example, by creating the account on Cloud Clockify).
- (ii) Information you decide to provide through getting in touch with us via email@example.com.
4. PERSONAL DATA WE PROCESS
4.1 COING as Data Controller
|DATA WE COLLECT||PURPOSE||LEGAL BASIS||RETENTION|
|Email address, password, time zone and sometimes profile photo, name and personal API key
(if the User decides to provide such personal data).
The User will also obtain the User ID so that we can identify that User in the future.
such as name, address, bank account and payment card details. The payer may not be the User subscribing to the Paid Plan, so it is possible to receive the information from another User.
i.e., data you decide to share with us.
|If you send us an inquiry at firstname.lastname@example.org or otherwise request support, we will collect data you decide to share with us.||Processing of personal data is either necessary to provide a Service or part thereof, or the processing is based on your consent.||If the processing is based on your consent, we keep the information until you withdraw your consent or for one year, whichever date comes first.|
If you decide to sign up for our newsletter, we use your email address.
|This newsletter allows us to inform you of the new features of the Service, updates, as well as other news relevant to the company.||Processing is based on your consent. You have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent prior to such withdrawal. You may unsubscribe from receiving a newsletter from us. If you wish to do so, simply follow the instructions found at the end of each email.||We may use your email for this purpose until you unsubscribe or until you delete your User Account.|
(when provided by other Users)
|Users may invite non-users via Clockify to join the Workspace, in which case they provide the non-user's email address.||Processing is necessary for the performance of the Agreement between us and the User who provided the information and it is also in the User's legitimate interest.||After sending the message to you we do not keep your personal data unless you decide to become a User, in which case other purposes apply.|
|Other personal data||For the prevention and detection of fraud, money laundering or other crimes or to respond to a binding request from a public authority or court.||The processing is necessary to comply with legal and regulatory obligations.||In accordance with the applicable statutory deadlines.|
4.2 COING as Data Processor
As a processor, COING is permitted to collect, use, disclose and/or otherwise process your personal data only following the instructions of the Owner of the Workspace.
1. Processing prior to using the Service
- The Owner of the Workspace shares your email address to enable you to access the Service.
- The Owner of the Workspace may assign you tasks and projects.
- If you have any questions regarding the legal basis for such personal data processing, please contact the Owner of the Workspace who invited you to the Service.
2. Processing during the usage of the Service
If you decide to accept the invitation to use the Service, you will be required to create an account. To create the User Account, you will need to share your email address and password.
You manage personal data you share via your account such as name and surname, photo, email data (personal email address and/or work email address).
In the course of the use of the Service we may process system usage data, IP address, work position, attendance at work, time-tracking data you inserted (for example, the time you started work, the time you finished work, tasks or projects worked on), application integration data, navigational data (including website usage information such as interactions with Clockify, and other electronic data submitted, stored, sent, or received by the Data Controller via the Service.
If you choose to connect your Clockify account to Google Calendar or Outlook (Office 365), you will be able to track time for events right from such calendars. This function enables a User to have the events from the calendar within the Clockify calendar and create time entries for each event, as further explained here. Once the calendar is connected, you will see all events from Google Calendar or Outlook right inside Clockify. If you make changes in the external calendar, those changes will reflect in Clockify.
To provide this Service, we need to access your Google or Outlook calendar and collect the data from such calendars. The data we collect include name of the event, description of the event, start and end time, link and calendar name. We ask Users for such authorization explicitly prior to processing such data.
Personal data from your connected calendar are only displayed in Clockify, while data from Clockify will not be displayed or shared in Google Calendar or Outlook.
While Admins and Team Managers can view other Users' Clockify calendar, only the User can see events from the connected Google or Outlook calendar (Admins and Managers cannot see events from your connected calendar).
The User may disconnect the calendar at any time by clicking on the Disconnect option on their Clockify calendar.
If the Owner of the Workspace is an Enterprise, depending on whether certain Clockify functionalities have been activated, we may collect screenshots of your desktop screen in low resolution (blurred) and/or GPS location and/or names of applications used on your computer, websites visited and time spent (if you decide to share such data).
Screenshot is an extra feature, which an Enterprise can enable to generate screenshots randomly every 5 minutes while the timer is running on a desktop app. Admin has to enable "Activate screenshot capturing" in Workspace settings. All Workspace members will receive a notification when screenshot capturing is enabled via both the web and the desktop app. Screenshots are taken only while the timer is running (no matter from where you started the timer) AND you have the screenshot recording app installed. For more information on Screenshots and processing of personal data, please see here.
GPS tracking is an extra feature, which an Enterprise can enable to track who is currently working on-site and everyone's location history throughout the day while the timer is running. Location is recorded every time the TIMER IS STARTED AND STOPPED IN THE MOBILE APP. Also, while the timer is running, more locations will be recorded if the user moves significantly (usually more than 500m) - but this varies depending on your device (its operating system, version, settings, and granted permissions). Locations are collected even if the mobile app works in the background. For more information on GPS tracking and processing of personal data, please see here.
Auto tracker tracks websites and programs that you view for more than 10 seconds (apps you use for less than that won't show up). This data is stored locally on your device and may be visible to other users in your Workspace only after you add it as an entry from the auto tracker table. If your computer goes to sleep, the Auto tracker will stop recording. For more information please see here.
COING does not undertake analysis of any special categories of personal data (including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation) and Clockify functionalities are not meant to be used for the processing of any such personal data. However, if you decide to provide such personal data to us or Data Controller via the Service, you will be deemed to have consented to such processing of the data.
For more information on who may access personal data, please see here.
5. WHAT WE DO NOT DO?
COING will never:
- — Sell any kind of personal information or data
- — Disclose this information to marketers or third parties not specified in Section 7
6. PERSONAL DATA SECURITY
We take administrative, technical, organizational and other measures to ensure the appropriate level of security of personal data we process. Upon assessing whether a measure is adequate and which level of security is appropriate, we consider the nature of the personal data we are processing and the nature of the processing operations we perform, the risks to which you are exposed by our processing activities, the costs of the implementation of security measures and other relevant matters in the particular circumstances.
Some of the measures we apply include access authorization control, information classification (and handling thereof), protection of integrity and confidentiality, data backup, firewalls, data encryption and other appropriate measures. We equip our staff with the appropriate knowledge and understanding of the importance and confidentiality of your personal data security.
7. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
COING utilizes external processors for certain processing activities. We use information audits to identify, categorize and record all personal data that is processed outside the company, so that the information, processing activity, processor and legal basis are all recorded, reviewed and easily accessible.
We have strict due diligence procedures and measures in place and review, assess and background check all processors prior to forming a business relationship. We obtain company documents, certifications, references and ensure that the processor is adequate, appropriate and effective for the task we are employing them for.
We audit their processes and activities prior to contract and during the contract period to ensure compliance with the data protection regulations and review any codes of conduct that oblige them to confirm compliance.
This is the list of processors and sub-processors with whom we share your personal data:
|The Rocket Science Group, LLC (MailChimp)||Email services based on Cloud||USA|
|Amazon Web Services, Inc.||Cloud Infrastructure (IaaS)||USA|
|Stripe, Inc.||Payment provider||USA|
|Zendesk, Inc.||Email and chat support||USA|
|Coing DOO||Software development||Serbia|
We may also share your personal data with our outside accountants, legal counsels and auditors.
Please keep in mind that, subject to your instructions to us while using the Service, your data may be shared with third parties in the following situations:
- — If you join another User's Workspace;
- — If you invite another User to join you Workspace;
- — If you invite a non-user to join Clockify;
- — If you decide to share User Content from your Workspace to persons who do not have an account on Clockify by providing links to such User Content.
8. INTERNATIONAL TRANSFER OF YOUR PERSONAL DATA
- 1. To the countries within the EEA;
- 2. To the countries which ensure an adequate level of protection;
- 3. To the countries which do not belong to those specified under item 1. and 2, but only by applying the appropriate safeguard measures.
9. HOW LONG DO WE KEEP YOUR DATA?
However, as an exception to the retention periods in Section 4 the data may be processed to determine, pursue or defend claims and counterclaims.
10. YOUR RIGHTS
Given that transparency is one of our cornerstone principles, we grant Data Subjects certain rights in relation to their personal data. These rights may be exercised by Data Subject when COING operates as a Data Controller.
In the event COING receives a request for exercising any of these rights directly from a Data
Subject, we are obliged to notify the owner of the relevant Workspace before responding to such a request.
Right of Access
You can send us a request for a copy of the personal data we hold about you.
We have ensured that appropriate measures have been taken to provide such in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Such information is provided in writing free of charge. It may be provided by other means when authorized by the Data Subject and with prior verification as to the subject's identity.
Information is provided to the Data Subject at the earliest convenience, but at a maximum of 30 days from the date the request was received. Where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months where necessary.
Right to Correction of Your Personal Data
If the personal data we have about you is incorrect, you have the right to request that we correct those data. Where notified of inaccurate data by the Data Subject, we will rectify the error within 30 days and inform any third party of the rectification if we have disclosed the personal data in question to them.
Right to Erasure
You have the right to request from us that your personal data is deleted in certain circumstances including:
- — The personal data are no longer needed for the purpose for which they were collected;
- — You withdraw your consent (where the processing was based on consent);
- — You object to the processing and no overriding legitimate grounds are justifying us processing the personal data;
- — The personal data have been unlawfully processed; or
- — To comply with a legal obligation.
However, this right does not apply where, for example, the processing is necessary:
- — To comply with a legal obligation; or
- — For the establishment, exercise or defense of legal claims.
Right to Restriction of Processing
If the accuracy of the personal data is contested, you consider the processing is unlawful but you do not want it erased, we no longer need the personal data but you require it for the establishment, exercise or defense of legal claims or you have objected to the processing and verification, you can exercise your right to the restriction of processing.
Right to Data Portability
Where you have provided personal data to us, you have the right to receive such personal data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party Data Controller without hindrance but in each case only where:
- — The processing is carried out by automated means; and
- — The processing is based on your consent or the performance of a contract with you.
Right to Withdraw the Consent
If you have provided your consent to the collection, processing and transfer of your personal data, you have the right to fully or partly withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.
Right to Lodge a Complaint
If you have any concerns or requests in relation to your personal data, please contact us at email@example.com and we will respond as soon as possible but not later than within 30 days.
11. CALIFORNIA RESIDENTS PRIVACY NOTICE
Information we collect
Use of Personal Information
Sharing Personal Information
COING does not sell your personal information
COING does not sell personal information, including personal information of anyone under 18 years of age.
Your Rights and Choices
This section describes your rights under the CCPA and explains how to exercise those rights. These rights may be exercised by consumers when COING operates as a Data Controller.
In the event COING receives a request for exercising any of these rights directly from a consumer, we are obliged to notify the owner of the relevant Workspace before responding to such a request.
Right to know Personal Information and Data Portability Rights
You have the right to request that we disclose certain information to you about COING's collection and use of your personal information over the past 12 months, i.e.:
- — Our business or commercial purpose for collecting your personal information.
- — The categories of personal information we collected about you.
- — The categories of third parties with whom we share your personal information.
- — The specific pieces of personal information we collected about you („data portability request").
We will disclose this information to you once we receive and confirm your verifiable consumer request.
Right to Deletion
You have the right to deletion your personal information COING collected. COING will delete your personal information from the records once we receive and confirm your verifiable consumer request unless a CCPA exception applies.
Namely, we may deny your deletion request subject to the exceptions in CCPA §1798.105, i.e. if retaining the information is necessary for COING or our service providers to:
- 1. Complete the transaction for which COING collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of COING's ongoing business relationship with you, or otherwise perform our contract with you.
- 2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- 3. Debug products to identify and repair errors that impair existing intended functionality.
- 4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- 5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
- 6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- 7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- 8. Comply with a legal obligation.
- 9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
If your request is justified, COING will also direct their service providers to delete your personal information as well.
Right to Non-Discrimination
COING will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, COING will not:
- — Deny you use of our Services.
- — Provide you a different level or quality of Services.
- — Charge you different prices or rates for Services, including through the use of discounts or other benefits or by imposing penalties.
- — Suggest that the person exercising their rights will receive a different price or rate for Services or a different level or quality of Services.
Right to say no to the sale of your personal information (Right to opt-out)
The CCPA requires businesses that sell personal information to allow consumers the ability to opt-out of the selling of their personal information.
Again, COING does not sell personal information.
Exercising your rights
To exercise the rights to access, data portability, and deletion, please submit a verifiable consumer request at firstname.lastname@example.org or contact us via our Contact page.
Consumers are entitled to make a request for access or data portability twice within a 12-month period.
To exercise your rights, you may send a request by yourself or use an authorized agent.
If COING cannot verify your identity or authority to make the request and confirm the personal information relates to you, COING cannot respond to your request or provide you with personal information.
We try to respond to consumers' requests within 45 days of their receipt. Sometimes, COING may need more time to respond to the request (up to 90 days total from the moment we receive the request) when COING will inform the consumer of the reason and extension period in writing.
You are not obliged to create an account with us in order to make a verifiable consumer request. We will deliver our written response to the registered email associated with the account if you have an account with us. Please note that any information we provide will only cover the 12-month period preceding the consumer's request receipt. If we cannot comply with your request, we will provide an explanation.
If a consumer files a data portability request, COING will select a format that is readily usable and should allow the transmission of the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If COING determines that the request warrants a fee, COING will:
- — inform you why the decision was made and
- — provide the consumer with a cost estimate before completing the request.
Last updated on 29/11/2021