Privacy Policy
Last updated: January 25, 2025
1. DATA CONTROLLER
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), we inform you:
Email: privacy@timeblu.com
Website: https://timeblu.com
Application: https://app.timeblu.com
Hereinafter, "Timeblu", "we" or the "Controller".
2. WHAT IS TIMEBLU?
Timeblu is a simple scheduling application for appointment-based businesses that allows users (professionals, companies, freelancers) to efficiently manage their appointments, clients, and calendars.
3. INFORMATION WE COLLECT AND PROCESS
3.1 Timeblu User Data (the professional/company)
When you register as a Timeblu user, we collect:
- Account data: Name, surname, email address, password (encrypted), phone number (optional)
- Billing data: Information necessary to process your subscription (managed by Stripe)
- Usage data: Information about how you use the application, preferences, settings
3.2 User-Entered Data (user's clients)
IMPORTANT: You decide what information you enter about your clients in Timeblu. In this case, you act as the Data Controller and Timeblu acts as the Data Processor.
Data you may enter includes:
- Your clients' names
- Phone numbers
- Email addresses
- Addresses
- Free-form notes
PROHIBITION OF SENSITIVE DATA: It is not permitted to enter special category data according to Article 9 of the GDPR in the notes (health, religion, sexual orientation, racial/ethnic origin, political opinions, trade union membership, biometric, genetic data). If you enter such data, it is under your sole responsibility.
3.3 Technical Data
- IP address
- Browser and device type
- Cookies and similar technologies (see Cookie Policy)
- Service access and usage logs
4. FOR WHAT PURPOSES DO WE PROCESS YOUR DATA?
4.1 As a Timeblu User
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Manage your account and provide the service | Contract performance (Art. 6.1.b GDPR) | While the contractual relationship lasts |
| Process payments and billing | Contract performance + Legal obligation (Art. 6.1.b and c GDPR) | Invoices: 4 years from issuance (tax obligation) |
| Service communications (changes, maintenance, security) | Contract performance (Art. 6.1.b GDPR) | While the contractual relationship lasts |
| Sending commercial information about improvements, new features (optional) | Consent (Art. 6.1.a GDPR) | Until you withdraw consent |
| Fulfill legal obligations (tax, accounting) | Legal obligation (Art. 6.1.c GDPR) | According to applicable regulations |
| Service improvement and usage analysis | Legitimate interest (Art. 6.1.f GDPR) | Anonymized/aggregated data without time limit |
4.2 As Data Processor (your clients' data)
Timeblu only processes the data you enter about your clients following your instructions to:
- Store them securely
- Allow you to access, modify, export, and delete them
- Make backups
We do not use your clients' data for any other purpose. For more details, see our Data Processing Agreement (DPA).
5. TO WHOM DO WE DISCLOSE YOUR DATA?
We do not sell or transfer your data to third parties for commercial purposes.
We only share data with:
5.1 Service Providers (Sub-processors)
| Provider | Service | Location | Guarantees |
|---|---|---|---|
| Supabase Inc. | Database hosting | Frankfurt, Germany (EU) | GDPR-compliant DPA, ISO 27001 certification |
| Stripe Inc. | Payment processing | EU + Standard Contractual Clauses | GDPR-compliant DPA, PCI-DSS certified |
All our providers comply with GDPR and we have signed data processing agreements (DPA) with them.
5.2 Legal Obligations
We may disclose data if required by law, court order, or competent authority.
6. HOW LONG DO WE KEEP YOUR DATA?
- Active account: While you keep your account active
- After account cancellation: 30 days to allow reactivation, then complete deletion
- Tax/invoice data: 4 years from the last invoice (legal obligation)
- Security logs: 2 years (security and legal defense requirements)
7. WHAT ARE YOUR RIGHTS?
You can exercise the following rights at any time:
7.1 GDPR Rights
- Access: Obtain confirmation about whether we process your data and access them
- Rectification: Correct inaccurate or incomplete data
- Erasure ("right to be forgotten"): Request deletion of your data
- Restriction: Request that we limit processing in certain circumstances
- Portability: Receive your data in a structured format (CSV/JSON) - feature available in your control panel
- Objection: Object to processing based on legitimate interest
- Withdrawal of consent: If processing is based on your consent, you can withdraw it at any time
7.2 How to Exercise Your Rights?
Option 1 - From the application (recommended):
- Access your account at https://app.timeblu.com
- Go to Settings > Privacy and Data
- You will find options to:
  - Export all your data
  - Delete your account
  - Manage communication preferences
Option 2 - By email: Send an email to privacy@timeblu.com with:
- Subject: "GDPR Rights Exercise"
- Your name and account email
- The right you wish to exercise
- Copy of ID or identification document (to verify your identity)
Response time: 1 month from the request (extendable by 2 more months in complex cases)
7.3 Complaint to Supervisory Authority
If you believe we have not properly addressed your rights, you can file a complaint with your local Data Protection Authority.
8. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data:
8.1 Technical Measures
- Encryption: HTTPS for all communications, data encrypted in database
- Access control: Robust authentication, two-factor authentication (2FA) option available
- Backups: Encrypted automatic daily backups
- Data segregation: Each user can only access their own data (Row Level Security)
- Audit logs: Record of access and critical operations
8.2 Organizational Measures
- Restricted access to personal data only to authorized personnel
- Internal information security policies
- Security incident management procedures
8.3 Security Breach Notification
In case of a security breach that may pose a risk to your rights:
- We will notify the supervisory authority within 72 hours
- We will inform you without undue delay if the risk is high
- We will take measures to mitigate the impact
9. INTERNATIONAL TRANSFERS
Our data is stored on servers located in the European Union (Frankfurt, Germany), so there is no international transfer of data outside the European Economic Area.
If in the future we use providers outside the EEA, we will ensure appropriate protection mechanisms (Standard Contractual Clauses approved by the European Commission, adequacy decisions, etc.).
10. MINORS
Timeblu is not intended for people under 18 years of age. We do not knowingly collect data from minors. If we detect that a minor has provided data, we will proceed to delete it immediately.
If you are a parent/guardian and believe your minor child has provided data, contact us at privacy@timeblu.com.
11. MANDATORY DATA AND CONSEQUENCES OF NOT PROVIDING IT
Fields marked with an asterisk (*) in forms are mandatory. If you don't provide them:
- We cannot create your account
- We cannot provide the service
- We cannot process payments (for paid plans)
12. AUTOMATED DECISIONS AND PROFILING
Timeblu DOES NOT perform:
- Automated decisions that produce legal effects on you
- Profiling for marketing or similar purposes
13. UPDATES TO THIS POLICY
We may update this Privacy Policy periodically. Significant changes will be notified:
- By email to your account
- With a prominent notice in the application
- By updating the "Last updated" date at the beginning of this document
We recommend reviewing this policy regularly. Continued use of the service after changes implies acceptance of them.
14. CONTACT
For any questions about this Privacy Policy or about the processing of your data:
Email: privacy@timeblu.com
15. ADDITIONAL INFORMATION
This Privacy Policy complements our Terms of Service and our Cookie Policy, available at:
- Terms of Service: https://timeblu.com/terms
- Cookie Policy: https://timeblu.com/cookies
- DPA (for customers): https://timeblu.com/dpa
Applicable regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)