Privacy Policy
Last updated: February 16, 2026
1. Data Controller
The data controller for this website is:
Alexander Friesen (Sole Proprietorship)
Triftstraße 9
33175 Bad Lippspringe
Germany
Email: info@zeity.co
2. Hosting and Data Processors
This website is hosted in Germany with OVH. The server location is in Europe.
Hosting Provider (Data Processor under Art. 28 GDPR):
OVH GmbH
Dudweilerstr. 1
66111 Saarbrücken
Germany
A Data Processing Agreement (DPA) has been concluded with OVH to ensure the protection of your data.
Processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and efficient provision of our website).
3. Data Collected and Purpose of Processing
3.1 User Account
When registering and using Zeity, we process the following data:
- Name: For identification and personalization
- Email Address: For authentication and communication
- Profile Picture (optional): To personalize your account
- Email Verification Status: To ensure the validity of your email address
- Timestamps: Account creation and last update
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)
3.2 Authentication
We use modern authentication methods:
- Passkeys/WebAuthn: Public keys, counters, and device transport information
- One-Time Passwords (OTP): Temporary codes for secure login
- OAuth Providers: Account IDs and scopes from third-party providers (e.g., Google, Apple, Microsoft)
Note on OAuth Providers: When using OAuth logins (Google, Apple, Microsoft), data is transmitted to third-party providers, some of which are based in third countries (e.g., USA). The transfer is based on Standard Contractual Clauses under Art. 46 GDPR or adequacy decisions. You can decline the use of OAuth providers and use Passkeys or email authentication instead.
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Art. 6 para. 1 lit. f GDPR (legitimate interest in security)
3.3 Organizations and Teams
For collaboration in organizations, we store:
- Organization Data: Name, image, quotas
- Memberships: User roles in organizations
- Teams: Team name, description, permissions
- Invitations: Email addresses for organization invitations
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)
3.4 Time Tracking
Core functionality of the application:
- Time Entries: Type, start time, duration, notes
- Projects: Project name, status, notes
- Assignment: Links to user, project, and organization
Access within the Organization: Organization members with appropriate permissions (depending on their role) can view working hours to fulfill employment contract and project-related billing obligations as well as for business analysis purposes. Access is granted exclusively within the scope of assigned permissions.
Legal Basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)
3.5 Contact Form
When you send us a message via the contact form, we process the following data:
- Name: To address you personally
- Email Address: To respond to your inquiry
- Company (optional): For better classification of your inquiry
- Phone Number (optional): For follow-up questions
- Subject and Message: Content of your inquiry
- Timestamp: Time of the message
- IP Address: For abuse prevention
The data is used exclusively to process your inquiry and is sent to info@zeity.co. Emails are sent via Proton Mail (see section 3.6).
Retention Period: Contact inquiries are deleted after processing and expiration of legal retention periods, at the latest after 3 years.
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in processing inquiries) or Art. 6 para. 1 lit. b GDPR for contract initiation.
3.6 Email Delivery (Proton Mail)
For sending emails (transactional emails, invitations, notifications, contact form responses), we use Proton Mail.
Service Provider:
Proton AG
Route de la Galaise 32
1228 Plan-les-Ouates
Geneva, Switzerland
Website: https://proton.me/mail
Processed Data:
- Email addresses (sender and recipient)
- Email content (encrypted)
- Timestamps
- Metadata (subject, size)
Privacy: Proton Mail offers end-to-end encryption and is based in Switzerland, which has an adequate level of data protection (EU Commission adequacy decision).
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in secure email delivery) or Art. 6 para. 1 lit. b GDPR for contract-related emails.
3.7 Server Logs
When visiting our website, the following data is automatically stored in server log files:
- IP address (shortened/anonymized)
- Date and time of request
- Requested page
- HTTP status code
- Amount of data transferred
- Referrer URL
- Browser and operating system
Purpose: Ensuring system security, error analysis, and abuse detection.
Retention Period: Server logs are automatically deleted after 14 days.
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in IT security).
4. Data Sharing and Data Processors
Your data will only be shared in the following cases:
- Hosting Provider (OVH): For technical provision of services (Data Processor under Art. 28 GDPR)
- Email Service Provider (Proton Mail): For sending emails (Switzerland, adequate level of data protection)
- Organization Members: Other members of your organization with appropriate role permissions can view relevant time tracking data to fulfill employment contract and project-related billing obligations as well as for business analysis purposes
- Legal Obligations: In response to legally justified requests from authorities
Data transfer to third countries outside the EU/EEA only occurs:
- When using OAuth providers (Google, Apple, Microsoft) based on your consent
- With Proton Mail (Switzerland) based on the EU Commission adequacy decision
5. Retention Period
- Active Accounts: Data is stored as long as your account is active
- Deleted Accounts: After account deletion, personal data will be deleted within 30 days
- Contact Inquiries: 3 years after processing
- Server Logs: 14 days
- Legal Retention Requirements: Potentially longer storage if legally required (e.g., invoices 10 years under German tax law)
- Authentication Challenges: Automatic deletion after expiration
- OTP Codes: Automatic deletion after expiration
6. Your Rights
You have the following rights under GDPR:
- Access (Art. 15 GDPR): Information about your stored data
- Rectification (Art. 16 GDPR): Correction of incorrect data
- Erasure (Art. 17 GDPR): Deletion of your data ("right to be forgotten")
- Restriction (Art. 18 GDPR): Restriction of processing
- Data Portability (Art. 20 GDPR): Receive your data in a structured format
- Objection (Art. 21 GDPR): Object to processing
- Withdrawal (Art. 7 para. 3 GDPR): Withdraw given consents
Right to Complain: You have the right to lodge a complaint with a data protection supervisory authority.
Competent Supervisory Authority:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
P.O. Box 20 04 44
40102 Düsseldorf
Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
7. Data Security
We implement technical and organizational security measures:
- Encryption: HTTPS/TLS encryption for data transmission
- Modern Authentication: Passkeys and two-factor authentication
- Access Control: Role-based permissions in organizations
- Server Location: Hosting in Germany with high security standards
8. Web Analytics with Plausible Analytics
We use Plausible Analytics, a privacy-friendly web analytics software, to analyze the usage of our website. The software is self-hosted and runs on our own servers.
Data Collected:
- Anonymized IP addresses (not fully stored)
- Visited pages
- Referring website
- Browser type and device information
- Geographic region (at country level)
Privacy-Friendly Features:
- No cookies or local storage
- No tracking across multiple websites
- No collection of personal data
- Complete anonymization of data
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in anonymous analysis of user behavior to optimize our website)
9. Cookies and Local Storage
Zeity uses essential cookies and local storage for application functionality.
Cookies Used:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| session | Session management, authentication | Session (until logout) | Essential |
| locale | Language setting | 1 year | Functional |
Local Storage (localStorage/IndexedDB):
- Time tracking data for offline use (PWA)
- User settings and preferences
- Cached data for performance optimization
You can delete data stored in your browser at any time via browser settings.
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in functionality)
10. Automated Decision-Making and Profiling
We do not use automated decision-making within the meaning of Art. 22 GDPR. No profiling takes place that produces legal effects or similarly significantly affects you.
11. Changes to This Privacy Policy
We reserve the right to adapt this privacy policy to comply with changes in legislation or changes to our services. The current version can always be found on this page.