Privacy Policy
Last updated: 9 April 2026
InvoTrack is a business-to-business (B2B) service for companies that need to track employee time and generate invoices and payslips. This privacy policy explains how personal data is handled within the service.
1. Roles: Data Controller and Data Processor
Under GDPR, responsibilities are split between two parties:
- Your organisation (the company that signs up and uses InvoTrack) is the data controller for all business data stored in the system — including employee records, time logs, invoices, and payslips. Your organisation decides what data is entered, how long it is kept, and to whom it relates.
- Allegro IT ApS acts as the data processor, storing and operating the service on your organisation's behalf under the contractual terms you accepted when signing up.
Allegro IT ApS, CVR 34593701, Fyrrelien 8, 8920 Randers NV, Denmark. Phone +45 22 31 55 02. Website: allegroit.dk.
2. What Data Is Stored
InvoTrack stores the following data on behalf of each customer organisation:
- Account information — name, email address, and hashed password for each user who signs in
- Organisation information — company name, address, official ID (CVR/VAT), phone, email, bank details
- Employee records (owned by the employer) — name, address, official ID, phone, email, hourly rate
- Time tracking data — dates, hours worked, work descriptions, billing rates
- Invoice and payslip records — generated from time tracking data
Employee records and time tracking data belong to the employing company, not to the individual employee. This is standard for B2B workforce management tools.
3. Purpose and Legal Basis
Allegro IT processes this data on behalf of your organisation strictly to provide the InvoTrack service. The legal basis is a combination of contractual necessity (the processing agreement between Allegro IT and your organisation) and your organisation's own lawful basis for processing employee data (typically contract of employment or legitimate interest).
4. Data Storage and Security
All data is stored on servers operated by Hetzner Online GmbH in Helsinki, Finland (EU). Data is encrypted in transit (TLS/HTTPS). No data is transferred outside the European Economic Area.
5. Third-Party Sharing
Allegro IT does not share data with any third parties. No analytics services, advertising networks, or external processors receive data from InvoTrack.
6. Cookies
InvoTrack uses only essential authentication cookies required to keep you signed in. No analytics cookies, tracking cookies, or third-party cookies are used.
7. Rights Under GDPR
Because InvoTrack is a B2B service, the route for exercising GDPR rights depends on who is asking and about what data:
- If you are an employee and your request concerns your employment-related data (time logs, employee profile, payslips), contact the administrator of your organisation. Allegro IT does not control this data and cannot act on individual employee requests directly.
- If you are the tenant administrator, you can exercise data portability at any time via Organisation Data, which exports the entire organisation's dataset as a JSON file. To have your organisation permanently removed from InvoTrack, contact Allegro IT directly.
- If your request concerns your login account itself (email address, password), contact Allegro IT at the address above.
- Rectification of data within the organisation is done directly through the InvoTrack application by an authorised user.
- Complaint — you may lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.
8. Data Retention
Allegro IT retains data for as long as your organisation's account is active. When an organisation is removed from InvoTrack, all data associated with it is deleted from the active database. The customer organisation is responsible for satisfying its own statutory retention obligations — for Danish customers, this typically means retaining bookkeeping records for at least 5 years under Bogføringsloven. You can export a complete copy of your organisation's data at any time via Organisation Data to satisfy these obligations independently.
9. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated through the application.