1. Controller
The controller within the meaning of data protection laws, in particular the General Data Protection Regulation (GDPR), is:
IT-Service Hanna
Tulpenstr. 25
76275 Ettlingen
Germany
Email: info@it-hanna.de
2. General information on data processing
We take the protection of your personal data very seriously. Personal data is treated confidentially and in accordance with statutory data protection regulations and this privacy policy.
Personal data is all data with which you can be personally identified.
Data processing is carried out exclusively for the provision and use of our time-tracking software. All data transmissions are TLS-encrypted (HTTPS).
Allocation of roles: Where your employer uses the software for time tracking, the employer is the controller for the processing of your employee data; we process this data as a processor on the basis of an agreement pursuant to Art. 28 GDPR. In addition, this privacy policy covers your visit to our website and the administration of your user account.
3. Hosting
Our website and application are hosted by the following provider:
ALL-INKL.COM (ALL-INKL.COM – Neue Medien Münnich)
The hosting provider processes personal data such as:
4. User accounts and master data
Using our time-tracking software requires creating a user account. The following data may be processed:
5. Processing of working-time and absence data
When using our software, working-time and absence data is stored, e.g.:
6. Cookies
Our website does not use tracking or marketing cookies. Only technically necessary cookies are used: session cookies required for login and operation of the application, and a functional cookie with a storage period of twelve months that is set after a login and directs returning users on the start page straight to the login page instead of the product presentation. The legal basis is Section 25 (2) No. 2 of the German TDDDG in conjunction with Art. 6 (1) (f) GDPR; a consent banner is therefore not required.
6a. Bot protection (Cloudflare Turnstile)
To protect registration and login forms, we use the bot protection service Turnstile provided by Cloudflare, Inc. (USA). Technical connection data is processed in this context (including IP address, device and browser characteristics). The legal basis is Art. 6 (1) (f) GDPR (protection against abusive access). Cloudflare is certified under the EU-US Data Privacy Framework; an adequate level of data protection is thereby ensured.
6b. Sign-in via third-party providers (Single Sign-On)
You can optionally sign in via Google, Microsoft or Apple. In doing so, we receive only your name and e-mail address from the respective provider; your time data is not transmitted to the provider. The legal basis is Art. 6 (1) (b) GDPR (performance of the contract or provision of the chosen login function). The respective provider's own privacy notices apply to processing on their side (Google Ireland Ltd./Google LLC, Microsoft Ireland Operations Ltd./Microsoft Corp., Apple Distribution International Ltd./Apple Inc.); the US entities are certified under the EU-US Data Privacy Framework.
6c. AI help assistant (optional)
If your employer uses the optional AI help assistant, it answers questions about how to operate the software. The feature is only active if your employer enables it with its own access key from an AI provider. Only your entered question and an excerpt of the public program documentation in your selected language are transmitted; working-time, absence or other employee data are not transmitted. Depending on your employer’s choice, one of the following providers is used: Anthropic PBC (Claude), Google Ireland Ltd./Google LLC (Gemini), OpenAI, L.L.C. (ChatGPT) or Groq, Inc. (Llama). Where the provider processes data in a third country (in particular the USA), the transfer is based on appropriate safeguards under Art. 44 et seq. GDPR (EU-US Data Privacy Framework where the provider is certified, otherwise standard contractual clauses). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient operating assistance). We store neither your questions nor the answers; the respective provider’s own privacy notices apply to its processing.
7. Disclosure of data
Your personal data will not be passed on to third parties unless:
8. Storage period
Personal data is only stored for as long as is necessary for the respective purposes or for as long as statutory retention obligations exist. The specific deletion periods result from our deletion concept (see “Deletion of Data”).
9. Your rights
You have the right at any time to:
10. Right to lodge a complaint with a supervisory authority
You have the right to complain to a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany.