Data Processing Agreement

Last Updated: February 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and TimeIn.one ("Processor"), pursuant to Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions and Roles

  • "Controller" means the customer (you) who determines the purposes and means of processing personal data through use of the TimeIn.one service.
  • "Processor" means Štěpán Kameník, operating as TimeIn.one (IČO: 05097215), who processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on personal data, as defined in Article 4(2) GDPR.

2. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the TimeIn.one time tracking and productivity service. Processing begins when the Controller creates an account and continues until the account is deleted and all associated data is removed in accordance with our retention policy.

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Providing and maintaining the time tracking service
  • User authentication and account management
  • Generating reports, dashboards, and analytics for the Controller
  • AI-powered weekly summaries and productivity insights (using OpenAI)
  • Integration with third-party services at the Controller's request (GitLab, Resource Guru, Google Calendar)

4. Types of Personal Data and Data Subjects

Categories of data subjects: Users of the Controller's TimeIn.one account, including employees whose time is tracked.

Types of personal data processed:

  • Identity data: name, email address
  • Authentication data: hashed passwords, OAuth tokens
  • Work data: time entries, project names, work descriptions, timer records
  • Integration data: GitLab URLs, Resource Guru project mappings
  • Technical data: IP addresses, browser information

5. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or member state law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security assessments
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the service, at the Controller's choice, and delete existing copies unless EU or member state law requires retention
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR obligations

6. Sub-Processors

The Controller provides general written authorization for the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list and provide the Controller with an opportunity to object.

Sub-Processor       | Purpose                                                           | Location
Vercel Inc.         | Application hosting, CDN, serverless functions, analytics         | United States
Neon Inc.           | PostgreSQL database hosting                                       | EU (Frankfurt)
OpenAI, L.L.C.      | AI-powered weekly summaries and productivity insights             | United States
Google LLC          | OAuth authentication (when used by Controller)                    | United States
GitLab Inc.         | Issue metadata retrieval (when integration enabled by Controller) | United States
Resource Guru Ltd.  | Scheduling data sync (when integration enabled by Controller)     | United Kingdom

7. International Data Transfers

Where personal data is transferred to sub-processors outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • EU-US Data Privacy Framework: Where applicable, the Processor relies on sub-processors' participation in the EU-US Data Privacy Framework (DPF), recognized by the European Commission as providing an adequate level of data protection. The Processor verifies sub-processors' current DPF certification status and applies alternative safeguards where certification cannot be confirmed.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply or a sub-processor's DPF certification cannot be confirmed, the Processor relies on the European Commission's Standard Contractual Clauses as the transfer mechanism.

8. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and during normal business hours.

9. Data Deletion

Upon termination of the service or at the Controller's request, the Processor shall delete all personal data within 30 days. Database backups containing personal data are retained for up to 90 days before automatic deletion. The Controller may export their data at any time before account deletion.

10. Contact

For questions about this DPA or to exercise your rights under it, contact us at stepan@kamest.dev.

Štěpán Kameník

Nad Stadionem 1310, Nové Město nad Metují, 549 01

Czech Republic

IČO: 05097215