Privacy Policy

Last updated: 4/28/2026

1. Introduction

Welcome to TimeTally, operated by Timetally ("we", "us", "our"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our timesheet management platform.

This policy applies to all users of TimeTally, including organization administrators and employees. By using our Service, you agree to the collection and use of information in accordance with this policy.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For detailed information about your rights and our GDPR compliance, please see our GDPR Compliance Statement.

2. Data Controller

Timetally is the data controller responsible for your personal data. Our contact details are:

3. Information We Collect

We collect different types of information depending on how you use our Service. The information we collect includes:

3.1 Account Information

When you create an account, we collect:

  • Full name: Used to identify you within the system
  • Email address: Used for account login, notifications, and communications
  • Password: Securely hashed and stored through Supabase authentication
  • Phone number: Optional, for contact purposes
  • Profile photo: Optional, displayed in your profile

3.2 Employment Information

For employees added to organizations, we collect:

  • Job title: Your position within the organization
  • Department: Your organizational department
  • Hourly rate: Your standard hourly wage (in GBP)
  • Overtime rate: Your overtime hourly wage (in GBP)
  • Standard working hours: Your expected weekly hours
  • Start date: Your employment start date
  • Country/Location: Your work location

3.3 Timesheet and Work Data

During your use of the Service, we collect:

  • Time entries: Daily hours worked, including start date, end date, and total hours
  • Timesheet status: Submission, approval, and review status
  • Approval history: Who approved/rejected timesheets and when
  • Overtime hours: Automatically calculated overtime
  • Project assignments: Projects or cost centers associated with time entries
  • Notes and comments: Any notes added to timesheets
  • Status change history: Audit trail of timesheet modifications

3.4 Leave/Holiday Information

We collect and process:

  • Holiday allowances: Annual leave entitlements and remaining days
  • Leave requests: Dates, duration, type of leave (vacation, sick, etc.)
  • Leave status: Pending, approved, or rejected status
  • Rejection reasons: Notes explaining why leave was denied
  • Leave notes: Additional information about leave requests

3.5 Payment and Billing Data

For organization administrators managing subscriptions, we collect:

  • Payment card details: Last 4 digits and brand only (never full card numbers)
  • Billing email: Email address for invoices
  • Stripe Customer ID: Your unique identifier in our payment processor
  • Stripe Subscription ID: Your subscription reference
  • Payment history: Transaction records and invoice details
  • Billing history: Events related to subscription changes

Important: We never store full credit card numbers. All payment processing is handled securely by Stripe, our PCI-DSS compliant payment processor.

3.6 Technical and Usage Data

We automatically collect:

  • IP address: For security and fraud prevention
  • Browser type and version: To ensure compatibility
  • Device information: Operating system and device type
  • Time zone: For accurate time tracking
  • Page views: Pages you visit within the application
  • Session duration: How long you're logged in
  • Feature usage: Which features you use most frequently
  • Error logs: Technical errors for debugging purposes

3.7 Cookies and Tracking Technologies

We use cookies and similar technologies. For detailed information, please see our Cookie Policy. Key cookies include:

  • Authentication cookies: Keep you logged in (Supabase session tokens)
  • Preference cookies: Remember your settings (tour completion flags)
  • Analytics cookies: Google Analytics and Vercel Analytics for usage insights

4. How We Use Your Information

We use your personal data only for legitimate purposes in accordance with UK GDPR. We process your information to:

4.1 Provide the Service

  • Create and manage your account
  • Process and store timesheet entries
  • Calculate overtime and track working hours
  • Manage leave requests and approvals
  • Generate payroll reports and exports
  • Enable approval workflows between managers and employees

4.2 Process Payments

  • Calculate subscription fees based on employee count
  • Process monthly payments through Stripe
  • Send invoices and payment receipts
  • Handle subscription changes, cancellations, and reactivations
  • Manage trial periods and billing cycles

4.3 Communicate With You

  • Send timesheet submission and approval notifications
  • Notify you of leave request status changes
  • Send account-related emails (password resets, security alerts)
  • Provide customer support and respond to inquiries
  • Send service updates and feature announcements
  • Notify you of changes to our policies or terms

4.4 Improve and Secure the Service

  • Analyze usage patterns to improve features
  • Monitor performance and identify technical issues
  • Detect and prevent fraud and unauthorized access
  • Ensure compliance with our Terms of Service
  • Debug errors and improve system stability
  • Conduct security audits and vulnerability assessments

4.5 Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Respond to lawful requests from authorities
  • Enforce our Terms of Service and other agreements
  • Protect our rights, property, and safety
  • Maintain accounting records for tax purposes

5. Legal Basis for Processing

Under UK GDPR, we must have a legal basis for processing your personal data. We rely on:

5.1 Contract Performance

Processing is necessary to provide the Service under our Terms of Service. This includes account management, timesheet processing, payment processing, and feature delivery.

5.2 Consent

You provide explicit consent for certain processing activities, such as receiving marketing communications or using optional features. You can withdraw consent at any time.

5.3 Legitimate Interests

We have legitimate business interests in improving the Service, ensuring security, preventing fraud, and analyzing usage patterns. We balance these interests against your rights and freedoms.

5.4 Legal Obligations

We must process certain data to comply with legal requirements, such as tax laws, employment regulations, and data protection laws.

6. How We Share Your Information

We do not sell, rent, or trade your personal data. We only share information in the following limited circumstances:

6.1 Within Your Organization

Your data is shared with other users in your organization according to role-based permissions:

  • Administrators: Can view all employee data, timesheets, and reports
  • Employees: Can only view their own data and public organization information

6.2 Service Providers

We share data with trusted third-party service providers who help us deliver the Service:

  • Supabase: Database hosting, authentication, and backend infrastructure
  • Stripe: Payment processing and subscription management
  • Google Analytics: Website analytics and usage tracking
  • Vercel: Application hosting and performance monitoring

All service providers are contractually obligated to protect your data and use it only for specified purposes.

6.3 Payroll Export Integrations

If you configure integrations with accounting software (Xero, QuickBooks), timesheet data will be exported to those platforms according to your configuration. You control what data is exported.

6.4 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or subpoenas
  • Legal proceedings or regulatory investigations
  • Requests from law enforcement or government authorities
  • Protection of our legal rights or the safety of others

6.5 Business Transfers

If TimeTally is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. Data Security

We implement industry-standard security measures to protect your personal data:

7.1 Technical Measures

  • Encryption: All data in transit uses TLS/SSL encryption (HTTPS)
  • Database encryption: Data at rest is encrypted in Supabase PostgreSQL
  • Password security: Passwords are hashed using bcrypt through Supabase Auth
  • Access controls: Row-level security policies enforce data isolation
  • Session management: Secure JWT tokens with automatic expiration

7.2 Organizational Measures

  • Limited access to personal data on a need-to-know basis
  • Regular security audits and vulnerability assessments
  • Employee training on data protection and security
  • Incident response procedures for data breaches
  • Regular backups and disaster recovery plans

7.3 Limitations

While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your login credentials and should notify us immediately of any unauthorized access.

8. Data Retention

We retain your personal data only as long as necessary for the purposes set out in this Privacy Policy:

8.1 Active Accounts

While your account is active, we retain all data necessary to provide the Service, including timesheet history, employee records, and approval history.

8.2 Cancelled Subscriptions

After subscription cancellation, your data is retained for 90 days to allow for account reactivation. After 90 days, your account may be permanently deleted unless you reactivate.

8.3 Deleted Accounts

When you delete your account through the account deletion feature:

  • Your organization and all associated data are immediately deleted
  • Employee accounts linked to your organization are removed
  • Deletion is permanent and irreversible
  • Some data may be retained in backups for up to 30 days

8.4 Legal Requirements

We may retain certain data longer if required by law, including:

  • Billing records: 7 years for UK tax and accounting compliance
  • Transaction history: Retained for fraud prevention and dispute resolution
  • Legal disputes: Data relevant to ongoing litigation or investigations

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

9.1 Right to Access

You have the right to request copies of your personal data. We may charge a small fee for this service if requests are manifestly unfounded or excessive.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

9.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain conditions. Use the account deletion feature in settings or contact us at support@timetally.org.

9.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as while we verify data accuracy or assess your objection to processing.

9.5 Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format and transmit it to another controller. Use our export features (CSV, Excel, or payroll integrations).

9.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

9.8 How to Exercise Your Rights

To exercise any of these rights, contact us at support@timetally.org. We will respond within one month, or two months for complex requests.

10. International Data Transfers

Your data may be stored and processed in locations outside the United Kingdom, including:

  • Supabase: EU/US data centers (configurable by project region)
  • Stripe: Global payment processing infrastructure
  • Vercel: Global content delivery network

When we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK ICO
  • Adequacy decisions by the UK Government
  • Service providers certified under appropriate data protection frameworks

11. Children's Privacy

TimeTally is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately, and we will delete such information.

12. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach, likely consequences, and mitigation measures
  • Take immediate steps to contain and remediate the breach

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated policy on this page with a revised "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice within the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

14. Complaints and Supervisory Authority

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

However, we encourage you to contact us first at support@timetally.org so we can address your concerns directly.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: