Privacy Policy
Dualtime · dualtime.app
Effective date: March 24, 2026 · Last updated: March 24, 2026
Dualtime is operated by Javier Castaño Candela, a self-employed professional (autónomo) based in Huelva, Spain. Dualtime is a SaaS platform that helps businesses manage employee schedules and record attendance via a web dashboard (for managers) and a mobile app (for employees).
This Privacy Policy explains how we collect, use and protect personal data in connection with our website (dualtime.app), the web dashboard and the mobile application.
We are committed to complying with the EU General Data Protection Regulation (GDPR) and applicable Spanish data protection law (LOPDGDD).
1. Our Role as Data Controller and Data Processor
Dualtime can act in two different capacities depending on whose personal data is involved:
| Role | When it applies |
|---|---|
| Data Controller | When processing data of our Clients (managers) — such as name, email and billing information. We determine the purposes and means of processing. |
| Data Processor | When processing data of employees on behalf of our Clients — such as clock-in/out records and shift assignments. We act on the Client's instructions. The Client is the Data Controller for employee data. |
This Privacy Policy primarily addresses our role as Data Controller (Client data). The processing of employee data on behalf of Clients is governed by our Data Processing Agreement (DPA), available at dualtime.app/dpa.
Contact: Javier Castaño Candela · [email protected] · Huelva, Spain
2. Personal Data We Collect
2.1 Data you provide directly (Clients / Managers)
When you create an account or use the Service as a manager, we collect:
- Name
- Email address
- Billing information (processed by Polar, our payment provider — we do not store card details)
2.2 Data collected automatically
When you visit our website or use the Service, we may automatically collect:
- Log data: IP address, browser type and version, pages visited, timestamps
- Usage data: actions taken within the Service, feature usage patterns (via PostHog)
- Technical data: device type, operating system, error logs
This data is used to operate and improve the Service. Where possible, it is collected in an anonymised or aggregated form.
2.3 Data about employees (processed on behalf of Clients)
When a Client invites employees to use the Service, the following employee data is processed by Dualtime on the Client's behalf:
- Name and email address
- Clock-in and clock-out timestamps
- Assigned shifts and schedules
Dualtime has no direct relationship with employees and processes this data solely according to the Client's instructions and in accordance with our DPA. If you are an employee and have questions about how your employer uses your data, please contact your employer directly.
3. How We Use Personal Data
The following table summarises how we use Client (manager) personal data and the legal basis for each processing activity under the GDPR:
| Data | Purpose | Legal Basis |
|---|---|---|
| Name and email | Account creation and authentication (passwordless login) | Performance of a contract (Art. 6(1)(b)) |
| Name and email | Sending transactional emails (OTPs, magic links, service notices) | Performance of a contract (Art. 6(1)(b)) |
| Billing information | Processing subscription payments via Polar | Performance of a contract (Art. 6(1)(b)) |
| Usage data | Product analytics via PostHog to improve the Service | Legitimate interests (Art. 6(1)(f)) |
| Log data | Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Name and email | Responding to support enquiries | Legitimate interests (Art. 6(1)(f)) |
| Any personal data | Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your personal data for direct marketing without your explicit consent, and we do not sell personal data to third parties.
4. Cookies
We use cookies and similar technologies to operate the Service and collect usage information. Please refer to our Cookie Policy at dualtime.app/cookies for full details on what cookies we use and how to control them.
5. Third-Party Service Providers
We share personal data with the following trusted third-party providers to the extent necessary to deliver the Service:
| Provider | Service | Data shared | Location |
|---|---|---|---|
| Scaleway | Cloud hosting | All Service data (encrypted) | France (EU) |
| PostHog | Product analytics | Anonymised usage data | EU / EEA |
| Polar | Payment processing | Name, email, billing info | International |
| Resend | Transactional email | Name, email address | International |
All third-party providers are bound by data processing agreements and are required to implement appropriate technical and organisational measures to protect personal data. We do not share personal data with third parties for their own marketing purposes.
We may also disclose personal data to courts, regulators or law enforcement where required by applicable law.
6. International Transfers
Our primary infrastructure is hosted by Scaleway in France (EU), meaning most data stays within the European Economic Area (EEA). Where any of our service providers are located outside the EEA, we ensure that transfers are carried out in accordance with Chapter V of the GDPR, relying on:
- Adequacy decisions by the European Commission; or
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- Other appropriate safeguards as permitted by the GDPR.
7. Data Retention
| Data type | Retention period |
|---|---|
| Client account data | For the duration of the subscription, plus 30 days after cancellation |
| Employee data (on behalf of Client) | For the duration of the Client's subscription, plus 30 days after cancellation |
| Billing records | As required by applicable tax and accounting law (typically 5–7 years in Spain) |
| Log and usage data | Up to 12 months, unless needed for security investigation |
| Support correspondence | Up to 2 years after last interaction |
Note: Billing records may be retained beyond account deletion to comply with Spanish tax law. These records will be anonymised where possible.
8. Security
We implement appropriate technical and organisational measures to protect personal data:
- Encryption of data in transit using TLS 1.2/1.3 (HTTPS)
- Encryption of data at rest on Scaleway servers
- Passwordless authentication (Email OTP and Magic Links)
- Role-based access controls within the Service
- Regular backups with a 30-day retention period
No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
9. Children's Privacy
The Service is intended for use by businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately at [email protected].
10. Your Rights under the GDPR
As a data subject, you have the following rights in relation to your personal data:
- Right of access. You may request a copy of the personal data we hold about you.
- Right to rectification. You may request that we correct inaccurate or incomplete personal data.
- Right to erasure. You may request that we delete your personal data, subject to any legal retention obligations.
- Right to restriction. You may request that we restrict the processing of your data in certain circumstances.
- Right to data portability. You may request a copy of your data in a structured, machine-readable format.
- Right to object. You may object to processing based on our legitimate interests.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Authority:
Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Phone: +34 912 663 517
11. Note for Employees
If you are an employee who has been invited to use the Dualtime mobile app by your employer, your personal data (name, email, attendance records) is processed by Dualtime on behalf of your employer. Your employer is the Data Controller for this data.
To exercise your data protection rights in relation to this data, please contact your employer in the first instance. If you have unresolved concerns, you may contact us at [email protected].
12. Business Transfers
In the event that Dualtime or its assets are transferred to a third party, personal data may be included among the assets transferred. We will notify you in advance of any such transfer and the new entity will be required to honour the terms of this Privacy Policy.
13. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or a prominent notice within the Service.
15. Contact Us
Dualtime (Javier Castaño Candela)
Email: [email protected]
Website: dualtime.app
Location: Huelva, Spain