1. Data controller
The data controller is Eurobest-Holding (Tax ID 32991314E), located at C/ Sierra de las Nieves, nº 1, 1ºB, 41440 - Lora del Río, España.
You can contact us at: contacto@jornadapp.es.
For data protection matters you may contact our Data Protection Officer (DPO) at: contacto@jornadapp.es.
2. Purpose and legal basis
We process personal data in Jornadapp to:
- Platform and contractual management: registration of companies and users; authentication (including sign-in with Google or Microsoft (OAuth) and, where applicable, with digital certificate); employee management (onboarding, editing, sending credentials by email, assignment of schedules and geofence, employee photo); clock-in/out records with geolocation (clock-in, clock-out, breaks); absences and holidays (requests, approvals, balances and policies); report generation (CSV, PDF, payroll, SAGE); billing and subscriptions (Stripe, PayPal) and, where applicable, integration with external billing systems; clock-in reminders by email; configuration of breaks, projects and two-factor authentication (2FA). Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Live tracking (where the customer has subscribed to this extra): map view of workers’ location while they are clocked in. Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Push and in-app notifications: sending reminders and notifications in the mobile app (via Firebase Cloud Messaging or other technical means). Legal basis: contract performance or legitimate interest (Art. 6(1)(b) or 6(1)(f) GDPR).
- Legal compliance: retention of working time records and data required by applicable employment law. Legal basis: legal obligation (Art. 6(1)(c) GDPR).
- Commercial communications and service improvement: sending information about the service, updates or surveys, where you have given consent or we have a legitimate interest. Legal basis: consent or legitimate interest (Art. 6(1)(a) or 6(1)(f) GDPR).
- QR or NFC clock-in (where the company enables it): validation of the terminal or tag and recording of the clock event; on the web, the camera may be used only to read the QR code. Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Employment documents: storage of files uploaded by the company, assignment to employees and, where applicable, capture of signature (handwritten or similar) and signing timestamp. Legal basis: contract performance or legal obligation (Art. 6(1)(b) or 6(1)(c) GDPR).
- External calendar (optional): synchronisation or display of absences/events via OAuth with Google or Microsoft and/or an iCal-style subscription link, including processing of the necessary tokens. Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Webhooks and HTTP integrations (configured by the business customer): automatic sending of events (e.g. clock-in records created) to URLs specified by the customer controller. Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Technical anti-fraud signals: storing scores or flags derived from the device or clock-in context (e.g. location accuracy, consistency between records, clock skew) to support auditing; they are technical indicators and do not by themselves prove fraud. Legal basis: legitimate interest or contract performance (Art. 6(1)(f) or 6(1)(b) GDPR).
- Wellbeing / mood check-in (if the company enables it): collection of a mood rating; the employer dashboard shows aggregated statistics; technically the response may be linked to the employee to prevent duplicate submissions on the same day. Legal basis: contract performance or legitimate interest as applicable (Art. 6(1)(b) or 6(1)(f) GDPR).
- Offline operation (PWA): temporary storage on the device of pending clock-ins until connectivity is restored. Legal basis: contract performance (Art. 6(1)(b) GDPR).
3. Data we collect
- Manager/company accounts: name, email, password (hashed), company name, tax ID, address; payment data where applicable (handled by providers such as Stripe/PayPal).
- Employees: name, surname, email, password (hashed), ID number, social security number, employing company; where applicable employee photo, geofence data (centre and radius of allowed area) and schedules; theme preferences (light/dark).
- Clock-in/out records: date and time of clock-in, clock-out and breaks; location (latitude, longitude and address) at the time of the record.
- Absence and holiday requests: dates, type of absence, status (pending, approved, rejected) and data associated with company policies.
- Reports and exports: generated reports (CSV, PDF) may contain employee and clock-in data; where digital signature for PDFs is used, certificate configuration data is stored on the Provider’s server as configured by the administrator.
- Technical use and security: IP addresses, browser type, sessions and cookies necessary for operation and security (session, language and theme preferences); on the mobile app, device identifiers for push notifications and, when enabled, tokens or results of device integrity validation (Play Integrity API) to combat fraud. We do not use third-party advertising cookies in restricted areas.
- QR, NFC and terminals: QR terminal tokens or codes, NFC tag identifiers and technical data related to the clock-in mode chosen by the company.
- Documents: metadata (title, type, recipients), uploaded files, signature image or data where applicable, and timestamps of signing or viewing.
- Calendar: OAuth or refresh tokens for Google/Microsoft and, if used, per-employee iCal subscription token.
- Webhooks: destination URL, HMAC signing secret, subscribed event types and technical delivery logs (attempts, HTTP codes, error messages) for operations and support.
- Anti-fraud: score, technical flags and reference to the related clock-in record.
- Wellbeing: mood score, date and link to company (and technically to the employee for the daily limit).
- Offline queue (browser / PWA): pending clock-ins or operations stored locally until synchronised with the server.
4. Recipients and transfers
Data is stored on servers located in the European Union (or in territories with an adequacy decision or appropriate safeguards). We do not sell personal data. We may share data with:
- Hosting and technical service providers acting as processors (under Art. 28 GDPR agreements).
- Payment providers (Stripe, PayPal) to process subscriptions, in accordance with their own policies.
- Google and Microsoft only if you use sign-in with Gmail or Microsoft (OAuth), in accordance with their privacy policies.
- Firebase (Google) for sending push notifications in the mobile app, in accordance with its privacy policy.
- Google Play Integrity API when the Android app sends device integrity validation, in accordance with Google’s terms.
- Third-party systems whose URL or endpoint the customer configures as a webhook destination: transmission is performed on the instructions of the customer controller, who must ensure lawful processing at the destination (processor agreements, legal bases, security measures).
- Google and Microsoft in connection with calendar APIs when the employee or company connects those accounts.
5. Retention
We retain data for as long as necessary for the stated purposes and to comply with legal obligations (e.g. working time and employment law). Clock-in and absence data is retained in accordance with applicable law. When you close your account, we will delete or anonymise data within legally permitted periods.
6. Your rights
You may exercise your rights against Eurobest-Holding:
- Access: obtain confirmation as to whether we process your data and a copy of it.
- Rectification: have inaccurate or incomplete data corrected.
- Erasure: request deletion where data is no longer necessary, you withdraw consent or object to processing, unless we must retain it by law.
- Restriction: request that processing be restricted in cases provided by law.
- Portability: receive your data in a structured, commonly used format where processing is based on contract or consent.
- Objection: object to processing based on legitimate interest.
You may send your request to contacto@jornadapp.es. You have the right to lodge a complaint with a supervisory authority (e.g. in Spain, the AEPD).
7. Cookies and similar technologies
We use cookies and local storage necessary for the operation of the platform (session, language and theme preferences). We do not use third-party advertising cookies in restricted areas. The landing page may use basic analytics; you can manage preferences in your browser.
The installable web app (PWA) may use a service worker, browser cache and persistent storage (e.g. IndexedDB, localStorage) for performance, preferences and an offline clock-in queue. You can clear this data from your browser settings (site data).
8. Browser and device permissions (web and app)
Depending on features used by your employer and by you, the Platform may request or use system capabilities. Denying permission may prevent or limit GPS or QR/NFC clock-in or notifications.
- Location / GPS: precise position at clock-in, geofencing and, if subscribed, live tracking while clocked in.
- Camera (mainly in the browser): live capture to read terminal QR codes; we do not store photos of the environment as such beyond what the device needs to decode the code.
- NFC (Android or compatible devices): reading tags linked to clock-in on enabled terminals.
- Notifications: push via FCM on Android and, in supported browsers, web notifications for reminders or company messages.
- Network and internet: sending and receiving clock-ins, documents, webhooks and synchronising the offline queue.
- Local storage: see section 7; used for session, preferences and offline queue in the PWA.
- Device integrity (Android): when enabled, communication with Google Play Integrity to assess the app environment.
Permissions are managed in the operating system (Android, iOS, etc.) or browser settings (site, camera, location, notifications).
9. Security
We apply appropriate technical and organisational measures to protect your data (restricted access, encryption, hashed passwords, 2FA available).
10. Changes
We may update this policy. Material changes will be communicated by notice on the platform or by email. The date of the last update is shown at the bottom of the page.