Beebole Project Time Tracking Software

GDPR Compliance

Effective as of June 8, 2026

Beebole and the GDPR

Beebole s.r.l. (“Beebole”) is a B2B SaaS time-tracking and planning provider based in Brussels, Belgium. We are committed to the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

This page explains the GDPR features built into the product and how we handle personal data. It complements — and should be read together with — our:

Our roles under the GDPR

  • Controller — for our own employee data, account/registration data, and website-visitor data.

  • Processor — for the Customer Data (timesheets, absences, project records) we process on behalf of our B2B customers, who are the controllers of that data.

Our lead supervisory authority is the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit, “APD-GBA”). You may also have the right to lodge a complaint with the supervisory authority in your own country.

Data Processing Agreement (DPA) — now public and auto-applied

Our DPA is public and automatically applies to every customer. It is incorporated by reference into our Terms of Service, so you receive its Article 28 protections without signing a separate agreement or emailing a request.

  • Read it here: Data Processing Agreement

  • It defines Beebole’s obligations as a processor, including purpose limitation, security measures, sub-processing terms, audit rights, and data-subject-rights assistance.

  • It commits Beebole to notify the customer (controller) of a personal-data breach within 24 hours of becoming aware of it. (Under GDPR Art. 33, the controller then has 72 hours to notify its supervisory authority where required.)

  • Our current sub-processors are listed in the Sub-processors list, which also sets out the change-notice and 30-day objection process under Art. 28(2).

Previously the DPA was available only on request by email. That is no longer the case — it is public and auto-applied.

Data Protection Officer

Beebole has appointed an external (outsourced) Data Protection Officer. You can reach our DPO for any GDPR question, request, or concern at:

dpo@beebole.com

Within the product, customers can also designate their own data officer to manage data-subject requests for their account (see below).

GDPR features in the product

Beebole gives account administrators the tools to meet GDPR obligations directly from within the application.

Assignable data officer

  • Account administrators can assign a data officer in the account settings. This in-app role is available by default and is responsible for handling data-subject requests within the customer’s account.

Access and portability — download user data

  • Administrators and data officers can download a user’s data as JSON or CSV on request, supporting the rights of access (Art. 15) and data portability (Art. 20).

Erasure and “Right to be Forgotten”

  • A user can be deleted immediately from the account. On deletion, the user’s data is removed, and any copies in backups and logs are erased within 90 days.

  • This deletion mechanism is how Beebole supports the Right to be Forgotten (Art. 17).

Audit-trail control

  • Audit trails are part of the Customer Data in your account. You can review and delete audit-trail entries at any time from the account settings; they are not subject to a separate retention period. (On the legacy V1 platform, audit trails were stored on a separate server with a 90-day option; on the current platform, they are simply part of your Customer Data.)

Retention periods

Data type

Retention

Customer Data (including audit trails)

Retained while your account exists — including after a subscription ends, so you can return and reactivate. You can delete it at any time; on termination, it is deleted or returned at the customer’s election (per the DPA). We do not automatically delete Customer Data on termination.

Technical / usage data

90 days

Logs

90 days

Backups

30 days

Billing/accounting data

10 years (Belgian statutory requirement)


These periods are consistent with the Privacy Policy and the DPA. Billing and accounting records are retained for 10 years to comply with Belgian statutory bookkeeping obligations, which override shorter deletion periods.

Data-subject rights

Where Beebole is the controller (e.g., website visitors, account contacts), and to support our customers where Beebole is the processor, the following GDPR rights apply:

  • Access (Art. 15) — obtain confirmation and a copy of personal data.

  • Rectification (Art. 16) — correct inaccurate or incomplete data.

  • Erasure / “Right to be Forgotten” (Art. 17).

  • Restriction of processing (Art. 18).

  • Data portability (Art. 20) — receive data in a structured, machine-readable format (JSON or CSV in-product).

  • Objection (Art. 21).

  • Withdraw consent at any time, where processing is based on consent, without affecting prior processing.

  • Lodge a complaint with a supervisory authority — the Belgian APD-GBA, or the authority in your own country.

Beebole does not carry out automated decision-making that produces legal or similarly significant effects (Art. 22).

Where Beebole acts as processor, data-subject requests are handled through the customer (controller) and the in-product tools described above. For other requests, contact legal@beebole.com.

Website privacy

Our marketing website and documentation site are designed to minimize the personal data collected from visitors:

  • Analytics: We use PostHog (EU-hosted) for analytics. PostHog processes personal data as a sub-processor; session replay is not enabled.

  • In-app product analytics tracks signed-in users only for operational and product-improvement purposes. This first-party, behind-login processing is carried out on the basis of our legitimate interests and is documented in our Privacy Policy.

  • Website analytics on our commercial website runs only after you consent via the cookie banner and is documented in our Cookie Policy.

  • No third-party tracking scripts are loaded on our website.

  • Static share buttons are used (no tracking-enabled social widgets).

  • No targeted advertising — we do not serve or facilitate targeted ads.

Google Analytics has been retired and is no longer used; PostHog is our sole analytics tool.

For details on cookies and visitor data, see the Privacy Policy and the Cookie Policy.

Security and certifications

Beebole applies appropriate technical and organizational security measures to protect personal data, including encryption in transit and access controls.

  • ISO 27001 and SOC 2 certifications are in progress via Vanta. Beebole is not currently certified to either standard; we will update this page when certification is achieved.

  • Beebole’s services are DCAA-compliant, relevant for US government contractor customers.