Privacy & Protection

Open Working Hours is designed in compliance with GDPR. Privacy is not a feature added later, but an integral part of the technical architecture (Privacy by Design, Art. 25 GDPR).

Privacy by Design

Data minimization: We collect only what's necessary for aggregation. No names, no precise locations, no employer identifiers.
Pseudonymization: Users are identified by random tokens, not personal information. We store only a one-way cryptographic hash of your email address for account integrity — the original email is not retained.
Encryption in transit: All communication between the app and our servers uses TLS 1.3. Data at rest is encrypted on the server.
k-anonymity protection: Statistics are only published when a sufficient number of individuals contribute to a group. Small groups are suppressed entirely.
User controls: Export all your data or delete your account at any time. Deletion is permanent and cascades to all associated records.
No employer access: This is not an employer tool. Your employer cannot see your data, cannot request access, and is not part of the system.

What we collect

Collected

  • Daily working hours (net, after breaks)
  • Federal state (Bundesland)
  • Medical specialty category
  • Role level (e.g., resident, attending)
  • Anonymous usage token

Not collected

  • Your name
  • Hospital or employer name
  • Precise location coordinates
  • IP address (not stored)
  • Device identifiers
  • Contacts, calendar, or other app data

Protection against re-identification

Even in anonymized data, members of small groups could potentially be re-identified. We implement multiple safeguards:

  • Minimum group size: Statistics require a minimum number of contributors (k-anonymity)
  • Cell suppression: Groups below the threshold are completely hidden, not approximated
  • Statistical noise: Aggregates include calibrated noise (Laplace mechanism, ε=1.0) to prevent inference attacks
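The suppression-plus-noise step described above, as an added illustration that is not the project's own code. It assumes a minimum group size of 5 (the page gives no number), a 24-hour clip on each daily value so one person's influence is bounded, and an even split of ε=1.0 between the published count and hour sum; WorkEvent, FixedRng and the sample rows are constructed here.

```python
import math
import random
from collections import defaultdict, namedtuple

K_MIN = 5          # assumed minimum group size (the page states no number)
EPSILON = 1.0      # privacy budget stated on the page
MAX_HOURS = 24.0   # clip each contribution so one person's influence is bounded

# token is the random pseudonymous id; hours are net daily hours after breaks
WorkEvent = namedtuple("WorkEvent", "token bundesland specialty role hours")

class FixedRng:
    # deterministic stand-in for tests and demos; production uses SystemRandom
    def __init__(self, value): self.value = value
    def random(self): return self.value

def laplace_noise(rng, sensitivity, epsilon):
    """Sample Laplace(0, sensitivity/epsilon) by inverse CDF from rng.random()."""
    b = sensitivity / epsilon
    u = max(rng.random() - 0.5, -0.5 + 1e-12)   # u in (-0.5, 0.5); avoids log(0)
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def aggregate(events, k=K_MIN, epsilon=EPSILON, rng=None):
    """Map (bundesland, specialty, role) -> stats for cells with >= k contributors.
    Smaller cells are dropped (cell suppression); the released count and hour
    sum each get Laplace noise drawn from half the budget."""
    rng = rng or random.SystemRandom()
    cells = defaultdict(dict)                   # cell key -> {token: clipped hours}
    for e in events:
        # one value per token per window: a repeat overwrites instead of adding,
        # so a single contributor moves the sum by at most MAX_HOURS
        cells[(e.bundesland, e.specialty, e.role)][e.token] = min(max(e.hours, 0.0), MAX_HOURS)
    published = {}
    for key, members in cells.items():
        n = len(members)
        if n < k:
            continue                            # suppressed outright, not approximated
        noisy_n = n + laplace_noise(rng, 1.0, epsilon / 2)
        noisy_sum = sum(members.values()) + laplace_noise(rng, MAX_HOURS, epsilon / 2)
        published[key] = {"contributors": round(noisy_n),
                          "mean_hours": round(noisy_sum / max(noisy_n, 1.0), 2)}
    return published

# constructed sample: six contributors in one cell (one over-reported day), two in another
SAMPLE = [WorkEvent(f"t{i}", "BY", "Innere Medizin", "Assistenzarzt", h)
          for i, h in enumerate([9, 10, 11, 8, 30, 12], start=1)]
SAMPLE += [WorkEvent("t7", "BY", "Chirurgie", "Oberarzt", 10),
           WorkEvent("t8", "BY", "Chirurgie", "Oberarzt", 13)]
```

Run `aggregate(SAMPLE)` to see only the six-person cell published; the two-person cell never appears, regardless of the noise draw.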

Data Flow

Data Flow: Your Device → Secure Backend → Public Dashboard

Individual data → encrypted transmission → k-anonymized aggregation → public statistics

Deletion & export

GDPR grants you rights over your data. We make these easy to exercise:

Export

Download all your submitted data in JSON format from the app settings.

Deletion

Delete your account from the app. All personal data and work events are permanently removed. Previously aggregated statistics (which contain no personal data) are retained.

For the complete legal privacy policy, see our formal Privacy Policy.