Privacy Policy

Last updated: March 13, 2026

RF Time Tracker ("the App") is operated by Rootforce ("we", "us", "our"). This privacy policy explains how we collect, use, store, and protect your personal data when you use our mobile and web application in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The App operates under a B2B model. Your employer or organization ("the Tenant") is the data controller for the time tracking data collected through the App. Rootforce acts as the data processor on behalf of the Tenant.

For questions about how your employer uses your data, please contact your organization's administrator.

2. Data We Collect

2.1 Account Information

DataPurposeLegal Basis
Email addressAuthentication and account identificationContract performance (Art. 6(1)(b) GDPR)
NameDisplay within the app to identify usersContract performance
PasswordAuthentication (stored as bcrypt hash, never in plain text)Contract performance

2.2 Time Tracking Data

DataPurposeLegal Basis
Time entry descriptionsRecord of work performedContract performance
Start and end timesWorking hours trackingContract performance
Project names and tagsWork categorizationContract performance
Break durationsAccurate working time calculationContract performance

2.3 Organization Data

DataPurposeLegal Basis
Tenant membershipAssociate users with their organizationContract performance
User role (user/admin)Access controlContract performance
Payroll information (hourly rate, salary)Timesheet calculations (if configured by admin)Contract performance

3. How We Use Your Data

We use your data exclusively to:

We do not:

4. Third-Party Services (Sub-Processors)

4.1 Google Cloud Platform (Data Storage)

All application data is stored on Google Cloud Platform (Firestore) in the Europe (europe-west1) region. Google provides encryption at rest and in transit. See Google Cloud Privacy.

4.2 Authentication Providers

The App offers sign-in via:

We only use the email and name provided by these services for authentication. We do not access your contacts, calendar, or other account data.

4.3 Sentry (Error Monitoring)

We use Sentry (sentry.io) to monitor application errors. When an error occurs, Sentry may receive:

We have configured Sentry to strip personal data (emails, passwords, authentication tokens) from error reports before they are sent. Sentry data is used solely to identify and fix bugs. See Sentry's Privacy Policy.

4.4 Complete Sub-Processor List

ServicePurposeData Location
Google Cloud Platform (Firestore)Data storageEurope (europe-west1)
Google Cloud RunApplication hostingEurope (europe-west1)
Sentry (Functional Software Inc.)Error monitoringEU

5. Data Storage and Security

6. Data Retention

Data TypeRetention Period
Active user accountsAs long as the account is active
Time tracking entriesAs long as the tenant account is active (minimum 10 years for business records per German tax law, AO §147)
Deleted user accountsAccount data is anonymized immediately upon deletion. Anonymized records are purged after 90 days.
Invite codesAutomatically expire after the configured period (default: 7 days)
Audit logsRetained for 1 year, then automatically deleted
Error reports (Sentry)90 days (Sentry default retention)

7. Your Rights (GDPR Articles 15-22)

As a data subject, you have the following rights:

To exercise any of these rights beyond what is available in the app, contact us at the address below.

Note: As your employer is the data controller, some requests may need to be directed to your organization's administrator.

8. International Data Transfers

All data is stored and processed within the European Union (Google Cloud europe-west1 region). We do not transfer personal data outside the EU/EEA. Sentry processes error data within the EU.

9. Children's Privacy

The App is a workplace tool not intended for use by children under 16 years of age. We do not knowingly collect personal data from children.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and affected individuals without undue delay (Art. 34 GDPR).

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of significant changes through the app or via email. The "Last updated" date at the top of this page indicates when this policy was last revised.

12. Contact

If you have questions about this privacy policy, your data, or wish to exercise your rights, contact us at:

Rootforce
Email: privacy@rootforce.com

For our Data Processing Agreement, see: Data Processing Agreement (DPA)