GDPR Rights
Last Updated: February 2, 2026
Learn how to exercise your GDPR rights directly in CADENSA. All major data protection rights are available in your Settings menu.
Overview
Under the General Data Protection Regulation (GDPR), you have several rights regarding your personal data. CADENSA provides self-service tools to exercise most of these rights instantly.
Quick Access: Settings → Privacy → GDPR Rights
1. Right to Access (Article 15)
Export Your Data
Download a complete copy of all your personal data in machine-readable format.
Available Formats:
- JSON: Machine-readable, complete data structure (ideal for developers or data migration)
- CSV: Human-readable, Excel-compatible (ideal for viewing and analysis)
What's Included:
- Profile information (name, email, preferences)
- Time tracking entries (all start/stop times, descriptions)
- Projects and workspaces
- Invoices and payment history
- Email and notification preferences
How to Export
- Navigate to Settings → Privacy → Export Data
- Choose format: JSON or CSV
- Click "Download Export"
- File downloads instantly (no waiting time)
Example Export:
{
"exportMetadata": {
"dataVersion": "2.0",
"emailNote": "The emailHash is a SHA256 hash of your email address (privacy-by-design).",
"processingPurposes": "Time tracking, billing, GDPR compliance",
"supervisoryAuthority": "NAIH (National Authority for Data Protection)"
},
"profile": {
"emailHash": "SHA256 hash of your email",
"status": "active",
"twoFactorEnabled": false,
"metadata": { "timezone": "Europe/Budapest", "preferredLanguage": "en" },
"dataProcessingObjections": { "directMarketing": false },
"processingRestricted": false
},
"timeEntries": [ /* all your entries */ ],
"ownMemberships": [ /* your workspace membership records */ ],
"auditLogs": [ /* last 2 years */ ]
}
2. Right to Rectification (Article 16)
Update Your Information
Correct any inaccurate or incomplete personal data.
Editable Fields:
- First name, Last name
- Email address
- Phone number
- Profile picture
- Language preference
- Timezone
How to Update
- Navigate to Settings → Profile
- Click "Edit Profile"
- Update your information
- Click "Save Changes"
Need help? Contact support@cadensa.io if you cannot edit certain fields.
3. Right to Erasure (Article 17)
Delete Your Account
Request permanent deletion of your account and all associated data.
After requesting deletion, you have 7 days to change your mind. After 7 days, deletion is permanent and cannot be undone.
What Happens During Deletion
Immediate Effect:
- Your account is marked for deletion
- Email confirmation sent with deletion date
- You can still log in to cancel deletion
After 7 Days:
- All personal data permanently deleted
- Projects, time entries, and reports removed
- Account cannot be recovered
Exceptions (Legal Obligations)
Some data is retained for legal compliance:
- Accounting data: 8 years (anonymized, invoice ID only)
- Security logs: 90 days (IP addresses, login attempts)
How to Delete Your Account
- Navigate to Settings → Danger Zone
- Click "Delete Account"
- Confirm with your current password
- Check your email for confirmation
Cancel Deletion:
- Click the link in your confirmation email
- OR go to Settings → Danger Zone → "Cancel Deletion"
4. Right to Restriction of Processing (Article 18)
Temporarily Freeze Data Processing
Request that we store your data but do not actively process it.
When to Use:
- You're disputing the accuracy of your data
- Processing is unlawful but you don't want deletion
- We no longer need the data but you need it for legal claims
- You've objected to processing and we're verifying your objection
What Happens
Your data is stored (not deleted)
You can still access and export your data
Account remains active with limited functionality
You can lift restriction at any time
No active processing (reports, analytics, etc.)
Limited features while restriction is active
How to Request Restriction
- Navigate to Settings → Privacy → GDPR Rights
- Click "Request Data Processing Restriction"
- Select reason:
- Accuracy dispute
- Unlawful processing
- No longer needed (but you need it for legal claims)
- Pending objection
- Optional: Provide additional notes
- Click "Request Restriction"
Notification: We will inform you before lifting the restriction (GDPR Article 18.3).
How to Lift Restriction
- Navigate to Settings → Privacy → GDPR Rights
- Click "Lift Data Processing Restriction"
- Confirm action
- Processing resumes immediately
5. Right to Data Portability (Article 20)
Transfer Data to Another Service
Export your data in a structured, machine-readable format for transfer to another service.
Portable Data:
- All data you provided to us
- All data generated through your use of CADENSA
Format: JSON (compatible with most time tracking services)
How to Use
- Navigate to Settings → Privacy → Export Data
- Select JSON format
- Download file
- Import into another service (consult their documentation)
6. Right to Object (Article 21)
Stop Specific Data Processing
Object to certain types of data processing. Three types of objections are available:
6.1. Object to Direct Marketing (Article 21.2)
Absolute Right: No justification needed. This is the strongest user right in GDPR.
What Stops:
- Marketing emails (product updates, feature announcements)
- Promotional notifications
What Continues:
- Transactional emails (invoices, security alerts)
- Service notifications (project updates, time entry reminders)
How to Object:
- Navigate to Settings → Privacy → GDPR Rights
- Toggle OFF: "Object to Direct Marketing"
- Change takes effect immediately
Alternative: Use email unsubscribe links in marketing emails.
6.2. Object to Profiling (Article 21.3)
Stop automated profiling for marketing purposes.
What Stops:
- Behavior analysis for marketing
- Personalized advertising recommendations
What Continues:
- Service functionality profiling (feature usage analytics)
- Performance optimization
How to Object:
- Navigate to Settings → Privacy → GDPR Rights
- Toggle OFF: "Object to Profiling"
- Change takes effect immediately
6.3. Object to Processing Based on Legitimate Interests (Article 21.1)
Object to data processing when it's based on our legitimate interests.
You must provide a reason for your objection based on your particular situation.
Review Period: 30 days Temporary Restriction: Applied during review
How to Object:
- Navigate to Settings → Privacy → GDPR Rights
- Click "Object to Data Processing"
- Provide your reason (required)
- Click "Submit Objection"
What Happens Next:
- We review your objection within 30 days
- Temporary processing restriction applied
- You receive email notification of our decision
- If we have no compelling legitimate grounds, processing stops
7. Withdraw Consent (Article 7.3)
Revoke Previously Given Consent
Withdraw consent for cookies and marketing at any time.
Cookies:
- Navigate to Settings → Privacy → Cookie Preferences
- Toggle OFF categories:
- Analytics cookies
- Marketing cookies
- Essential cookies cannot be disabled (required for service functionality)
Marketing Emails:
- Navigate to Settings → Privacy → Email Preferences
- Toggle OFF: "Marketing Emails"
- OR click unsubscribe link in any marketing email
8. Right to Lodge a Complaint (Article 77)
File a Complaint with Data Protection Authority
If you believe we have violated your data protection rights, you can file a complaint with the supervisory authority.
Hungary (NAIH):
Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information)
- Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
- Email: ugyfelszolgalat@naih.hu
- Website: naih.hu
Before Filing: We encourage you to contact us first: support@cadensa.io We respond within 30 days (GDPR Article 12.3).
FAQ
How long does data export take?
Instant. Data export is generated on-demand and downloads immediately.
Can I cancel account deletion?
Yes, within 7 days. After 7 days, deletion is permanent.
What happens if I object to all processing?
Account becomes view-only. You can:
- Access and export your data
- View past time entries and reports
- Create new time entries
- Generate new reports
Do I need to justify my objection to direct marketing?
No. This is an absolute right under GDPR Article 21(2). No reason needed.
Can I request restriction and deletion at the same time?
No. Choose one:
- Restriction: Temporary freeze (can be lifted)
- Deletion: Permanent removal (7-day grace period)
Need Help?
Email: privacy@cadpr.io Response Time: 30 days (GDPR Article 12.3)
We will verify your identity before processing GDPR requests to protect your privacy.
Related Articles
Legal Reference: This documentation implements GDPR Articles 15-22. For full legal text, see our Privacy Policy.