Updated Privacy Policy for Timelytics

Last Updated: January 15, 2025

1. INTRODUCTION

Welcome to Timelytics ("we," "us," "our," or "Company"). We are committed to protecting your privacy and ensuring you have a positive experience on our website and services. This Privacy Policy outlines how we collect, use, store, and protect your personal and non-personal information when you use our website located at https://timelytics.co (the "Website") and our time tracking services.

By accessing or using the Website and our services, you agree to the terms of this Privacy Policy. If you do not agree with the practices described in this policy, please do not use our services.

This Privacy Policy complies with:
- Swiss Federal Act on Data Protection (FADP) - Revised 2023
- General Data Protection Regulation (GDPR) for EU users
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Other applicable US privacy laws

2. LEGAL BASIS FOR DATA PROCESSING

2.1 Primary Legal Bases

We process your personal data based on the following legal grounds:

Contract Performance:
- Account creation and management
- Service provision and maintenance
- Payment processing and subscription management

Legitimate Interest:
- Service improvement and analytics (with consent)
- Security and fraud prevention
- AI-powered insights (with opt-out rights)

Consent:
- Marketing communications
- Analytics and tracking technologies
- AI processing (with withdrawal rights)

Legal Obligation:
- Tax and accounting requirements
- Regulatory compliance
- Data retention obligations

2.2 Data Processing Register

We maintain a comprehensive data processing register as required by Swiss FADP. This register documents:
- Categories of personal data processed
- Purposes of processing
- Legal bases for processing
- Data retention periods
- Third-party recipients
- Cross-border transfers

You may request access to our data processing register by contacting our Data Protection Officer.

3. INFORMATION WE COLLECT

3.1 Personal Data

We collect the following personal information from you:

Account Information:
- Name: We collect your name to personalize your experience and communicate with you effectively
- Email Address: We collect your email address for account creation, authentication, and communication
- Profile Image: We may collect your profile picture from Google authentication

Authentication Data:
- Google OAuth Tokens: We securely store access and refresh tokens to access your Google Calendar
- Session Information: We maintain session data to keep you logged in

Payment Information:
- Payment Details: We collect payment information to process your subscriptions securely
- Note: We do not store your payment information on our servers. Payments are processed by Stripe, a trusted third-party payment processor

Calendar Data:
- Google Calendar Events: We access your Google Calendar events through the Google Calendar API to provide our time tracking and statistics service
- Calendar Metadata: We store calendar names, colors, and IDs for display purposes
- Event Data: We store event details including titles, descriptions, start/end times, and locations

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

User-Generated Content:
- Goals: We store goals you create for time management
- Categories: We store custom categories you create for organizing your time
- Feedback: We store feedback you submit to help improve our services

Consent and Preference Data:
- Cookie consent preferences
- Marketing communication preferences
- AI processing opt-out status
- Data processing withdrawal history

3.2 Non-Personal Data

We collect the following non-personal information:

Technical Information:
- IP Address: For security and analytics purposes
- Browser Type and Version: To ensure compatibility
- Device Information: Device type, operating system, and screen resolution
- Usage Analytics: How you interact with our website and services

Cookies and Similar Technologies:
- Session Cookies: To maintain your login state (Required)
- Analytics Cookies: To understand how you use our services (Optional - requires consent)
- Preference Cookies: To remember your settings and preferences (Optional - requires consent)

4. HOW WE USE YOUR INFORMATION

4.1 Primary Uses

We use your information for the following purposes:

Service Provision:
- To provide our time tracking and analytics services
- To sync and process your Google Calendar events
- To generate time management insights and reports
- To personalize your experience and dashboard

Account Management:
- To create and maintain your account
- To authenticate your identity
- To process payments and manage subscriptions
- To communicate with you about your account

4.2 Secondary Uses

We also use your information for:

Analytics and Improvement:
- To analyze usage patterns and improve our services
- To develop new features and functionality
- To conduct research and development

AI-Powered Insights:
- To generate productivity insights, we may send aggregated and anonymized time statistics (e.g., total hours per category or goal) to OpenAI's API
- We do not send any personally identifiable information, raw calendar events, or sensitive content
- This processing is automatic and solely intended to improve the user experience
- No data is used for training purposes, and no human has access to your calendar data through OpenAI
- You have the right to opt out of AI processing at any time
- You have the right to request human review of any AI-generated insights

Communication:
- To send you important service updates
- To respond to your support requests
- To send marketing communications (with your consent)

Security and Compliance:
- To detect and prevent fraud and abuse
- To comply with legal obligations
- To enforce our terms of service

5. AUTOMATED DECISION MAKING AND AI PROCESSING

5.1 AI Processing Rights

Under GDPR Article 22, you have the following rights regarding automated decision making:

Right to Opt-Out:
- You can opt out of AI processing at any time via your account settings
- Opt-out requests are processed immediately
- You can re-enable AI processing at any time

Right to Human Review:
- You can request human review of any AI-generated insights
- Contact our support team for human review requests
- Human review will be provided within 30 days

Right to Explanation:
- You can request explanation of how AI processing works
- We provide clear information about data used for AI insights
- No personal data is shared with AI services

5.2 AI Processing Safeguards

We implement the following safeguards for AI processing:
- Data minimization: Only aggregated, anonymized statistics are processed
- Purpose limitation: AI processing is solely for user experience improvement
- Retention limits: AI processing data is not stored by third parties
- User control: Complete opt-out and withdrawal mechanisms

6. DATA SHARING AND THIRD-PARTY SERVICES

6.1 Third-Party Services We Use

We share data with the following third-party services:

Google Services:
- Google Calendar API: To access your calendar events
- Google OAuth: For authentication and account creation

Payment Processing:
- Stripe: To process payments and manage subscriptions

Analytics and Monitoring:
- PostHog: For analytics and user behavior tracking (requires consent)
- Vercel: For hosting and performance monitoring

Customer Support:
- Crisp: For customer support chat functionality (requires consent)

6.2 Data Sharing Policies

We do not sell, trade, or rent your personal information to third parties for marketing purposes. We only share your data:

- With your explicit consent
- To provide our services (e.g., with Google for calendar access)
- To comply with legal obligations
- To protect our rights and safety
- With service providers who help us operate our services (under strict confidentiality agreements)

We do not manually access your Google Calendar data unless you explicitly request support and grant permission for debugging purposes.

6.3 International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including:

- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequacy decisions where applicable
- Swiss FADP cross-border transfer requirements
- Other appropriate safeguards as required by law

7. DATA STORAGE AND RETENTION

7.1 Data Storage

Your data is stored securely using:
- MongoDB Atlas: For database storage
- Vercel: For application hosting
- Google Cloud: For various services

7.2 Data Retention

We retain your data for the following periods:

Account Data: Retained while your account is active and for 30 days after deletion
Calendar Events: Retained while your account is active and for 30 days after deletion
Analytics Data: Retained for up to 2 years
Payment Data: Retained as required by law (typically 7 years)
Logs and Security Data: Retained for up to 90 days
Consent Records: Retained for up to 3 years after withdrawal

7.3 Data Deletion

You can request deletion of your data at any time by:
- Contacting us at support@timelytics.co
- Using the account deletion feature in your dashboard
- Revoking Google Calendar access through your Google account

If you revoke access to Google Calendar through your Google Account settings, we will automatically delete all related calendar and event data within 30 days.

8. YOUR RIGHTS AND CHOICES

8.1 Your Rights

Depending on your location, you have the following rights:

Access: Request a copy of your personal data
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your personal data
Portability: Request transfer of your data to another service
Restriction: Request limitation of data processing
Objection: Object to certain types of processing
Withdrawal of Consent: Withdraw consent for data processing
Opt-Out of AI Processing: Opt out of automated decision making
Human Review: Request human review of AI decisions
Explanation: Request explanation of AI processing

8.2 How to Exercise Your Rights

To exercise your rights, contact us at support@timelytics.co. We will respond to your request within 30 days.

You can also exercise certain rights through our self-service tools:
- Data Export: /api/user/data-export
- AI Opt-Out: /api/user/ai-opt-out
- Consent Withdrawal: /api/consent/withdraw

8.3 Your Choices

You can control your data through:
- Account settings in your dashboard
- Google account settings for calendar access
- Browser settings for cookies
- Email preferences for marketing communications
- Cookie preferences page

9. DATA SECURITY

9.1 Security Measures

We implement appropriate technical and organizational measures to protect your data:

- Encryption in Transit: All data is encrypted using HTTPS/TLS when transmitted between your device and our servers
- Database Security: Your data is stored in MongoDB Atlas, which provides encryption at rest by default
- Access Controls: Strict access controls and authentication using NextAuth.js
- Environment Security: Sensitive configuration data is stored in encrypted environment variables
- Regular Security Audits: We conduct regular security assessments
- Employee Training: Staff are trained on data protection
- Incident Response: We have procedures for security incidents

9.2 Data Breach Procedures

In the event of a data breach, we will:
- Notify affected users within 72 hours (GDPR) / 24 hours (Swiss FADP)
- Report to relevant authorities as required by law:
  - Swiss: Federal Data Protection and Information Commissioner (FDPIC)
  - EU: Local data protection authority
  - US: State attorneys general (as applicable)
- Take immediate steps to contain and remediate the breach
- Provide guidance on protective measures

10. CHILDREN'S PRIVACY

Timelytics is not intended for children under the age of 13 (or 16 in some jurisdictions). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately.

11. COOKIES AND TRACKING TECHNOLOGIES

11.1 Types of Cookies We Use

Essential Cookies: Required for basic functionality
Analytics Cookies: Help us understand how you use our services
Preference Cookies: Remember your settings and preferences
Marketing Cookies: Used for advertising (with your consent)

11.2 Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may affect service functionality.

11.3 Consent Management

We provide a comprehensive consent management system that allows you to:

- Choose which types of cookies to accept
- Update your preferences at any time
- Access detailed information about each cookie category
- Reset your preferences to default settings
- Withdraw consent at any time

You can manage your cookie preferences by:
- Visiting our Cookie Preferences page at /cookie-preferences
- Using the cookie banner that appears on your first visit
- Contacting our support team for assistance

Your consent choices are stored locally and will be remembered for future visits. You can change your preferences at any time.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:

- Posting the updated policy on this page
- Sending you an email notification
- Displaying a notice on our website

Your continued use of our services after such changes constitutes acceptance of the updated policy.

13. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@timelytics.co
Address: A Ca di Patrizi 21, 6702 Claro, Switzerland

Data Protection Contact:
- Email: privacy@timelytics.co
- Phone: +41 (0) 76 346 67 02
- Address: A Ca di Patrizi 21, 6702 Claro, Switzerland

Swiss Data Protection Authority:
- Federal Data Protection and Information Commissioner (FDPIC)
- Website: https://www.edoeb.admin.ch
- Email: info@edoeb.admin.ch

For EU residents, you also have the right to lodge a complaint with your local data protection authority.

For US residents, you may contact your state attorney general for privacy-related complaints.

14. GOVERNING LAW

This Privacy Policy is governed by Swiss law, with additional protections provided by GDPR for EU users and applicable US privacy laws for US residents.

15. DEFINITIONS

"Personal Data": Any information relating to an identified or identifiable natural person
"Processing": Any operation performed on personal data
"Controller": The entity responsible for determining the purposes and means of processing
"Processor": The entity that processes personal data on behalf of the controller
"Data Protection Contact": The designated person responsible for handling privacy requests and compliance
"Automated Decision Making": Processing that produces legal effects or similarly significantly affects the data subject

By using Timelytics, you consent to the terms of this Privacy Policy.

Thank you for using Timelytics.