Privacy Policy
Last updated: 2026-03-09
Diurna — Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller for Diurna is:
Name: OVVIO Solutions
Address: Nieuwe Rijn 55B, Leiden, The Netherlands
Chamber of Commerce No.: 75292807
Email: privacy@diurna.eu
For questions regarding this policy, contact us at privacy@diurna.eu.
2. Data We Collect
Account Data (all users):
- First name, last name, email address
- Role (firm administrator, staff member, platform owner)
- Firm/organization affiliation
- Profile photo (optional)
- Login timestamps, language preference

Organization (Firm) Data (administrators):
- Company name, VAT number
- Legal representative name and contact details
- Certified email (PEC), SDI code
- Business address

Client Company Data (managed by firms):
- Company name, Tax ID, VAT number
- Legal representative name, tax ID, and date of birth
- Contact email, mobile phone
- Industry sector, payment frequency

Employee Data (managed by staff on behalf of client companies):
- First name, last name
- Tax identification number
- Email address, phone number (optional)
- Employee ID, regulatory filing code
- Contract type, contract terms, weekly hours
- Contract start/end dates, department, role
- Employment status, termination reason

Attendance and Scheduling Data:
- Absence records (sick leave, vacation, overtime, etc.)
- On-call shift scheduling and regulatory communication codes
- Dates, times, hours, and notes

Activity and Audit Data:
- User actions on the platform (activity log)
- Email delivery logs (recipient, event type, status)
- Legal document consent records (document ID, version, timestamp, IP address)

AI Chat Data (temporary):
- Conversation messages exchanged with the HR assistant
- Stored only in the browser (localStorage) — not on our servers
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Diurna service | Performance of contract (Art. 6.1.b) |
| Authentication and access control | Performance of contract (Art. 6.1.b) |
| Attendance and payroll data processing | Performance of contract + Legal obligation (Art. 6.1.b, 6.1.c) |
| Regulatory communications for on-call workers to the relevant labor authority | Legal obligation (Art. 6.1.c) — labor law |
| Sending transactional emails (invitations, alerts, notifications) | Legitimate interest (Art. 6.1.f) |
| AI-assisted data entry via chat | Legitimate interest (Art. 6.1.f) — operational efficiency |
| Audit tracking and activity logging | Legitimate interest (Art. 6.1.f) — security and compliance |
| Billing and usage metrics (aggregated) | Performance of contract (Art. 6.1.b) |
4. Third-Party Service Providers (Sub-processors)
We use the following services to operate Diurna:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Supabase | Supabase Inc. | Database, authentication, serverless functions | All application data (encrypted in transit and at rest) |
| Brevo | Brevo (formerly Sendinblue) | Transactional email delivery | Recipient email, name, notification content |
| Mistral AI | Mistral AI (SAS) | AI chat assistant for data entry | Chat messages, employee names, attendance context |
All sub-processors are bound by data processing agreements and process data only on our instructions.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of account + 1 year after deletion |
| Employee payroll data | Duration of employment + 10 years (tax/labor legislation) |
| Firm and client company data | Duration of service + 5 years |
| Activity logs | 7 years |
| Email delivery logs | 2 years |
| Consent records | Indefinite (legal audit requirement) |
| AI chat history | 2 years |
6. Data Security
- All data transmitted via HTTPS/TLS encryption
- Database encrypted at rest (managed by Supabase)
- Row-Level Security (RLS) for strict multi-tenant data isolation
- Platform owners cannot access personal data of clients or employees (privacy wall)
- Passwords hashed with bcrypt
- JWT-based authentication with role-based access control
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal retention obligations
- Restrict processing under certain circumstances
- Data portability — receive your data in a structured format
- Object to processing based on legitimate interest
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, contact us at privacy@diurna.eu. We will respond within 30 days.
You also have the right to file a complaint with your local data protection authority.
8. International Data Transfers
Your data is processed within the European Union. If a sub-processor transfers data outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
9. Browser Storage
Diurna does not use tracking cookies, analytics cookies, or marketing cookies.
We use browser localStorage for:
- Authentication session — managed by the Supabase SDK for session persistence
- Chat history — temporarily stores AI assistant conversations for page refresh continuity
No data is shared with third parties via browser storage.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date and notify you through the platform. Continued use of Diurna after changes constitutes acceptance.