GDPR Compliance

How Clocky complies with the General Data Protection Regulation (GDPR) and protects your data rights.


Overview

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that protects personal data and privacy for individuals within the EU and European Economic Area (EEA).

Key dates:

  • Enforcement date: May 25, 2018
  • Applies to: EU/EEA residents (and organizations processing their data)
  • Fines for non-compliance: Up to €20 million or 4% of global revenue

Clocky's commitment

We are fully committed to GDPR compliance:

  • ✅ Data protection by design and default
  • ✅ Transparent data practices
  • ✅ Respect for user rights
  • ✅ Secure data processing
  • ✅ Minimal data collection
  • ✅ Clear consent mechanisms

Your GDPR Rights

Article 15: Right to Access

What it means: You have the right to know what personal data we hold about you.

How to exercise:

/data-export

What you'll receive:

  • Complete copy of your data in JSON format
  • Delivered via DM within 24 hours
  • Includes all sessions, breaks, preferences
  • Machine-readable and portable

Free of charge: First request per year is free. Subsequent requests may incur reasonable fees.


Article 16: Right to Rectification

What it means: You can request correction of inaccurate or incomplete data.

How to exercise: Contact support via /support or privacy@clocky.bot

What we'll do:

  • Review your request within 7 days
  • Correct inaccurate data
  • Complete incomplete data
  • Notify you when done

Examples:

  • Incorrect session timestamps due to bug
  • Missing break records
  • Wrong timezone settings

Article 17: Right to Erasure ("Right to be Forgotten")

What it means: You can request deletion of your personal data.

How to exercise:

# Delete from current server
/data-delete current-server

# Delete from all servers
/data-delete all-servers

Timeline:

  • Immediate deletion (immediate policy)
  • Grace period deletion (7-365 days)
  • Approval required deletion (up to 30 days)

Exceptions (when we may refuse):

  • Legal retention requirements (employment law, tax law)
  • Pending legal claims
  • Compliance with legal obligations

Article 18: Right to Restriction of Processing

What it means: You can request we temporarily stop processing your data.

How to exercise: Contact privacy@clocky.bot

When applicable:

  • You contest accuracy of data (while we verify)
  • Processing is unlawful but you don't want deletion
  • We no longer need data but you need it for legal claims
  • You've objected to processing (while we verify)

Effect:

  • Data stored but not processed
  • Not included in stats or leaderboards
  • Not accessible to admins
  • Can be lifted when reason no longer applies

Article 20: Right to Data Portability

What it means: You can receive your data in a structured, machine-readable format and transfer it to another service.

How to exercise:

/data-export

Formats available:

  • JSON (machine-readable, best for transfers)
  • CSV (Excel, Google Sheets compatible)
  • PDF (Premium only, human-readable reports)

What's included:

  • All work sessions with timestamps
  • Break records
  • User preferences
  • Statistics metadata

Article 21: Right to Object

What it means: You can object to processing of your data.

How to exercise:

  • Object to leaderboard participation: /public visibility:off
  • Object to all processing: /data-delete

When it applies:

  • Processing based on legitimate interests
  • Direct marketing (if applicable)
  • Public interest or official authority

Our response:

  • Stop processing immediately unless we have compelling legitimate grounds

Article 22: Rights Related to Automated Decision Making

What it means: You have rights regarding automated decisions significantly affecting you.

Clocky's position:

  • ❌ We do NOT make automated decisions that significantly affect you
  • ❌ We do NOT use profiling
  • ❌ We do NOT use AI/ML for decisions about users
  • ✅ All admin actions require human review

Data Processing

Legal basis for processing

Under Article 6 of GDPR, we process data based on:

1. Contract performance (Article 6(1)(b)):

  • Providing time tracking service
  • Essential service functionality
  • Examples: Recording check-ins, calculating hours

2. Legitimate interests (Article 6(1)(f)):

  • Service improvement
  • Bug fixes and security
  • Fraud prevention
  • Our assessment: Interests don't override your rights

3. Consent (Article 6(1)(a)):

  • Leaderboard participation (explicit opt-in)
  • Marketing communications
  • Withdrawal: Can withdraw consent anytime

4. Legal obligation (Article 6(1)(c)):

  • Tax and accounting records (7 years)
  • Responding to lawful requests
  • Duration: Only as long as legally required

Data minimization (Article 5(1)(c))

We only collect data necessary for our service:

What we collect:

  • ✅ Discord User ID (to identify you)
  • ✅ Check-in/out timestamps (to track time)
  • ✅ Break times (to calculate worked time)
  • ✅ Leaderboard preference (to respect privacy)

What we don't collect:

  • ❌ Message content
  • ❌ Voice chat
  • ❌ IP addresses
  • ❌ Device info
  • ❌ Location data
  • ❌ Browsing history

Purpose limitation (Article 5(1)(b))

We only use data for stated purposes:

Primary purpose: Time tracking for Discord users

We do NOT:

  • ❌ Sell your data
  • ❌ Use for advertising
  • ❌ Share with third parties (except processors)
  • ❌ Use for AI training
  • ❌ Repurpose without consent

Storage limitation (Article 5(1)(e))

Data is only kept as long as necessary:

Tier      Retention  Reason
Free      1 year     Service provision
Premium   5 years    Service provision
Pro       10 years   Service provision
Lifetime  Unlimited  Contractual agreement
Billing   7 years    Legal obligation

Data security (Article 32)

We implement appropriate technical and organizational measures:

Technical:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Row-level security (RLS)
  • Regular security audits
  • Automated vulnerability scanning

Organizational:

  • Access controls (least privilege)
  • MFA required for database access
  • Security training for staff
  • Incident response plan
  • Data processing agreements with processors

Data protection by design (Article 25)

Built-in privacy:

  • Default to private (leaderboards opt-in)
  • Minimal data collection
  • Encryption by default
  • User-controlled deletion
  • Transparent processing

Exercising Your Rights

How to make requests

Automated (instant):

  • /data-export - Access your data
  • /data-delete - Erase your data
  • /public visibility:off - Object to leaderboards

Manual (within 7 days):

Our response timeline

GDPR requirement: 1 month maximum

Our commitment:

  • Automated requests: Instant to 24 hours
  • Manual requests: Within 7 days
  • Complex requests: Within 30 days
  • Extension notification: If we need more time

Identity verification

To protect your data, we may verify your identity:

For automated commands:

  • Discord authentication (you're logged in)
  • No additional verification needed

For email requests:

  • Discord username and User ID
  • Server where you use Clocky
  • Approximate last check-in date

We will NOT ask for:

  • ❌ Passwords
  • ❌ Payment details
  • ❌ Social security numbers
  • ❌ Government IDs (except where legally required)

No fee for reasonable requests

Free:

  • First data export per year
  • Deletion requests
  • Rectification requests
  • Objection requests

Possible fees:

  • Manifestly unfounded or excessive requests
  • Repeated requests (more than 1 per year)
  • Requests requiring disproportionate effort

We'll inform you: Before charging any fee


Data Protection Officer

Contact our DPO:

DPO responsibilities:

  • Monitor GDPR compliance
  • Handle data protection inquiries
  • Advise on data protection
  • Cooperate with supervisory authorities

Supervisory Authority

If you believe we're not complying with GDPR, you can lodge a complaint with your supervisory authority.

EU residents: Find your authority: edpb.europa.eu

Our lead supervisory authority:

  • Location: Will be determined based on operations

Before filing a complaint: Please contact us first at privacy@clocky.bot. We're committed to resolving issues directly.


Data Processing Agreements

Sub-processors

We use these sub-processors:

Supabase (Database):

  • Purpose: Data storage
  • Location: United States (AWS)
  • DPA: Standard Contractual Clauses (SCCs)
  • Security: SOC 2 Type II certified

Stripe (Payments):

  • Purpose: Payment processing
  • Location: United States
  • DPA: Available upon request
  • Security: PCI DSS Level 1

AWS (Infrastructure):

  • Purpose: Hosting, backups
  • Location: us-east-1
  • DPA: AWS GDPR DPA
  • Security: Multiple certifications

International transfers

Primary location: United States

EU data transfers:

  • Standard Contractual Clauses (SCCs)
  • Supplementary measures per Schrems II
  • Regular transfer impact assessments
  • EU data residency option (coming soon)

Frequently Asked Questions

Does GDPR apply to me if I'm not in the EU?

GDPR applies to EU/EEA residents, but we provide the same rights to all users globally.

How long does data deletion take?

It depends on your server's deletion policy. Deletion can be instant, or take up to 30 days in approval-required mode.

Can I delete data from just one server?

Yes. Use /data-delete current-server to delete only from the current server.

What if I withdraw consent?

For consent-based processing (leaderboards), withdrawal takes effect immediately. For contract performance, you'd need to stop using the service.

Will you notify me of data breaches?

Yes, within 24 hours if your data is affected.

