Manual Time Entry Notice
policies-public/manual-time-entry-notice.mdManual Time Entry Notice
Version 1.0 - Effective 2026-05-28 - Last reviewed 2026-06-17 - Owner: Vezoft (a company registered in Bulgaria under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria) ("Vezoft", "we", "us") - Status: Published
This notice explains how manual time entries and edits work in TimerOS, what is recorded when someone creates or changes a time entry, who can see those changes, and the rights you have over the audit trail that is kept about you.
It is intentionally short and written in plain English. It is published as a standalone document so that workers, clients, works councils, and data-protection authorities can read it on its own; it is also referenced from the Employee Monitoring Notice that each TimerOS Customer is asked to distribute to its workforce before turning on activity tracking.
For the wider context — what TimerOS is, who controls which data, and the full list of rights and recipients — please read the Privacy Policy and the Subprocessors page.
1. What "manual time entry" means
TimerOS is not only a passive timer. In addition to the time captured automatically when you press Start, you (or, depending on your employer's permissions, your manager) can:
- Create a time entry by hand — for example, when you forgot to start the timer, when you worked offline, when you took a call you only remembered to log afterwards, or when you need to backfill a missing day.
- Edit an existing time entry — for example, to correct the project, the task, the client, the note, the start time, the end time, or the duration.
- Delete a time entry — subject to your employer's permissions; deletion is itself recorded in the audit log (see Section 3) so the entry is never truly invisible.
We refer to all three together as "manual changes" in this notice.
2. Who can create, edit, or delete an entry
Three roles can make manual changes, and the rules differ by role:
- The worker the entry belongs to can create their own entries and edit their own entries, up to the cut-off configured by their employer (typically: until the payroll period containing the entry has been locked). After the cut-off, edits must go through a manager.
- Authorised managers and administrators at the employer's organisation can create, edit, and delete entries for any worker in their scope. They can also reopen a previously-locked period when a correction is genuinely required.
- Clients viewing the Client Portal can never create, edit, or delete an entry. They can only view entries that the employer has chosen to expose to them, with the badges described in Section 4 visibly attached.
TimerOS staff do not create or edit time entries on a Customer's behalf except on the Customer's explicit written instruction, recorded as a support ticket and reflected in the audit log as a third-party action.
3. The append-only audit log
Every manual change — every create, every edit, every delete — is written to an append-only audit log that lives alongside the time entry itself. Each audit-log record captures:
- Who made the change (the user account; for Customer staff, their organisational role; for TimerOS support, the support-ticket reference).
- When the change was made, as a UTC timestamp accurate to the millisecond.
- What changed — the full before-and-after value of every affected field (start time, end time, duration, project, task, client, note, billable flag, approved flag).
- Where the change came from — desktop app, web dashboard, Client Portal (impossible by design), API, or support tool.
- Why, when a reason is required by the employer's policy (for example, edits to a locked period typically require a free-text justification).
The audit log is append-only: no TimerOS interface — UI or API — can edit or delete an entry. This is enforced at the application and database layer: the API surface exposes no PATCH or DELETE route for audit-log records, and the data-access (ORM) layer rejects any update or delete via pre-hooks. There is no button, screen, or API endpoint in TimerOS that lets anyone alter the trail. The audit log is not storage-level immutable hardware (a privileged database operator with direct access to the raw collection could in principle alter it); direct database access is restricted to a small number of named TimerOS engineers and is logged at the infrastructure level.
The audit log exists so that any later question about a timesheet — by you, by your manager, by your client, by an auditor, by a court — can be answered from the record itself. It is the evidence that an entry is accurate. It also makes the right to rectification under GDPR Art. 16 meaningful: when you ask for a correction, you can see that the correction was made, by whom, and to what.
4. The visible "Edited" and "Manual" badges
Transparency about which time was timer-captured and which was entered or adjusted by hand is built into every surface that displays a time entry:
- In your own TimerOS dashboard, manual entries carry a "Manual" badge and edited entries carry an "Edited" badge next to the entry. Hovering the badge shows the most recent change (who, when).
- In your manager's dashboard, the same badges appear, plus a link to open the full audit-log timeline for the entry.
- In the Client Portal, when an entry is exposed to a client, the badge appears on the row the client sees. Clients cannot edit and cannot see the full audit log — they see only that the entry was adjusted by the supplier.
- In exported reports (CSV, PDF, payroll exports), a column flags manual and edited entries so the badge survives outside the user interface.
The badges are deliberately persistent. There is no application setting that hides them, and removing them is not a feature TimerOS will build on request.
5. Lawful basis for keeping the audit log
The audit log of manual time entries is not optional metadata; it is part of how TimerOS satisfies legal duties owed by both your employer and TimerOS itself.
- Contract (GDPR Art. 6(1)(b)). Keeping an honest record of working time is a core obligation of the employment relationship — it is how you get paid the right amount and how your employer meets its side of the contract.
- Legitimate interests in payroll integrity (GDPR Art. 6(1)(f)). Your employer and TimerOS both have a clear and limited interest in being able to demonstrate that any number that flows into payroll, client billing, or a regulator-facing report was either captured by the timer or adjusted by a named person at a named time, with the original value preserved. Without the audit log this interest cannot be served, because an unverified entry is indistinguishable from a fabricated one. Your interest in not being unfairly accused of inaccurate timekeeping, and in being able to prove your own version of events, points the same way.
- Legal obligation (GDPR Art. 6(1)(c)). Wage-and-hour, payroll, social-security, and tax laws in the EU (including the Bulgarian Labour Code and Accountancy Act, Council Directive 2003/88/EC on working time, and the CJEU ruling in CCOO v. Deutsche Bank C-55/18 requiring objective, reliable working-time records) and equivalent statutes in the US (Fair Labor Standards Act §11(c) and 29 C.F.R. §516 requiring employers to make, keep, and preserve records of wages, hours and conditions of employment) require employers to keep verifiable records of working time. An audit log of every change to those records is the standard evidence that the underlying record is accurate.
- Accuracy principle (GDPR Art. 5(1)(d)). The accuracy principle does not just permit corrections — it requires personal data to be accurate and, where necessary, kept up to date, and inaccurate data to be erased or rectified without delay. The "Edited" badge and the audit log are the mechanism that makes this principle operational without losing the trail of what was changed.
Note specifically on automated decisions: the audit log is a record-keeping system. It does not, by itself, produce any decision about you. The classifier that labels your foreground activity as productive or idle is a separate, on-device feature — covered in Section 3 of the Privacy Policy — and is not used as the sole basis for any decision affecting your employment under GDPR Art. 22.
6. How long the audit log is retained
The audit log for a time entry is kept for as long as the underlying time entry itself — that is, aligned to the statutory retention period for the payroll record it feeds into. This is so the evidentiary trail for any pay calculation remains intact for as long as the calculation can be queried.
In practice that means:
- EU tenants — typically 5 years for payroll source records (varies by Member State; up to 10 years for some accounting and social-security obligations, and 50 years for the underlying employment file in some jurisdictions such as Bulgaria for personnel records under the Labour Code).
- UK tenants — 6 years (HMRC PAYE) for payroll records; longer for some pension and statutory-sick-pay evidence.
- US tenants — 4 years under the FLSA payroll-record rule and IRS Reg. §31.6001-1, with state-level variations (e.g. New York 6 years).
- Bulgarian (Vezoft home) tenants — payroll source documents retained per the Accountancy Act and the Labour Code; the audit log inherits the longest applicable period.
When the underlying time entry is lawfully deleted at end of retention, the audit-log records for that entry are deleted with it. Audit-log records are not kept past the retention of the entry they describe.
A legal hold issued by the Customer or by a competent authority (litigation hold, regulator request, criminal investigation, works-council dispute) pauses deletion for the entries in scope until the hold is lifted. Legal holds are themselves recorded in a separate platform-level audit log.
For the full schedule and the rules on backups and hard-deletion, see Section 6 of the Privacy Policy.
7. Your right to see the audit log about you
You have the right to see every audit-log record that concerns a time entry on your own account. Concretely:
- In the desktop app and the web dashboard, every time entry you can see has an "Audit history" action that opens the full timeline of changes for that entry — who, when, before, after — for your own entries.
- By data-subject access request. If you want a machine-readable export of all audit-log records relating to your time entries (for example, to take with you when leaving an employer, to give to a labour lawyer, or to file with a data-protection authority), you can request it under GDPR Art. 15 (right of access) and Art. 20 (data portability) — or the equivalent right under CCPA/CPRA, Colorado Privacy Act, Virginia CDPA, and the other US state laws covered in Section 7 of the Privacy Policy.
- Who to ask. Because your employer is the controller of your time-tracking data, send the request to your employer's privacy contact first. TimerOS will support your employer in fulfilling the request within the statutory deadline (30 days under GDPR; 45 days under CCPA, extendable once). If your employer is unresponsive, you may contact privacy@timeros.ai and we will help escalate; we may not be able to release the data to you directly without the controller's authorisation, but we can confirm that the data exists and is preserved.
- No charge for the first copy. As required by GDPR Art. 15(3), the first copy of your audit-log records is free.
You also have the right to:
- Object to a specific audit-log entry being wrong (for example, if it attributes an edit to you that you did not make). This is itself a rectification request; the correction will appear in the audit log too.
- Restrict processing while a dispute is being resolved (GDPR Art. 18). Restriction does not require us to delete the audit log; it requires us to mark it and stop using it for any other purpose until the dispute is resolved.
- Lodge a complaint with your local data-protection authority. You do not need to contact us or your employer first.
8. What is not in the audit log
To be explicit about the limits of the record:
- The audit log does not contain the raw foreground window titles or application names that the on-device classifier looked at. Those never leave your device — see the Privacy Policy for detail.
- The audit log does not contain screenshots, screen recordings, keystrokes, audio, video, or URLs you visited. TimerOS does not collect any of those.
- The audit log does not contain the contents of any document, message, or email you were working on. Only the fields of the time entry itself are logged — start, end, duration, project, task, client, note, billable flag, approved flag, plus the metadata of the change.
- The audit log does not record the automatic activity-classification labels. Those labels (
productive,idle, and the derived status) are ephemeral: the current value is overwritten as your status changes and only the current status plus aggregated hour totals are kept — there is no historical log of automatic labels. The audit log is exclusively about manual create / edit / delete actions on a time entry; it captures the human change, not the classifier's moment-to-moment output.
9. Where the audit log is stored
Audit-log records are stored in the same MongoDB Atlas tenant database as the time entries themselves, in a dedicated append-only collection per organisation. For EU tenants, that database is pinned to an EU region (Ireland aws-eu-west-1 or Frankfurt aws-eu-central-1) and is governed by the MongoDB DPA with EU 2021 SCCs and EU-US Data Privacy Framework as the lawful international-transfer mechanisms. The full sub-processor chain — including MongoDB, Inc. and the hyperscaler region MongoDB Atlas runs on — is disclosed at the Subprocessors page.
10. How to opt out — and what cannot be opted out of
We want to be honest about what is and is not available:
- You can choose not to make manual entries. If you only ever rely on the timer, no manual-entry audit records will exist for you. There is no obligation to use the feature.
- You can ask your employer to restrict who, in their organisation, has permission to edit entries on your behalf. Most Customers configure manager-only edits for locked periods.
- You can ask your employer to keep certain entries out of the Client Portal view if a particular client does not need to see them. The badge will still appear in any view where the entry is exposed.
- You cannot opt out of the audit log itself for entries that are created or edited. The audit log is required by the lawful bases in Section 5 (contract, payroll-integrity legitimate interest, legal obligation, accuracy principle) and removing it would defeat each of those bases. Where you believe a specific record is unlawful, exercise the rectification, restriction, or complaint rights in Section 7 — that is the appropriate route, and TimerOS will support it.
11. Questions and contact
- If you are an employee or contractor of a TimerOS Customer: contact your employer's privacy or HR contact first. They are the controller of the data this notice describes.
- If your employer is unresponsive, or if you have a question about how TimerOS itself implements this feature: email privacy@timeros.ai.
- To report a security concern: email security@timeros.ai.
- Postal address: Vezoft, with registered office in Kardzhali, Bulgaria (see Imprint for the full registered address).
12. Document control
| Field | Value |
|---|---|
| Document ID | VZF-LEG-PUB-MTE-001 |
| Version | 1.0 |
| Effective date | 2026-05-28 |
| Last reviewed | 2026-06-17 |
| Owner | Vezoft |
| Status | Published |
| Related documents | Privacy Policy, Employee Monitoring Notice, Subprocessors, Terms of Service, Cookies |
| Review cadence | Annual, or on material change to the audit-log schema, the retention schedule, or the lawful-basis analysis |