Privacy Policy for the Open Working Hours App

Last updated: January 2026

Note: This document is a draft prepared for legal review. Final version pending approval by qualified legal counsel.

1. Controller

The controller responsible for data processing is:

Lukas Jonathan Hondrich
Karl-Marx-Straße 182
12043 Berlin, Germany
Email: privacy@openworkinghours.org

2. Overview of Data Processing

Open Working Hours is a privacy-first platform for healthcare workers to track and report working hours. We process personal data only to provide the service and to generate anonymous, aggregated statistics about working conditions in the healthcare sector.

Key principles:

  • Data minimization: We collect only what is necessary
  • Local-first: Most data stays on your device
  • Pseudonymization: Your identity is protected by technical measures (see Section 8)
  • K-anonymity: Statistics are only published when groups meet minimum size thresholds

3. Data We Collect

3.1 Data Stored Only on Your Device (Not Transmitted)

The following data is stored locally on your device and never sent to our servers:

  • GPS coordinates for geofencing (used only to detect when you enter/leave work locations)
  • Shift templates and planned schedules
  • Sick day and vacation records
  • Work location names and coordinates
  • Unconfirmed tracking sessions

3.2 Data Transmitted to Our Servers

When you confirm a day's working hours, the following data is transmitted:

  • Email hash: A one-way cryptographic hash of your email address (the original email is not stored)
  • Confirmed working hours: Date, planned minutes, actual minutes worked
  • Profile information: Federal state (Bundesland), medical specialty, role level (e.g., resident, attending)
  • Anonymous user ID: A randomly generated identifier

3.3 Data We Do NOT Collect

  • Your name
  • Your employer or hospital name
  • Precise GPS coordinates (these never leave your device)
  • IP addresses (not logged)
  • Device identifiers
  • Health data (sick days stay on your device)

4. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR Art. 6(1):

4.1 Contract (Art. 6(1)(b))

Processing necessary to provide the service you requested: account creation, authentication, storing your work events, and enabling data export and deletion.

4.2 Consent (Art. 6(1)(a))

Your contribution to aggregated, anonymized statistics about healthcare working conditions. You provide this consent when you accept the Terms of Service. You may withdraw consent at any time by deleting your account, which removes your data from future aggregations.

5. Recipients of Your Data

5.1 Service Providers (Processors)

We use the following service providers who process data on our behalf under Data Processing Agreements:

  • Hetzner Online GmbH (Germany) — Server hosting
    Your data is stored on servers in Germany.
  • Brevo (Sendinblue) (EU) — Email delivery
    Used only to send verification codes. Email addresses are not stored after verification.

5.2 Public Statistics

Aggregated, anonymized statistics may be published publicly or shared with healthcare unions, professional associations, and researchers. These statistics:

  • Contain no personal data
  • Are only published when groups meet minimum size requirements (k-anonymity)
  • Include statistical noise to prevent re-identification (differential privacy)

5.3 No Employer Access

Your employer cannot access your data. Open Working Hours is not an employer tool. Employers cannot request access to individual user data, and we will not provide it.

6. Data Retention

  • Account data and work events: Retained until you delete your account
  • Verification codes: Automatically deleted after 15 minutes
  • Aggregated statistics: Retained indefinitely (they contain no personal data)
  • Server backups: Retained for 30 days, then automatically deleted

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of your data via the app's export function
  • Right to rectification (Art. 16): Correct inaccurate data in the app
  • Right to erasure (Art. 17): Delete your account and all associated data via the app
  • Right to data portability (Art. 20): Export your data in JSON format via the app
  • Right to withdraw consent (Art. 7): Withdraw consent by deleting your account
  • Right to lodge a complaint: You may file a complaint with the Berlin data protection authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit)

Important Note on Aggregated Statistics

When you delete your account, all your personal data is permanently removed. However, aggregated statistics that were calculated before your deletion are retained. These statistics cannot be linked back to you because they:

  • Contain only group-level information (e.g., "surgeons in Bavaria")
  • Are based on groups meeting minimum size requirements
  • Include statistical noise that masks individual contributions

Under GDPR, such properly anonymized data is not considered personal data and is therefore not subject to the right to erasure.

8. Security Measures

  • Encryption in transit: All data transmission uses TLS 1.3
  • Encryption at rest: Server data is encrypted
  • Pseudonymization: Email addresses are hashed; users are identified by random IDs
  • Access control: Access to production systems is strictly limited
  • EU data residency: All data is stored in Germany

9. International Data Transfers

Your data is processed and stored exclusively within the European Union (Germany). We do not transfer personal data to countries outside the EU/EEA.

10. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated through the app. The current version is always available at this URL.

11. Contact

For privacy-related questions or to exercise your rights, contact:

Email: privacy@openworkinghours.org