Privacy Policy

1.Definitions and Scope

For the purposes of this Policy, the following terms shall have the meanings ascribed below:

• “Personal Data” means any information that relates to an identified or identifiable natural person, including but not limited to name, email address, telephone number, IP address, device identifiers, geolocation data, and any other information that can be used, directly or indirectly, to identify an individual.
• “Data Controller” means the natural or legal person that determines the purposes and means of the processing of Personal Data. With respect to Subscriber account data and platform usage data, the Company acts as the Data Controller.
• “Data Processor” means the natural or legal person that processes Personal Data on behalf of the Data Controller. With respect to End User data submitted through a Subscriber’s booking page, the Company acts as a Data Processor on behalf of the Subscriber.
• “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• “Sub-processor” means any third-party entity engaged by the Company to process Personal Data on the Company’s behalf in connection with the provision of the Service.

This Policy applies to all Personal Data processed by the Company in its capacity as both a Data Controller and a Data Processor. Where the Company processes End User data on behalf of a Subscriber, the Subscriber remains the Data Controller for such data, and the Company’s processing activities are governed by the terms of the applicable data processing agreement and the Subscriber’s own privacy policies.

2.Information We Collect

The Company collects and processes the following categories of information in connection with the provision and operation of the Service:

a) Account and Registration Data

Information provided during account registration and profile configuration, including full legal name, business name, email address, telephone number, physical address, billing address, selected timezone, custom booking URL, and any other information voluntarily submitted during the onboarding process.

b) Transactional and Payment Data

Information related to subscription purchases, payment processing, and billing, including credit card or payment instrument details (processed and stored by our third-party payment processor), transaction amounts, billing history, invoice records, and subscription plan details. The Company does not directly store complete credit card numbers or financial account credentials on its servers.

c) Usage and Telemetry Data

Information automatically collected through your interaction with the Service, including pages viewed, features accessed, click patterns, session duration, navigation paths, search queries, booking creation and management activity, AI assistant interaction logs, error logs, and other behavioral and engagement metrics.

d) Device and Technical Data

Information about the devices and systems used to access the Service, including IP address, browser type and version, operating system, device type and model, screen resolution, language preferences, referring URLs, unique device identifiers, and other technical attributes collected through cookies, web beacons, pixel tags, and similar tracking technologies.

e) End User Data

Information submitted by End Users through Subscriber booking pages, including name, email address, telephone number, appointment preferences, service selections, booking notes, and any other information voluntarily provided by End Users during the booking process. Such data is collected and processed by the Company on behalf of the Subscriber in its capacity as a Data Processor.

3.Legal Bases for Processing

The Company processes Personal Data in reliance upon one or more of the following legal bases, as applicable under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation:

• Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. This includes processing required to provide, maintain, and administer the Service, manage user accounts, and process subscription payments.
• Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the Company, provided that such interests are not overridden by the rights and freedoms of the data subject. Such legitimate interests include fraud prevention, network and information security, product improvement, analytics, and direct marketing communications to existing Subscribers.
• Consent: Where the data subject has given explicit, freely given, specific, informed, and unambiguous consent to the processing of their Personal Data for one or more specific purposes. Consent may be withdrawn at any time without affecting the lawfulness of processing based on consent prior to its withdrawal.
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which the Company is subject, including tax reporting requirements, law enforcement requests, and regulatory compliance obligations.

4.Purpose of Processing

The Company processes Personal Data for the following purposes, each of which is supported by one or more of the legal bases identified in Section 3:

• Provisioning, operating, maintaining, and improving the Service and its features, functionalities, and performance;
• Creating, administering, and managing Subscriber accounts and authentication credentials;
• Processing subscription payments, issuing invoices, managing billing cycles, and handling refund requests;
• Facilitating appointment scheduling, booking management, calendar synchronization, and notification delivery;
• Providing customer support, responding to inquiries, and resolving technical issues;
• Sending transactional communications, including booking confirmations, appointment reminders, cancellation notices, and account-related notifications;
• Sending marketing and promotional communications to Subscribers who have opted in or where otherwise permitted by applicable law;
• Conducting analytics, usage monitoring, and statistical analysis to understand usage patterns and improve the Service;
• Detecting, preventing, investigating, and responding to fraud, security incidents, unauthorized access, and other potentially illegal or harmful activities;
• Complying with applicable laws, regulations, legal processes, governmental requests, and enforceable judicial or administrative orders;
• Enforcing the Company’s Terms of Service, this Policy, and other applicable agreements; and
• Generating aggregated, de-identified, or anonymized datasets for product development, benchmarking, research, and industry reporting purposes.

5.Data Sharing and Third-Party Disclosures

The Company does not sell, rent, lease, or trade Personal Data to third parties for their own marketing purposes. The Company may disclose Personal Data to the following categories of recipients under the following circumstances:

• Sub-processors and Service Providers: The Company engages third-party sub-processors and service providers to perform functions on its behalf, including cloud hosting and infrastructure (e.g., Vercel, Supabase), payment processing (e.g., Stripe), email delivery (e.g., Resend), analytics, and customer support tooling. Such sub-processors are contractually obligated to process Personal Data only in accordance with the Company’s instructions and applicable data protection laws.
• Legal Compulsion: The Company may disclose Personal Data when required to do so by applicable law, regulation, legal process, subpoena, court order, or governmental or regulatory request, or when the Company believes in good faith that disclosure is necessary to protect the rights, property, or safety of the Company, its users, or the public.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or other corporate transaction, Personal Data may be transferred to the acquiring entity or successor-in-interest, subject to the terms of this Policy. The Company shall provide notice of any such transfer to affected data subjects where required by applicable law.
• With Consent: The Company may share Personal Data with third parties where the data subject has provided explicit, informed consent to such disclosure.
• Professional Advisors: The Company may disclose Personal Data to its attorneys, auditors, accountants, and other professional advisors in connection with the provision of legal, accounting, or advisory services.

6.International Data Transfers

The Company is headquartered in the United States of America, and Personal Data collected through the Service may be transferred to, stored in, and processed in the United States and other jurisdictions in which the Company, its affiliates, or its sub-processors operate. These jurisdictions may have data protection laws that differ from those in your jurisdiction of residence.

Where the Company transfers Personal Data from the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, the Company relies on appropriate safeguards, including Standard Contractual Clauses (“SCCs”) approved by the European Commission, UK International Data Transfer Addendum, or other legally recognized transfer mechanisms to ensure that Personal Data is afforded an adequate level of protection in accordance with applicable data protection laws.

By using the Service, you acknowledge and consent to the transfer, storage, and processing of your Personal Data in the United States and other jurisdictions as described herein.

7.Data Retention

The Company retains Personal Data for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal obligations, to resolve disputes, and to enforce the Company’s agreements. The specific retention period applicable to each category of Personal Data is determined based on the following criteria:

• Account Data: Retained for the duration of the Subscriber’s active account and for a period of ninety (90) days following account termination or deletion, after which it shall be permanently deleted or anonymized unless longer retention is required by applicable law.
• Transactional Data: Retained for a minimum of seven (7) years following the date of the transaction to comply with tax reporting, accounting, and financial regulatory obligations.
• Usage and Telemetry Data: Retained in identifiable form for a period of twenty-four (24) months from the date of collection, after which it is aggregated and anonymized.
• End User Data: Retained in accordance with the Subscriber’s instructions and the terms of the applicable data processing agreement. Upon termination of the Subscriber’s account, End User data shall be deleted within ninety (90) days unless otherwise required by applicable law or requested by the Subscriber.

When Personal Data is no longer required for its stated purpose and no legal obligation mandates further retention, the Company shall securely delete, destroy, or irreversibly anonymize such data using industry-standard methods.

8.Security Measures

The Company implements and maintains appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, accidental loss, destruction, alteration, disclosure, or other unlawful processing. These measures include, but are not limited to:

• Encryption of data in transit using Transport Layer Security (TLS) protocols and encryption of data at rest using AES-256 or equivalent encryption standards;
• Role-based access controls and the principle of least privilege for access to systems containing Personal Data;
• Multi-factor authentication for administrative and privileged access to production systems;
• Regular vulnerability assessments, penetration testing, and security audits conducted by qualified personnel;
• Intrusion detection and prevention systems, firewall configurations, and network segmentation;
• Comprehensive audit logging and monitoring of access to systems and data;
• Incident response procedures and breach notification protocols in accordance with applicable data protection laws; and
• Employee security awareness training and confidentiality obligations for all personnel with access to Personal Data.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure, and the Company cannot guarantee the absolute security of Personal Data. The Company shall not be liable for any unauthorized access, disclosure, or loss of Personal Data resulting from circumstances beyond its reasonable control.

9.Your Rights (Data Subject Rights)

Subject to applicable law and certain exemptions, you may have the following rights with respect to your Personal Data:

• Right of Access: You have the right to request confirmation of whether the Company is processing your Personal Data and, if so, to obtain a copy of such data along with supplementary information regarding the processing activities.
• Right to Rectification: You have the right to request the correction or completion of inaccurate or incomplete Personal Data concerning you.
• Right to Erasure: You have the right to request the deletion of your Personal Data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw your consent; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed.
• Right to Restriction of Processing: You have the right to request the restriction of processing of your Personal Data under certain circumstances, including where you contest the accuracy of the data or where the processing is unlawful.
• Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit such data to another controller without hindrance.
• Right to Object: You have the right to object to the processing of your Personal Data on grounds relating to your particular situation, including processing based on legitimate interests or for direct marketing purposes.
• Right Regarding Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe that the processing of your Personal Data violates applicable data protection laws.

To exercise any of the foregoing rights, please submit a verifiable request to legal@timebase.pro. The Company shall respond to valid requests within thirty (30) days or such shorter period as required by applicable law. The Company may require verification of your identity before processing your request.

10.Cookies and Tracking Technologies

The Service utilizes cookies and similar tracking technologies (collectively, “Cookies”) to collect and store information about your interactions with the Service. The Company employs the following categories of Cookies:

• Strictly Necessary Cookies: These Cookies are essential for the operation of the Service and enable core functionality such as authentication, session management, security features, and load balancing. These Cookies cannot be disabled without impairing the functionality of the Service.
• Analytics and Performance Cookies: These Cookies collect information about how users interact with the Service, including pages visited, features used, and error occurrences. This information is used to analyze usage patterns, identify performance issues, and improve the Service. Analytics data may be processed by third-party analytics providers such as Vercel Analytics.
• Functional Cookies: These Cookies enable enhanced functionality and personalization, such as remembering user preferences, language settings, timezone selections, and other customization options.

You may manage your Cookie preferences through your browser settings. Most web browsers allow you to control Cookies through their settings preferences. However, if you choose to disable or restrict Cookies, certain features or functionality of the Service may be impaired or unavailable. For more information about managing Cookies, please consult your browser’s help documentation.

11.Children’s Privacy

The Service is not directed at, marketed to, or intended for use by individuals under the age of sixteen (16) years. The Company does not knowingly collect, solicit, or process Personal Data from children under the age of sixteen. If the Company becomes aware that it has collected Personal Data from a child under sixteen without verifiable parental or guardian consent, the Company shall take commercially reasonable steps to promptly delete such data from its systems. If you believe that the Company has inadvertently collected Personal Data from a child under sixteen, please contact us immediately at legal@timebase.pro.

12.California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”). In accordance with the CCPA, the Company provides the following disclosures:

Categories of Personal Information Collected

The Company has collected the following categories of personal information within the preceding twelve (12) months: identifiers (name, email, phone number, IP address); commercial information (transaction history, subscription details); internet or other electronic network activity information (usage data, browsing history, interaction data); geolocation data (inferred from IP address); and professional or employment-related information (business name, business type).

Your Rights Under CCPA

• Right to Know: You have the right to request that the Company disclose the categories and specific pieces of personal information it has collected about you, the categories of sources from which such information was collected, the business or commercial purpose for collecting such information, and the categories of third parties with whom such information has been shared.
• Right to Delete: You have the right to request the deletion of personal information that the Company has collected from you, subject to certain statutory exceptions.
• Right to Correct: You have the right to request the correction of inaccurate personal information maintained by the Company.
• Right to Opt-Out of Sale or Sharing: The Company does not sell personal information as defined under the CCPA, nor does it share personal information for cross-context behavioral advertising purposes. As such, there is no need to opt out of such activities.
• Right to Non-Discrimination: The Company shall not discriminate against you for exercising any of your CCPA rights, including by denying goods or services, charging different prices, providing a different level or quality of service, or suggesting that you may receive a different price or level of service.

To submit a verifiable consumer request pursuant to the CCPA, please contact us at legal@timebase.pro. The Company shall verify your identity before processing your request and shall respond within forty-five (45) days of receipt, with the possibility of a one-time extension of an additional forty-five (45) days where reasonably necessary.

13.Changes to This Policy

The Company reserves the right to modify, amend, or update this Policy at any time in its sole discretion. In the event of any material changes to this Policy, the Company shall provide notice to affected data subjects by posting the revised Policy on the Service, sending an email notification to the address associated with the Subscriber’s account, or through other reasonable means of communication not less than thirty (30) days prior to the effective date of such changes.

Your continued use of the Service following the effective date of any modification to this Policy shall constitute your acceptance of such modification. If you do not agree to the modified Policy, you must discontinue your use of the Service prior to the effective date of the modification. The “Last Updated” date at the top of this Policy indicates when the most recent revisions were made.

14.Contact and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or your rights as a data subject, please contact us using the following information:

The Company has designated a Data Protection Officer (“DPO”) responsible for overseeing compliance with applicable data protection laws. For inquiries specifically related to data protection matters, including requests to exercise data subject rights, please direct your correspondence to the DPO at the contact information provided above. The Company shall endeavor to respond to all data protection inquiries within thirty (30) days of receipt.