Privacy Policy

Last Updated: December 30, 2025

1. Introduction

This Privacy Policy explains how Kora ("we," "us," or "our") collects, uses, processes, and protects your personal data when you use our time tracking and workforce management application (the "Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

2. Data Controller

Kora

Email: hello@koratrack.com

For any questions regarding this Privacy Policy or your personal data, please contact us at the above email address.

3. Personal Data We Collect

3.1 Information You Provide

  • Account Information: Name, email address, password (encrypted), job title, department
  • Profile Data: Profile photo, contact details, employee ID
  • Time Tracking Data: Clock-in/out times, work hours, break times, shift schedules
  • Leave Management: Vacation requests, sick leave, absence records
  • Work Logs: Daily task descriptions, productivity ratings, work notes
  • Communication Data: Messages, feedback, support requests

3.2 Automatically Collected Data

  • Usage Data: IP address, browser type, device information, operating system
  • Location Data: Approximate location based on IP address (not GPS tracking)
  • Session Data: Login times, session duration, feature usage
  • Technical Data: Cookies, log files, error reports

3.3 Data from Third Parties

  • Authentication Providers: If you sign in via Google or other OAuth providers, we receive basic profile information (name, email, profile picture)
  • Employer Data: Your employer may provide organizational data (department structure, reporting hierarchy)

4. Legal Basis for Processing

We process your personal data under the following legal bases:

4.1 Contractual Necessity (Article 6(1)(b) GDPR)

  • Managing your employment relationship
  • Providing time tracking and workforce management services
  • Processing payroll-related information

4.2 Legitimate Interests (Article 6(1)(f) GDPR)

  • Improving and optimizing our Service
  • Preventing fraud and ensuring security
  • Analyzing usage patterns for service enhancement
  • Communicating service updates

4.3 Legal Obligation (Article 6(1)(c) GDPR)

  • Complying with labor law requirements
  • Maintaining records for tax and accounting purposes
  • Responding to legal requests from authorities

4.4 Consent (Article 6(1)(a) GDPR)

  • Sending marketing communications (where applicable)
  • Using optional features requiring explicit consent
  • Processing special categories of data (if any)

5. How We Use Your Data

5.1 Service Provision

  • Recording and managing work hours
  • Processing leave requests and approvals
  • Generating timesheets and reports
  • Managing shift schedules
  • Facilitating supervisor-employee communication

5.2 Administrative Purposes

  • User authentication and account management
  • Providing customer support
  • Sending service-related notifications
  • Enforcing our Terms of Service

5.3 Analytics and Improvement

  • Understanding usage patterns
  • Identifying and fixing technical issues
  • Developing new features
  • Improving user experience

5.4 Compliance and Security

  • Preventing unauthorized access
  • Detecting and preventing fraud
  • Complying with legal obligations
  • Maintaining audit trails

6. Data Sharing and Disclosure

6.1 Within Your Organization

Your employer (the organization that provides you access to the Service) can access:

  • Your time tracking records
  • Leave requests and approvals
  • Work logs and productivity data
  • Reports generated from your data

6.2 Service Providers

We share data with trusted third-party service providers:

  • Supabase (Database Hosting): Stores application data in EU data centers
  • Vercel (Application Hosting): Hosts the application infrastructure
  • Authentication Services: Google OAuth (if used)

All service providers are contractually bound to GDPR compliance and data protection standards.

6.3 Legal Requirements

We may disclose your data when required by law:

  • In response to valid legal requests from authorities
  • To protect our rights, property, or safety
  • To enforce our Terms of Service
  • In connection with legal proceedings

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

7. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If data is transferred outside the EEA, we ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy Decisions for countries recognized as providing adequate protection
  • Binding Corporate Rules where applicable

8. Data Retention

We retain your personal data only as long as necessary:

8.1 Active Employment

  • Time tracking data: Duration of employment + 3 years (for legal compliance)
  • Leave records: Duration of employment + 5 years
  • Work logs: Duration of employment + 1 year

8.2 After Employment Termination

  • Essential employment records: 10 years (for legal and tax purposes)
  • Non-essential data: Deleted within 30 days of account closure

8.3 Legal Holds

Data subject to legal holds or ongoing investigations will be retained until the matter is resolved.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

Request a copy of your personal data we hold.

9.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data.

9.3 Right to Erasure (Article 17)

Request deletion of your data (subject to legal retention requirements).

9.4 Right to Restriction (Article 18)

Limit how we process your data in certain circumstances.

9.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

9.6 Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing.

9.7 Right to Withdraw Consent (Article 7(3))

Withdraw consent at any time (where processing is based on consent).

9.8 Right to Lodge a Complaint

File a complaint with your national data protection authority.

To exercise your rights, contact us at: hello@koratrack.com

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

10.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Secure Infrastructure: Regular security audits and penetration testing
  • Backup Systems: Encrypted backups with disaster recovery procedures

10.2 Organizational Measures

  • Data Protection Policies: Comprehensive internal policies and procedures
  • Employee Training: Regular privacy and security training for staff
  • Incident Response: Documented breach notification procedures
  • Vendor Management: Due diligence on all third-party processors

10.3 Data Breach Notification

In the event of a data breach affecting your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected individuals without undue delay
  • Provide information about the breach and mitigation measures

11. Cookies and Tracking Technologies

11.1 Essential Cookies

Required for authentication, security, and basic functionality.

11.2 Analytics Cookies

Used to understand usage patterns and improve the Service (requires consent).

11.3 Your Cookie Choices

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect Service functionality.

12. Children's Privacy

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If we become aware of such collection, we will delete the data immediately.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human intervention.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be:

  • Posted on this page with an updated "Last Updated" date
  • Notified to users via email for material changes
  • Effective 30 days after notification (unless immediate compliance is required)

Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Information

Data Protection

Email: hello@koratrack.com

You have the right to lodge a complaint with your national data protection authority. For a list of EU data protection authorities, visit: edpb.europa.eu

16. Additional Information for Specific Jurisdictions

16.1 European Union

This policy complies with GDPR requirements. EU users have all rights specified in Section 9.

16.2 United Kingdom

UK users are protected under UK GDPR and the Data Protection Act 2018.

16.3 California (CCPA)

California residents have additional rights under the California Consumer Privacy Act. Contact us for details.

17. Data Processing Agreement

If your organization is the data controller and we process data on your behalf, a separate Data Processing Agreement (DPA) governs our relationship in accordance with Article 28 GDPR.

Acknowledgment

By using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Document Version: 1.0

Language: English

Jurisdiction: European Union