1. Introduction
At Dharma Web Studio (hereinafter, "we", "our" or "the Controller"), with Tax ID ES39425922N, we take the privacy and protection of your personal data very seriously. This Privacy Policy describes how we collect, use, share, and protect the personal information of Traceback users (hereinafter, "the Service" or "the Application").
By using Traceback, you accept the practices described in this Privacy Policy. If you do not agree with any aspect of this policy, you should not use the Service.
This policy has been prepared in compliance with:
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Spanish Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (LOPDGDD)
- Applicable Spanish and European legislation on data protection
2. Data Controller
Controller Identity:
Dharma Web Studio
Tax ID: ES39425922N
Email: info@traceback.work
Website: https://traceback.work
3. Information We Collect
3.1 Data Provided Directly by the User
When registering and using the Service, we collect:
Registration and Profile Data:
- First and last name
- Email address
- Password (stored using secure cryptographic hash)
- Profile picture (optional)
- Time zone and language preferences
- Preferred date, time, and number formats
Team and Organization Data:
- Team or company name
- Roles and permissions within the team
- Invitations sent and received
Project and Activity Data:
- Project names and descriptions
- Time records (frames): date, start time, end time, duration
- Task and activity descriptions
- Custom tags
- Billing configurations and hourly rates
- Time rounding strategies
Integration Data:
- Authentication tokens for external services (Asana, etc.)
- Project and workspace mapping configurations
- Associated external resource IDs
3.2 Automatically Collected Data
Technical and Usage Information:
- IP address
- Browser type and version
- Operating system
- Screen resolution and device type
- Pages visited within the Service
- Date and time of access
- Session duration
- Interactions with Service features
- Referrer (origin page)
Cookies and Similar Technologies:
- Session and authentication cookies
- User preference cookies
- Authentication tokens (Sanctum)
- Browser LocalStorage and SessionStorage
3.3 Third-Party Data
We may receive limited information from:
- Social authentication services: If you use OAuth to log in (Google, GitHub, etc.), we receive basic profile information authorized by you
- Third-party integrations: Data synchronized from Asana or other services you voluntarily connect
4. Legal Basis and Processing Purposes
4.1 Legal Bases (GDPR)
We process your personal data based on:
a) Performance of a contract (Art. 6.1.b GDPR):
- Provide and operate the Service
- Manage your account and authentication
- Enable time tracking and project management
b) Legitimate interests (Art. 6.1.f GDPR):
- Improve and optimize the Service
- Prevent fraud, abuse, and security violations
- Perform aggregated statistical analysis
- Transactional communications about the Service
c) Explicit consent (Art. 6.1.a GDPR):
- Sending commercial communications or newsletters (if applicable)
- Non-essential cookies (analytics, personalization)
- Processing special categories of data (if applicable)
d) Compliance with legal obligations (Art. 6.1.c GDPR):
- Respond to legal or judicial requirements
- Comply with fiscal, accounting, or regulatory obligations
4.2 Processing Purposes
We use your personal data to:
Service Operation:
- Create and manage your user account
- Authenticate your identity and maintain secure sessions
- Allow you to record time, create projects, and collaborate in teams
- Process invitations and manage permissions
- Synchronize with external services you authorize
- Generate reports, statistics, and personalized exports
Improvement and Optimization:
- Analyze usage patterns to improve features
- Identify and correct technical errors
- Develop new features based on user needs
- Optimize performance and user experience
Security and Fraud Prevention:
- Detect and prevent unauthorized access
- Identify suspicious or malicious activities
- Protect data integrity and the Service
- Comply with security investigations
Communications:
- Send transactional notifications (password reset, team invitations, security alerts)
- Provide technical support and customer service
- Inform about changes to the Service, Terms, or Policies
- Send commercial communications (only with prior consent)
Legal Compliance:
- Respond to court orders or legal requirements
- Comply with applicable regulations
- Exercise or defend legal rights
5. Sharing and Disclosing Information
5.1 We Do Not Sell Your Data
We never sell, rent, or commercialize your personal data to third parties.
5.2 Disclosure to Third Parties
We may share personal information in the following circumstances:
a) Service Providers (Data Processors):
We work with external providers who process data on our behalf under strict confidentiality and data protection agreements (Art. 28 GDPR):
- Hosting and infrastructure: Servers where the application is hosted
- Email services: Sending transactional emails
- File storage: Storage of profile pictures and attachments
- Monitoring services: Error and performance analysis tools
- Security services: Protection against DDoS attacks and threats
All providers comply with GDPR or approved international transfer mechanisms.
b) Within Your Team:
If you belong to a team or company within Traceback:
- Other team members can view your time records and shared projects
- Team administrators have access to team statistics and aggregated data
- Team owners can manage permissions and access
c) Authorized Integrations:
When you connect third-party services (Asana, etc.):
- Information necessary for integration is shared according to the permissions you grant
- Read the privacy policies of these external services
d) Legal Compliance:
We may disclose information if:
- Required by law, court order, or competent authority
- Necessary to prevent fraud, protect rights or security
- Necessary to investigate violations of our Terms
- A merger, acquisition, or asset sale occurs (with prior notice)
6. International Data Transfers
If we use providers or infrastructure outside the European Economic Area (EEA), we guarantee adequate protection through:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Adequacy decisions by the European Commission (countries with adequate level)
- Recognized certifications (Privacy Shield - if applicable)
- Explicit user consent (when required)
You can request information about guarantees implemented in international transfers by contacting us.
7. Data Security
7.1 Implemented Security Measures
We implement appropriate technical and organizational measures to protect your data:
Technical Measures:
- Data encryption in transit (HTTPS/TLS)
- Password encryption using cryptographic hash (bcrypt)
- Authentication via secure tokens (Sanctum)
- Protection against common attacks (XSS, CSRF, SQL Injection)
- Firewalls and intrusion detection systems
- Regular and encrypted backups
- Role-based access and principle of least privilege
Organizational Measures:
- Internal security and privacy policies
- Ongoing staff training on data protection
- Periodic security audits
- Data access control with multi-factor authentication
- Incident response procedures
7.2 Security Limitations
Despite our efforts, no system is 100% secure. You should also:
- Keep your access credentials secure
- Use strong and unique passwords
- Not share your account with third parties
- Report suspicious activity immediately
8. Data Retention
8.1 Retention Period
We retain your personal data while:
- Your account remains active
- It is necessary to provide the Service
- Required by legal, accounting, or fiscal obligations
- Necessary to resolve disputes or enforce our agreements
8.2 Retention Criteria
Active account data: While the account is in use
Data after account cancellation:
- Immediate deletion: Session tokens, temporary cache data
- 30 days: Recoverable data in case of cancellation error
- Up to 90 days: Automatic backups
- Legal period: Data required by fiscal or legal obligations (generally 6 years in Spain)
Anonymized data: We may retain indefinitely completely anonymized and aggregated data for statistical analysis.
8.3 Data Deletion
You can request deletion of your data at any time by exercising your right to erasure (see section 10).
9. Cookies and Tracking Technologies
9.1 What Are Cookies
Cookies are small text files stored on your device that help us improve the Service.
9.2 Types of Cookies We Use
Strictly Necessary Cookies:
- Authentication and session management
- Security (CSRF tokens)
- Language preferences
- Legal basis: Performance of contract - Does not require consent
Functionality Cookies:
- Remember user preferences (time zone, date format)
- Personalized interface configuration
- Legal basis: Legitimate interests - Optional consent
Performance/Analytics Cookies (if applicable):
- Aggregated usage and behavior analysis
- Performance optimization
- Legal basis: Prior consent - Can be rejected
9.3 Cookie Management
You can manage cookie preferences through:
- Your browser settings (block/delete cookies)
- Cookie settings panel in the Service (if available)
- Third-party service opt-out tools
Rejecting non-essential cookies may affect Service features.
9.4 LocalStorage and SessionStorage
The Service uses browser LocalStorage and SessionStorage for:
- Temporary storage of session data
- User configuration cache
- Performance and experience improvement
You can clear this data from your browser settings.
10. Your Rights (GDPR)
As a user in the European Union, you have the following rights regarding your personal data:
10.1 Right of Access (Art. 15 GDPR)
You can request a copy of all personal data we maintain about you, including information about processing.
10.2 Right to Rectification (Art. 16 GDPR)
You can update or correct inaccurate or incomplete data at any time from your profile or by contacting us.
10.3 Right to Erasure/"Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of your personal data when:
- The data are no longer necessary for the purposes for which they were collected
- You withdraw consent (if it is the legal basis of processing)
- You object to processing and there are no overriding legitimate interests
- The data has been unlawfully processed
- Required by legal obligation
Limitations: We may retain data if necessary to comply with legal obligations, exercise legal rights, or public interest.
10.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request that we restrict use of your data while:
- Data accuracy is verified (after rectification request)
- Processing is unlawful but you prefer restriction instead of erasure
- We no longer need the data but you need it for legal claims
- We are verifying whether our legitimate interests override yours after you have objected to processing
10.5 Right to Data Portability (Art. 20 GDPR)
You can request a copy of your data in structured, commonly used, machine-readable format (JSON, CSV, etc.) to transfer to another service.
Applies to: Data provided by you and processed automatically based on consent or performance of contract.
10.6 Right to Object (Art. 21 GDPR)
You can object to data processing based on legitimate interests, including:
- Profiling or behavior analysis
- Direct marketing (absolute objection)
- Processing based on legitimate interests (if you have particular reasons)
10.7 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you, except in the cases permitted by law.
Note: Currently, Traceback does not make automated decisions of this type.
10.8 Right to Withdraw Consent
When processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to consent.
10.9 Exercise of Rights
To exercise any of these rights:
- Contact us at info@traceback.work
- Include in your request:
  - Full name and account email
  - Right you wish to exercise
  - Copy of identification document (to verify identity)
- We will respond within 1 month (extendable to 3 months in complex cases, with prior notification)
Exercising these rights is free of charge, except for manifestly unfounded or excessive requests.
10.10 Right to Lodge a Complaint with Supervisory Authority
If you consider we have not adequately addressed your rights, you can lodge a complaint with:
Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6
28001 Madrid
Phone: 901 100 099 / 91 266 35 17
Website: www.aepd.es
Electronic office: https://sedeagpd.gob.es
11. Minors
Traceback is not directed to minors under 18 years of age (or the legal age in your jurisdiction). We do not knowingly collect data from minors without verifiable parental consent.
If you become aware that a minor has provided personal data without authorization, contact us immediately so that we can delete it.
12. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or Service improvements.
Change Notification:
- Minor changes: Publication in the Service with new "Last updated" date
- Material changes: Email notification or prominent banner 30 days in advance
We recommend reviewing this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Business Transfer
In case of merger, acquisition, reorganization, or asset sale:
- Your personal data may be transferred to the new owner
- We will notify you in advance about the transfer
- The new entity must comply with this Policy or request new consent
- You can exercise your rights (including erasure) before the transfer
14. Privacy Outside Our Service
This Privacy Policy does not apply to:
- Third-party websites: External links, integrations, or third-party services have their own policies
- Actions of other users: We do not control how other team members treat shared data
- Social networks: Social authentication platforms (Google, GitHub) have their own policies
Review third-party privacy policies before sharing information with them.
15. Contact and Data Protection Officer
For any questions, inquiries, or requests related to this Privacy Policy or processing of your personal data:
Dharma Web Studio
Tax ID: ES39425922N
Email: info@traceback.work
Subject: "Privacy - Traceback"
Data Protection Officer (DPO): [If applicable - required if processing sensitive data at large scale]
We commit to responding to all inquiries in a timely manner and in compliance with applicable legislation.
16. Summary of Privacy Commitments
- We never sell your personal data
- End-to-end encryption and security
- Full compliance with GDPR and LOPDGDD
- Transparency in data processing
- Absolute respect for your privacy rights
- Data minimization: we only collect what is necessary
- You maintain control over your data at all times
By using Traceback, you confirm that you have read, understood, and accepted this Privacy Policy.
Last review: March 22, 2026