1. Data controller
| Name | David Lorenzo García |
|---|---|
| Tax ID (NIF) | 12395061Q |
| Address | Urbanización Espejo del Mar, 04002 Almería, Spain |
| Email | support@clockin.chat |
| Websites | clockin.chat / controlhorario.chat |
There is no obligation to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR for the activities carried out.
2. Data we process and purposes
2.1 Clients (companies and self-employed individuals subscribing to the service)
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Name, email, company, phone number | Account registration, contractual communications and support | Performance of a contract (Art. 6.1.b) |
| Billing and payment data (managed by Stripe) | Subscription billing and invoice issuance | Performance of a contract (Art. 6.1.b) / Legal obligation (Art. 6.1.c) |
| Email for commercial communications | Sending product updates (only with consent) | Consent (Art. 6.1.a) |
2.2 Employees of clients (end users of the service)
When a client company registers its employees in clockin.chat, the client acts as the data controller and David Lorenzo García acts as the data processor under the terms of the Data Processing Agreement.
| Data | Purpose | Legal basis (of the client as controller) |
|---|---|---|
| Name, phone number (WhatsApp) | Identification and access to the time-tracking system | Performance of employment contract (Art. 6.1.b) / Legal obligation (Art. 6.1.c) |
| Clock-in/out records and working hours | Mandatory working time recording under Spanish Royal Decree-Law 8/2019 | Legal obligation (Art. 6.1.c) |
| Holiday and absence requests and approvals | HR management | Performance of employment contract (Art. 6.1.b) |
2.3 Website visitors
| Data | Purpose | Legal basis |
|---|---|---|
| IP address, browsing data (Google Analytics, Simple Analytics) | Web traffic analysis and service improvement | Legitimate interest (Art. 6.1.f) / Consent for cookie-based analytics (Art. 6.1.a) |
| Language preference (technical cookie) | Displaying content in the user's chosen language | Legitimate interest (Art. 6.1.f) |
3. Retention periods
| Category | Period | Basis |
|---|---|---|
| Working time records (clock-in/out) | 4 years from creation | Spanish Royal Decree-Law 8/2019 and Workers' Statute |
| Client account data | Duration of the contractual relationship + 1 year after account deletion | Statutory limitation periods (Spanish Civil Code) |
| Tax and billing data | 5 years from the transaction | Spanish General Tax Law 58/2003 |
| Commercial communications (with consent) | Until withdrawal of consent | GDPR Art. 7.3 |
| Web browsing data | 26 months (Google Analytics), 12 months (Simple Analytics) | Spanish DPA (AEPD) cookie guidance |
4. Recipients and data processors
Data may be shared with the following providers, who act as data processors:
| Provider | Purpose | Country | Transfer safeguards |
|---|---|---|---|
| Meta Platforms Ireland Ltd. | WhatsApp Business API messaging | Ireland (EU) / USA | Yes: Standard Contractual Clauses |
| Stripe, Inc. | Payment processing and billing | USA / EU | Yes: Standard Contractual Clauses |
| OVHcloud SAS | Server hosting and infrastructure | France (EU) | Not required (EU/EEA) |
| DonDominio / Arsys Internet S.L. | Domain registration and transactional email delivery | Spain (EU) | Not required (EU/EEA) |
| Google LLC (Google Analytics) | Web traffic analytics (IP anonymisation enabled) | USA | Yes: Standard Contractual Clauses |
| Simple Analytics BV | Privacy-friendly web analytics (no cookies) | Netherlands (EU) | Not required (EU/EEA) |
Data is not shared with third parties for their own purposes unless required by law.
5. International data transfers
Some providers listed above (Meta/WhatsApp, Stripe, Google Analytics) transfer data outside the European Economic Area (EEA). These transfers are carried out with adequate safeguards under Article 46 of the GDPR, in particular through Standard Contractual Clauses adopted by the European Commission.
6. Data subjects' rights
Data subjects have the right to:
- Access: obtain confirmation of whether their data is being processed and access it.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of their data when it is no longer necessary.
- Restriction of processing: request that processing be restricted to certain purposes.
- Data portability: receive their data in a structured, commonly used format.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time.
To exercise these rights, send a written request to support@clockin.chat indicating the right you wish to exercise, enclosing a copy of your national ID or other valid identity document.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
7. Data security
David Lorenzo García has implemented appropriate technical and organisational measures to ensure the security and integrity of personal data, including:
- Encrypted transmission via TLS/HTTPS.
- Encryption of sensitive data at rest.
- Role-based access control with secure authentication.
- Regular backups.
- Security breach notification procedure within the timeframes established by the GDPR.
8. Changes to this Privacy Policy
This Privacy Policy may be updated to reflect changes in legislation or service functionality. Any material changes will be communicated to registered clients by email. Last updated: 2026-05-07.