GDPR declaration
Last updated: June 2026
1. About this declaration
This GDPR declaration explains how SiteClockr (the service operated for organisation account holders) processes personal data in line with the EU General Data Protection Regulation (GDPR) and the UK GDPR where applicable.
It supplements our Privacy & cookies notice. For day-to-day cookie and employee-facing privacy information, see that page.
2. Roles under GDPR
- Your organisation (employer) is the data controller for employee clock-in data, site records, and HR-related information entered into SiteClockr.
- SiteClockr acts as a data processor, processing personal data only on documented instructions from the controller (your organisation) and for the purpose of providing the time-tracking service.
- For account billing, support, and service operation relating to organisation admins, SiteClockr may act as an independent controller for a limited set of contact and billing data.
3. Categories of personal data processed
| Category | Examples | Typical source |
|---|---|---|
| Identity & contact | Name, username, email, phone (if provided) | Employer / employee via the service |
| Working time records | Clock-in/out times, site, role, optional GPS coordinates | Employees using clock-in or admin entry |
| Organisation data | Company name, address, logo, site configuration | Organisation administrators |
| Technical & security | IP address, browser type, login timestamps, audit logs | Automatic when using the service |
| Billing (paid plans) | Subscription status, payment references via Stripe | Organisation account holder |
4. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing time-tracking and related features under your organisation’s account | Performance of contract (Art. 6(1)(b)) — between SiteClockr and the organisation; processing of employee data on the controller’s instructions (Art. 28) |
| Payroll, tax, and employment-law record-keeping by the employer | Determined by the employer as controller — typically legal obligation or legitimate interests |
| Service security, fraud prevention, and incident response | Legitimate interests (Art. 6(1)(f)) |
| Subscription billing and account management | Performance of contract (Art. 6(1)(b)) |
5. Data subject rights
Under GDPR, individuals may have the following rights, subject to conditions and exceptions in law:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making (SiteClockr does not use automated decisions with legal effect)
Employees and site workers: contact your employer (the data controller) in the first instance. They can export, correct, or delete records through SiteClockr admin tools where your organisation allows it.
Organisation account holders: email privacy@siteclockr.ie. We will respond within one month, or inform you if an extension is required.
6. Security and confidentiality
SiteClockr implements appropriate technical and organisational measures, including:
- Encrypted transport (HTTPS) for data in transit
- Access controls and authenticated sessions for admin and employee portals
- Logical separation of organisation (tenant) data
- Regular backups and a monitored hosting environment
- Staff and contractor confidentiality obligations
In the event of a personal data breach likely to affect your organisation’s data, we will notify the controller without undue delay and assist with regulatory notification where required.
7. Sub-processors
SiteClockr uses the following categories of sub-processors to deliver the service:
- Hosting — application and database hosting in the deployment region
- Stripe — payment processing for paid subscriptions (organisation billing data only)
- Email delivery — transactional email (e.g. password reset), where configured
Sub-processors are bound by written agreements requiring GDPR-compliant data protection. Material changes to sub-processors will be communicated to organisation account holders.
8. International transfers
Personal data is primarily processed within the European Economic Area (EEA). Where a sub-processor transfers data outside the EEA, appropriate safeguards apply (such as Standard Contractual Clauses or an adequacy decision).
9. Retention
Clock-in and organisation data are retained for as long as the organisation’s account is active and as needed for the controller’s legal, payroll, and employment obligations. Organisation admins may export or delete records within the service where those features are available. Server and security logs are kept for a limited period.
10. Supervisory authority
You have the right to lodge a complaint with a supervisory authority. In Ireland, this is the Data Protection Commission (dataprotection.ie). UK residents may contact the Information Commissioner’s Office (ICO).
11. Contact
Data protection enquiries and organisation account requests: privacy@siteclockr.ie
12. Changes
We may update this declaration from time to time. The “Last updated” date at the top of this page will reflect material changes. Continued use of the service after an update constitutes acceptance of the revised declaration where permitted by law.