belsimple Just right.

Privacy policy

Version 1.1

1. Who we are

Maarnyka BV (enterprise number 0783.288.064), registered at Ganzeplas 23, 9880 Aalter, Belgium, operates the belsimple service. We are the data processor for personal data entered into belsimple by your organisation. Your organisation (the tenant) is the data controller.

2. What personal data we collect

We collect and process the following personal data:

  • Name and email address — for account creation, login, and communication. Provided by your organisation’s manager when inviting you.
  • Time entries (hours, dates, task descriptions) and classification data — core service functionality for R&D reporting and compliance documentation.
  • Uploaded documents (CVs, diplomas, certifications, grant proposals) — for inclusion in regulatory filing packages. Uploaded by managers.
  • Task, project, and scheduling data (titles, descriptions, date ranges, work schedule targets) — for organising and reporting time. Configured by managers.
  • Technical data — hashed password, session identifier, action timestamps, and user preferences (e.g. favourited tasks). Generated or set automatically to operate and secure the service.

We do not collect location data, device fingerprints, browsing history, data from third-party sources, or data for advertising or profiling purposes.

3. Why we process your data

  • Providing the belsimple service — performance of a contract (GDPR Art. 6(1)(b))
  • Maintaining an audit trail — legitimate interest (GDPR Art. 6(1)(f))
  • Service-related communications — performance of a contract (GDPR Art. 6(1)(b))
  • Legal obligations (e.g. accounting records) — legal obligation (GDPR Art. 6(1)(c))

We do not process your data for marketing, profiling, automated decision-making, or any purpose unrelated to delivering the belsimple service.

4. Where your data is stored

All data is stored and processed in Belgium, on Google Cloud Platform infrastructure in the europe-west1 region (St-Ghislain). Data is served over encrypted connections to users wherever they are located.

5. Who has access to your data

Within your organisation: managers can see all time entries and user data within your tenant. Employees can see their own time entries. No user can access data from other tenants.

Service providers (sub-processors): Google Cloud Platform — infrastructure hosting, database, and storage (Belgium, europe-west1). We do not sell, rent, or share your personal data with any other third parties.

6. How long we keep your data

  • During your subscription: all data is retained for the duration of the service.
  • After subscription ends: data is retained for a minimum of 30 days to allow export, then permanently deleted.
  • After a deletion request: data is removed from live systems promptly. Backups are purged within 90 days.
  • Accounting records: invoicing data may be retained for up to 7 years as required by Belgian law.

7. How we protect your data

Encryption in transit (TLS) and at rest, passwords hashed using Argon2, role-based access control with tenant isolation at the database level, automated backups with point-in-time recovery, and regular vulnerability scanning. See our security policy for details.

8. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion or anonymisation of your personal data (see below)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interest

Since your organisation is the data controller, rights requests should first be directed to your organisation’s manager, who can use belsimple’s built-in features to fulfil most requests.

How erasure works in practice. belsimple is a time-tracking service where individual time entries form part of your organisation’s compliance records (e.g. for Belspo R&D tax filings). When an employee requests erasure, the manager can deactivate the user account and anonymise their records — removing the employee’s name and email while retaining the time entry data in anonymised form for the organisation’s reporting and legal obligations. This approach balances the employee’s right to erasure with the legitimate need to maintain accurate records (GDPR Art. 17(3)(b) — performance of a contract and compliance with legal obligations). Full deletion of all data, including anonymised records, is carried out when the entire tenant account is terminated.

9. Children

belsimple is a workplace tool. We do not knowingly collect personal data from anyone under the age of 16.

10. Cookies

belsimple uses a single session cookie required for the service to function. We do not use advertising, analytics, or third-party cookies. See our cookie policy for details.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated with at least 30 days’ notice. The current version is always available within the belsimple application.

12. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority:

Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels
www.gegevensbeschermingsautoriteit.be