Everhour and GDPR

Last updated: May 23, 2018

In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. It will come into effect on May 25, 2018.

This article provides an overview of the data-related roles and responsibilities when you’ve chosen Everhour as your time tracking and invoicing platform and will explain Everhour’s efforts to live up to the values and requirements of the GDPR.

What is considered “personal data”?

Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g. names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, financial information, and much more.

What personal information do we collect?

We collect the email addresses of those who communicate with us via email. When you browse our marketing pages, we track that activity for analytical purposes (conversion rates and testing new designs). We also store any information you voluntarily submit (for example, when filling out a survey) for the duration of the research project, or for as long as it remains relevant.

When you sign up for Everhour, we ask for your name, email address, country, and company name. This allows us to personalize your new account, send you invoices and updates, and contact you concerning your account. We will never give or sell your personal information to third parties.

Everhour acknowledges that EU and Swiss individuals have the right to access the personal information that we maintain about them. An EU or Swiss individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query to ask@everhour.com. If requested to remove data, we will respond within a reasonable timeframe.

Everhour as the data processor

Users of Everhour can store any type of information in Everhour, but Everhour does not access or share that data, and does not know what type of data you or other users are storing. The data is only used by the account owner and invited users as they intend to use it.

Therefore, the data you store in Everhour belongs to your data subjects, and you are considered the data controller for this personal data. Using the Everhour app to manage your customers and projects means that you have engaged Everhour as a data processor to carry out certain processing activities on your behalf.

Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Everhour account.

Everhour as the data controller

Additionally, Everhour acts as the data controller for the personal data we collect about you, the user of our web app, mobile app, and website.

First and foremost, we process data that is necessary for us to perform our contract with you.

Secondly, we process data to meet our obligations under the law — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

Thirdly, we process your personal data for our legitimate interests in line with GDPR. What are these ‘legitimate interests’ we talk about?

  • Improving the app to help you reach new levels of productivity.
  • Making sure that your data and Everhour’s systems are safe and secure.
  • Responsible marketing of our product and its features.

As the controller for your personal data, Everhour is committed to respecting all your rights under the GDPR. If you have any questions or feedback, please reach out at ask@everhour.com.

Does it matter whether you are a controller or a processor?

If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.

A processor is the organization that processes the data on behalf of the controller.

Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.

In the context of the Everhour application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information is uploaded or transferred into their Everhour account (our ecosystem).

Does GDPR require that my information be stored in the EU?

No. Under GDPR, a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU.

Is Everhour using third parties to process data?

Everhour, just like any other business, currently uses third-party Subprocessors to provide various business functions like business analytics, cloud infrastructure, email notifications, payments, and customer support.

We have listed our Subprocessors below. We will keep this page up to date; please check back regularly for changes.

Everhour v2:

Entity Name                                  Subprocessing Activities                   Entity Country
Amazon Web Services, Inc.                    Cloud Infrastructure                       United States
Stripe, Inc.                                 Payments                                   United States
Intercom, Inc.                               Customer Support                           United States
The Rocket Science Group, LLC (MailChimp)    Cloud-based Email Notification Services    United States
200 OK, LLC (ProfitWell)                     Subscription and Financial Metrics         United States
WOOTRIC, Inc.                                Customer Satisfaction, Net Promoter Score  United States
Google Inc.                                  Analytics                                  United States
Ably Real-time Ltd.                          Realtime Data Delivery Platform            United States
Functional Software, Inc. (Sentry)           Error Tracking Platform                    United States

Everhour v1:

Entity Name                                  Subprocessing Activities                   Entity Country
RackSpace                                    Cloud Infrastructure                       United States
Stripe, Inc.                                 Payments                                   United States
UserVoice                                    Customer Support                           United States
SendGrid                                     Cloud-based Email Notification Services    United States
200 OK, LLC (ProfitWell)                     Subscription and Financial Metrics         United States
Google Inc.                                  Analytics                                  United States

Security and Storage

The Everhour website and Service have industry-standard security measures in place to protect against the loss, misuse, and alteration of the information under our control. While there is no such thing as "perfect security" on the Internet, we will take all reasonable steps to ensure the safety of your information.

All data is encrypted via SSL/TLS when transmitted between our servers and your browser. The database backups are also encrypted. Data is not encrypted while it is live in our database (since it needs to be ready to send to you when you need it), but we go to great lengths to secure your data at rest.

Cookies

When you use the Everhour Service we and our vendors may use “cookies”, “web beacons”, and similar devices to track your activities. These small pieces of information are stored on your hard drive, not on the Everhour website.

We use cookies to help you navigate the Everhour website and Service as easily as possible, and to remember information about your current session. We do not use this technology to spy on you or otherwise invade your privacy. You can disable cookies and tracking technologies through your web browser; however, doing so may render the Everhour Service unusable.

Deleted Data

When you remove your account, we delete all data associated with your account from our production database.

We do keep backups, designed for catastrophic system recovery, for 30 days. The backups are purged on a rolling 30-day cycle. When an account is deleted, none of your personal data will remain on our servers past 30 days. Anything you delete from your account while it is active will also be purged from the backups on day 30.

Deactivated users will no longer have access to your account, but their names, email addresses, and time entries will remain in your account for historical reporting purposes.

Data Portability

Our customers enjoy full data portability using our API, which allows them to easily access their data in a portable format as well as import data from other systems. Additionally, you can export all company time data and invoices from the Export section of Account Settings. Which data you can export depends on your user permissions.

Questions

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and how we are preparing for the GDPR. If you have any questions, please don't hesitate to contact us at ask@everhour.com.