Privacy Policy

Last updated: March 17, 2026

Infrix VOF ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our workforce management platform ("Service"), in compliance with the General Data Protection Regulation (GDPR) and Dutch data protection law.

1. Data Controller

Infrix acts as the data processor for employee data entered by your organization (the data controller). For account-level data (login credentials, account settings), Infrix is the data controller. Where Infrix acts as a processor, a Data Processing Agreement (DPA) governs the relationship. Our DPA is available at /dpa.

Infrix VOF

Wolbrantskerkweg 135, 1069 CL Amsterdam, the Netherlands

KvK: 96615346

Email: privacy@infrix.app

We have not appointed a Data Protection Officer (DPO) as this is not required given the current nature and scale of our processing activities. For all privacy-related inquiries, contact us at privacy@infrix.app.

2. Personal Data We Collect

2.1 Data You Provide

  • Account data: name, email address, phone number, company name, job title, department.
  • Time registration data: work hours, break times, clock-in/out times, project allocation.
  • Schedule data: shift assignments, availability preferences, schedule templates.
  • Absence data: leave requests, absence types, sick leave records.
  • Project data: project assignments, task information, time allocation per project.

2.2 Special Categories of Personal Data

The Service processes sick leave records, which constitute health data under Article 9 GDPR. This data is processed solely for the purpose of absence management as required under Dutch employment law. Your employer (the data controller) is responsible for ensuring that the collection and processing of this data complies with the Dutch UAVG (Uitvoeringswet AVG) and applicable employment regulations. Infrix does not process medical diagnoses or detailed health information — only the type and duration of absence.

2.3 Data Collected Automatically

  • Technical data: IP address, browser type and version, operating system, device type.
  • Usage data: pages visited, features used, actions performed within the Service.
  • Error and diagnostic data: crash reports, error logs, and performance data collected via Sentry, which may include IP address and browser information in error context.
  • Session data: authentication tokens, session identifiers, login timestamps.

3. Legal Basis for Processing

We process your personal data under the following legal bases (Article 6 GDPR):

  • Contract performance (Art. 6(1)(b)): account management, service delivery, time tracking, scheduling, and absence management.
  • Legitimate interest (Art. 6(1)(f)): security, fraud prevention, error monitoring (Sentry), service improvement, and aggregate analytics.
  • Consent (Art. 6(1)(a)): optional marketing communications and beta feedback collection.
  • Legal obligation (Art. 6(1)(c)): where data retention is required by Dutch or EU law.

For special categories of personal data (sick leave records), the legal basis is Article 9(2)(b) GDPR — processing is necessary for the purposes of carrying out obligations in the field of employment law, in conjunction with Article 30 of the Dutch UAVG.

4. How We Use Your Data

  • Providing and maintaining the Service (time tracking, scheduling, absence management, reporting).
  • Authenticating users and managing access control.
  • Generating timesheets, reports, and workforce analytics.
  • Sending service notifications (schedule changes, absence approvals, reminders).
  • Monitoring errors and improving service reliability.
  • Responding to your support requests.
  • Improving and developing new features based on aggregated usage patterns.
  • Ensuring the security of the Service and preventing abuse.
  • Complying with legal obligations.

5. Data Sharing and Sub-processors

5.1 Within Your Organization

Your time entries, schedules, and work data may be visible to administrators, managers, and other authorized members of your organization based on role-based access controls.

5.2 Sub-processors

We use the following third-party services to operate the Service. Each processes data on our behalf under contractual data processing agreements:

  • Google Firebase (Google LLC) — Authentication, Firestore database, Cloud Storage. Data stored in EU region (europe-west4).
  • Stripe (Stripe Inc.) — Payment processing and payroll disbursement (to be activated). When this feature becomes available, Stripe will process payment-related personal data including bank account details. Data may be processed in the United States under the EU-US Data Privacy Framework.
  • Sentry (Functional Software Inc.) — Error tracking and performance monitoring. May process IP addresses and browser data in error context.
  • Resend (Resend Inc.) — Transactional email delivery for notifications, reminders, and service communications.
  • Railway (Railway Corp.) — Application hosting and infrastructure.

We will update this list when sub-processors are added or changed and notify customers in advance of any changes.

5.3 Data Processing Agreement

Where Infrix processes personal data on behalf of your organization, a Data Processing Agreement (DPA) in accordance with Article 28 GDPR governs our relationship. Our standard DPA is available at /dpa.

5.4 Legal Requirements

We may disclose your data when required by law, court order, or in response to valid requests from public authorities.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change via email.

6. International Data Transfers

Your primary data is stored in Google Firebase in the EU region (europe-west4, Netherlands). Some sub-processors (Stripe, Sentry, Resend) may process data in the United States. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as the EU-US Data Privacy Framework or Standard Contractual Clauses, in compliance with Articles 44-49 GDPR.

7. Data Retention

  • Account and service data: retained for the duration of your account. Upon account deletion, data is removed within 90 days, unless longer retention is required by applicable law (e.g., Dutch fiscal retention obligations).
  • Time tracking and schedule data: retained for the duration of your account to allow for reporting and audit purposes. Your employer may be required to retain certain employment records for up to 7 years under Dutch fiscal law.
  • Error logs (Sentry): retained according to Sentry's default retention period (typically 90 days).
  • Session data: session tokens expire after a period of inactivity; cached user data is short-lived and refreshed automatically.

When the beta program ends, we will provide reasonable notice and an opportunity to export your data before deletion.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted connections (TLS) for all data in transit.
  • Encryption at rest provided by Google Firebase.
  • Role-based access control with company-scoped data isolation (multi-tenancy) — each organization's data is logically separated within our database, enforced at the database level by Firestore security rules.
  • Secure session management with Firebase Auth.
  • Content Security Policy (CSP) headers to prevent cross-site scripting.
  • CSRF protection on all mutation endpoints.
  • Rate limiting on sensitive operations.

While we strive to protect your data, no method of electronic storage or transmission is 100% secure.

9. Data Breach Notification

In the event of a personal data breach, we will notify the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay via email.

10. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your personal data, subject to applicable legal retention requirements (e.g., Dutch fiscal law, employment law).
  • Right to restriction (Art. 18): restrict how we process your data.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at privacy@infrix.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

11. Cookies

We use essential cookies required for the Service to function:

  • Session cookie: authenticates your login session (HttpOnly, Secure, SameSite=Lax).
  • CSRF token: protects against cross-site request forgery attacks.

We do not use advertising, tracking, or third-party marketing cookies.

12. Automated Decision-Making

The Service includes an AI-powered schedule optimization feature. This feature generates schedule suggestions based on employee availability, qualifications, and business constraints. All AI-generated schedules require human review and approval by a manager or administrator before taking effect. No automated decisions are made that produce legal or similarly significant effects on individuals without human oversight.

Your organization's data is used solely to generate scheduling suggestions for that organization. We do not use your data to train machine learning models or share it with other organizations.

13. Data Protection Impact Assessment

Given that the Service processes employee data including special categories (health data in the form of sick leave records), we conduct Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR to identify and mitigate risks to data subjects' rights and freedoms.

14. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will delete that data promptly.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or an in-app notification. We encourage you to review this policy periodically.

16. Contact

For questions about this Privacy Policy or to exercise your data rights:

Infrix VOF

Wolbrantskerkweg 135, 1069 CL Amsterdam, the Netherlands

KvK: 96615346

Email: privacy@infrix.app

Supervisory authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl
