GDPR-compliant data processing for employee time tracking. EU servers, transparent data handling, full accountability.
NoBadge is an EU-hosted employee time tracking platform that processes personal data strictly in accordance with the General Data Protection Regulation (GDPR). All data is stored on servers located within the European Union. We collect only the minimum data necessary to provide attendance tracking services to SMEs with 5–100 employees.
The data controller for all personal data processed through the NoBadge platform is:
For any privacy-related enquiry or data subject request, please contact us at the email addresses above or via WhatsApp.
NoBadge processes only the minimum personal data required to deliver employee attendance tracking services. The following categories of data are collected depending on your role (employer/admin or employee):
NoBadge processes personal data under the following legal bases as established by GDPR Article 6:
Processing your account and billing data is necessary to provide the NoBadge service under our Terms and Conditions.
Processing usage and technical data to ensure platform security, stability, and improvement of our employee time tracking service.
Retaining billing and tax records as required by Italian and EU fiscal regulations. Compliance with Working Time Directive obligations for employers.
Where required (e.g. marketing communications, non-essential cookies), we obtain explicit consent, which can be withdrawn at any time without penalty.
NoBadge collects GPS location data only at the moment an employee actively triggers a clock-in or clock-out event. We do not track employee location continuously.
This is a fundamental design principle of our GPS time tracking feature. Specifically:
Employer Responsibility: When using NoBadge for GPS attendance tracking, the employer acts as a data controller for their employees' personal data. Employers are responsible for informing their employees about GPS data collection in accordance with applicable labour law and GDPR requirements in their jurisdiction (e.g. Working Time Regulations UK, ArbZG Germany, RDL 8/2019 Spain).
NoBadge retains personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (employer) | Duration of contract + 2 years | Contractual |
| Attendance records (employees) | As set by employer (min. 2 years recommended) | Legal obligation (varies by country) |
| Billing & invoicing data | 10 years | Italian fiscal law (D.P.R. 633/1972) |
| GPS location snapshots | Same as attendance records | Contractual / Legal |
| Website analytics / logs | 13 months | Legitimate interest |
| Marketing consent records | Until consent withdrawn + 1 year | Consent |
Upon account deletion or termination of service, personal data is anonymised or securely deleted within 30 days, except where retention is required by law.
NoBadge does not sell, rent or trade personal data to third parties. We share data only in the following limited circumstances:
We use EU-based cloud infrastructure providers to host the NoBadge platform. All providers are GDPR-compliant and bound by data processing agreements (DPAs).
Billing information is processed by our certified payment processor. NoBadge does not store full payment card details on its servers. Transactions are encrypted and PCI-DSS compliant.
Transactional emails (account invitations, password reset, notifications) are sent via a GDPR-compliant email delivery service. Only necessary data (email address, name) is shared.
We may disclose personal data if required by law, court order or regulatory authority. We will notify affected users where legally permitted to do so.
"NoBadge processes employee attendance data exclusively within the European Union. No personal data is transferred to countries outside the EEA without appropriate safeguards in place."
Under GDPR, you have the following rights regarding your personal data. These rights apply to both employers/admins and employees whose data is processed through the NoBadge platform:
Request a copy of all personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data where there is no overriding legal basis for retention.
Request that we restrict processing of your data in certain circumstances.
Receive your personal data in a structured, machine-readable format (CSV/Excel export available directly from the platform).
Object to processing based on legitimate interest, including direct marketing communications.
How to exercise your rights: Send your request to info@nobadge.it or via WhatsApp. We will respond within 30 days. No fee is charged for standard requests.
You also have the right to lodge a complaint with your national data protection authority. In Italy: Garante per la Protezione dei Dati Personali (garante.it). In the UK: Information Commissioner's Office (ico.org.uk).
NoBadge implements industry-standard technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. Key measures include:
All data transmitted between your device and our servers is encrypted using TLS 1.2+.
Personal data stored in our EU databases is encrypted at rest using AES-256.
Role-based access control (Admin / Manager / Employee). Principle of least privilege enforced throughout.
GPS anti-spoofing layer and dynamic QR codes (regenerated every second) prevent fraudulent time entries.
All administrative actions are logged with timestamp and user identity for accountability.
Redundant EU infrastructure ensures continuous availability of your attendance data.
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, NoBadge will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
When an employer (company or individual) uses NoBadge to track employee attendance, the employer acts as a data controller for their employees' personal data. NoBadge acts as a data processor on behalf of the employer.
This means employers are responsible for:
Data Processing Agreement (DPA): A Data Processing Agreement between NoBadge (as processor) and the employer (as controller) is available upon request. Contact info@nobadge.it to obtain a signed DPA.
The NoBadge website uses cookies and similar technologies. We use:
Session cookies required for platform login and security. Cannot be disabled.
Cookies that remember your preferences (language, display settings). Enabled by default but can be disabled.
Anonymised analytics to understand how visitors use the website and improve our service. Requires consent.
For full details, see our Cookie Policy. You can manage your cookie preferences at any time via the cookie settings banner.
NoBadge's infrastructure is hosted exclusively within the European Economic Area (EEA). We do not routinely transfer personal data outside the EEA.
In the limited cases where a third-party service provider may process data outside the EEA (e.g. certain analytics or communication tools), we ensure that appropriate safeguards are in place, including:
For UK users: following Brexit, NoBadge treats UK data subjects with the same protections as EEA data subjects. The UK GDPR applies in full to all processing of UK residents' personal data.
NoBadge may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will:
Continued use of the NoBadge platform after the effective date of any changes constitutes acceptance of the revised Privacy Policy.
Last updated: January 2025 | Version: 2.0 | Applies to: nobadge.eu and nobadge.it and all associated subdomains
Common questions about how NoBadge handles personal data and GDPR compliance for employee time tracking.
Yes. NoBadge is fully GDPR compliant. All data is stored on EU servers, we collect only the minimum data necessary, we have a 72-hour breach notification procedure, and we support all data subject rights (access, erasure, portability). A Data Processing Agreement is available for employers who require one.
No. NoBadge only captures a GPS coordinate at the precise moment an employee actively triggers a clock-in or clock-out. There is no continuous background tracking. This design minimises data collection and keeps the system proportionate and GDPR-compliant. Employees are always informed before each GPS stamp.
All NoBadge data is stored exclusively on servers located within the European Union. No personal data is transferred to countries outside the EEA without appropriate GDPR safeguards. UK users benefit from the same protections under the UK GDPR framework.
Yes. Under GDPR, employees have the right to erasure. Requests should be directed to the employer (as data controller) or to NoBadge at support@nobadge.it. Data is deleted within 30 days where there is no overriding legal obligation to retain it (e.g. labour law retention requirements in your country).
Yes. Employers acting as data controllers must inform employees about the use of NoBadge for attendance tracking before deployment. This includes informing them about GPS data collection, the purpose of processing, and their data subject rights. NoBadge provides a template employee information notice upon request.
Yes. A signed Data Processing Agreement between NoBadge (processor) and the employer (controller) is available upon request. Contact info@nobadge.it to obtain a DPA. This is recommended for all business customers and required under GDPR Article 28 when a controller engages a processor.