Privacy policy
This privacy policy describes how Monto Bleu BV, owner and operator of TimeTic, processes personal data in the context of the TimeTic time-tracking service. It has been drawn up in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Who are we?
Monto Bleu BV
Heidebergstraat 14, 3120 Tremelo, Belgium
Company registration number (CBE) / VAT: BE 0543.842.970
Privacy contact: privacy@timetic.app
Website: https://timetic.app, Application: https://app.timetic.app
In this policy we refer to ourselves as "TimeTic", "we" or "us".
2. To whom and to what does this policy apply?
This policy applies to:
- visitors to timetic.app (including the contact form);
- customers and account administrators of app.timetic.app (employers, directors, managers);
- employees who record their hours via TimeTic;
- partners participating in our partner programme;
- prospects and persons who contact us.
3. Our role under GDPR – data processor or data controller?
Our role differs depending on the data stream in question:
| Who / what | Our role | Data controller |
|---|---|---|
| Employee data (hours, GPS, employee account data) | Data processor | The employer using TimeTic |
| Company account, administrators, billing | Data controller | TimeTic |
| Partner accounts and commission payments | Data controller | TimeTic |
| Visitors to timetic.app + contact form | Data controller | TimeTic |
For employee data, the employer is the data controller and TimeTic acts solely as data processor pursuant to art. 28 GDPR. The employer determines the purpose ("recording hours in compliance with the statutory obligation") and the means ("via TimeTic"). The terms under which TimeTic processes this data are set out in the Data Processing Agreement in Annex A of this document, which forms an integral part of our service agreement with each business customer.
4. What personal data do we process?
4.1 Employees (TimeTic = data processor)
| Category | Data | Collection point |
|---|---|---|
| Identification | First name, surname, gender, date of birth | When employee is added by the employer |
| Contact (optional) | Email address | Only if web login is required |
| Authentication | Personal PIN code (stored as a cryptographic hash) | Upon activation |
| Time registration | Timestamps for start, pause and stop | At each clock-in event |
| Location | GPS coordinates (see §6) | At each clock-in event via mobile app |
| Audit | Date/time of login, method used (QR + PIN, tablet, web) | Continuously |
Gender and date of birth are requested in order to unambiguously distinguish employees with identical or similar names in reports and exports.
4.2 Company account holders and administrators (TimeTic = data controller)
- Name, email address, job title (optional)
- Company details (company name, company registration number (CBE)/VAT number, address)
- Login credentials (email + cryptographic hash of authentication data)
- Billing and payment data (processed via Stripe)
- Communication with our support team
4.3 Partners
- Company details (company name, company registration number (CBE)/VAT number, address)
- Contact person (name, email)
- Payment details for commissions (processed via Stripe Connect)
- Assigned referrals and associated commissions
4.4 Visitors to timetic.app (contact form)
- Name, email address, message content
- Any additional fields you voluntarily complete (phone, company name, etc.)
5. Purposes and legal bases
| Purpose | Legal basis | Controller |
|---|---|---|
| Time registration and reporting | Legal obligation (Social Criminal Code; working time registration) | Employer |
| GPS verification at clock-in | Legitimate interest of the employer (accurate time registration, mobile employees), framework of CBA No. 81 | Employer |
| Provision of the TimeTic service to the employer | Performance of a contract | TimeTic |
| Company account management and billing | Performance of a contract + legal obligation (Accounting Act) | TimeTic |
| Partner programme and commission | Performance of a contract | TimeTic |
| Marketing email (newsletter, product updates) | Consent (opt-in at registration) | TimeTic |
| Handling contact form submissions | Legitimate interest / pre-contractual steps | TimeTic |
| Security, fraud detection and abuse prevention | Legitimate interest | TimeTic |
Consent for marketing can be withdrawn at any time via the unsubscribe link in any email or via privacy@timetic.app.
6. GPS location data – special provisions
When an employee clocks in (start, pause, stop) via the mobile application, the GPS location of the device is read at that moment. This location data:
- is read only at the moment of a clock-in event: not continuously;
- is stored together with the employer's time registration reports;
- is accurate to within a few metres;
- is visible only to the employer and their designated administrators.
Device-level location permission: Operating systems (iOS / Android) explicitly ask the employee for permission to share location with the TimeTic app; this OS permission is distinct from the information and consultation duties that rest with the employer (see below). Without that permission, it is not possible to clock in via the mobile app. Alternatively, employees may clock in using a shared device (tablet) at the workplace with a personal PIN code, to the extent that this fits within the employer's organisational arrangements.
Employer obligations: The employer is responsible for complying with the Belgian rules on employee monitoring, in particular CBA No. 81 and the principle of prior, transparent information to employees. TimeTic merely provides the technical framework; the employer must fulfil its own internal procedures, communication obligations and any consultation requirements.
Comparison with predefined workplaces: The employer may configure one or more workplaces in their account where employees are expected to clock in. At each clock-in event, TimeTic compares the transmitted GPS coordinates with those workplaces and displays the result to the employer via a colour code in the reports (for example green when the clock-in falls within the expected zone, amber or red in the event of a deviation). TimeTic does not automatically block clock-in events based on this check; the employer decides independently how to handle deviations.
7. Retention periods
| Data | Retention period |
|---|---|
| Time registrations (incl. GPS) | 5 years: statutory retention obligation |
| Employee account (basic data) | For as long as the account is active with the employer; thereafter pseudonymised within the 5-year retention period applicable to time registrations |
| Employee web-login email address | For as long as the account is active (the employer decides when to close it) |
| Company account (customer) | For the duration of the agreement + 7 years for billing data (Accounting Act) |
| Partner account | For the duration of the partnership + 7 years for payout data |
| Contact form messages | Maximum 24 months, unless a customer relationship has arisen |
| Access and security logs | 12 months |
| Backups | Maximum 90 days, then automatically overwritten |
| Marketing consents | Until consent is withdrawn, then immediately removed from the mailing list |
Termination by the employer: When an employer cancels their TimeTic account, we provide the complete time registration history (up to 5 years) for all employees to the primary account administrator via a secure channel. This enables the employer to comply with their statutory retention obligation. We then delete the active data from our production system (taking into account our backup cycle). It is the employer's responsibility to handle this data securely after transfer.
"Deletion" by an administrator: When an administrator removes an employee within the account, the account is closed but the time registrations (and the minimum identification data associated with them) are retained for as long as the statutory retention obligation runs. Full deletion follows upon expiry of that period.
8. With whom do we share personal data? (sub-processors)
We share personal data only with sub-processors that apply security standards equivalent to or stricter than our own, and solely for the purposes listed below.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc., via EU region) | Database and authentication | EU |
| Resend (Resend Inc.) | Sending transactional emails (welcome emails, magic links) | EU |
| Stripe Payments Europe Ltd. | Payment processing and partner payouts | Ireland (EU), may involve limited international transfer for fraud prevention |
| Vercel Inc. | Hosting of app.timetic.app (frontend and API) | EU region with SCCs for support from the US |
| Cloudflare Inc. | DNS, security and bot protection (Turnstile) | Global edge network with SCCs |
We never sell personal data to third parties and do not use it for advertising or profiling.
9. Transfers outside the European Economic Area
Our primary infrastructure (database, hosting, mailing) is located in the EU. For certain sub-processors (Stripe, Vercel, Cloudflare), limited ancillary processing outside the EEA may take place. In such cases, the transfer is based on the Standard Contractual Clauses (SCCs) of the European Commission, supplemented by appropriate technical measures (encryption in transit and at rest).
10. Security
We implement appropriate technical and organisational measures to protect personal data against loss, misuse or unauthorised access. These include:
- Encryption in transit: all communication runs over TLS;
- Hashed credentials: PIN codes and passwords are stored only as cryptographic hashes, never in readable form; hashing is one-way, unlike encryption, so there is no key that could be used to recover the original PIN or password;
- Access control on a least-privilege basis, with separate environments for production and testing;
- Audit logging of administrative actions;
- Monitoring of suspicious activity and automated bot protection on login and registration forms;
- Periodic review and updates of our security measures.
Specific technical details are not shared publicly so as not to give potential attackers useful information. If you suspect a data breach or misuse, please email us immediately at privacy@timetic.app.
11. Cookies
app.timetic.app currently places only strictly necessary and functional cookies. We do not currently deploy analytics, marketing or tracking cookies on the application. If that changes in the future (for example for measuring conversions or optimising our website), we will update this policy and provide (where legally required) a prior consent mechanism as described in §11.4.
11.1 Strictly necessary cookies
| Name | Purpose | Lifetime |
|---|---|---|
| sb-…-auth-token | Stores your Supabase session so that you remain logged in | 30 days |
| sb-…-auth-token-code-verifier | Cryptographic verifier for magic-link sign-in | Session (max 1 h) |
| cf_* | Cloudflare Turnstile bot protection on login / registration | Short-lived |
11.2 Functional cookies
| Name | Purpose | Lifetime |
|---|---|---|
| referral_code | Remembers which partner introduced you to TimeTic, for commission attribution | 90 days |
| referral_sig | Cryptographic signature to prevent tampering with referral_code | 90 days |
First-party cookies are, where possible, Secure, HttpOnly and SameSite=Lax.
11.3 Why no cookie consent banner?
Under art. 5(3) of the ePrivacy Directive (in Belgium: art. 129 §2 of the Electronic Communications Act) consent is not required for cookies that are strictly necessary for the service explicitly requested by the user. All cookies listed above fall within that exception.
11.4 Future cookies
Should we in the future place cookies that do require consent (such as analytics or conversion tracking), we will introduce a prior cookie consent banner and update this policy accordingly.
11.5 Management
You can always delete cookies via your browser settings. Without the Supabase session cookie you will not be able to remain logged in and will need to sign in again.
12. Your rights
Under the GDPR you have the following rights:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten"), subject to statutory retention obligations (see §7)
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interest
- Right to withdraw consent (for processing based on consent)
- Right not to be subject to automated decision-making with legal effects: we do not carry out any such processing
How do you exercise these rights?
- Are you an employee wishing to exercise rights over time registration or GPS data? Please contact your employer in the first instance, as the data controller is the appropriate point of contact. We support employers in handling any well-founded request.
- Are you a customer, partner or visitor? Email us at privacy@timetic.app. We will respond within one month, in accordance with art. 12(3) GDPR.
Complaints
If you are dissatisfied with the way we handle your data, you may at any time lodge a complaint with the Belgian Data Protection Authority (DPA):
Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be, www.gegevensbeschermingsautoriteit.be
13. Changes to this policy
We may update this policy, for example in the event of changes in legislation, new functionalities or new sub-processors. The current version is always available on timetic.app (in every available language version of the site) with version number and date. We will proactively communicate material changes to our customers.
14. Contact
For all privacy-related questions, data subject rights, complaints or data breach notifications: privacy@timetic.app. Email is our sole channel for this purpose, ensuring everything remains traceable.
15. Governing law and jurisdiction
This privacy policy is governed by Belgian law. In the event of a dispute, the courts of the district of Leuven shall have exclusive jurisdiction, without prejudice to the right of consumers to lodge a complaint with the competent supervisory authority or the court of their place of residence where the law mandates this.
Annex A: Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter the "DPA") forms an integral part of the agreement between Monto Bleu BV ("Processor") and the business user of TimeTic ("Controller"), hereinafter jointly referred to as the "Parties".
A.1 Subject matter
The Controller instructs the Processor to process personal data in the context of delivering the TimeTic time-tracking service for employees.
A.2 Nature, duration and purpose of the processing
- Nature: storage, retrieval, structuring, export and deletion of time registration data and associated employee data.
- Purpose: enabling the Controller to comply with its statutory obligations relating to working time registration and the management of employee working time.
- Duration: for the duration of the agreement between the Parties, plus any applicable statutory retention obligations thereafter.
A.3 Categories of data subjects and data
- Data subjects: employees, freelancers and other persons engaged by the Controller.
- Data: as described in §4.1 of the privacy policy (identification, authentication, time registration, GPS, audit logs).
A.4 Obligations of the Processor
The Processor shall:
- process personal data solely on the basis of documented instructions from the Controller, unless otherwise required by law;
- ensure that persons authorised to process personal data are bound by an obligation of confidentiality;
- implement appropriate technical and organisational measures in accordance with art. 32 GDPR (see §10 of the privacy policy);
- engage sub-processors only with prior general authorisation (see §8 of the privacy policy); the Controller may object to the addition of a new sub-processor within 14 days of notification;
- assist the Controller with data subject requests, data breaches (art. 33 GDPR) and data protection impact assessments (art. 35 GDPR);
- notify the Controller of a data breach within 48 hours of becoming aware of it, with the information necessary for the Controller to fulfil its notification obligation to the DPA;
- upon termination of the agreement, delete or return all personal data, subject to statutory retention obligations;
- make available to the Controller all information necessary to demonstrate compliance with art. 28 GDPR, and allow for audits on reasonable notice and at the Controller's expense.
A.5 Obligations of the Controller
The Controller shall:
- ensure that a valid legal basis exists for the processing;
- inform its employees about the processing in accordance with art. 13 GDPR and CBA No. 81 where applicable;
- comply with consultation procedures with the works council or trade union delegation where required by law;
- use TimeTic in accordance with the terms of use;
- be responsible for the secure storage of exported data after termination.
A.6 Sub-processors
General authorisation is granted for the sub-processors listed in §8 of the privacy policy. The Processor may update this list subject to prior notice of at least 14 days via email or in-app notification.
A.7 Transfers outside the EEA
Transfers outside the EEA take place only under the conditions set out in §9 of the privacy policy (SCCs and supplementary technical measures).
A.8 Liability
The liability of the Parties under this DPA is subject to the liability limitations set out in the main agreement, subject to statutory exceptions under art. 82 GDPR.
A.9 Governing law
This DPA is governed by Belgian law. Disputes fall within the exclusive jurisdiction of the courts of Leuven.
Version 1.0 – 6 May 2026 – Monto Bleu BV