Last updated: May 16, 2026
Privacy policy
This policy describes how SUDOSU, the publisher of TimeReport, processes the personal data of users and customers. It complies with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the French "Informatique et Libertés" Act as amended.
1. Data controller
The data controller for data collected on timereport.app is:
- SUDOSU — SASU, share capital €100.00
- 8 rue Jules Vallès, 69100 Villeurbanne, France
- Lyon trade register 931 107 916
- Email: contact@timereport.app
2. Data collected
We collect the following categories of data:
- Account data: first name, last name, email, password (hashed), interface preferences, locale.
- Business data: trade name, SIRET, VAT number, address, bank details (only if entered for billing), information about your clients entered in the Service.
- CRA and invoicing data: days worked, missions, amounts, invoices, signers.
- Payment data: processed directly by Stripe; we do not store any bank data. We receive and store a Stripe customer ID and the billing metadata required.
- Technical data: IP address, browser type, access logs, application events (for security and debugging purposes).
- Cookies and analytics: see our cookies policy.
3. Purposes and legal bases
| Purpose | Legal basis | Retention period |
|---|---|---|
| Account creation and management | Performance of contract (Terms) | Account lifetime + 3 years after last activity |
| Service provision (CRA, invoices, signatures) | Performance of contract | Account lifetime |
| Billing and payment | Performance of contract + legal obligation | 10 years (accounting obligation) |
| Transactional emails (confirmation, reminders, invoices) | Performance of contract | Account lifetime |
| Newsletter and marketing communications | Consent | Until consent is withdrawn |
| Audience measurement | Consent (analytics cookies) | Up to 13 months |
| Security, fraud prevention, logs | Legitimate interest | 12 months |
| Support and responses to requests | Legitimate interest | 3 years after last exchange |
4. Recipients and processors
Data is accessible to authorized internal teams at SUDOSU (administration, support, accounting). It is also transmitted to the following processors, governed by contracts compliant with article 28 of the GDPR:
- Hostinger International Ltd (Cyprus, hosting in Paris) — hosting of the application and database.
- Stripe Payments Europe Ltd (Ireland) — processing of card payments.
- Mailjet SAS (France) — sending of transactional emails.
- Google Ireland Ltd (Ireland) — audience measurement (Google Analytics), subject to your consent.
- [TO COMPLETE: other processors, e.g. error monitoring service, CDN, support tool.]
5. Transfers outside the EU
Some of our processors (e.g. Google) may process data outside the European Union, particularly in the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission and, where applicable, by the Data Privacy Framework (DPF) for transfers to the United States.
6. Your rights
Under articles 15 to 22 of the GDPR, you have the following rights regarding your data:
- Access: obtain a copy of the data we hold about you;
- Rectification: correct inaccurate or incomplete data;
- Erasure: delete your data in the cases provided for by law ("right to be forgotten");
- Restriction: temporarily restrict processing;
- Objection: object to processing based on legitimate interest or for prospecting purposes;
- Portability: receive your data in a structured, machine-readable format;
- Withdrawal of consent: at any time, without retroactive effect;
- Post-mortem directives: determine what happens to your data after your death.
To exercise these rights, write to contact@timereport.app, specifying the nature of your request. Proof of identity may be requested in case of reasonable doubt.
You also have the right to lodge a complaint with the French data-protection authority (CNIL) — www.cnil.fr.
7. Security
SUDOSU implements technical and organizational measures to protect your data: HTTPS/TLS encryption, hashed passwords, restricted and logged access, regular backups, environment isolation, security updates. Despite these measures, no transmission over the Internet is completely secure; we cannot guarantee absolute security.
8. Cookies
The use of cookies is detailed in our cookies policy.
9. Minors
The Service is not intended for persons under 16. We do not knowingly collect data from minors. If you notice the presence of such data, please report it to contact@timereport.app.
10. Changes
This policy may be updated to reflect changes to the Service or to regulations. The applicable version is the one published on the date of your visit. Material changes will be notified to you by email or via the Service.