Our Commitment to GDPR Compliance
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all companies processing personal data of individuals in the European Union. At Timer, we are fully committed to GDPR compliance and protecting your fundamental right to privacy.
This page explains how Timer complies with GDPR requirements and details the rights you have regarding your personal data when using our smart scheduling platform.
GDPR Commitment
Timer is built on privacy-by-design principles, ensuring that data protection is part of every aspect of our platform from the ground up.
Legal Basis for Data Processing
Under GDPR, we must have a lawful basis for processing your personal data. Timer processes your data based on the following legal grounds:
Contract Performance (Article 6(1)(b))
- Processing necessary to provide Timer's scheduling services
- Managing your account and subscription
- Facilitating meeting bookings and calendar synchronization
- Providing customer support and technical assistance
Legitimate Interests (Article 6(1)(f))
- Improving our services and developing new features
- Ensuring platform security and preventing fraud
- Conducting analytics to enhance user experience
- Marketing communications (with opt-out options)
Consent (Article 6(1)(a))
- Optional AI transcription services
- Non-essential cookies and tracking
- Marketing communications where required by law
- Integration with third-party services
Legal Obligation (Article 6(1)(c))
- Compliance with tax and accounting requirements
- Responding to legal requests and court orders
- Meeting regulatory compliance obligations
Your GDPR Rights
As a data subject under GDPR, you have several important rights regarding your personal data:
Right of Access (Article 15)
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data
- Receive information about how we process your data
- Learn about data sharing with third parties
How to exercise: Contact us at [email protected] or use the data export feature in your account settings.
Right to Rectification (Article 16)
- Correct inaccurate personal data
- Complete incomplete personal data
- Update outdated information
How to exercise: Update your information directly in your account settings or contact us for assistance.
Right to Erasure / "Right to be Forgotten" (Article 17)
- Request deletion of your personal data
- Applicable when data is no longer necessary for its original purpose
- When consent is withdrawn and no other legal basis exists
- When data has been unlawfully processed
How to exercise: Use the account deletion feature in your settings or contact us at [email protected].
Right to Restrict Processing (Article 18)
- Limit how we process your data while maintaining storage
- Available when accuracy is contested
- When processing is unlawful but you prefer restriction over deletion
Right to Data Portability (Article 20)
- Receive your data in a structured, machine-readable format
- Transfer data directly to another service provider where possible
- Applies to data processed based on consent or contract
How to exercise: Use the data export feature in your account settings or contact us for assistance.
Right to Object (Article 21)
- Object to processing based on legitimate interests
- Object to direct marketing (always honored)
- Object to automated decision-making and profiling
Rights Related to Automated Decision-Making (Article 22)
- Not be subject to decisions based solely on automated processing
- Request human intervention in automated decisions
- Challenge automated decisions that significantly affect you
Data Processing Activities
Personal Data We Process
- Identity Data: Name, email address, profile picture
- Contact Data: Email address, phone number (optional)
- Technical Data: IP address, browser information, device identifiers
- Usage Data: How you interact with Timer's features and services
- Scheduling Data: Meeting types, availability, booking information
- Integration Data: Calendar events, contact information from connected services
- Communication Data: Support inquiries, feedback, meeting recordings (with consent)
Special Categories of Data
Timer generally does not process special categories of personal data (such as health, religious, or political information). If such data is inadvertently collected through meeting content or integrations, it is processed with appropriate safeguards and only with explicit consent where required.
Automated Decision-Making
Timer uses automated processing for:
- Smart Scheduling: AI algorithms suggest optimal meeting times
- Conflict Detection: Automatic identification of scheduling conflicts
- Spam Prevention: Automated filtering of suspicious booking attempts
These automated processes are designed to enhance your experience and do not make decisions that significantly affect your legal rights without human oversight.
International Data Transfers
Timer is based in Portugal (EU), but some of our service providers may be located outside the European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards:
Transfer Mechanisms
- Adequacy Decisions: Transfers to countries with EU adequacy decisions
- Standard Contractual Clauses: EU-approved contracts with service providers
- Binding Corporate Rules: For transfers within multinational service providers
- Certification Schemes: Transfers under approved certification schemes
Third Country Processing
We work with the following types of service providers that may process data outside the EEA:
- Cloud infrastructure providers (with appropriate safeguards)
- Email service providers for communications
- Analytics and monitoring services
- Payment processors for subscription billing
Data Retention Policies
Retention Periods
- Active Accounts: Data retained while account is active and for legitimate business needs
- Closed Accounts: Most personal data deleted within 30 days of account closure
- Legal Requirements: Some data retained longer to comply with legal obligations (e.g., 7 years for billing records)
- Legitimate Interests: Limited data may be retained for fraud prevention and security
Secure Deletion
When data is deleted, we use secure deletion methods to ensure it cannot be recovered. Backup systems are purged according to our data retention schedule.
Data Security Measures
Security by Design
Timer implements technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
Technical Safeguards
- Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
- Access Controls: Role-based access controls and multi-factor authentication
- Network Security: Firewalls, intrusion detection, and monitoring systems
- Vulnerability Management: Regular security assessments and updates
- Backup Security: Encrypted backups with geographic distribution
Organizational Measures
- Staff Training: Regular privacy and security training for all employees
- Access Limitation: Principle of least privilege for data access
- Incident Response: Procedures for detecting and responding to data breaches
- Vendor Management: Due diligence and contracts with data processors
Data Breach Notification
In the unlikely event of a personal data breach, Timer has procedures in place to:
Internal Response (Within 72 hours)
- Detect and assess the scope of the breach
- Contain the breach and implement remedial measures
- Document the incident and its impacts
- Notify the relevant supervisory authority if required
Individual Notification
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, including:
- Description of the breach and affected data types
- Likely consequences of the breach
- Measures taken to address the breach
- Recommendations for protecting yourself
How to Exercise Your Rights
Self-Service Options
Many GDPR rights can be exercised directly through your Timer account:
- Access: View your personal data in account settings
- Rectification: Update your profile and preferences
- Portability: Export your data using the data export feature
- Erasure: Delete your account and data
- Objection: Opt out of marketing communications
Contact Our Data Protection Officer
For complex requests or additional assistance:
- Email: [email protected]
- Subject Line: Include "GDPR Request" for faster processing
- Information Required: Your name, email, and specific request details
- Identity Verification: We may need to verify your identity for security
Response Timeframes
- Standard Response: Within 30 days of receiving your request
- Complex Requests: May be extended by up to 60 additional days
- Fee: Generally free, but reasonable fees may apply for excessive requests
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
Portuguese Data Protection Authority
As Timer is based in Portugal, our lead supervisory authority is:
Other EU Supervisory Authorities
You may also contact the supervisory authority in your EU country of residence. A complete list is available at: edpb.europa.eu