Privacy Policy
1. Data Controller Information
Company Name: Axeri Labs Bt.
Registered Office: 2120 Dunakeszi, Brassói utca 7., Hungary
Company Registration Number: 13-06-060656
Tax Number: 22531300-2-13
EU VAT Number: HU22531300
Representative: Márton László Attila, Managing Director
Email:
2. Data We Collect
When you use CADENSA, we collect the following personal data:
2.1. Registration Data
- Full name - for identification purposes
- Email address - login and communication
- Password - stored as bcrypt hash
- Language preference - UI customization
- Timezone - accurate time display
2.2. Usage Data
- Time entries - start/stop times, description, project
- Projects and workspaces - name, description, members
- Settings - user preferences (theme, notifications)
- Team memberships - roles, permissions
2.3. Technical Data
- IP address - security purposes (audit log)
- User-Agent - device and browser identification
- Cookies - session management, preferences (details: Cookie Policy)
3. Legal Basis (GDPR)
- Contract performance (GDPR Article 6.1.b) - providing CADENSA service
- Consent (GDPR Article 6.1.a) - marketing, non-essential cookies
- Legal obligation (GDPR Article 6.1.c) - accounting law (time entry retention); invoicing is handled via external providers (e.g. Billingo)
- Legitimate interest (GDPR Article 6.1.f) - security audit logging
4. Data Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| User accounts | Until user-initiated deletion | GDPR storage limitation |
| Time entries | 8 years; anonymized after account deletion | Hungarian Accounting Act (Act C of 2000) |
| Billing records | Deleted on account deletion; VAT invoices remain in external providers (e.g. Billingo) | External provider retention rules apply |
| Audit logs | 2 years | Legitimate interest (security) |
| Marketing consent | Until withdrawn | Consent |
5. Third-Party Data Processors
To securely store your data and operate the service, we use the following third-party processors. We have GDPR-compliant Data Processing Agreements (DPA) with all of them:
Hetzner Online GmbH
Purpose: Server hosting, MongoDB database storage
Location: Germany (EU)
Wasabi Technologies, LLC
Purpose: Encrypted database backup storage in S3-compatible object storage
Location: Germany - Frankfurt (eu-central-2 region, EU)
Data stored: AES-256-GCM encrypted archives (encrypted before upload - Wasabi cannot access the data)
Retention: 90 days (daily), 52 weeks (weekly), 12 months (monthly)
Mollie B.V.
Purpose: Payment processing, subscription management
Location: Netherlands (EU) - Amsterdam
DPA: Automatic upon registration (GDPR Art. 28 - EU-based processor)
Tarhely.eu (EZIT Kft.)
Purpose: SMTP email delivery (notifications, password reset)
Location: Hungary (EU)
DPA: Tarhely.eu ÁSZF (GDPR compliance declared)
Vercel Inc.
Purpose: Landing page hosting, CDN (static content)
Location: Global (with EU edge nodes)
DPA: Vercel DPA
Billingo Technologies Zrt.
Purpose: Electronic invoice issuance for subscriptions + mandatory NAV Online Számla 3.0 reporting
Location: Hungary (EU)
Data transferred: customer name, billing address, tax / EU VAT number, email, invoice line items and amounts
Retention: 8 years (mandatory under Hungarian Accounting Act §169)
Plausible Analytics OÜ
Purpose: Cookie-free website analytics (page views, traffic sources - no individual user identified)
Location: Estonia (EU) - Plausible OÜ
Legal basis: No consent required - collects no personal data, cookie-free
DPA: Not required (not personal data under GDPR)
Google LLC (Google Calendar)
Purpose: Optional Google Calendar integration - user-initiated only
Location: USA (transfer outside EU)
Legal basis: GDPR Art. 6(1)(a) - explicit consent (shown before activation, revocable at any time)
DPA: Google Cloud Data Processing Amendment
Note: Google Calendar integration is optional. A notice about US data transfer is shown before activation. Revocable at any time in Settings → Integrations.
6. Your Rights (Under GDPR)
Under GDPR, you have the following rights. You can exercise these rights in the CADENSA settings menu or via email:
6.1. Right to Access (GDPR Article 15)
Request a copy of all personal data we hold about you in machine-readable format.
Export formats:
- JSON: Machine-readable, complete data structure
- CSV: Human-readable, Excel-compatible
How to: Settings → Privacy → Export Data
Instant download (no waiting time)
6.2. Right to Rectification (GDPR Article 16)
Correct inaccurate or incomplete personal data.
How to: Settings → Profile → Edit
Or send email to:
6.3. Right to Erasure ("Right to be Forgotten") (GDPR Article 17)
Request immediate deletion of your data. After a deletion request, there is a 7-day grace period during which you can cancel.
7-day grace period:
- You can cancel deletion within 7 days after request
- You will receive email notification about deletion date
- After 7 days, data is permanently deleted
Exceptions (legal obligations):
- Time entry data: 8 years (Accounting Act, anonymized)
- Billing records: removed from Cadensa systems; VAT invoices remain with external providers (e.g. Billingo)
- Security logs: 90 days
How to: Settings → Danger Zone → Delete Account
Immediate effect, with 7-day cancellation option
6.4. Right to Restriction of Processing (GDPR Article 18)
Request restriction of processing in the following cases:
- Contesting accuracy: You contest the accuracy of your data
- Unlawful processing: Processing is unlawful but you oppose erasure
- No longer needed: We no longer need data but you need it for legal claims
- Objection pending: You objected to processing and we are verifying
What happens during restriction?
- We store your data but do not actively process it
- Your account remains active with limited functionality
- You can still access and export your data
- You can lift restriction at any time
How to: Settings → Privacy → GDPR Rights → Request Data Processing Restriction
GDPR Article 18.3: We inform you before lifting restriction
6.5. Right to Data Portability (GDPR Article 20)
Export your data in machine-readable format to transfer to another service.
Exported data:
- Profile data (name, email, settings)
- Time tracking entries (start/stop, description)
- Projects and workspaces
- Invoices and payments
- Email and notification preferences
How to: Settings → Privacy → Export Data → Select format (JSON/CSV)
6.6. Right to Object (GDPR Article 21)
Object to data processing based on different legal grounds:
6.6.1. Direct Marketing - Article 21(2)
Absolute right - no justification needed. This is the strongest user right in GDPR.
What happens:
- Marketing emails stop immediately
- Transactional emails (invoices, alerts) continue
How to: Settings → Privacy → GDPR Rights → "Object to Direct Marketing"
Immediate effect
6.6.2. Profiling (for Marketing) - Article 21(3)
Object to profiling for direct marketing purposes (e.g., behavior analysis for advertising).
What happens:
- Marketing profiling stops
- Service functionality analysis continues
How to: Settings → Privacy → GDPR Rights → "Object to Profiling"
Immediate effect
6.6.3. Processing Based on Legitimate Interests - Article 21(1)
If processing is based on legitimate interests, you can object if you have grounds relating to your particular situation.
Justification required: You must provide reason for objection
What happens:
- Your objection is reviewed within 30 days
- Temporary restriction applied during review
- If we have no compelling legitimate grounds, we stop processing
How to: Settings → Privacy → GDPR Rights → "Object to Data Processing" → Provide reason
30-day response time
6.7. Withdraw Consent (GDPR Article 7.3)
Withdraw consent at any time without justification (cookies, marketing emails).
How to:
- Cookies: Settings → Privacy → Cookie Preferences
- Marketing: Settings → Privacy → Email Preferences
Immediate effect
6.8. Right to Lodge a Complaint (GDPR Article 77)
If you believe we have violated your data protection rights, you can lodge a complaint with the supervisory authority.
Hungary:
NAIH - National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
Email: ugyfelszolgalat@naih.hu
Website: naih.hu
How to exercise your rights?
Most GDPR rights can be exercised directly in CADENSA settings. If you need assistance:
Email:
Response time: 30 days (GDPR Article 12.3). We will verify your identity for security purposes.
7. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption: HTTPS/TLS for all data transmission, bcrypt password hashing
- Access control: Role-based access control (RBAC), JWT tokens
- Audit logging: All critical operations logged (login, data modification)
- Regular backups: Automated MongoDB snapshots (encrypted)
- Server hardening: Firewall, SSH key-based access, regular updates
8. International Data Transfers
Data is primarily stored within the European Union (Germany, Hungary). Transfers outside the EU only occur with GDPR-compliant safeguards:
- Google LLC - Google Calendar (USA): GDPR Art. 6(1)(a) - explicit consent; Google Cloud Data Processing Amendment (EU-US DPF). Only when the optional Google Calendar integration is activated by the user.
All other data processors operate within the EU, EEA, or GDPR-equivalent jurisdictions: Hetzner (DE), Mollie (NL), Billingo (HU), Wasabi eu-central-2 (DE), Tarhely.eu (HU), Plausible (EE), Formbricks self-hosted (Hetzner DE). Transfer outside the EU occurs only for the voluntarily activated Google Calendar integration.
9. Children's Privacy
CADENSA is not intended for children under 16 years of age. We do not knowingly collect data from individuals under 16. If we become aware of such registration, we will immediately delete the account.
10. Changes to This Policy
We reserve the right to update this Privacy Policy from time to time. We will notify you of significant changes via email. The "Last updated" date indicates the most recent revision.
11. Contact Us
If you have questions about data privacy or want to exercise your GDPR rights:
Email:
Postal address:
Axeri Labs Bt.
2120 Dunakeszi, Brassói utca 7.
Hungary
Response time: 30 days (as per GDPR Article 12.3)
GDPR Compliance
This Privacy Policy complies with the European Union General Data Protection Regulation (EU 2016/679) and the Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information.