Privacy Policy

Last updated 5 July 2026

This Policy explains how FiveForty SAS, a société par actions simplifiée (SAS) incorporated in France processes personal data when you use Hourdeck. We act as data controller for account and service data, and as processor for the content you submit on behalf of your organisation. We are committed to the EU GDPR and the French Data Protection Act.

Data we process

Account & identity: name, email/UPN and organisation from your Microsoft sign-in. Service data: time entries, comments, activities and the Azure DevOps metadata you sync (projects, work items, iterations, assignees). Usage & diagnostics: feature usage, and feedback you send. Billing: subscription and metering records (via Microsoft). We do not intentionally collect special-category data.

Sources

Directly from you; from Microsoft Azure DevOps when you connect and sync; and, only if you choose to connect one, from a third-party time-tracking tool using the credentials you provide.

Why we process it (legal bases)

To provide and secure the service and perform our contract (Art. 6(1)(b)); for our legitimate interests in improving and protecting the service and light-touch analytics (Art. 6(1)(f)); to comply with legal obligations (Art. 6(1)(c)); and on consent where required (e.g. optional AI features) (Art. 6(1)(a)).

AI features

When you use AI features (estimate, recaps, approval review, comment assist), the relevant time-tracking text is sent to our AI provider, Anthropic, to generate a response in real time. Under Anthropic's commercial terms, this data is not used to train their models. You can avoid this by not using AI features, or by configuring your own AI key.

Sub-processors

Microsoft (identity, Azure DevOps, marketplace, hosting), our cloud hosting and database providers, and Anthropic (AI). Where you connect another time-tracking tool, data flows from that tool to us at your instruction. A current sub-processor list is available on request.

International transfers

Where data is processed outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

Retention & security

We keep data for as long as your organisation uses the service and as needed for legal/accounting purposes, then delete or anonymise it. Secrets (integration tokens, keys) are encrypted at rest (AES-256-GCM); data is encrypted in transit (TLS). Access is role-based and scoped per organisation.

Your rights

Subject to law, you may request access, rectification, erasure, restriction, portability, and object to certain processing. Contact support@fiveforty-group.com. You also have the right to lodge a complaint with your supervisory authority (in France, the CNIL). For content processed on behalf of your employer, please contact your organisation's administrator.

Cookies

We use only strictly-necessary cookies/storage required to sign you in and run the app. We do not use advertising trackers.

Contact

Data protection enquiries: support@fiveforty-group.com · https://fiveforty-group.com