Privacy Policy

1. Introduction

Welcome to Tapora!

Tapora is an online service that helps you track and log your work hours, whether you're using a recurring schedule, checking in and out of a work zone, or starting a timer manually. We’ve built Tapora to make work hour registration simple, accurate, and compliant — without the usual headaches.

This Privacy Policy explains how we collect, use, and protect your personal data when you use Tapora. It applies to all types of users: employees, freelancers, and organisations. Whether you’re logging hours for yourself or managing a team, we want you to understand what data we process and why.

We’re based in Denmark, which means your data is protected under strong EU privacy laws. If you're looking for detailed information about how we comply with the General Data Protection Regulation (GDPR), we also maintain a separate GDPR Policy.

What you should know

Tapora is a work hour registration tool for individuals and teams.
This policy explains how we handle your personal data.
It applies to employees, freelancers, and organisation admins.
We're based in Denmark and follow EU privacy rules.
GDPR-specific details are in a separate document.

2. Who We Are

Tapora is developed and operated by Tapora, a company registered in Denmark.

If you have questions about this Privacy Policy or how we handle your personal data, you're always welcome to get in touch. For data protection matters — including accessing or deleting your data — just contact us using the details below.

Company details:

  • Legal name: Tapora
  • Business address: Vissevej 121, 9210 Aalborg SØ, Denmark
  • Email: support@tapora.eu
  • Privacy-specific contact: Same as above

What you should know

Tapora is run by a Danish company.
You can contact us anytime at support@tapora.eu.
That's also the email to use for privacy-related requests.

3. What Data We Collect

We only collect the personal data we need to provide Tapora's core functionality — no more, no less. Below is an overview of the data we collect about you when you use the service.

a) Account Information

  • Full name
  • Email address
  • Timezone and language preferences
  • Country of residence
  • Avatar image (if provided)

b) Work Hour Logs

  • Start and end times of your work sessions
  • How each entry was created (schedule, geofence, or manual timer)
  • Break periods (start and end times)
  • References to the schedule or work zone used (if applicable)

c) Onboarding and Lifecycle Events

  • Your onboarding progress (e.g., which step you're on, whether onboarding is complete)
  • Key lifecycle events such as account creation, deletion, or policy acknowledgments

What you should know

We collect your name, email, and basic profile details.
We log when you start and stop work, take breaks, and how those entries were created.
If you use zone-based logging, we don't track or store your location — detection happens entirely on your device.
We track onboarding status and important account events (like sign-up).

4. Why and How We Use Your Data

We collect and use your personal data to make Tapora work smoothly and legally. Here's how we use your data, and why we're allowed to do so under EU law (specifically the General Data Protection Regulation — GDPR):

a) To Provide the Core Tapora Service

We use your data to log your work hours, display your activity, and manage your account. Without this, Tapora wouldn't function.

Legal basis:

  • Performance of a contract (Article 6(1)(b) GDPR)

b) To Comply with Legal Obligations

EU labour laws require that work time is registered in a reliable and accessible way. If you're employed by an EU company, our service helps your employer meet those legal requirements.

Legal basis:

  • Legal obligation (Article 6(1)(c) GDPR)

c) To Improve the User Experience

We track your onboarding progress and lifecycle events to help you get started and provide support where needed.

Legal basis:

  • Legitimate interest (Article 6(1)(f) GDPR) — to offer helpful and efficient onboarding

d) To Respond to Support Requests

If you contact us, we use the details you provide to follow up, resolve your issue, and keep a record of the interaction.

Legal basis:

  • Legitimate interest (Article 6(1)(f) GDPR) — to provide user support

e) To Manage Your Organisation's Settings and Users

If you're part of a team, we use your data to assign you to the correct organisation, team, or manager and apply the right settings to your account.

Legal basis:

  • Performance of a contract (Article 6(1)(b) GDPR)

We don't use your data for advertising, profiling, or resell it to third parties — ever.

What you should know

We use your data to run Tapora, help your employer comply with work hour laws, and guide you through onboarding.
We use legal grounds like "contract," "legal obligation," and "legitimate interest."
We don't sell your data or use it for advertising.

5. How and Where We Store Your Data

We store your personal data securely in the European Union using modern infrastructure and strong access controls. We apply a "privacy by design" approach from the ground up.

a) Where Your Data Is Stored

All personal data you enter into Tapora — including time logs, account details, and team assignments — is stored in our primary database located in Frankfurt, Germany. The Tapora website is also hosted in Frankfurt.

b) How We Keep Your Data Secure

We use a layered approach to security to keep your data safe:

  • Encrypted connections using TLS (certificates issued by Let's Encrypt)
  • Encrypted storage at rest
  • Row-Level Security to make sure users and organisations only access their own records
  • Role-based access controls and strict permissions on backend systems
  • Audit logging for sensitive actions
  • Minimal access to production systems based on least privilege
  • Regular software updates and vulnerability patches

c) How Long We Keep Your Data

We retain your data only as long as necessary to:

  • Provide Tapora's services
  • Comply with EU labour laws or other legal requirements
  • Resolve disputes or enforce our terms

By default, work hour data is retained for five (5) years. If your organisation deletes its account, personal data will be permanently removed from our systems within 30 days, unless we're required by law to retain it longer.

What you should know

Your data is stored in Frankfurt, Germany.
We use encryption, Row-Level Security, and access controls to keep it safe.
Work logs are retained for 5 years by default.

6. Who We Share Your Data With

We don't sell your data. Ever.

We only share your personal data with trusted service providers who help us deliver Tapora. These providers act as data processors on our behalf and are contractually obligated to handle your data securely and in accordance with EU privacy laws.

We currently share data with the following types of providers:

a) Hosting and Infrastructure

We use secure cloud infrastructure to host Tapora and store your data. These providers ensure reliability, speed, and data durability.

b) Authentication and Access Management

We rely on external tools to manage user authentication, identity verification, and secure login processes.

c) Email and Notifications

We send transactional emails — like onboarding guidance, password resets, and activity summaries — through a third-party provider. When we do this, we share your email address and, where applicable, your first name to personalize the message.

d) Billing and Payments

If your organisation subscribes to a paid plan, we use a payment processor to handle billing and invoicing. We do not store payment card details — only references to your customer and subscription ID.

All providers we use:

  • Are GDPR-compliant
  • Operate under a Data Processing Agreement (DPA)
  • Are only allowed to use your data for the specific service they provide

What you should know

We share limited data with providers that help run Tapora (like hosting, login, email, and billing).
For emails, we may include your first name to personalize the message.
All our partners are GDPR-compliant and legally bound to keep your data safe.
We never sell or trade your data. Period.

7. Your Rights

As an individual using Tapora — whether as an employee, freelancer, or admin — you have rights under the EU General Data Protection Regulation (GDPR). Here's what that means for you:

a) Right to Access

You can request a copy of the personal data we hold about you at any time.

b) Right to Rectification

If any of your data is incorrect or outdated (like a name or email address), you can ask us to fix it.

c) Right to Erasure ("Right to be Forgotten")

In some cases, you can ask us to delete your personal data — for example, if you close your account or we no longer need the data for its original purpose.

d) Right to Restrict Processing

You can ask us to temporarily stop using your data in certain situations — for example, if you're disputing its accuracy.

e) Right to Data Portability

You can request an export of your personal data in a structured, commonly used format (e.g., JSON or CSV), which you can move to another service.

f) Right to Object

You can object to us processing your data if you believe we don't have a legitimate reason to do so.

g) Right to Withdraw Consent

If we rely on your consent for any part of our processing (e.g., optional features), you can withdraw that consent at any time.

h) Right to Lodge a Complaint

If you have concerns about how we handle your data, you can file a complaint with your local Data Protection Authority (DPA). In Denmark, that's the Datatilsynet.

To exercise any of these rights, just send us an email at support@tapora.eu — we're here to help. We may ask for proof of identity before processing your request, to protect your privacy.

What you should know

You can access, fix, delete, or export your personal data.
You can object to how we process your data or ask us to pause.
If we ever rely on your consent, you can withdraw it.
For anything, just email support@tapora.eu — we're here to help.

8. International Data Transfers

We store and process all personal data within the European Union, and we do not transfer your data outside the EU/EEA.

Our infrastructure is hosted in Frankfurt, Germany, and we work exclusively with service providers who process data within the EU or offer equivalent legal protections under GDPR.

If we ever need to transfer your data outside the EU in the future (for example, to enable a feature or integration), we will:

  • Only work with providers that offer adequate protection (e.g., under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses),
  • Update this Privacy Policy accordingly, and
  • Give you clear notice before doing so.

What you should know

Your data stays in the EU — we don't send it abroad.
If that ever changes, we'll make sure it's secure and lawful under GDPR — and we'll let you know.

9. Changes to This Policy

We may update this Privacy Policy from time to time — for example, if we add new features, change how we handle data, or need to meet updated legal requirements.

When we make significant changes, we'll let you know. That might be through an email, an in-app notification, or a banner on the site. For smaller updates (like clarifying wording), we'll simply update the version date below.

We encourage you to check this page occasionally so you always know what's happening with your data.

Last updated: 07/04 2025

What you should know

We may update this policy if laws change or we add new features.
We'll notify you if the changes affect your rights or data.
You can always come back here to review the latest version.

10. Contact

If you have any questions about this Privacy Policy, your personal data, or how we handle privacy at Tapora, we'd love to hear from you.

Just send us a message at support@tapora.eu, and we'll get back to you as soon as we can.

If you're located in the EU and want to raise a concern with a data protection authority, you can contact your local authority — or reach out to Datatilsynet, the Danish Data Protection Agency.

What you should know

Questions about your privacy? Email us at support@tapora.eu
We're happy to help.
You can also contact a data protection authority if needed — for EU users, that includes Datatilsynet in Denmark.