Privacy Policy

Name: taime
Availability: InStock

Effective date: 28 April 2026 · Version: 1.0

1. Controller

The controller of your personal data is R2S, s.r.o., IČO 28130936, Vrbenská 2044/6, České Budějovice 5, 370 01 České Budějovice, Czech Republic, registered in the Commercial Register kept by the Regional Court in České Budějovice, file C 19084.

Privacy contact: privacy@taimesheet.com. We have not appointed a Data Protection Officer; the privacy contact is the responsible person for any data-protection request.

2. What we collect

Category	Examples	Source
Account data	Email, full name, hashed password, authentication tokens	You
Profile / settings	Hourly rate, currency, locale, protocol preferences	You
Uploaded content	Timesheet rows: dates, times, descriptions, optional project tags	You
API usage	API key activity, request volume, error rates	System
Usage metrics	Token counts, success/error rates per optimization	System
Technical logs	IP address, user agent, request paths, response codes (kept up to 30 days)	System
Billing data	Invoicing details, transaction records (when paid plans are launched)	You / payment processor

We do not request or store special-category data (health, religion, biometrics, etc.) and you should not upload such data into descriptions.

3. Why we process it (purposes and legal bases)

Purpose	Legal basis (GDPR Art. 6)
Provide the optimization service to you	Performance of contract — Art. 6(1)(b)
Account creation, authentication, security	Performance of contract — Art. 6(1)(b)
Billing, accounting, statutory record-keeping	Legal obligation — Art. 6(1)(c)
Service improvement, abuse detection, debugging	Legitimate interest — Art. 6(1)(f)
Product analytics (aggregated, pseudonymous)	Legitimate interest — Art. 6(1)(f)
Marketing emails to existing customers	Legitimate interest — Art. 6(1)(f), with opt-out in every email
Cookies / persistent storage beyond strict necessity	Consent — Art. 6(1)(a)

4. AI processing of your timesheets

When you submit a timesheet for optimization, the row-level data is sent to OpenAI's API for processing. We use OpenAI's API service tier, under which:

Your inputs and outputs are not used to train OpenAI's models.
OpenAI retains data for up to 30 days for abuse monitoring, then deletes it (per OpenAI's API data-handling policy).
Processing typically takes place in OpenAI's US infrastructure. The transfer is covered by Standard Contractual Clauses (SCCs) per Art. 46 GDPR.

We do not deliberately fine-tune any model on your private data. If we ever introduce model-improvement features that require your data, we will ask for explicit, separate consent.

5. Subprocessors

We rely on the following subprocessors. Where any operate outside the EU, transfers are protected by Standard Contractual Clauses or equivalent safeguards under GDPR Chapter V.

Subprocessor	Purpose	Region
Supabase	Database, authentication, file storage	EU (Frankfurt)
Vercel	Web hosting, CDN, edge functions	Global edge / EU primary
OpenAI	Large language model inference	USA (SCC-protected)
Inngest	Background job orchestration	USA (SCC-protected)
Resend	Transactional email delivery	EU / USA (SCC-protected)
Sentry	Error monitoring, session replay	EU (Frankfurt)
PostHog	Product analytics (EU instance)	EU (Frankfurt)

5.1 Optional time-tracker integrations

If you choose to connect a third-party time-tracker (Toggl Track, Clockify or Harvest) to import timesheet data, that provider becomes an additional subprocessor strictly while the connection is active. Their data-handling terms apply to data fetched from them. We store only an encrypted access token; we never see, store, or transmit your provider account password.

Optional subprocessor	Purpose	Region
Toggl Track	Pull-on-demand of your time entries	EU (Estonia)
Clockify	Pull-on-demand of your time entries	USA (SCC-protected)
Harvest	Pull-on-demand of your time entries	USA (SCC-protected)

Disconnecting an integration in Settings → Připojeníremoves the stored token from our database. Revoking the token at the provider's end is the user's separate responsibility.

Material changes to this list will be announced at least 14 days before they take effect.

6. Retention

Account & profile data: for the lifetime of your account, then 90 days for restoration / dispute window, then deletion.
Uploaded timesheets: kept while the parent "upload" record exists in your dashboard. Deleted within 7 days of you deleting the upload, or within 90 days of account closure.
API usage logs: 12 months for security investigations, then aggregated.
Technical request logs: 30 days.
Billing & accounting records: 10 years (mandatory under Czech accounting law).
Backups: rolling 30-day window, after which expired records fall out of all backups.

7. Sharing your data

We do not sell your personal data. We disclose data only to (a) the subprocessors listed above, (b) where required by law, and (c) in connection with a corporate transaction (merger, acquisition), in which case you will be notified before any transfer occurs.

8. International transfers

Data may be transferred to or processed in countries outside the European Economic Area, principally the USA via OpenAI and Inngest. Such transfers rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the relevant safeguards by emailing the privacy contact.

9. Security

TLS 1.2+ for all data in transit.
Encryption at rest at the database and object-storage layers.
Row-level security policies in the database to enforce per-user data isolation.
API access via short-lived sessions or hashed bearer keys; secrets are never stored in plaintext.
Principle of least privilege for service accounts and human operators.
Regular dependency-vulnerability scanning and security review of code changes.

No system is perfectly secure. If we identify a personal-data breach with risk to you, we will notify the Office for Personal Data Protection (ÚOOÚ) within 72 hours and you without undue delay.

10. Your rights under GDPR

You have the right to:

Access a copy of the personal data we hold about you (Art. 15).
Rectify inaccurate or incomplete data (Art. 16).
Erase your data, subject to retention duties (Art. 17).
Restrict processing in certain circumstances (Art. 18).
Portability — receive your data in a structured, machine-readable format (Art. 20).
Object to processing based on legitimate interests (Art. 21).
Withdraw consent at any time, where consent is the legal basis (Art. 7(3)).
Lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz).

To exercise your rights, email privacy@taimesheet.com. We respond within 30 days.

11. Cookies and similar technologies

We use a minimal set of cookies and storage:

Strictly necessary — authentication session, CSRF tokens. No consent required.
Functional — UI preferences (theme, language), stored client-side.
Analytics — PostHog (EU instance, IP-anonymized). Loaded only after consent where required.
Error monitoring — Sentry. Strictly limited to debugging payloads; no cross-site tracking.

You can manage non-essential cookies via the in-app preference panel or your browser settings.

12. Children

The Service is not intended for users under 18. We do not knowingly collect data from children. If you believe we have, please contact us.

13. Automated decision-making

The optimization output is generated by AI but is not used to make a legal or similarly significant decision about you. You always retain control over whether to use, edit, or discard any output.

14. Changes to this policy

We may update this Privacy Policy. Material changes will be announced 14 days in advance via email or in-app notice. Older versions are available on request.

15. Contact

Email: privacy@taimesheet.com · Postal address: see Section 1.