Client Portal — Privacy Notice
policies-public/privacy-policy-portal.mdClient Portal — Privacy Notice
Effective date: 2026-05-28 Last updated: 2026-06-30 Last reviewed: 2026-06-30 Version: 1.0
This notice applies to people who access the TimerOS Client Portal as a client of a TimerOS Customer (the "Supplier"). The Client Portal is the web app where you, as a client of the Supplier, can see project status, invoices, support tickets, and shared documents.
It is shorter than the main Privacy Policy because your relationship is primarily with the Supplier, not with us.
Who is responsible for your data
The Supplier (your business contact who invited you) is the controller of the data shown to you in the portal. TimerOS provides the technology and acts as a processor under contract with the Supplier.
If you want to:
- Access or correct your portal account details: contact the Supplier first; they can update them.
- Stop using the portal: ask the Supplier to deactivate your account.
- Make a GDPR or CCPA request about the project data shown to you: contact the Supplier; they are the controller.
For account-security incidents (e.g. you think your portal account was compromised) you may also email TimerOS at security@timeros.ai.
What we collect about you
Only what's needed to authenticate you and operate the portal:
- Email, name, hashed password (stored using bcrypt, an industry-standard salted one-way hash), refresh tokens.
- Records of pages you visit in the portal and timestamps, for security and to show you "what's new."
- IP address of each session (12-month retention).
We do not track your activity outside the portal. We set no third-party cookies.
How long we keep it
- Portal account and authentication data (your email, name, hashed password, and refresh tokens): kept for as long as your portal account is active. When the Supplier deactivates your account, we delete or anonymise this data within 90 days, except where a longer period is required to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Session IP addresses: retained for 12 months (as noted above), then deleted.
- Project and business data shown to you is controlled and retained by the Supplier, not by TimerOS; ask the Supplier about its retention practices.
What the Supplier may share with you in the portal
The Supplier controls what you see. Typically:
- Project status, milestones, deliverables.
- Invoices and payment status.
- Support tickets you have raised.
- Documents the Supplier has marked customer-visible.
- The first name and role of the team members assigned to your projects.
The Supplier does not share with you, through the portal, its employees' productivity scores, internal cost data, salaries, internal notes that are not marked customer-visible, or activity classification labels. If you believe the portal is exposing data it should not, email security@timeros.ai.
Your rights
The full set of GDPR and CCPA rights described in the main Privacy Policy applies to you for your portal account information (TimerOS as controller of that thin layer of data). For the business data shown to you in the portal, address those rights to the Supplier.
Contact
- TimerOS Privacy: privacy@timeros.ai
- TimerOS Security: security@timeros.ai
- Postal: Vezoft (a company registered in Bulgaria under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria) ("Vezoft"), see Imprint for the full registered address