Hello Christian and welcome to the community!
I understand that you have doubts about the usage of personal or organizational tokens for a timesheets app. However, I don’t understand what the specific question is.
If your doubt is about what token you should pick for your app, I recommend taking a look at Organization apps and personal apps. There we suggest to choose “organizational” tokens for this use case.
If your doubt is about whether the app should be public, I hope the following clarification can help you:
When you create an app, it’s automatically submitted for a security review to our team. Until the app is approved by our team, it can be used by users inside your organization without any limitation or for testing purposes. However, if you try to use it with users outside of your organization, that won’t work. After we approve it, the app will also work outside of your organization.
An app does not require to be published on the App Store to be used outside of your organization. You can publish it on the App Store if you want it to be showcased (the process is outlined in Request an app to be published on the App Store). However, that’s not mandatory for the app to be used by users outside of your organization.
Please let me know if this helps get some clarity.