Hubnity GDPR Compliance
This page describes how Hubnity, operated by the Automatonsoft company (https://hubnity.eu), complies with the General Data Protection Regulation (GDPR) and supports the data protection rights of individuals in the European Union, United Kingdom, and other jurisdictions with similar requirements.
This document supplements our Privacy Policy and Terms of Service. For product-specific privacy settings, see the Data and Privacy FAQ in our Help Center.
1. Controller and processor roles
Hubnity acts in two capacities depending on the data involved:
- Data processor — for organization workspace data (time entries, activity, screenshots, reports) that Customers submit about their team members. The Customer (organization Owner) is the data controller and determines the purposes and lawful basis for processing.
- Data controller — for account registration data, billing information, support communications, and marketing preferences related to Hubnity accounts.
When you act on behalf of a company or provide personal data of others, you are the controller and must ensure lawful processing, appropriate notices, and valid agreements with processors. Hubnity's Data Processing Agreement (DPA) is available from Settings → Privacy → DPA download.
2. Legal basis for processing
We process personal data only where a lawful basis applies under GDPR Article 6, including:
- Contract — to provide the Services you or your organization subscribed to;
- Legitimate interests — to secure, improve, and operate the platform, prevent fraud, and communicate essential service updates, balanced against your rights;
- Consent — where required, for example optional marketing communications or certain monitoring features configured by your organization;
- Legal obligation — to comply with applicable laws, tax requirements, and lawful requests.
When processing is based on consent, you may withdraw it at any time by contacting info@hubnity.eu. Withdrawal does not affect processing that occurred before withdrawal.
3. Categories of personal data
Depending on how you use Hubnity, we may process:
- Identity and contact data — name, email, phone, job title, profile photo;
- Account and billing data — organization name, subscription plan, payment method metadata (full card numbers are not stored by Hubnity);
- Work activity data — time entries, projects, tasks, activity levels, optional screenshots, optional URL domains, optional location data;
- Technical data — IP address, device type, browser, app version, logs, and security events.
Hubnity does not record keystroke content, typed text, or clipboard data. Screenshot capture is optional and controlled by the organization Owner. Members are notified when capture is active.
4. Your GDPR rights
If you are in the EU, UK, or another jurisdiction that grants these rights, you may have:
- Right of access (Article 15) — obtain confirmation and a copy of your personal data;
- Right to rectification (Article 16) — correct inaccurate or incomplete data;
- Right to erasure (Article 17) — request deletion in certain circumstances;
- Right to restrict processing (Article 18) — limit how we use your data;
- Right to object (Article 21) — object to processing based on legitimate interests or direct marketing;
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format;
- Right to lodge a complaint (Article 77) — contact your local supervisory authority.
If you access Hubnity through an employer or client organization, some requests must be directed to that organization as the data controller. Hubnity will assist controllers in responding to data subject requests as required by the DPA.
5. How to exercise your rights
Self-service in the product
- Update profile information from Profile → Settings.
- Export organization data: Settings → Privacy → Export data (Owners). Delivered within 48 hours in JSON and CSV formats.
- Delete organization data: Settings → Privacy → Delete organization data (Owners). Initiates a 30-day deletion process.
- Delete individual account: Profile → Privacy → Delete my account. Personal data is removed; time entries are anonymized.
Contact our privacy team
EU residents may submit formal requests by email to privacy@hubnity.eu or info@hubnity.eu. We will verify your identity and respond within the timeframe required by applicable law (generally one month under GDPR).
6. Data Processing Agreement
Hubnity offers a standard Data Processing Agreement incorporating GDPR Article 28 requirements, including processor obligations, sub-processor management, security measures, and assistance with data subject requests.
Organization Owners can download the current DPA from Settings → Privacy → DPA download. Enterprise customers may request customized DPA terms through sales@hubnity.eu.
7. Data storage and retention
Hubnity stores data in EU-based data centers (Frankfurt, Germany) by default. Enterprise customers may request specific data residency regions.
- Active accounts: data retained for the life of the subscription.
- After cancellation: data retained for 30 days, then permanently deleted.
- Screenshot and activity data: configurable retention from 3 to 36 months (Settings → Privacy → Retention).
We retain personal data only as long as necessary for the purposes described in our Privacy Policy, to comply with legal obligations, resolve disputes, or enforce agreements.
8. International data transfers
Hubnity may process or store data in the United States or other countries where we or our service providers operate. We transfer personal data only where legally permitted and apply appropriate safeguards.
Hubnity complies with the EU-U.S., UK-U.S., and Swiss-U.S. Data Privacy Frameworks. We may also rely on Standard Contractual Clauses (SCCs) approved by the European Commission. More information is available at dataprivacyframework.gov.
Unresolved complaints under the Data Privacy Framework may be referred to the BBB Data Privacy Framework Services at bbbprograms.org.
9. Security measures
We implement technical and organizational measures to protect personal data, including:
- TLS 1.2 or higher for data in transit;
- AES-256 encryption for data at rest;
- bcrypt password hashing with per-user salts;
- Role-based access controls within organizations;
- SSO and advanced security options on Enterprise plans;
- Limited access for Hubnity personnel on a need-to-know basis.
Report security concerns to security@hubnity.eu. Critical vulnerabilities are acknowledged within 24 hours.
10. Sub-processors
Hubnity does not sell, rent, or share customer data with third parties for marketing purposes. We use sub-processors only to operate the Services—for example cloud hosting, payment processing, email delivery, and customer support tools.
A current list of sub-processors is included in the DPA. We notify Customers of material sub-processor changes as described in the DPA and provide an opportunity to object where required.
11. Data Protection Impact Assessments (GDPR Arts. 35 & 36)
Customers conducting high-risk processing—such as systematic monitoring of employees—should perform a Data Protection Impact Assessment (DPIA) under Article 35 GDPR.
Hubnity provides documentation, security descriptions, and sub-processor information to support customer DPIAs on request via privacy@hubnity.eu.
Where processing is likely to result in a high risk that cannot be mitigated, the controller must consult the supervisory authority under Article 36.
12. Personal data breaches
We maintain incident response procedures to detect, investigate, and remediate security incidents. Where Hubnity acts as a processor, we notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and assist the Customer in meeting notification obligations to supervisory authorities and data subjects where required by GDPR Articles 33 and 34.
14. Contact
For GDPR-related questions or requests:
- privacy@hubnity.eu
- info@hubnity.eu
- support@hubnity.eu
- +971 (72) 44-8022
- FENS Trade FZ-LLC, Trade License 5021517
- Unit Area 199, Alquisaidat Nakheel, Ras Al Khaimah, United Arab Emirates
Effective Date: 23 June 2026 | Version 2.0