Privacy Policy
policies-public/privacy-policy.mdPrivacy Policy
Version: 1.0 | Last reviewed: 2026-06-30 Effective date: 2026-05-28 Last updated: 2026-06-30
This Privacy Policy explains how Vezoft (a company registered in Bulgaria under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria) ("Vezoft", TimerOS, "we", "us") processes personal data when you visit our website, register an account, or use the TimerOS service (the "Service"). It is written to satisfy the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and the comprehensive state privacy laws of Colorado, Connecticut, Utah, Virginia, Texas, and Oregon. It also describes how the on-device AI activity classification feature works, as required by Article 50 of the EU AI Act.
If something here conflicts with a separate written agreement between TimerOS and your employer (the "Customer DPA"), the Customer DPA prevails for processing of employee personal data.
1. Who we are, and the two roles we play
TimerOS plays one of two roles depending on whose data is involved.
Controller role. We are the controller of personal data we collect directly: visitors to our website, people who sign up for an account, and people who contact us by email.
Processor role. When a Customer (an employer or contractor) uses TimerOS to track its employees, contractors, or clients, the Customer is the controller of that personal data and TimerOS is the processor. We process that data only on the Customer's documented instructions, as set out in the Customer Data Processing Agreement. If you are an employee of a TimerOS Customer and want to exercise your data rights about your time-tracking data, contact your employer first — they hold the controller obligations. We will help them respond.
| TimerOS contact | |
|---|---|
| Privacy and data-subject requests | privacy@timeros.ai |
| Security incidents and vulnerability reports | security@timeros.ai |
| General support | support@timeros.ai |
| Postal address | Vezoft, with registered office in Kardzhali, Bulgaria (see Imprint for the full registered address) |
| EU representative (Art. 27 GDPR) | Not required — Vezoft is established in Bulgaria (EU Member State). |
| Data Protection Officer | Not appointed — Vezoft is below the thresholds in GDPR Art. 37(1)(b) and (c). |
2. What we collect, why, and the legal basis
2.1 When you visit the website or download an application
| Data | Purpose | GDPR legal basis | Retention |
|---|---|---|---|
| IP address, user agent, page visited, timestamp, referrer | Operate and secure the site; aggregate visit counts | Legitimate interests (Art. 6(1)(f)) | 14 days in server logs; aggregated counts indefinitely |
| Contact form content (name, email, message) | Respond to your enquiry | Legitimate interests (Art. 6(1)(f)) or Pre-contract (Art. 6(1)(b)) if you ask about a purchase | 24 months after last contact |
| Google Play download / install telemetry (for the Android companion application — a review / management dashboard that does not track time or run the activity classifier) — collected by Google LLC as the Play Store operator under its own terms | Distribution of the companion application; Google's own anti-abuse and update mechanisms | Necessary for performance of the distribution contract (Art. 6(1)(b)) between you and Google; we receive only aggregated install counts | Determined by Google; see Google Play Privacy |
We do not use Google Analytics, Meta Pixel, HubSpot, Mixpanel, Segment, or any other third-party analytics on our public website at the date above. If that changes we will update the Cookie Policy and this section, and add a consent mechanism where required.
2.2 When you register a TimerOS account
| Data | Purpose | GDPR legal basis | Retention |
|---|---|---|---|
| Full name, email, password (hashed with bcrypt, 12 rounds), workspace name, organization details, country, seat count | Provide the Service; manage your subscription; comply with our legal obligations | Contract (Art. 6(1)(b)); Legal obligation for invoicing (Art. 6(1)(c)) | Duration of subscription + 30-day grace; 7 years for billing-related records (tax law) |
| Payment method ID (returned from Stripe; we never see the card number) | Process subscription payments via Stripe | Contract (Art. 6(1)(b)) | Duration of subscription + 7 years for tax records |
| Two-factor authentication secret (AES-256-GCM encrypted) and backup codes (bcrypt-hashed) | Secure your account | Legitimate interests in account security (Art. 6(1)(f)) | Until you disable 2FA, then deleted |
| Refresh tokens, access tokens, login timestamps, IP address of the login | Maintain your session, detect compromise | Legitimate interests in security (Art. 6(1)(f)) | Refresh token: until logout or 7 days, whichever first. Login records: 12 months |
2.3 When you use TimerOS as an employee of a TimerOS Customer
When you are an employee, contractor, or worker of a TimerOS Customer, that Customer is the controller of your personal data. You may interact with the Service through any of its surfaces — the desktop application, the web application, the Android companion application (a review / management dashboard), or the per-tenant client portal — but automatic activity tracking and the activity classifier run only on the Windows desktop application; the other surfaces only display and manage data the desktop has already produced (and data you or your manager enter manually).
TimerOS processes the following on the Customer's instructions:
| Data the Customer stores about you on our servers | Purpose set by the Customer |
|---|---|
| Employment record: name, email, phone, hire date, date of birth, gender, nationality, tax ID, job title, salary, addresses, emergency contact, certifications, photo | HR management |
| Time entries: date, clock-in time, hours (regular / overtime / break / billable / non-billable), project, task | Time tracking; payroll; client billing |
Activity status: a snapshot label such as productive, idle, break, overtime, off_work, offline and the time it changed |
Display "is the worker active" status |
| Shifts, schedules, leave requests, approvals | Workforce scheduling |
| Payslips with salary, deductions, tax info | Payroll records |
| Data processed locally on your own device and not transmitted to TimerOS | Why |
|---|---|
| The title of your current foreground window | Input to the activity classifier |
| The name of the running application | Input to the activity classifier |
| The time since your last keyboard or mouse activity | Idle detection |
| Whether your operating system session is locked | Detect break time |
The locally-processed data is read in memory, fed into the classifier (a scored rule engine combined with a small on-device statistical classifier — no cloud AI service, no model download, no large language model, no network call), discarded, and never sent to TimerOS servers or to any third party. Only the resulting activity status (one of: productive, idle, break, overtime, off_work, offline) and the aggregate hours-per-bucket totals are sent to the Customer's workspace.
TimerOS does not take screenshots, record the screen, capture keystrokes, record audio or video, monitor browsing history, or transmit the names of the applications or windows you use.
2.4 When you are a client of a TimerOS Customer using the Client Portal
| Data | Purpose | Controller |
|---|---|---|
| Email, name, hashed password | Authenticate you to your supplier's portal | The Customer (the supplier) |
| Records of projects, tasks, invoices, support tickets that the supplier has chosen to share with you | Show you progress on work being done for you | The Customer |
2.5 Manual and edited time entries
Time entries are not exclusively produced by the timer. Either the employee or an authorised manager may create a time entry manually (for example, to record work performed offline) or edit an existing time entry (for example, to correct a wrong project assignment, a missed clock-out, or an inaccurate duration).
- Audit log. Every create, edit, and deletion of a time entry is recorded in an append-only audit log capturing who made the change, when (UTC timestamp), and the full before/after state of the affected fields. The audit log is append-only — no TimerOS interface (UI or API) can edit or delete an entry; this is enforced at the application and database layer.
- Visible "Edited" badge. Time entries that have been manually created or subsequently edited are displayed in the desktop app, the Customer's dashboard, and the Client Portal with a visible "Edited" badge, so reviewers can distinguish them from timer-captured entries.
- GDPR basis. This mechanism supports the accuracy principle in GDPR Art. 5(1)(d) (personal data must be accurate and, where necessary, kept up to date) and the right to rectification under GDPR Art. 16 (you can request correction of inaccurate personal data). If you are an employee and you believe a time entry about you is inaccurate, ask your employer to correct it; the corrected entry will carry the "Edited" badge and the change will be visible in the audit log.
- Retention. The audit log for a time entry is retained for the same statutory period as the underlying payroll record (see Section 6), so that the evidentiary trail for any pay calculation remains intact for as long as the payroll record itself.
3. About the AI activity classifier (EU AI Act Art. 50 notice)
The TimerOS desktop app includes an on-device AI feature that gives your current foreground activity one of two labels — "productive" or "idle" — together with a confidence score. The desktop timer then uses that label, together with how long you have been idle and your shift schedule, to decide how the time shows up on your timesheet — as productive, idle, break, overtime, or off-work time. When the desktop timer is not running, your activity status is recorded as "offline". This notice tells you how it works.
- Where it runs. Entirely on your device. We do not send your window titles or application names to any cloud AI service. The classifier consists of (a) a scored rule engine that matches application names and window-title substrings against built-in lists of well-known work and non-work apps and websites, combining signals such as application match, title match, and overlap with your assigned project, task, and job-title keywords; and (b) optionally, a small on-device statistical classifier whose weights are included with the desktop installer (a few tens of kilobytes, not a multi-gigabyte language model). No cloud AI service, no model download, no large language model. This is a deliberate privacy upgrade over earlier designs that contemplated a locally-running large language model: the current architecture removes the entire class of risks associated with shipping or downloading a multi-gigabyte generative model, removes any local inference server, and removes any background process that touches your activity data. We maintain a model card and an EU AI Act applicability assessment for the classifier, available to competent authorities on request.
- What it sees. Only the title of the currently-foreground window and the name of the running application, at the moment of classification. It does not see the contents of files, the body of emails, browsing history, or anything you type.
- What it outputs. The classifier itself produces a binary label ("productive" or "idle") and a confidence score (0–1). The desktop timer then maps that binary label, together with idle-time and your shift, into one of six activity-status values stored on the TimerOS servers as the
activity_statusfield of your employee record: productive, idle, break, overtime, off_work, or offline. The field is overwritten each time the status changes. Past labels are not stored as a log; only the current status plus aggregated hour totals are persisted. - What it is not. The classifier is not an automated decision-making system in the sense of GDPR Art. 22. The classifier does not, by itself, produce any decision affecting your employment, pay, discipline, or promotion. The Terms of Service require Customers to make those decisions through human review of broader evidence. Under EU AI Act Art. 6(3), TimerOS positions this classifier as a system that performs a "narrow procedural task" (mapping a window title to one of a finite set of labels) and is not "high-risk" within the meaning of Annex III.
- Human oversight. You and your employer can override any classification through the timer bar. Classifications can be reviewed and corrected at any time, and your corrections are stored only on your device. In the desktop app's Settings → Activity Detection → Tracking mode you can switch to Rule-based (AI/ML layer off, rule engine alone) or Manual (no automatic classification — you set your own state). The rule engine is deterministic for a given installed version, so the same activity always receives the same classification.
- Accuracy and limitations. The classifier is approximate. For example, a Stack Overflow tab you are reading may be labelled "idle" because you are not typing or clicking, even though you are doing real work. Both you and your employer should treat the labels as indicative, not exact.
If you have questions about how the classifier handled a specific period of time, email privacy@timeros.ai.
4. Who we share data with
We share personal data only with the following categories of recipients, and only as needed:
| Recipient | Country | Why | Safeguards |
|---|---|---|---|
| MongoDB, Inc. (MongoDB Atlas) — 1633 Broadway, 38th Floor, New York, NY 10019, USA; EEA contracting via MongoDB Ltd (Ireland) | EU (AWS Frankfurt eu-central-1 / Ireland eu-west-1); all clusters in the EU |
Managed database hosting — all data at rest. Dedicated tier M10+, AES-256 encryption at rest | MongoDB DPA auto-incorporated into the Cloud Terms of Service; EU 2021 SCCs (Module 2 controller-to-processor and Module 3 processor-to-processor); EU-US Data Privacy Framework certification; UK IDTA addendum; EU-tenant clusters pinned to an EU region |
| Render Services, Inc. — 525 Brannan Street, Suite 300, San Francisco, CA 94107, USA; compute runs on AWS | EU (Frankfurt — AWS eu-central-1) | Application / API hosting — data in transit and transient | Render DPA; EU SCCs; EU-US Data Privacy Framework; TLS in transit |
| Cloudflare, Inc. — 101 Townsend Street, San Francisco, CA 94107, USA | Uploaded files pinned to the EU (R2, jurisdiction=eu); IP / request metadata on the global edge |
Object storage for uploaded files (R2), DNS, and CDN / reverse-proxy / WAF in front of the Service (TLS termination, DDoS protection) | Cloudflare DPA; EU SCCs; EU-US Data Privacy Framework |
| Lettermint B.V. — Willemsvaart 16 B, Unit 1.08, 8019 AB Zwolle, The Netherlands (Dutch Chamber of Commerce (KvK) no. 99337711) | EU/EEA only (own EU infrastructure, Autonomous System AS213427 — primary hosting UpCloud, Netherlands; backup OVHcloud, France); sending domain mail.timeros.ai | Transactional / system email delivery (API/SMTP) — account & security email (verification, password reset), team invitations, invoices, sub-processor & legal-change notices, workforce notification emails. Categories of personal data: recipient email address & name; email subject & body content; engagement/technical metadata (opens, clicks, bounces, IP address, email-client/device data) | Lettermint DPA; sub-processor list. None required — processed within the EU/EEA. Lettermint runs its own EU infrastructure (no AWS/Google/Microsoft in the email path); email data encrypted at rest in EU data centres. No EU-US Data Privacy Framework and no Standard Contractual Clauses are required for the email payload (EU-to-EU processing). Email is transmitted over TLS-encrypted connections. Message content and delivery/engagement metadata are retained only as long as needed to deliver the message and provide deliverability reporting; all personal data is deleted within 30 days of termination. Lettermint holds no third-party security certification at this time (it states ISO 27001 certification is in progress). |
| Stripe Payments Europe, Limited — 1 Grand Canal Street Lower, Dublin 2, D02 H210, Ireland (with Stripe, Inc., US, for cross-border) | EU (Ireland) + some US | Subscription billing — billing contact and payment metadata | DPA in place; EU-US Data Privacy Framework + EEA SCCs; PCI DSS Level 1 |
| Zoho Corporation B.V. (operator of Zoho's EU service, zoho.eu) — Amsterdam, the Netherlands | EU (Amsterdam + Dublin) | EU business mailboxes hosting support@/hello@/privacy@/security@ inboxes — inbound email and attachments; no EEA exit for the EU service | Zoho DPA; EEA SCCs |
| Google LLC — 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | US (with global edge) | Android companion app only — Google Play distribution and optional Firebase Cloud Messaging push delivery (install telemetry, FCM token, push payload). The Android app is a review / management dashboard; it does not track time and does not run the activity classifier | Google Cloud / Play DPA; EU SCCs Module 2; EU-US Data Privacy Framework certification |
| Government authorities | Varies | Only when required by valid legal process | We push back on overbroad requests and notify the data subject where lawful |
iOS / Apple distribution is planned but not yet active; Apple is not currently an active sub-processor.
A complete and current list is at /legal/subprocessors. The Customer DPA grants Customers the right to object to new sub-processors with 30 days' notice.
We do not sell personal data (CCPA/CPRA definition) and we do not share personal data for cross-context behavioural advertising.
5. International transfers
If you are in the EU/EEA/UK and we transfer your personal data to a country that does not have an adequacy decision (typically the United States), we rely on the European Commission's Standard Contractual Clauses (Module 1 controller-to-controller, or Module 2 controller-to-processor as appropriate), supplemented by the EU-US Data Privacy Framework where the recipient is certified, technical measures (encryption in transit and at rest), and the contractual measures in our sub-processor DPAs.
For EU Customers, the database (MongoDB Atlas) and the application servers (Render) are deployed in EU regions, and uploaded files (Cloudflare R2) and EU business mailboxes (Zoho) are pinned to the EU. Transactional / system email (Lettermint B.V., a Netherlands entity) is processed entirely within the EU/EEA on Lettermint's own EU infrastructure, so no international transfer arises for the email payload — no EU-US Data Privacy Framework and no Standard Contractual Clauses are required for it. The only flow genuinely processed in the United States is Android companion-app push notifications, delivered through Google's Firebase Cloud Messaging; this is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses. Several of the other EU-resident providers are nonetheless US-incorporated entities (MongoDB, Render, and Cloudflare); for those, the SCCs + EU-US Data Privacy Framework still apply as a safeguard against potential US government access even though the data is processed in the EU. The applicable regions are stated in the Customer DPA, Annex 3.
6. How long we keep data
Retention varies by data type. The full retention schedule is in our Data Retention Policy and the key periods are reproduced in the table in Section 2 above. As a general rule:
- Operational data is kept for the duration of the relationship plus a 30-day grace period for recovery.
- Records required by tax, accounting, or other law are kept for the statutory period (typically 5–10 years).
- Security logs are kept for 12 months.
- Backups are kept for 30 days and then overwritten.
After expiry, data is hard-deleted (database documents are removed, files are removed from object storage, and the next-cycle backup no longer contains them).
7. Your rights
If we are a controller of your data, you have the following rights and you can exercise any of them by emailing privacy@timeros.ai.
Under GDPR / UK GDPR:
- Access (Art. 15): a copy of your personal data and information about how we use it.
- Rectification (Art. 16): correction of inaccurate data.
- Erasure (Art. 17): deletion, subject to limited exceptions (legal obligations, claims).
- Restriction (Art. 18): pause processing while a complaint is resolved.
- Portability (Art. 20): machine-readable export of data you provided. The Service includes a self-service export at Settings → Privacy → Export my data.
- Objection (Art. 21): object to processing based on our legitimate interests.
- Withdraw consent (Art. 7(3)) where processing is based on consent — without affecting past lawful processing.
- Lodge a complaint with your local data protection authority. A list is at edpb.europa.eu/about-edpb/about-edpb/members_en. You do not need to contact us first.
Under CCPA/CPRA (California residents) and equivalent rights in CO, CT, UT, VA, TX, OR:
- Right to know what categories of personal information we collect, the purposes, the sources, and the categories of third parties with whom we share it.
- Right to access a copy of your personal information collected over the past 12 months.
- Right to delete your personal information, subject to limited exceptions.
- Right to correct inaccurate personal information.
- Right to opt-out of sale or sharing for cross-context behavioural advertising — we do not engage in either, but the right exists.
- Right to limit use of sensitive personal information. We do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination for exercising any of the above.
We respond to verifiable requests within 30 days under GDPR and within 45 days under CCPA (extendable once for 45 more days where reasonably necessary). To verify your identity we will match your request against the email on file; for sensitive requests we may ask for an additional factor.
If you are an employee of a Customer and your request concerns time-tracking data, please contact your employer first; we will support them in fulfilling your request.
8. Cookies and similar technologies
Our public website does not set non-essential cookies at the date above. We use localStorage to keep you logged in (an essential function). Full details are in the Cookie Policy.
9. Security
We take appropriate technical and organisational measures to protect personal data, including: TLS 1.2+ in transit; encryption at rest where the underlying provider offers it; per-tenant database isolation; bcrypt password hashing; AES-256-GCM encryption of 2FA secrets; access control via short-lived authentication tokens; principle of least privilege for staff access. The full set of measures is described in Annex 2 of the DPA.
No system is perfectly secure. If you suspect an incident, email security@timeros.ai. If we determine a breach has occurred we will notify affected Customers within 72 hours of becoming aware (GDPR Art. 33) and, where required, the individuals affected (Art. 34).
10. Children
The Service is for businesses, sole-traders, and individual professionals (Freelancer tier) acting in a professional or business capacity, and their workers. It is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has registered, email privacy@timeros.ai and we will delete the account.
11. Changes to this Policy
We will post the updated Policy at this URL and update the "Last updated" date. For material changes that affect a Customer's processing, we will notify the account owner by email at least 30 days before the change takes effect, as required by the DPA.
12. Quick contact summary
- Privacy / data subject requests: privacy@timeros.ai
- Security incidents: security@timeros.ai
- General questions: support@timeros.ai
- Postal: Vezoft, with registered office in Kardzhali, Bulgaria (see Imprint for the full registered address)
- EU Representative: Not required — Vezoft is established in Bulgaria (EU Member State).