Privacy Policy

Last updated: March 2026

1. Overview

Kairox UG (haftungsbeschränkt) ("Kairox", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Kairox Timesheet application and related services.

2. Information We Collect

Data Stored in SharePoint

Kairox Timesheet stores all user data directly in your Microsoft 365 tenant's SharePoint environment. This includes:

  • Time entries (date, hours, project, description)
  • Project and category configurations
  • User preferences and settings

Important: All this data remains within your organization's Microsoft 365 tenant. Kairox does not have access to this data and does not store it on external servers.

License and Subscription Data

When you subscribe to Kairox through Microsoft AppSource, Microsoft handles the licensing and subscription management. We receive only the information necessary to validate your subscription status.

Web App Authentication (OAuth)

When you sign up or log in to the Kairox Web App (app.kairox.de), you authenticate through a third-party identity provider. We support:

  • Microsoft (Azure AD) — via MSAL popup (scopes: openid, profile, email)
  • Google — via Google Identity Services (scopes: openid, profile, email)

We receive the following data from your identity provider:

  • Email address
  • Display name
  • Provider-specific user ID (e.g., Azure AD Object ID or Google Subject ID)

We do not receive or store your password, profile picture, contacts, calendar data, or any other data beyond what is listed above.

User Account Data

When you first authenticate via the Web App, we create a user account in our database containing:

  • Your email address and display name (from your identity provider)
  • Your authentication provider and provider user ID
  • Your team membership and role
  • Time entries you create within the application
  • User preferences and settings

This data is stored on our servers in Germany and is necessary to provide the Kairox Timesheet service.

Authentication Tokens

After authentication, we issue a Kairox-JWT (JSON Web Token) for API access. Refresh token hashes are stored server-side to enable session renewal. Tokens expire automatically and can be revoked by logging out.

3. How We Use Your Information

We use information for the following purposes:

  • To provide and maintain our service
  • To validate subscription and license status
  • To provide customer support
  • To improve our products and services

4. Data Storage, Hosting and Security

Your timesheet data is stored exclusively in your organization's SharePoint environment and is protected by Microsoft's enterprise-grade security measures. We do not have access to your SharePoint data.

For SaaS subscription management, we use secure, encrypted connections and follow industry best practices for data protection.

Cloudflare

We use services provided by Cloudflare Inc. (101 Townsend St, San Francisco, CA 94107, USA) to deliver and protect our web services:

  • Cloudflare Pages: All static content (marketing website, web apps, dashboards) is served via Cloudflare Pages as a content delivery network (CDN).
  • Cloudflare Tunnel: Our APIs (*.kairox.de) are served through encrypted Cloudflare tunnels (reverse proxy). Data processing occurs on our own servers in Germany — Cloudflare only routes traffic.

Cloudflare processes the following data: IP address, user agent, geolocation (country/region), request headers, and timestamps. This data is necessary for content delivery and DDoS protection.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — Cloudflare is used to protect our services from attacks (DDoS protection), ensure secure delivery, and optimize performance.

International data transfer: Cloudflare Inc. is certified under the EU-US Data Privacy Framework (DPF), ensuring an adequate level of data protection for transfers of personal data to the USA. More information: Cloudflare Privacy Policy.

Data processing agreement: We have entered into a Data Processing Addendum (DPA) with Cloudflare.

Server Log Files

Our hosting provider automatically collects and stores information in server log files that your browser transmits to us. This includes:

  • Browser type and version
  • Operating system
  • Referrer URL
  • Hostname of the accessing device
  • Time of the server request
  • IP address

This data is not combined with other data sources.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — server log files are necessary to ensure error-free operation of the website and to detect attacks.

Retention period: Server log files are automatically deleted after 90 days.

5. Data Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties. Your SharePoint data remains exclusively within your Microsoft 365 tenant.

Cloudflare acts as a data processor on our behalf for content delivery and security purposes (see section 4 above). No data is shared with other third parties.

6. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Right of access (Art. 15 GDPR): You can request information about your personal data processed by us.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate or completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your personal data.
  • Right to restriction of processing (Art. 18 GDPR): You can request restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR): You can request that we provide your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object at any time to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest).

Since your timesheet data is stored in your own SharePoint environment, you have full control over it through your Microsoft 365 admin center.

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

7. Cookies and Local Storage

The Kairox SPFx Web Part operates within SharePoint and does not set its own cookies. Any cookies used are managed by the SharePoint platform according to Microsoft's policies.

The Kairox Web App (app.kairox.de) uses browser Local Storage to persist your authentication session (Kairox-JWT) and your cookie consent preference.

Google Analytics

We use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyze user behavior on our websites.

Google Analytics is only activated when you explicitly consent via the cookie banner (opt-in). Without your consent, no analytics data is collected. We use GA4 Consent Mode v2 technology to ensure that no personal data is transmitted to Google before you give consent.

When consent is given, the following data is collected:

  • Page views and usage behavior
  • Technical data (browser type, screen resolution, operating system)
  • Approximate location data (country/region, no precise location)
  • Session duration and interaction patterns

Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by clearing your browser cookies or local storage — the cookie banner will be shown again on your next visit.

IP anonymization: Google Analytics 4 anonymizes IP addresses by default — no complete IP addresses are stored.

Retention period: The data retention period in Google Analytics is set to 14 months. Data is automatically deleted after this period.

Right of withdrawal (Art. 7(3) GDPR): You can withdraw your consent to data collection by Google Analytics at any time with effect for the future by clearing your browser cookies or local storage.

International data transfer: Google Ireland Limited may transfer data to Google LLC (USA). Google LLC is certified under the EU-US Data Privacy Framework (DPF). More information: Google Privacy Policy.

Data processing agreement: We have entered into a Data Processing Agreement (DPA) with Google.

8. Telemetry (Anonymous Usage Statistics)

The Kairox Timesheet application collects anonymous usage statistics based on our legitimate interest in improving our software (Art. 6(1)(f) GDPR).

What data is collected?

Only anonymous, non-personal data is collected:

  • Features used (e.g., view switches, save operations)
  • Load times and performance metrics
  • Error messages without personal data
  • Browser type and screen resolution

What data is NOT collected?

  • No personal data (name, email, user ID)
  • No time entry data or project information
  • No IP addresses
  • No tracking cookies or persistent identifiers
  • No tenant or organization IDs

Opt-Out

You can opt out of data collection at any time by disabling telemetry in the application settings (Settings icon → "Telemetry").

Data processing

Anonymous data is processed on our own servers in Germany and automatically deleted after 90 days. No data is shared with third parties.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Kairox UG (haftungsbeschränkt)
Kühsee 4
93164 Brunn
Germany

Email: privacy@kairox.de

A data protection officer has not been appointed, as the requirements of § 38 BDSG (at least 20 persons regularly involved in automated data processing) are not met.
