SAFE HARBOUR PRIVACY POLICY

Timekit, Inc. respects your concerns about privacy. Timekit complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the European Economic Area (“EEA”) and Switzerland. Timekit has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Timekit’s certification, please visit export.gov/safeharbor or see our Safe Harbor Notice at timekit.io/safeharbor. For more information about Timekit’s processing of Personal Information, please visit Timekit’s Privacy Policy.

Please note that Timekit provides its clients with services that include processing personal data on its client’s behalf, such as where Timekit provides scalable scheduling and booking infrastructure for applications developed by our clients. In operating as a data processor on behalf of our client (the data controller), Timekit does not own or control personal data, rather such responsibility lies with the data controller. In such situations, Timekit typically has no contact with the individuals to whom such personal data relates and so is dependent upon its clients to comply with applicable EEA and/or Swiss data protection law at the time that the personal data is originally collected or received by its clients. As a data processor, Timekit is required to provide services to our clients in accordance with our contractual arrangement with our client and any requirements, instructions or provisions regarding data handling or privacy within such contracts.

In the limited circumstances where Timekit acts as a data controller (i.e., provided to Timekit by the company’s clients in connection with payment for Timekit’s services or in collection of data from Timekit website visitors), Timekit is subject to and complies with the Safe Harbor Privacy Principles.

This Safe Harbor Policy (“Policy”) is to be read subject to the above distinction.

Definitions

The following definitions will apply to the Policy:

“Agent” means any third party that collects or uses personal data under the instructions of, and solely for, Timekit or to which Timekit discloses personal data for use on our behalf.

“Data controller” means the person or body who determines the purposes and means of processing and retains responsibility for the data.

“Data processor” means the person or body which processes personal data on behalf of the data controller.

“Personal data” means information that (i) is transferred from the EEA or Switzerland to Timekit in the U.S. and (ii) relates to an identified or identifiable natural or legal person (to the extent a legal person is subject to national data protection law).

“Sensitive personal data” means information revealing medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or sex lives of individuals.

Notice

When acting as a data processor, Timekit may receive, hold and process personal data (including sensitive personal data) from our EEA or Swiss clients. The client, as the data controller, is responsible for ensuring that the personal data is processed in accordance with the rights and requirements of the individuals concerned under European data protection law.

Where Timekit directly collects personal data from individuals in the EEA or Switzerland it is acting in the role of data controller. As data controller, Timekit will inform individuals about the type of personal data collected, the purposes for which it collects and uses the personal data, the types of non-agent third parties to which Timekit may disclose personal data, and the choices and means Timekit offers individuals for limiting the use and disclosure of their personal data.

Choice

Where Timekit acts as data controller, Timekit will offer individuals the opportunity to choose (opt out) whether their personal data will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. Timekit will provide individuals with reasonable mechanisms to exercise their choices. As a data controller, Timekit does not process sensitive personal data.

Where Timekit acts as a data processor, Timekit’s clients are responsible for providing choice to individuals as to whether their personal data may be disclosed to third parties by Timekit or used for a purpose that is incompatible with the purpose(s) for which the information was originally collected or subsequently authorized by the individual.

Onward Transfer (Transfers to Third Parties)

Timekit will obtain assurances from its agents to safeguard personal data in conformance with this Policy. Such assurances may be in the form of the agent’s certification to the Safe Harbor Privacy Principles or a written agreement between Timekit and the agent requiring that the third party provide at least the same level of privacy protection as is required by the Safe Harbor Privacy Principles.

Access

Where Timekit acts as data controller, Timekit will grant individuals reasonable access to the personal data that we hold about them, and Timekit will take reasonable steps to permit individuals to correct, amend, and/or delete personal data that is demonstrated to be inaccurate, except where the rights of persons other than the individual would be violated.

Security

Timekit will take reasonable precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction where any such precautions are within Timekit’s control.

Data integrity

Regardless whether Timekit acts as data processor or data controller, Timekit will use personal data only for the purposes compatible with its original collection or as subsequently authorized for use by the individual. When specifically acting as data controller, Timekit will take reasonable steps to ensure that personal data is pertinent to its intended use, accurate, complete, and current.

Enforcement

Timekit reviews its compliance with this Policy to verify that the assertions made in it are true and that the practices the Policy contains are implemented correctly. Timekit will investigate any breach of this Policy that has been reported to the company.

How to Contact Us

In compliance with the US-EU and US-Swiss Safe Harbor Principles, Timekit commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss citizens with inquiries or complaints regarding this privacy policy should first contact Timekit by:

Contacting Timekit’s Chief Privacy Officer by email at privacy@timekit.io

Writing to:

Timekit, Inc.

Attention: Chief Privacy Officer

1355 Market St., 3fl.

San Francisco, CA 94103

USA

Timekit has further committed to refer unresolved privacy complaints under the US-EU and US-Swiss Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Timekit, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

This Safe Harbor Policy was last revised January 5, 2016.