GDPR Compliance Statement

Last updated: 4/28/2026

1. Our Commitment to GDPR Compliance

TimeTally, operated by Timetally, is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We recognize that protecting your personal data is not just a legal requirement but a fundamental responsibility to our users.

This GDPR Compliance Statement explains how we fulfill our obligations under UK data protection law and ensures your rights are respected and protected at all times.

2. Data Controller Information

Timetally is the data controller for all personal data processed through TimeTally. Our responsibilities include:

  • Determining the purposes and means of processing personal data
  • Ensuring lawful, fair, and transparent processing
  • Implementing appropriate technical and organizational measures
  • Maintaining records of processing activities
  • Responding to data subject requests within required timelines

Contact Details:

3. Principles of Data Processing

We adhere to the seven principles of the UK GDPR in all our data processing activities:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We clearly explain what data we collect, why we collect it, and how we use it through our Privacy Policy and this GDPR statement.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes only. We do not process data in ways incompatible with those purposes. Purposes include:

  • Providing timesheet management services
  • Processing payments and subscriptions
  • Managing leave requests and approvals
  • Generating payroll reports
  • Improving service quality and security

3.3 Data Minimization

We collect only the personal data that is adequate, relevant, and necessary for our specified purposes. We do not collect excessive or unnecessary information.

3.4 Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. You can update most of your information directly through your account settings. Inaccurate data is erased or rectified without delay.

3.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law. We have clear data retention policies:

  • Active accounts: Data retained while account is active
  • Cancelled subscriptions: 90-day retention for reactivation
  • Billing records: 7 years for UK tax compliance
  • Deleted accounts: Immediate deletion with 30-day backup retention

3.6 Integrity and Confidentiality (Security)

We implement appropriate technical and organizational measures to ensure personal data security, protecting against unauthorized or unlawful processing, accidental loss, destruction, or damage.

3.7 Accountability

We are responsible for and can demonstrate compliance with the UK GDPR principles. We maintain comprehensive documentation of our processing activities, security measures, and data protection impact assessments.

4. Lawful Bases for Processing

Under UK GDPR, we must have a valid lawful basis for processing personal data. We rely on the following legal bases:

4.1 Performance of a Contract (Article 6(1)(b))

Processing is necessary to fulfill our contractual obligations under the Terms of Service, including:

  • Creating and managing user accounts
  • Processing and storing timesheet data
  • Managing leave requests and approvals
  • Providing access to the Service
  • Generating payroll reports and exports
  • Processing payments through Stripe

4.2 Consent (Article 6(1)(a))

For certain processing activities, we obtain your explicit consent:

  • Marketing communications and newsletters
  • Non-essential cookies and analytics
  • Optional features and integrations

You have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4.3 Legitimate Interests (Article 6(1)(f))

We process certain data based on legitimate business interests, balanced against your rights and freedoms:

  • Fraud detection and prevention
  • Network and information security
  • Improving service quality and performance
  • Understanding usage patterns
  • Internal administration and record-keeping
  • Enforcing legal rights and terms of service

We conduct legitimate interest assessments (LIAs) to ensure our interests do not override your fundamental rights.

4.4 Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with legal obligations, including:

  • UK tax and accounting requirements (7-year billing record retention)
  • Employment law compliance
  • Anti-money laundering regulations
  • Court orders and legal requests
  • Data breach notification to the ICO

5. Your Rights Under UK GDPR

Under UK GDPR, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights.

5.1 Right of Access (Article 15)

What it means: You have the right to obtain confirmation that we process your personal data and receive a copy of that data along with supplementary information about the processing.

How to exercise: Email support@timetally.org with your request. We will provide the information free of charge within one month.

What we provide:

  • Confirmation of whether we process your data
  • Categories of data being processed
  • Purposes of processing
  • Recipients of your data
  • Retention periods
  • Copy of your personal data in CSV or JSON format

5.2 Right to Rectification (Article 16)

What it means: You have the right to have inaccurate personal data corrected and incomplete data completed.

How to exercise:

  • Update most information directly in your account settings
  • Contact us at support@timetally.org for corrections you cannot make yourself

Our response time: We will correct inaccurate data within one month of your request.

5.3 Right to Erasure ("Right to be Forgotten") (Article 17)

What it means: You have the right to request deletion of your personal data in certain circumstances.

When this applies:

  • Data is no longer necessary for the purposes it was collected
  • You withdraw consent and there is no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Data must be erased to comply with a legal obligation

How to exercise:

  • Use the account deletion feature in settings (immediate deletion)
  • Email support@timetally.org to request specific data deletion

Exceptions: We may retain data when required by law (e.g., 7-year tax records) or for exercising/defending legal claims.

5.4 Right to Restriction of Processing (Article 18)

What it means: You can request that we limit how we use your data in certain situations.

When this applies:

  • You contest the accuracy of data (while we verify)
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing (while we verify our legitimate grounds)

Effect: We will store the data but not process it further without your consent or for legal claims.

5.5 Right to Data Portability (Article 20)

What it means: You can receive your personal data in a structured, machine-readable format and transmit it to another controller.

When this applies:

  • Processing is based on consent or contract performance
  • Processing is carried out by automated means

How to exercise:

  • Export timesheets to CSV or Excel format within the application
  • Use payroll export integrations (Xero, QuickBooks)
  • Request a complete data export via support@timetally.org

Format provided: CSV, JSON, or Excel, depending on data type.

5.6 Right to Object (Article 21)

What it means: You can object to processing in certain circumstances.

Types of objection:

  • Legitimate interests: You can object to processing based on our legitimate interests. We must then either demonstrate compelling legitimate grounds to continue, or cease that processing.
  • Direct marketing: You have an absolute right to object to marketing communications at any time. We will stop processing for that purpose immediately.

How to exercise: Email support@timetally.org with your objection and reasons.

5.7 Rights Related to Automated Decision Making (Article 22)

What it means: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Our position: TimeTally does not make automated decisions about you. All timesheet approvals, leave requests, and account management decisions involve human review.

5.8 How to Exercise Your Rights

To exercise any of these rights:

  • Email: support@timetally.org
  • Subject line: Include "GDPR Request" and the specific right you're exercising
  • Information needed: Your name, email address, and organization name for verification
  • Response time: We will respond within one month. For complex requests, we may extend by two months and will notify you of the extension.

We will not charge a fee unless your request is manifestly unfounded or excessive. We may request additional information to confirm your identity before fulfilling requests.

6. Data Protection Measures

We implement comprehensive technical and organizational measures to ensure appropriate security of personal data:

6.1 Technical Measures

  • Encryption in transit: TLS 1.2+ for all connections (HTTPS)
  • Encryption at rest: Database encryption via Supabase PostgreSQL
  • Password hashing: Bcrypt algorithm through Supabase Auth
  • Access controls: Row-Level Security (RLS) policies enforcing data isolation by organization
  • Session management: JWT tokens with automatic expiration and secure storage
  • Input validation: Zod schema validation on all user inputs
  • CSRF protection: Session-based CSRF tokens
  • XSS protection: React automatic escaping and Content Security Policy
  • API security: Authentication required for all API endpoints
  • Regular backups: Automated database backups with encryption

6.2 Organizational Measures

  • Access control policy: Limited access to personal data on a need-to-know basis
  • Staff training: Regular data protection and security training for all personnel
  • Confidentiality agreements: All staff sign confidentiality and data protection agreements
  • Security audits: Regular internal and external security assessments
  • Incident response plan: Documented procedures for handling data breaches
  • Data protection by design: Privacy considerations integrated into system development
  • Data protection by default: Minimum data collection by default
  • Vendor management: Due diligence on all third-party processors
  • Business continuity: Disaster recovery and business continuity plans

6.3 Third-Party Processors

We only use processors that provide sufficient guarantees of GDPR compliance:

  • Supabase: EU/US data centers with GDPR-compliant processing
  • Stripe: PCI-DSS Level 1 certified, GDPR compliant
  • Vercel: SOC 2 Type II certified, GDPR compliant
  • Google Analytics: GDPR-compliant configuration with IP anonymization

We have data processing agreements (DPAs) in place with all processors detailing their obligations under UK GDPR.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom.

7.1 Safeguards for International Transfers

When we transfer data outside the UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): UK ICO-approved contractual clauses with data processors
  • Adequacy decisions: Transfers to countries with UK adequacy decisions
  • Binding Corporate Rules: For service providers with approved BCRs
  • Certification schemes: Processors certified under approved frameworks

7.2 Specific Transfer Mechanisms

  • Supabase: Data stored in configurable regions (EU/US). We use EU regions where possible. SCCs in place.
  • Stripe: Global payment processing with UK/EU primary processing. GDPR-compliant with SCCs.
  • Vercel: Global CDN with data processing agreements and SCCs.

8. Data Breach Notification

We have robust procedures for detecting, investigating, and responding to personal data breaches.

8.1 Breach Response Process

  1. Detection: Continuous monitoring for security incidents
  2. Assessment: Immediate assessment of breach severity and impact
  3. Containment: Swift action to contain and limit the breach
  4. Investigation: Thorough investigation of root cause and extent
  5. Notification: Timely notification to affected parties and authorities
  6. Remediation: Implementation of measures to prevent recurrence
  7. Documentation: Detailed breach records for accountability

8.2 Notification to ICO

If a breach is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, including:

  • Nature of the breach (categories and approximate numbers affected)
  • Name and contact details of our Data Protection Officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.3 Notification to Data Subjects

If a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay, providing:

  • Clear and plain language description of the breach
  • Likely consequences
  • Measures taken to address the breach
  • Recommendations for protecting yourself
  • Contact information for further inquiries

9. Records of Processing Activities

Under Article 30 UK GDPR, we maintain comprehensive records of our processing activities, including:

  • Name and contact details of the controller and DPO
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients of personal data
  • Details of international transfers and safeguards
  • Retention periods
  • Description of technical and organizational security measures

These records are available to the ICO upon request and can be provided to data subjects exercising their right of access.

10. Data Protection Impact Assessments (DPIAs)

When processing is likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments before beginning processing. We have conducted DPIAs for:

  • Timesheet data collection and processing systems
  • Employee monitoring and performance tracking features
  • Payment processing and billing systems
  • Analytics and usage tracking implementations

Our DPIAs assess the necessity and proportionality of processing, risks to individuals, and measures to address those risks.

11. Children's Data

TimeTally is not intended for use by children under 18 years of age. We do not knowingly collect or process personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete that information immediately.

If you believe a child has provided us with personal data, please contact us at support@timetally.org.

12. Complaints and Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with UK GDPR.

12.1 UK Information Commissioner's Office (ICO)

We are a UK-based organization, so our supervisory authority is the ICO:

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Live Chat: Available on ICO website during business hours
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

12.2 Direct Complaint to TimeTally

We encourage you to raise concerns with us directly before contacting the ICO, so that we can address them promptly:

We will investigate all complaints thoroughly and respond within one month. For complex complaints, we may extend this by two months and will notify you of the extension and reasons.

13. Updates to This GDPR Statement

We may update this GDPR Compliance Statement to reflect changes in law, our practices, or regulatory guidance. Material changes will be communicated through:

  • Updated "Last updated" date at the top of this page
  • Email notification to registered users
  • Prominent notice within the Service

We recommend reviewing this statement periodically to stay informed of how we protect your data.

14. Further Information and Contact

For detailed information about our data practices, please see:

For GDPR-related enquiries, exercising your rights, or complaints:

We are committed to protecting your personal data and ensuring compliance with UK GDPR at all times. Your trust is important to us, and we take our data protection responsibilities seriously.