Clood-X is a business app for employees. We only process the data your employer needs for shift planning, time tracking, and internal communication. There is no tracking, no advertising, and no third-party data sharing. Location data is captured only at the moment you clock in or out.
The data controller within the meaning of the EU General Data Protection Regulation (GDPR) is your employer, who is a tenant of the Clood-X platform. Please contact your employer's data protection officer for any access requests.
Technical platform operator (data processor under Article 28 GDPR):
[Company Name] [Street and Number] [Postal Code, City] Germany Email: datenschutz@clood-x.com
Email address (set by your employer)
Password (stored only as a bcrypt hash — never in plain text)
Authentication token issued after successful login
Service number (Dienst-Nr.), first name, last name
Optional: phone number, work area, assignment region
Employment data maintained by your employer (hourly wage, leave days, qualifications)
Planned and recorded assignments (date, time, site, customer)
Clock-in and clock-out timestamps, breaks
Notes you add yourself
Location is captured only at the moment of clocking in or out to verify that you are within 100 meters of your assigned worksite. We record:
Latitude and longitude at the time of stamping
Accuracy of the GPS reading
Calculated distance to the worksite in meters
There is no continuous or background location tracking. The app does not access your location outside the clock-in/out action.
Time period and type of absence (e.g., requested day off, vacation)
Reason, if you provide one
Status of processing by your dispatcher
Message content
Timestamps and read status
Optional attachments (e.g., timesheets)
The push token issued by your device (Google FCM on Android, Apple APNs on iOS)
Used only to deliver notifications about new shifts, request responses, and chat messages
IP address, timestamp, and user-agent in server logs (kept for a maximum of 14 days for operational security)
No advertising IDs, no cross-app tracking, no third-party analytics SDKs
Fulfilling the employment relationship between you and your employer
Shift planning, dispatching, and workforce management
Time recording and payroll
Communication between you and dispatch
Compliance with statutory record-keeping obligations (in particular § 16 of the German Working Hours Act)
Art. 6 (1) (b) GDPR — performance of the employment contract
Art. 6 (1) (c) GDPR — compliance with legal obligations (working-time records)
§ 26 (1) of the German Federal Data Protection Act (BDSG) — data processing for the purposes of the employment relationship
Art. 6 (1) (f) GDPR — legitimate interest in operating a secure and stable app (logs, tokens)
Your data is processed exclusively by:
Your employer as data controller
The technical operator named above as data processor
The hosting provider (server location: Germany)
Push delivery providers Google (Firebase Cloud Messaging) and Apple (APNs) — only to deliver the notification itself
No data is transferred to countries outside the EU/EEA, with the exception of the technically necessary push delivery through Google and Apple. This transfer is based on the EU Standard Contractual Clauses pursuant to Article 46 GDPR.
Login and profile data: for the duration of your employment relationship
Time-tracking data: for the statutory retention period (generally 2 or 6 years under German law)
Location data: stored together with the corresponding clock-in/out record
Messages: until deleted by your employer
Push tokens: until you log out or uninstall the app
Server logs: 14 days
Internet — to connect to the clood-x.com server
Location (fine and coarse) — used only when you clock in or out, to confirm your presence at the worksite
Push notifications — to deliver shift, request, and chat alerts
Wake lock — to prevent the device from sleeping while a shift timer is running
You can revoke any individual permission at any time in your device settings. If you do, the related feature (for example, location verification when clocking in) will no longer be available.
All data is transmitted with strong encryption (TLS 1.2 or higher)
Passwords are hashed with bcrypt and never stored in plain text
Strict tenant isolation: each company has its own separate database
Authentication uses randomly generated tokens (Laravel Sanctum)
Servers receive regular security updates
You may exercise the following rights against the data controller at any time:
Right of access to the data we hold about you (Art. 15 GDPR)
Right to rectification of inaccurate data (Art. 16 GDPR)
Right to erasure, subject to statutory retention obligations (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
The competent supervisory authority for your employer is: [Name and address of the relevant state authority].
Clood-X contains no advertising, no advertising identifiers (AAID/IDFA), no third-party analytics SDKs, and no cross-app tracking. No data is processed for marketing or profiling purposes.
Clood-X is intended for adult employees and is not directed at persons under the age of 16. We do not knowingly collect data from children.
We update this policy when the app or the legal situation changes. The current version is always available at https://clood-x.com/datenschutz-app.
For data protection questions, please contact your dispatcher first, or write to:
Email: editimghub@gmail.com