1. Data controller
The data controller for personal data collected through the timepax website and service is:
IXIR SOFTWARE SOLUTIONS SRL
Șos. Mihai Bravu 123-135, Bl. D11 Sc. B Et. 1 Ap. 4, Postal code 021314, Sector 2, Bucharest, Romania
Email: office@ixir.ro
Phone: +40 729 153 071
For the B2B workforce tracking service, the Client (employer) may act as a separate controller for employee data; Section 8 explains this relationship.
2. Scope
This policy applies to website visitors, persons who contact us via forms, newsletter subscribers, and users of the timepax platform (administrators and employees invited by Clients).
It does not apply to third-party websites linked from our pages; those sites have their own privacy notices.
3. Categories of personal data
Depending on how you interact with timepax, we may process:
- Identification and contact: name, email address, telephone number, company name.
- Account and authentication: account identifiers, activity logs, language preferences.
- Workforce and HR operations: clock-in/clock-out times, approximate location (where GPS features are enabled), workplace/location assignments, leave records, shift data — as configured by the Client.
- Technical data: IP address, device type, application identifiers, cookies (see our Cookie Policy).
- Communications: content of messages sent via contact forms or support channels.
4. Purposes and legal bases (Art. 6 GDPR)
We process personal data on the following bases:
- Performance of a contract (Art. 6(1)(b)) — providing the timepax service, account management, technical support.
- Legitimate interests (Art. 6(1)(f)) — security, fraud and abuse prevention, product improvement, aggregated statistics, responding to enquiries (balanced against your rights).
- Consent (Art. 6(1)(a)) — newsletter, non-essential cookies, and other processing where consent is required.
- Legal obligation (Art. 6(1)(c)) — retention of accounting/tax records, responses to competent authorities.
5. Recipients and processors
Personal data may be accessed by infrastructure providers (hosting, email delivery), analytics tools (if enabled with consent), and legal or professional advisers, under contracts that impose confidentiality and security measures consistent with Art. 28 GDPR.
We do not sell personal data. Sub-processors are engaged only where necessary to deliver the service and are bound by written agreements.
6. Retention periods
We retain data for as long as the account is active and thereafter in accordance with legal obligations or applicable limitation periods. Technical logs may be kept for limited periods for security and troubleshooting.
Contact form and newsletter data: until consent is withdrawn or the request is resolved, plus any applicable statutory retention periods.
After termination of a Client subscription, Client data may be deleted or returned in accordance with the DPA and contractual terms, subject to legal retention requirements.
7. Your rights (Arts. 15–22 GDPR)
Subject to GDPR conditions, you have the right to:
- Access (Art. 15) — obtain confirmation and a copy of your personal data;
- Rectification (Art. 16) — correct inaccurate data;
- Erasure (Art. 17) — request deletion where applicable (“right to be forgotten”);
- Restriction (Art. 18) — limit processing in certain circumstances;
- Data portability (Art. 20) — receive data in a structured, machine-readable format where applicable;
- Objection (Art. 21) — object to processing based on legitimate interests;
- Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing before withdrawal.
8. Controller and processor roles (employer Clients)
When your employer uses timepax for workforce tracking, the employer is typically the data controller for employee personal data and determines what is collected and for which operational purposes. IXIR SOFTWARE SOLUTIONS SRL acts as data processor on the employer’s instructions, under a data processing agreement.
To exercise rights relating to clock-in data, leave, or other HR information, contact your employer first. We will assist the employer technically upon their request. For data we control directly (e.g. website visitors, account administrators), contact us at office@ixir.ro.
9. Security measures
We implement appropriate technical and organisational measures, including encryption in transit (HTTPS), access controls, device-based authentication where configured, logging, and internal procedures. No system is completely secure; please report incidents to office@ixir.ro.
Clients are responsible for configuring access rights, training Users, and using the service in compliance with employment and data protection law applicable to their organisation.
10. International transfers
Personal data is primarily processed within the European Economic Area (EEA). Where transfers outside the EEA are necessary (e.g. cloud infrastructure or support tools), we ensure appropriate safeguards under Chapter V GDPR, such as EU Standard Contractual Clauses, adequacy decisions, or other mechanisms permitted by law.
You may request further information on transfer safeguards by contacting us.
11. Supervisory authorities and complaints
You have the right to lodge a complaint with a supervisory authority. In Romania, the competent authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, Bucharest.
If you are located in another EU/EEA Member State, you may also lodge a complaint with your local data protection authority. A list of authorities is published by the European Data Protection Board: edpb.europa.eu.
12. Children
The service is not directed at persons under 16 years of age. We do not knowingly collect personal data from children without a valid legal basis. If you believe we have collected a minor’s data unlawfully, contact us and we will delete it after verification.
13. Changes to this policy
We update this policy periodically. The date at the top of this page indicates the last revision. Material changes may be communicated by email or in-platform notice where appropriate.
For cookie-specific information, see our Cookie Policy.