Employee Monitoring Notice (Template)
policies-customer-facing/employee-monitoring-notice-template.mdEmployee Monitoring Notice — Template for Customers
Version: 1.0 | Effective date: 2026-05-28
Purpose of this template. When you (the Customer) deploy TimerOS to your workforce, you have a legal obligation in every jurisdiction we cover to give each Worker clear written notice of the monitoring, before it begins. This template gives you the starting text. Adapt it. Translate it. Have your local labour-law adviser review it for the countries where your Workers are based. TimerOS is a service of Vezoft (a company registered in Bulgaria under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria) ("Vezoft", "we", "us"), and provides this template "as is" — it is not legal advice.
How to use this template
- Fill in the
[BRACKETED]placeholders. - Translate it into the language of each affected Worker. EU labour law typically requires notice in the Worker's working language.
- Add country-specific clauses from the Appendix below for any country where you have Workers (Germany, France, Italy, Netherlands, Austria, Belgium, Poland, Spain, Bulgaria, New York, Connecticut, Delaware, California). In Germany, France, Italy, the Netherlands and a few others, you must also consult the works council or staff representatives before deploying — this notice is not a substitute for that consultation.
- Distribute it to each Worker. Get a signed acknowledgement or recorded electronic acceptance.
- Keep a record of acknowledgements for the duration of employment plus 5 years.
Employee Monitoring Notice (Template)
Issued by: [CUSTOMER LEGAL NAME] Date: [DATE] Applies to: [SCOPE — e.g. "all employees and contractors of [Customer] using a [Customer]-managed computer"]
1. Purpose of this notice
[Customer] uses the TimerOS time-tracking and productivity software ("the Tool") to:
- record working hours for payroll, billing, and legal compliance;
- understand how time is spent across projects and clients;
- help managers allocate resources;
- give each of you a personal view of your own productive, idle, break, and overtime time.
This notice tells you how it works, what data is collected, who sees it, and your rights.
2. What the Tool does on your computer
When you start the timer, the Tool:
- Reads, every 5 seconds while the timer is active, the title of your current foreground window and the name of the running application (for example,
"Chrome — Inbox (3) – Gmail","Slack","VS Code — main.ts"), using your operating system's standard facilities. - Measures the time since your last keyboard or mouse activity, every 5 seconds, to detect idle and breaks.
- Detects when your operating-system session is locked.
- Feeds this information to a two-layer on-device classifier that runs entirely on your own computer. The first layer is a deterministic scored rule engine that matches the foreground application and window title against built-in lists of well-known work and non-work apps and websites. The second layer is a small on-device adaptive classifier that runs as a fallback when the rule layer has no confident match, and that learns from any corrections you record on your own workstation. The classifier produces one of two output labels — "productive" or "idle" — with a confidence score. The Tool then maps that label, together with idle-time and your shift schedule, to the timesheet bucket you see (productive, idle, break, overtime, or off_work). When the timer is not running, your activity status is recorded as "offline". There is no cloud AI service, no model download, no large language model, and no network call — both layers run on your device and are deterministic for a given installed version. [Customer]'s provider, Vezoft, maintains a model card and an EU AI Act applicability assessment for the classifier, available to competent authorities on request.
3. What is sent to [Customer]'s account on TimerOS
Only the following is sent:
- The activity category label (one of:
productive,idle,break,overtime,off_work,offline) at the moment it changes — this is the only "activity status" stored in your record. - Your aggregated timesheet hours every 5–30 minutes, grouped by canonical activity category (productive, idle, break, overtime, off_work). Each entry also carries a separate billable / non-billable flag that you or your manager set on the project or task — this flag is orthogonal to the activity category and is used only for invoicing and reporting, not for monitoring.
- Your clock-in and clock-out times.
4. What is not sent and not collected
- The actual titles of your windows never leave your computer.
- The actual names of the applications you used never leave your computer.
- We do not capture keystrokes, take screenshots, record your screen, record your audio or video, access your microphone, camera, or clipboard, log the URLs of websites you visit, or read the content of any document or message.
- The classifier processes window titles and application names locally in memory only; samples are discarded immediately after classification. They are not stored on disk, and they are not transmitted. The only on-disk artefacts produced by the classifier are (a) a cached copy of its weights (a few tens of kilobytes — not a large language model) and (b) a bounded local-only list of any corrections you record to teach the system — both stored only on your computer.
5. How decisions are made about you
The Tool's category labels are approximate, machine-generated tags. The classifier emits one of a short, fixed list of labels — "productive" or "idle" — with a confidence score, which the Tool then maps to your timesheet bucket (productive, idle, break, overtime, or off_work). They are intended for:
- Your personal review — so you can see your own productivity and break patterns.
- Manager resource allocation — so [Customer] understands roughly how much time is spent in which kind of work, at team level.
The category labels are not used as the sole basis for any decision affecting your employment, your pay, your discipline, your promotion, or any disciplinary process. Decisions about your work performance will be made by your manager based on a broader picture and following our standard people-management processes. You will always have a human reviewer. This is not solely-automated decision-making in the sense of GDPR Art. 22. You can also correct any classification at any time; corrections are stored only on your device and used to adapt the on-device classifier to your own workstation.
6. Who can see your data
- You — your own time, hours, and current activity status, in the TimerOS dashboard. The current activity status is a live, ephemeral label (see §7) — there is no browsable history of past automatic labels.
- Your manager and other authorised [Customer] staff — your time entries, your live activity status, and the audit log of manual edits to your entries (see §11) as needed to manage your work and process payroll. They see the audit trail of deliberate edits, not a minute-by-minute log of automatic labels.
- TimerOS, a service of Vezoft (EIK 202823109), as the technical service provider — to operate the service, with contractual restrictions in the Data Processing Agreement between [Customer] and Vezoft. TimerOS does not look at individual records unless [Customer] asks for support on a specific issue.
- TimerOS's primary storage sub-processor — your time entries, activity-classification labels, and employee personal data are stored in MongoDB Atlas, operated by MongoDB, Inc. (1633 Broadway, 38th Floor, New York, NY 10019, USA), with cluster data at rest pinned to the Ireland or Frankfurt region for EU tenants. MongoDB's Data Processing Agreement (https://www.mongodb.com/legal/data-processing-agreement) governs that processing and incorporates the EU 2021 Standard Contractual Clauses and the EU-US Data Privacy Framework as the lawful transfer mechanism. MongoDB Atlas in turn runs on a hyperscaler (Amazon Web Services, Google Cloud, or Microsoft Azure) and MongoDB affiliates including MongoDB Ltd. (Ireland) may access data for technical support under the SCCs. The current full sub-processor list is published at vezoft.com/legal/subprocessors.
7. How long we keep your data
- Automatic activity labels are ephemeral. The "productive"/"idle" label the classifier produces while the timer runs is a transient status: your current activity status is overwritten with each change, and we do not keep a history of past automatic labels. The window titles and application names that produced the label are discarded in memory immediately (see §4) and never stored at all.
- Manual edits are audit-logged and kept. By contrast, when you (or an authorised manager) manually create or edit a time entry, that action is recorded in the audit log described in §11, with the before/after values, who made the change, and a timestamp, and is retained for the payroll/recordkeeping retention period below. The audit log captures deliberate human edits to the timesheet — not the moment-to-moment automatic labels.
- Time entries are retained for [PERIOD — typically 5 years for payroll, 7 years for tax records in many EU countries, 4 years US].
- Payroll records are retained for [PERIOD — typically 7 years].
- When you leave [Customer], your records are archived and retained for the legally-required period and then deleted.
8. Your rights
You have the following rights, exercisable by emailing [CUSTOMER PRIVACY CONTACT]:
- See what data we hold about you ("access").
- Correct inaccurate data ("rectification").
- Have data deleted when no longer needed and where law permits ("erasure").
- Object to processing on grounds relating to your specific situation.
- Lodge a complaint with the data protection authority of your country.
[FOR EU WORKERS] These rights derive from the GDPR (Articles 13–22). [FOR CALIFORNIA WORKERS] These rights derive from the CCPA/CPRA.
9. Lawful basis
[Customer] processes your data on the lawful basis of:
- performance of your employment contract for time tracking, payroll, billing (GDPR Art. 6(1)(b));
- legitimate interests for managing the workforce and the business, balanced against your interests (Art. 6(1)(f));
- legal obligation for payroll, tax, and labour-law record-keeping (Art. 6(1)(c)).
[For US Workers, applicable state employment-monitoring statutes are the basis.]
10. How to opt out / disable
- You can stop the timer at any time. While the timer is stopped, no monitoring occurs.
- You can change the desktop app's Tracking mode (Settings → Activity Detection): Rule-based turns off the on-device AI/ML layer so only the deterministic rule layer classifies your activity, and Manual turns off automatic classification entirely so you set your own state. Every mode runs entirely on your own computer.
- If you have concerns about monitoring, raise them with [CUSTOMER HR CONTACT].
11. Manual and edited time entries
The Tool is not only a passive timer — you can also enter time entries manually (for example, when you forgot to start the timer, when you worked offline, or when you need to log work you did away from your computer) and you can edit existing time entries (for example, to correct the project, the task, the start/end time, or a note).
You should know that:
- Every manual entry and every edit is recorded in an append-only audit log — the original values, the new values, who made the change, and the exact timestamp are all kept. The log is append-only: no TimerOS interface (the dashboard or the API) can edit or delete an audit-log entry, and this is enforced at both the application and the database layer. (This is an application- and database-level guarantee rather than storage-level immutability — a privileged database operator with direct access could in principle alter the underlying records — so it is not described here as cryptographically tamper-proof.)
- Your manager (and other authorised [Customer] staff) can see this audit log for the entries on your account, in addition to the current value of the entry.
- Manual and edited entries are visibly marked with an "Edited" or "Manual" badge in your own dashboard, in your manager's dashboard, and in any client-facing portal view where the entry is exposed — so it is always transparent which time was captured automatically by the timer and which was entered or adjusted by hand.
- This audit trail exists to protect both you and [Customer]: it is the evidence that an entry is accurate, and it makes any later question about a timesheet answerable from the record itself.
12. Acknowledgement
I confirm I have read and understood this notice.
Name: ____________________ Signature: ____________________ Date: ____________________
Country-specific addenda — pick what applies
Germany
Die Mitarbeitenden-Vertretung (Betriebsrat) wurde gemäß § 87 Abs. 1 Nr. 6 BetrVG vor der Einführung des Tools konsultiert und hat zugestimmt durch [BETRIEBSVEREINBARUNG DATE / REFERENCE]. Die Verarbeitung erfolgt im Einklang mit § 26 BDSG.
(Required: prior works-council co-determination under §87(1)(6) BetrVG before any monitoring tool is introduced.)
France
Le comité social et économique (CSE) a été informé et consulté avant la mise en place de l'outil, conformément à l'article L2312-38 du Code du travail. Une déclaration au registre des activités de traitement a été effectuée. Cet outil ne permet pas de surveiller individuellement et en continu chaque salarié et ne sert pas de base unique à une décision RH, conformément à l'article L1121-1 du Code du travail.
(Required: CSE consultation; declaration in the processing register; alignment with CNIL guidance on workplace monitoring.)
Italy
Lo strumento è installato in conformità all'articolo 4 della Legge 300/1970 (Statuto dei Lavoratori), come modificato dal D.Lgs. 151/2015. La consultazione con le rappresentanze sindacali aziendali (RSA/RSU) è stata svolta in data [DATE] e ha portato all'accordo [REFERENCE]. In alternativa, è stata richiesta e ottenuta l'autorizzazione preventiva dell'Ispettorato Nazionale del Lavoro in data [DATE].
(Required: union/works-council agreement OR Inspectorate authorization before installation.)
Netherlands
De ondernemingsraad (OR) heeft op grond van artikel 27 lid 1 onder l WOR ingestemd met de invoering van dit instrument op [DATE].
(Required: works-council approval under Art. 27(1)(l) WOR.)
Austria
Der Betriebsrat hat gemäß § 96 Abs. 1 Z 3 ArbVG der Einführung dieser Maßnahme zugestimmt.
(Required: works-council consent under §96(1)(3) ArbVG.)
Belgium
Cet outil est conforme à la Convention collective de travail n° 81 du 26 avril 2002. Le comité pour la prévention et la protection au travail a été informé et la consultation des représentants des travailleurs a eu lieu en date du [DATE].
Poland
Pracownicy zostali poinformowani o monitorowaniu na piśmie zgodnie z art. 22³ § 4 Kodeksu pracy. Cele, zakres i sposób stosowania monitoringu zostały określone w niniejszym dokumencie.
(Required: prior written notice under Art. 223 §4 Kodeks pracy + inclusion in internal work-rules.)
Spain
El presente sistema cumple con el artículo 20.3 del Estatuto de los Trabajadores y la Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales. Los trabajadores han sido informados de forma expresa, clara y previa de las medidas de control implantadas.
Bulgaria / България
Работодателят информира писмено работника/служителя за въведения електронен контрол съгласно чл. 25з от Закона за защита на личните данни и във връзка с Регламент (ЕС) 2016/679 (ОРЗД). Контролът е насочен изключително към измерване на отработено време и обобщен преглед на работна активност и не служи като единствено основание за решения относно трудовото правоотношение. Целите, обхватът и начинът на прилагане на контрола са посочени в настоящия документ и във вътрешните правила на работодателя. Работникът/служителят има право на достъп, коригиране, изтриване, ограничаване на обработването и преносимост на личните си данни, както и право на жалба до Комисията за защита на личните данни (КЗЛД), гр. София.
ЕГН (Единен граждански номер) handling. За целите на трудовото правоотношение, ведомостта за заплати и осигурителните декларации работодателят обработва ЕГН на работника/служителя на основание чл. 6, пар. 1, букви „б" и „в" от ОРЗД (изпълнение на трудов договор и спазване на законово задължение). ЕГН се събира еднократно при назначаване, съхранява се в кадровото и заплащателното досие, и се предава единствено към НАП, НОИ и други държавни органи, когато това се изисква по закон. ЕГН не се използва от модула за следене на работното време като идентификатор за вход или вътрешен ключ — TimerOS използва вътрешен потребителски идентификатор за тази цел. ЕГН не се извежда в дневника за активност, не се изпраща към класификатора на работното време и не се споделя с клиенти през портала за клиенти. Достъп до полето ЕГН имат само персонал по човешки ресурси и заплати, изрично оправомощен от работодателя. Полето е маркирано като чувствителна категория данни в системата и достъпът до него се записва в одитен дневник.
The employer processes the employee's ЕГН (Bulgarian Uniform Civil Number) solely for the employment relationship, payroll, and statutory social-security/tax filings, on the basis of GDPR Art. 6(1)(b) and (c). The ЕГН is collected once at hiring, stored in the HR and payroll record, and disclosed only to NRA (НАП), NSSI (НОИ), and other public authorities when required by law. The ЕГН is not used by the time-tracking module as a login identifier or internal key — TimerOS uses an internal user identifier for that purpose. The ЕГН is not surfaced in the activity log, is not passed to the on-device activity classifier, and is not shared with clients via the client portal. Access to the ЕГН field is restricted to HR and payroll staff explicitly authorised by the employer; the field is tagged as a sensitive-category data element in the system and every access is recorded in an audit log.
(Required: written notice to the employee per PDPA Art. 25h; include the monitoring scope, purpose, and lawful basis in the employer's internal work rules / Правилник за вътрешния трудов ред. ЕГН processing must also be documented in the employer's Article 30 record of processing and limited to the purposes listed above.)
New York (US)
By signing below you acknowledge receipt of notice of [Customer]'s use of monitoring of employee electronic communications, in accordance with N.Y. Civil Rights Law § 52-c.
Connecticut (US)
Notice of electronic monitoring is provided in accordance with Conn. Gen. Stat. § 31-48d. Monitoring may include time-tracking software that produces summary activity classifications on the employee's device.
Delaware (US)
Notice of electronic monitoring is provided in accordance with Del. Code Ann. tit. 19, § 705.
California (US)
Notice is provided in accordance with California Labor Code §§ 435 and 638(g) and the California Consumer Privacy Act. You may direct CCPA / CPRA requests to [CUSTOMER PRIVACY CONTACT].