Last Updated: November 8, 2023
In 2016, the European Union adopted the General Data Protection Regulation (GDPR). This legislation has had a great impact on anyone whose business involves handling personal data about EU residents or processing personal data within the EU. It has applied since May 25, 2018.
This article provides an overview of the data-related roles and responsibilities that you need to know now that you have chosen Time Tracking Power-Up by Everhour (hereinafter “Powerup”) as your time tracking and invoicing platform. It explains what Powerup does to live up to the values and requirements of the GDPR.
What is considered “personal data”?
Under the GDPR, personal data is any information relating to an identified or identifiable individual; that is, information that could be used, on its own or in combination with other data, to identify an individual. Given the extremely broad reach of that definition, personal data includes not only data that is commonly considered personal in nature (e.g. names, physical addresses, email addresses) but also data such as IP addresses, cookie IDs, behavioral data, location data, financial information, and much more.
Powerup as the data processor
Any person or entity that is registered with Powerup can invite other users to the account and store and share with the invited users any type of information, for the purposes, to the extent, and in the manner defined by that person or entity. Powerup does not access or share that data and does not know what type of data you or the other users are storing.
Therefore, the data that you, as the account holder, and your invited users store in Powerup is under your control. Accordingly, you are considered the data controller for this personal data. By using Powerup to manage your customers and projects, you engage Powerup as a data processor to carry out certain processing activities on your behalf.
Please note that “special categories” of personal data require a greater level of protection. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person’s sex life or sexual orientation. You should not store such sensitive data in your Powerup account.
Powerup as the data controller
Powerup acts as the data controller for the personal data we collect about you when you visit Powerup as an unregistered user.
We also qualify as the data controller in a limited number of cases connected with:
- meeting our legal obligations (this primarily involves financial data and information that we need to meet our accountability obligations under the GDPR)
- improving Powerup
- making sure that your data and Powerup’s systems are safe and secure
As the controller for your personal data, Powerup is committed to respecting your rights under the GDPR.
Does it matter whether you are a controller or a processor?
If you access personal data, you do so as either a controller or a processor, and the requirements and obligations differ depending on which role you hold. A controller is the organization that determines the purposes and means of processing personal data, including which specific personal data is collected from a data subject for processing.
A processor is the organization that processes personal data on behalf of the controller.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
In the context of the Powerup application and our related services, our customers act as the controller in the majority of circumstances. Our customers, for example, decide what information is uploaded or transferred into their Powerup account (our ecosystem).
Does GDPR require that my information be stored in the EU?
No. Under the GDPR, a company is allowed to transfer personal data outside the EU provided that it puts in place a transfer mechanism approved under the GDPR to ensure that the personal data remains adequately protected after it leaves the EU.
We use Standard Contractual Clauses to ensure the lawful and secure transfer of our customers’ personal data to our service providers located in non-EEA countries.
Security and storage
Powerup has industry-standard security measures in place to protect against the loss, misuse, and alteration of the information under our control. While there is no such thing as “perfect security” on the Internet, we take all reasonable steps to ensure the safety of your information.
All data is encrypted with TLS while in transit between our servers and your browser. Database backups are also encrypted. Data is not encrypted while it is live in our database (it must be immediately available to serve to you on request), but we go to great lengths to secure that data at rest.
We work closely with our customers to answer any questions and address any concerns about how we protect their personal data, in particular with regard to GDPR compliance.
If you have any questions, please don’t hesitate to contact us at firstname.lastname@example.org.