Privacy Policy

1. Introduction

Welcome to TimeIn.one. We value your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Czech and EU law. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.

2. Data Controller

The data controller responsible for your personal data is:

3. Data Protection Roles

Under the GDPR, different roles apply depending on the context of data processing:

• TimeIn.one as Controller: For the purposes of operating the platform — including account management, authentication, security, service improvement, and communication with users — TimeIn.one (Štěpán Kameník) acts as the independent data controller.
• TimeIn.one as Processor: When processing worklog data, time entries, project information, and other content that you (or your organization) enter into the service, TimeIn.one acts as a data processor on your behalf. In this context, you (or your employer/organization) are the data controller who determines the purposes and means of processing this data.

This dual-role arrangement is common for SaaS platforms. The specific obligations of TimeIn.one as Processor are detailed in our Data Processing Agreement (DPA), which forms part of the Terms of Service.

4. Information We Collect

We collect information to provide better services to our users. The types of information we collect include:

• Account Information: When you register, we collect your name, email address, and authentication details (e.g., via Google OAuth).
• Usage Data: We collect information about how you interact with our service, including time logs, project details, work descriptions, and preferences.
• Technical Data: IP addresses, browser types, and device information are collected for security and service operation purposes.
• Integration Data: When you connect third-party services (GitLab, Resource Guru, Google), we store the necessary tokens and data to maintain those integrations.

5. Legal Bases for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the TimeIn.one service, including account management, time tracking, reporting, and data export.
• Legitimate interest (Art. 6(1)(f)): Processing for security purposes (e.g., fraud prevention, abuse detection), service improvement, and anonymized analytics via Vercel Analytics.
• Consent (Art. 6(1)(a)): Processing for optional features such as AI-powered weekly summaries (which sends work data to OpenAI) and third-party integrations you choose to enable. You may withdraw consent at any time by disabling the relevant feature in Settings.

6. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our services.
• Personalize your experience and provide tailored content.
• Communicate with you regarding updates, security alerts, and support.
• Generate AI-powered weekly summaries and productivity insights (when enabled).
• Monitor and analyze usage trends to optimize our platform (using cookieless, privacy-friendly Vercel Analytics).

7. Google API Data

TimeIn.one's use and transfer to any other app of information received from Google APIs will adhere to the Google API Service User Data Policy, including the Limited Use requirements.

When you connect your Google Calendar, we access your calendar events to provide worklog suggestions. This data is used solely to help you track your time and is not shared with third parties for advertising or other purposes.

8. Recipients and Third Parties

We do not sell your personal data. We share information with the following categories of recipients:

• Vercel Inc. (United States) — Application hosting, CDN, serverless functions, and privacy-friendly cookieless analytics.
• Neon Inc. (EU — Frankfurt) — PostgreSQL database hosting for all application data.
• OpenAI, L.L.C. (United States) — AI-powered weekly summaries and productivity insights. Work data is sent to OpenAI only when you enable AI features.
• Google LLC (United States) — OAuth authentication and Calendar integration (when enabled by you).
• GitLab Inc. (United States) — Issue metadata retrieval when you use the GitLab integration.
• Resource Guru Ltd. (United Kingdom) — Scheduling data synchronization when you enable the Resource Guru integration.
• Legal Requirements: We may disclose data if required by law or to protect our rights and the safety of our users.

For a complete list of sub-processors and their roles, see our Data Processing Agreement.

9. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on:

• EU-US Data Privacy Framework: Where applicable, we rely on our sub-processors' participation in the EU-US Data Privacy Framework (DPF), recognized by the European Commission as providing an adequate level of data protection. Vercel and Google have publicly confirmed their DPF certification. For other sub-processors, we verify their current DPF status or apply alternative safeguards.
• Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply or a sub-processor's DPF certification cannot be confirmed, we use the European Commission's Standard Contractual Clauses as the legal transfer mechanism.

10. Data Retention

We retain your personal data as follows:

• Active accounts: Your data is retained for the duration of your contractual relationship with us (i.e., while your account remains active and you continue to use the service).
• Deleted accounts: Upon account deletion, your personal data is removed within 30 days.
• Backups: Database backups are retained for up to 90 days before automatic deletion.
• Security logs: Server logs containing IP addresses and technical data are retained for security analysis and incident investigation.

11. Data Security

We implement appropriate technical and organizational security measures to protect your data, including encryption at rest and in transit, secure authentication with scrypt password hashing, HMAC-SHA256 signed session tokens, and httpOnly cookies. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

12. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate personal data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18): Request restriction of processing of your personal data.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (CSV/PDF export available in Settings).
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time by disabling the relevant feature in Settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us at stepan@kamest.dev. We will respond within 30 days.

You also have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz.

13. AI Features

TimeIn.one offers optional AI-powered features, including weekly summaries and productivity insights, powered by OpenAI. When you enable these features, your work data (time entries, project names, and descriptions) is sent to OpenAI for processing.

AI requests are made through TimeIn.one's own OpenAI account — you do not need to provide your own API key. TimeIn.one acts as the data controller for this processing and has a Data Processing Agreement in place with OpenAI. No data is sent to OpenAI unless you explicitly enable AI features in Settings. Under our current API agreement with OpenAI, data submitted through the API is not used for model training (see OpenAI's Enterprise Privacy documentation). Please note that OpenAI's policies may be updated over time; we review them periodically and will update this policy if there are material changes.

AI-generated summaries and insights are informational only and do not constitute professional advice. They should not replace human judgment in decision-making. You can disable AI features at any time in Settings.

14. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date. For material changes, we may also notify you via email.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at stepan@kamest.dev.