Everhour and GDPR

In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). This new piece of legislation has had a great impact on anyone whose business involves handling personal data about EU residents or within the EU. It come into effect on May 25, 2018.

This article provides an overview of the data-related roles and responsibilities that you need to know now that you've chosen Everhour as your time tracking and invoicing platform. It explains Everhour's actions in living up to the values and requirements of the GDPR.

What is considered “personal data”?

As per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Considering the extremely broad reach of that definition, personal data will now include not only data that is commonly considered to be personal in nature (e.g. names, physical addresses, email addresses), but also such data as IP addresses, behavioral data, location data, financial information, and much more.

What personal information do we collect?

We collect the email addresses of those who communicate with us via email. When you browse our marketing pages, we track this information for analytical purposes (conversion rates and testing new designs). We'll also store any information you voluntarily submit (for example, filling out a survey) for the duration of the research project or as long as it makes sense.

When you sign up for Everhour, we will ask for your name, email address, country, and company name. This allows us to personalize your new account, and send you invoices, updates, or contact you concerning your account. We’ll never give nor sell your personal information to third parties.

Everhour acknowledges that EU and Swiss individuals have the right to access the personal information that we maintain about them. An EU or Swiss individual who seeks access, or who wishes to correct, amend, or delete inaccurate data, should direct their query to ask@everhour.com. If requested to remove data, we will respond within a reasonable timeframe.

Everhour as the data processor

Users of Everhour can store any type of information in Everhour, but Everhour does not access or share that data, and does not know what type of data you or other users are storing. The data is only used by the account owner and invited users as they intend it to be used.

Therefore, the data you store in Everhour is subject to your management, and you are considered the data controller for this personal data. Using the Everhour app to manage your customers and projects means that you have engaged Everhour as a data processor to carry out certain processing activities on your behalf.

Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Everhour account.

Everhour as the data controller

Everhour acts as the data controller for the personal data we collect about you, the user of our web app, mobile app, and website.

First and foremost, we only process the data that is necessary for us to perform our contract with you.

Secondly, we process data to meet our obligations under the law — this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR.

Thirdly, we process your personal data for our legitimate interests in line with GDPR. So, what are these ‘legitimate interests’ we talk about?

  • Improving the app to help you reach new levels of productivity.
  • Making sure that your data and Everhour’s systems are safe and secure.
  • Responsible marketing of our product and its features.

As the controller for your personal data, Everhour is committed to respect your rights under the GDPR. If you have any questions or feedback, please reach out at ask@everhour.com and we will do our best to resolve your query as soon as possible.

Does it matter whether you are a controller or a processor?

If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you represent. A controller is the organization that determines the purposes and means of processing personal data and also determines the specific personal data that is collected from a data subject for processing.

A processor is the organization that processes the data on behalf of the controller.

Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.

In the context of the Everhour application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information is uploaded or transferred into their Everhour account (our ecosystem).

Does GDPR require that my information be stored in the EU?

No. Under GDPR, a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU.

Is Everhour using third-parties to process data?

Everhour, just like any other business, currently uses third-party Subprocessors to provide various business functions like business analytics, cloud infrastructure, email notifications, payments, and customer support.

We’ve listed our Subprocessors below. We will keep this page up-to-date, please check back regularly to see the latest updates on all changes.

Entity Name Subprocessing Activities Entity Country
Amazon Web Services, Inc. Cloud Infrastructure United States
Stripe, Inc. Payments United States
Help Scout PBC Customer Support United States
The Rocket Science Group, LLC (MailChimp) Cloud-based Email Notification Services United States
Paddle.com Market Ltd. (ProfitWell) Subscription and Financial Metrics UK
MailerLite Limited Cloud-based Email Notification Services Ireland
Google Inc. Analytics United States
Ably Real-time Ltd. Realtime Data Delivery Platform United States
Functional Software, Inc. (Sentry) Error Tracking Platform United States

Security and storage

The Everhour website and Service has industry standard security measures in place to protect the loss, misuse, and alteration of the information under our control. While there is no such thing as "perfect security" on the Internet, we will take all reasonable steps to ensure the safety of your information.

All data is encrypted via SSL/TLS when transmitted from our servers to your browser. The database backups are also encrypted. Data isn’t encrypted while it’s live in our database (since it needs to be ready to send to you when you need it), but we go to great lengths to secure your data at rest.

Cookies

When you use the Everhour Service we and our vendors may use “cookies”, “web beacons”, and similar devices to track your activities. These small pieces of information are stored on your hard drive, not on the Everhour website.

We use cookies to help you navigate the Everhour website and Service as easily as possible, and to remember information about your current session. We do not use this technology to spy on you or otherwise invade your privacy. You can disable cookies and tracking technologies through your web browser, however doing so may render the Everhour Service unusable.

Deleted data

When you remove your account, we delete all data associated with your account from our production database.

We do keep backups, designed for catastrophic system recovery, for 30 days. These backups are purged on a rolling 30 day cycle. When an account is deleted, none of your personal data will remain on our servers past 30 days. Anything you delete from your account while it’s active will also be purged from the backups after 30 days.

Deactivated users will no longer have access to your account, but their name, email addresses, and time entries will remain in your account for historical reporting purposes.

Data portability

Our customers enjoy full data portability using our API, which allows them to easily access their data in a portable way as well import data from other systems. Additionally, you can export all company time data and invoices from the Export section of your Account Settings. The particular type of data you can export depends on your user permissions.

Questions

We work closely with our customers to answer any questions and address any concerns regarding how we protect their personal data and, in particular, in compliance with GDPR. If you have any questions, please don't hesitate to contact us at ask@everhour.com.