Privacy policy
PulseTime is a time-tracking application for Belgian SMEs and their team members. This policy explains which personal data we process, why, for how long, and how you can exercise your rights, in line with Regulation (EU) 2016/679 (GDPR) and the Belgian law of 30 July 2018.
1. Data controller
H&H Informatique SA, Rue Léon Morel 4, 5032 Isnes (Belgium), CBE company number 0431.238.937, is the data controller for the pulsetime.be website and the PulseTime application with regard to:
- visitors to the public site;
- Primary Administrators who subscribe to a plan;
- administrators and team members invited by their employer (B2B2C relationship).
For the time entries and HR data of your team members, your company (the Primary Administrator) is the data controller and PulseTime acts as processor within the meaning of article 28 of the GDPR. The conditions of this processing are described in a data processing agreement (DPA), provided to business customers on request at dpo@pulsetime.be.
Data Protection Officer (DPO): dpo@pulsetime.be.
2. Data collected and purposes
2.1 Primary Administrator account
When creating an account:
- Identity: first name, last name, email address, language preference.
- Authentication: password (hashed with bcrypt, never stored in plain text); personal access link ("magic link").
- Company: legal name, VAT number, address, billing email, IBAN.
Purpose: performance of the contract (account creation, access to the service, billing). Legal basis: performance of a contract (art. 6.1.b GDPR).
2.2 Invited team members
- Identity: first name, last name, email address and/or phone number (at least one), language.
- Time entries: start / end times of the shift, method used (smartphone/web, QR code, tablet kiosk), associated location.
- GPS location (only if the administrator enables the option and the team member allows it in their browser): latitude / longitude at the time of the entry, and approximate address obtained by reverse geocoding.
- IP address and user-agent on every sign-in (security log).
Purpose: working-time register (Belgian legal obligation, law of 26 June 2002 on labour and upcoming 2027 obligation), shift management, generation of reports for the payroll provider. Legal basis: legal obligation (art. 6.1.c GDPR) and legitimate interest (art. 6.1.f) for security and fraud prevention.
2.3 Audit log
All sensitive actions (creation / modification / deletion of an entry, validation of a correction, sending of an invitation, plan change, etc.) are recorded in an append-only log, with author, date, timestamp and IP. This log is used for traceability and GDPR compliance (article 5.1.f, integrity and confidentiality).
3. Categories of data not collected
We do not process any sensitive data within the meaning of article 9 of the GDPR (racial origin, political opinions, health data, sexual orientation, etc.). We do not profile users for advertising purposes.
4. Sub-processors
We rely on the following sub-processors to run the service. All of them offer GDPR compliance guarantees:
- Contabo GmbH (Germany, EU): hosting of the application servers and database.
- Stripe Payments Europe Ltd. (Ireland, EU): processing of card payments and subscriptions. Stripe is an independent controller for payment data (PCI-DSS).
- Resend Inc. (Delaware, USA): sending of transactional emails (invitations, confirmations, access codes). Transfer covered by the European Commission's Standard Contractual Clauses.
- Proximus / RingRing (Belgium, EU): sending of invitation SMS and PIN codes.
- OpenStreetMap (Nominatim): reverse geocoding service to translate latitude/longitude into a postal address, with no cookie or profiling.
- Microsoft Ireland Operations Limited (Clarity): behavioural analytics and ergonomics (heatmaps, anonymised session recordings). Strict masking enabled on pages displaying personal data: no text is captured. Servers hosted within the European Union. Active only after explicit consent via the cookie banner.
5. Hosting and data location
All application data and backups are hosted on Contabo servers located in Germany (European Union). Transactional emails go through Resend, which may involve a transfer to the United States; this transfer is covered by the Standard Contractual Clauses (SCC) of the European Commission.
6. Retention period
- Time entries: 5 years after the year of the shift, in line with the retention period for shift registers required by Belgian legislation.
- Audit log: 5 years (corollary to the above).
- Account data (administrator, team member): up to 30 days after deactivation / termination, then deletion or anonymisation.
- Encrypted backups: 30-day rotation, except for longer legal obligations.
- Security logs (IP, user-agent): 12 months.
7. Your rights
In line with the GDPR, you have the following rights:
- Access to your data and a copy of it;
- Rectification in case of inaccuracy;
- Erasure in the cases provided by law (the "right to be forgotten");
- Restriction of processing;
- Portability of your data in a machine-readable format;
- Objection to processing based on legitimate interest;
- Withdrawal of consent at any time when consent is the legal basis.
The Account → GDPR tab of the application allows the Primary Administrator to request the full deletion of the company. Team members can leave a company from their profile; for any other request, they should contact the Primary Administrator of their employer (the data controller).
To exercise a right or ask a question, contact dpo@pulsetime.be. We respond within one month.
8. Complaint
If you believe your rights are not being respected, you can lodge a complaint with the Belgian Data Protection Authority (DPA): www.autoriteprotectiondonnees.be.
9. Security
We implement reasonable technical and organisational measures to protect your data: end-to-end TLS encryption, bcrypt password hashing, access logs, encrypted backups, secret rotation, principle of least privilege for our teams. No system is infallible. In case of a breach posing a risk, we notify the DPA and the persons concerned within the timeframes set by the GDPR (72 hours).