Introduction

The following gives a simple overview of what happens to your personal information when you visit our website. Personal information is any data with which you could be personally identified. Detailed information on the subject of data protection can be found in our privacy policy found below.

Who is responsible for the data collection on this website?

The data collected on this website are processed by the website operator. The operator’s contact details can be found in the website’s required legal notice.

How do we collect your data?

Some data are collected when you provide it to us. This could, for example, be data that you sent us with an email.

Other data are collected automatically by our IT systems when you visit the website. These data are primarily technical data such as the requested URL or when you accessed the page. These data are collected automatically as soon as you enter our website.

What do we use your data for?

Part of the data is collected to ensure the proper functioning of the website. Other data can is used to analyze how visitors use the site.

What rights do you have regarding your data?

You always have the right to request information about your stored data, its origin, its recipients, and the purpose of its collection at no charge. You also have the right to request that it be corrected, blocked, or deleted. You can contact us at any time using the address given in the legal notice if you have further questions about the issue of privacy and data protection. You may also, of course, file a complaint with the competent regulatory authorities.

Data protection

We treat your personal data as confidential and in accordance with the statutory data protection regulations and this privacy policy.

If you use this website, various pieces of personal data will be collected. Personal information is any data with which you could be personally identified. This privacy policy explains what information we collect and what we use it for. It also explains how and for what purpose this happens.

Data transmitted via the internet (e.g. via email communication) may be subject to security breaches. Complete protection of your data from third-party access is not possible.

Responsible for this website

The party responsible for processing data on this website is:

Kevin Papst, Schweidlgasse 46/1/13, 1020 Vienna (Austria)
Telephone: +49 (0)30 12087229
Email: support@kimai.org
EU-VAT Id: ATU75657727

The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (names, email addresses, etc.).

Revocation of your consent to the processing of your data

Many data processing operations are only possible with your express consent. You may revoke your consent at any time with future effect. An informal email making this request is sufficient. The data processed before we receive your request may still be legally processed.

Right to file complaints with regulatory authorities

If there has been a breach of data protection legislation, the person affected may file a complaint with the competent regulatory authorities. The competent regulatory authority for matters related to data protection legislation is the data protection officer of the German state in which our company is headquartered. A list of data protection officers and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Right to data portability

You have the right to have data which we process based on your consent or in fulfillment of a contract automatically delivered to yourself or to a third party in a standard, machine-readable format. If you require the direct transfer of data to another responsible party, this will only be done to the extent technically feasible.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and for the protection of the transmission of confidential content, such as the inquiries you send to us as the site operator.

If SSL or TLS encryption is activated, the data you transfer to us cannot be read by third parties.

Information, blocking, deletion

As permitted by law, you have the right to be provided at any time with information free of charge about any of your personal data that is stored as well as its origin, the recipient and the purpose for which it has been processed. You also have the right to have this data corrected, blocked or deleted. You can contact us at any time using the address given in our legal notice if you have further questions on the topic of personal data.

Data collection

Cookies

Some of our web pages use cookies. Cookies help make our website more user-friendly. Cookies are small text files that are stored on your computer and saved by your browser. Most of the cookies we use are so-called “session cookies.” They are automatically deleted after your visit. Other cookies remain in your device’s memory until you delete them. These cookies make it possible to recognize your browser when you next visit the site.

You can configure your browser to inform you about the use of cookies so that you can decide on a case-by-case basis whether to accept or reject a cookie. Alternatively, your browser can be configured to automatically accept cookies under certain conditions or to always reject them, or to automatically delete cookies when closing your browser. Disabling cookies may limit the functionality of this website.

Cookies which are necessary to allow electronic communications or to provide certain functions you wish to use (such as the shopping cart) are stored pursuant to Art. 6 paragraph 1, letter f of DSGVO. The website operator has a legitimate interest in the storage of cookies to ensure an optimized service provided free of technical errors. If other cookies (such as those used to analyze your surfing behavior) are also stored, they will be treated separately in this privacy policy.

Server Hosting and location

The service runs on the Cloud of the Hetzner Online GmbH (Germany). Server location is Falkenstein, Germany.

Server log files

The website provider does not collects or store any personal information in “server log files”. Only in cases of errors the request time and error reason is stored. This data will be automatically deleted after 7 days. This data will not be combined with data from other sources. The basis for data processing is Art. 6 (1) (b) DSGVO, which allows the processing of data to fulfill a contract or for measures preliminary to a contract.

Registration

In order to use the Kimai time tracking software, you must register via the website. The information required for registration can be found in the registration form. The provision of the data, which is marked as mandatory, is mandatory for the registration to be completed. If you register via an authentication provider (such as Google or GitHub), the data will be automatically transferred to me by this provider, through a process called OAuth. If you register manually via email, a Recaptcha verification needs to be solved which is served by Google. The authentication provider used will be notified of each login process on the website that you perform using this provider. The data provided will be processed for the purpose of providing the service. The processing is based on the legal basis of Art. 6 para. 1 sentence. 1 b DSGVO.

Order of a Kimai-Cloud plan

If you should decide for a chargeable plan, your invoice and payment data is processed for the purpose of contract fulfilment. The provision of invoice and payment data is mandatory for the conclusion of the contract. Insofar as it is necessary for the fulfilment of the contract, data is also transmitted to third parties (e.g. to the payment service provider or the commissioned credit institution). The legal basis for data processing is Art. 6 Para. 1 S. 1 b DSGVO.

Emails and Newsletter

We use Brevo to send newsletters and emails regarding our services (both for plugins and cloud).

By logging into the system and creating a Kimai Cloud, your email address and name is processed for the purpose of fulfilling the contract. Insofar as it is necessary for the fulfilment of the contract, data is also transmitted to third parties (e.g. to the email provider).

If you sign up to receive our newsletter, the data requested during the registration process (your email address) will be processed by Brevo. For this your IP address and the date of your registration will be saved along with the time. As a further part of the registration process, your consent to the sending of the newsletter will be obtained, the content will be described in concrete terms and reference made to this data protection declaration.

The newsletters sent by Brevo contain technologies by which we can analyse whether and when an email was opened and whether and which links contained in the newsletter were followed. We save this data in addition to the technical data (system data and IP address) so that the respective newsletter can be best tailored to your wishes and interests. The data thus collected is used to continuously improve the quality of our newsletters.

The legal basis for data processing is Art. 6 Para. 1 S. 1 b DSGVO.

Consent to the newsletter being sent can be revoked at any time with future effect in accordance with Art. 7 Para. 3 GDPR. To do this, you only have to inform us of your revocation or click the unsubscribe link contained in each newsletter.

YouTube

The website uses plugins from YouTube, which is operated by Google. The operator of the pages is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. If you visit one of the pages featuring a YouTube plugin, a connection to the YouTube servers is established. Here the YouTube server is informed about which of the pages you have visited. If you’re logged in to your YouTube account, YouTube allows you to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. YouTube is used to help make the website appealing and transfer knowledge about Kimai. Further information about handling user data, can be found in the data protection declaration of YouTube under https://policies.google.com/privacy. This constitutes a justified interest pursuant to Art. 6 (1) (f) DSGVO.

Simple Analytics

To get critical information about the behavior of our visitors, we use Simple Analytics. This analytics software gives us insight about our visitors only in general, but not about individuals per say, as it does not track visitors and does not store any personal identifiable information. Go to their documentation to find out what Simple Analytics collects (and most importantly what they don’t).

Google Fonts

For uniform representation of fonts, this page uses web fonts provided by Google. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. The use of Google Web fonts is done in the interest of a uniform and attractive presentation of our website. This constitutes a justified interest pursuant to Art. 6 (1) (f) DSGVO.

Gumroad

When you want to buy a plugin and click the “Buy” buttons in the shop, you are redirected to the software selling platform Gumroad.

For purposes of European data protection legislation, Gumroad is the controller of personal information that are collected for their own business purposes during the shopping and payment process.

LemonSqueezy

When you want to buy a plugin and click the “Buy” buttons in the shop, you are redirected to the software selling platform Lemon Squeezy.

For purposes of European data protection legislation, Lemon Squeezy is the controller of personal information that are collected for their own business purposes during the shopping and payment process.

Hetzner Cloud

The service runs on the Cloud of the Hetzner Online GmbH (Germany). Server location is Falkenstein, Germany.

Duration of storage

Unless otherwise stated in the previous information, your data will only be stored for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise from commercial or tax law regulations.

Subprocessor

We are using the following service providers (also called sub-processors) to assist with data processing:

Brevo: Emails, Newsletter, Link, Privacy policy, Info
Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany

GitHub: OAuth login, Link, Privacy policy
GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA

Google: OAuth login, YouTube Videos, Re-captcha verification, Link, Privacy policy
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Gumroad: Plugin Marketplace Link, Privacy policy
Gumroad, Inc., 548 Market St, San Francisco, CA 94104-5401, USA

Hetzner: Server Hosting, Link, Privacy policy
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany

Lemon Squeezy: Plugin Marketplace Link, Privacy policy
Lemon Squeezy, 222 Main Street Suite 500 , Salt Lake City, UT 84101, USA

Simple Analytics: Anonymous statistics, Link, Privacy policy
Simple Analytics B.V., Jacob van Lennepstraat 78 H, 1053 HM Amsterdam, Netherlands

Stripe: Payment and contract management, Link, Privacy policy
Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA

Change history

• 18.03.2024: Replaced “Sendinblue France” with “Brevo Germany”, added Simple Analytics for transparency reasons
• 14.11.2023: Recaptcha verification via Subprocessor “Google” re-added
• 25.04.2021: Recaptcha verification via Subprocessor “Google” removed
• 01.01.2021: Change of contact details after moving from Germany to Austria
• 18.12.2020: Removed “Gumroad” and “Google” (Email), added “SendInBlue” (Email), added details to “Subprocessor”
• 14.10.2020: Recaptcha verification via Subprocessor “Google” added
• 04.12.2019: Added “Hetzner” (Hosting), added section “Emails” and “Subprocessor”