Privacy Policy

Last updated: 1 March 2026

1. Who We Are

Timello is operated as a sole trader business registered in England. If you have any questions about this privacy policy or how we handle your personal data, please contact us at [email protected].

2. What Data We Collect

We collect and process the following personal data:

  • Account information: name, email address, and password (encrypted) when you register or are invited to use the service.
  • Business information: business name provided during registration.
  • Employment data: department, role within the platform, holiday allowance, and work day patterns as configured by your business administrator.
  • Leave records: leave request dates, types, periods (full/half day), approval status, and any notes added to requests.
  • Payment information: if you subscribe to a paid plan, payment processing is handled by Stripe. We store a Stripe customer identifier and the last four digits of your payment method. We do not store full card numbers.
  • Technical data: session identifiers and IP addresses for security and rate-limiting purposes.

3. Legal Basis for Processing

We process your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our legal bases are:

  • Contract: processing is necessary to provide the Timello service you or your employer have signed up for.
  • Legitimate interests: to maintain security, prevent fraud, and improve the service.
  • Legal obligation: to comply with applicable laws and regulations.

4. How We Use Your Data

We use your personal data to:

  • Provide and maintain the Timello service, including managing leave requests and calendar functionality.
  • Send transactional emails such as account invitations, leave request notifications, and payment confirmations.
  • Process subscription payments via Stripe.
  • Enforce security measures including rate limiting and session management.

We do not use your data for marketing purposes or share it with third-party advertisers.

5. Data Sharing

We share personal data only with:

  • Stripe: for payment processing. Stripe acts as an independent data controller. See Stripe's Privacy Policy.
  • Zoho: for transactional email delivery. See Zoho's Privacy Policy.
  • Your employer/business administrator: administrators within your business can see your name, email, department, leave requests, and allowance information as part of normal service functionality.

We do not sell your personal data to any third party.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service. When a user account is deactivated, we retain the data in a deactivated state for audit and recovery purposes. If you wish to have your data permanently deleted, please contact us at [email protected].

Payment records are retained as required by UK tax and accounting regulations (typically 6 years).

7. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • Protection of passwords using industry-standard hashing.
  • HTTPS encryption for all data in transit.
  • Role-based access controls within the application.
  • Regular database backups.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your personal data where there is no compelling reason for continued processing.
  • Restriction: request that we restrict processing of your data in certain circumstances.
  • Data portability: request your data in a structured, commonly used format.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, please contact [email protected]. We will respond within one month.

9. Cookies

We use a small number of essential cookies to operate the service. For full details, please see our Cookie Policy.

10. Children's Data

Timello is a business service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of significant changes by email. The "last updated" date at the top of this page indicates when the policy was last revised.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

13. Contact

For any questions about this privacy policy, please contact:

Timello
Email: [email protected]