GDPR

Our commitment to data protection for users in the EU and EEA.

The General Data Protection Regulation (GDPR) sets a high bar for how companies handle personal data of people in the European Union and European Economic Area. We're committed to meeting that bar. This page explains how Cloxly complies with the GDPR and what that means for you.

Our role

Under the GDPR, organizations can act as either a data controller or a data processor, depending on the context:

  • Controller — When you sign up for Cloxly, we act as the data controller for your account information (name, email, billing details). We decide why and how this data is processed.
  • Processor — For the time tracking data you and your team enter into Cloxly, we act as a data processor. You (or your organization) are the controller, and we process that data on your behalf according to your instructions.

Legal basis for processing

We only process personal data when we have a lawful reason to do so. Depending on the situation, our legal basis is one of the following:

  • Contract — We need to process your data to provide the service you signed up for (e.g., running your account, processing payments).
  • Legitimate interest — We process some data to improve our product and protect against fraud, where our interests don't override your rights.
  • Consent — For things like analytics cookies, we ask for your consent and you can withdraw it at any time.
  • Legal obligation — In some cases, we're required by law to retain certain data (e.g., billing records for tax purposes).

Your rights under the GDPR

If you're in the EU or EEA, you have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Ask us to correct any inaccurate or incomplete data.
  • Right to erasure — Ask us to delete your personal data. We'll comply unless we have a legal obligation to retain it.
  • Right to restrict processing — Ask us to temporarily limit how we use your data while a concern is being resolved.
  • Right to data portability — Receive your data in a structured, commonly used format so you can transfer it to another service.
  • Right to object — Object to processing based on legitimate interests, including analytics and profiling.
  • Right to withdraw consent — If we process data based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at help@cloxly.io. We'll respond within 30 days.

International data transfers

Cloxly's infrastructure is based in the United States, which means data from EU/EEA users is transferred outside the European Economic Area. To ensure this transfer is lawful and your data remains protected, we use Standard Contractual Clauses (SCCs) approved by the European Commission.

These clauses are legally binding agreements that require us to protect your data to the same standard as the GDPR, regardless of where it's stored.

Data Processing Agreement

Every Cloxly customer is covered by our Data Processing Agreement (DPA), which is included as part of our standard terms. The DPA outlines our obligations as a data processor, including how we handle your data, our security measures, and your rights as the data controller. No need to request one separately — it applies to all accounts automatically.

Sub-processors

We work with a limited number of third-party services (sub-processors) to operate Cloxly — for things like hosting, payment processing, and email delivery. Each sub-processor is carefully vetted and bound by data processing agreements that meet GDPR requirements. We'll notify customers of any changes to our sub-processor list.

Data retention

We keep your personal data only as long as necessary for the purposes described in our Privacy Policy. When you delete your account, we remove your personal data within 30 days. Some data may be retained longer where required by law, such as billing records for tax compliance.

Breach notification

In the event of a data breach that affects your personal data, we'll notify you and the relevant supervisory authority within 72 hours, as required by the GDPR. Our notification will include what happened, what data was affected, and what steps we're taking in response.

Supervisory authority

If you believe we're not handling your data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority. We'd appreciate the chance to address your concern directly first — but the choice is yours.

Questions?

For any GDPR-related questions or to exercise your data rights, contact us at help@cloxly.io.