Privacy Policy

1. Scope of this Policy

This Privacy Policy applies to:

• Our websites and web application
• Our marketing, advertising, and analytics activities related to the Services
• Communications we send from Timeliner email addresses, phone numbers, and messaging accounts (including WhatsApp)
• Support and onboarding calls made by our team

This policy does not apply to third-party websites, tools, or services that you may connect to Timeliner. Their privacy practices are governed by their own policies.

2. Business Accounts, Roles, and Responsibilities

Timeliner is primarily a business-to-business (B2B) platform.

2.1 Controller and Processor Roles

When organizations use Timeliner to manage projects, media, and client approvals, they may upload or manage data about other individuals (“Customer Data”), including clients, collaborators, and team members. For Customer Data, the organization that controls the workspace is the “data controller” (in GDPR terms) or “business” (in US state privacy terms), and Timeliner acts as the “data processor” or “service provider.”

For account-level data (billing, authentication, product analytics, security), Timeliner acts as an independent controller.

2.2 Invited Users, Guests, and Clients

If you are an invited user, guest, or client reviewer accessing content through a business workspace, requests related to project content, approvals, or deletion may need to be handled by the workspace administrator. We will route data-subject requests accordingly.

3. Information We Collect

3.1 Information You or Your Workspace Provide

• Account and workspace information: name, email address, phone number, role, workspace details, language preference, time zone
• Invited user and client information: names, email addresses, phone numbers, permissions
• Project and workflow data: tasks, statuses, deadlines, briefs, notes, and reference links
• Media and feedback data: video, audio, images, raw footage, comments, annotations, timestamp feedback, and voice notes
• Payment tracking numbers: numeric records showing how much is owed to or by users (no bank or card details are stored by Timeliner for this purpose)
• Support and onboarding communications: messages, emails, and chat transcripts generated when you contact us or when we contact you. When you join a scheduled onboarding or demo call on Google Meet, that meeting may be recorded and transcribed (see Section 9)

3.2 Information Collected Automatically

When you use the Services, we may collect:

• IP address and general location derived from IP
• Browser type, device type, and operating system
• Pages or screens viewed and interaction events
• Clicks, scrolls, keystrokes (as event counts, not content), form field focus, and error events
• Referring URLs, UTM parameters, and timestamps
• Session recordings (video-like replays of your interaction with the Services) — see Section 6
• Diagnostic logs, crash reports, and performance telemetry

3.3 Payments

Subscription payments are processed by Stripe. Payment card information is handled directly by Stripe according to their own security and privacy practices. We do not store full card numbers on our systems.

3.4 Sensitive Categories

We do not intentionally collect special-category data under GDPR (Article 9) or sensitive personal information under US state privacy laws. Please do not upload such data unless strictly required for your workflow.

4. Magic Links and Auto-Login

Timeliner supports access through magic links that allow users to open specific media or app experiences without entering a password. Anyone who has access to the link may be able to access the related content until the link expires or is revoked. Users should treat magic links as confidential.

5. How We Use Information

We use information to:

• Provide and operate the Services
• Manage accounts, permissions, and authentication
• Enable project workflows, reviews, and approvals
• Process subscriptions and billing
• Provide customer support, including access to accounts for troubleshooting when authorized (see Section 7)
• Send service, onboarding, and feedback communications by email, WhatsApp, SMS, or voice call (see Section 8)
• Record and transcribe scheduled onboarding and demo video meetings (e.g. on Google Meet) for quality assurance, follow-up, and training (see Section 9)
• Monitor performance, reliability, and usage patterns and improve the product through session replay and event analytics (see Section 6)
• Detect, prevent, and address technical issues, abuse, fraud, and security incidents
• Measure and optimize marketing and advertising campaigns, including through Meta (Facebook) Pixel and Google products
• Comply with legal obligations and enforce our Terms

6. Session Recording and Product Analytics

We use PostHog to collect product analytics and record user sessions on our website and web application. Session recordings are video-like replays of your interactions — clicks, navigation, scrolls, and page structure — used to diagnose bugs, understand user journeys, and improve the product.

6.1 What We Record

• Mouse movements, clicks, scroll positions, and navigation
• Page structure (DOM) and network request metadata
• Console errors and performance timings
• Email addresses entered in forms (to identify abandoned signups)

6.2 What We Do Not Record

• Passwords (masked at capture)
• Content typed into form inputs other than emails (masked at capture)
• Full payment card details

6.3 Consent

For visitors we detect as located in the European Economic Area, United Kingdom, or Switzerland, session recording and non-essential analytics are disabled by default and only enabled after you grant consent through our cookie banner. For other regions, you may opt out at any time through our cookie preferences tool or your browser's Global Privacy Control (GPC) signal.

6.4 Retention

Session recordings are retained by our analytics provider for up to 12 months and then automatically deleted.

7. Support Access and Account Impersonation

To diagnose bugs, resolve support tickets, or fulfill a user request, authorized Timeliner employees may access a workspace or log into a user's account on their behalf (“impersonation”).

Impersonation is:

• Restricted to employees with administrative credentials
• Logged in our internal audit trail
• Typically performed only after you request support or give consent, except where required to investigate abuse, security incidents, legal requests, or critical platform issues
• Used only for the purpose of diagnosing or resolving the specific issue, not for browsing unrelated content

Workspace administrators may also access data within their own workspaces based on the permissions they have configured.

8. Phone, SMS, and WhatsApp Communications

When you provide a phone number during signup, invitation, or account setup, you agree that Timeliner may contact you at that number by voice call, SMS, and/or WhatsApp message for:

• Account verification and authentication codes
• Service notifications (task updates, review requests, approvals, reminders)
• Onboarding assistance, setup help, and product guidance
• Customer support and response to inquiries you initiate
• Feedback, product-research, and relationship-building communications (including check-in calls)
• Billing and account-status communications (e.g. failed payment)
• Marketing communications, where permitted by applicable law and, where required, with your prior express consent

8.1 Autodialer / Prerecorded Calls

By providing a phone number and accepting our Terms of Service, you expressly consent to receive calls and text messages from Timeliner at that number, which may be placed using automatic telephone dialing systems or prerecorded voice messages. Your consent is not a condition of purchasing any goods or services. Message and data rates may apply. Message frequency varies.

8.2 Opt-Out

You may opt out of non-essential phone, SMS, and WhatsApp communications by:

• Replying STOP to any SMS or WhatsApp message
• Telling a Timeliner representative during a call that you wish to stop receiving calls
• Emailing contact@timeliner.io with “unsubscribe” in the subject line

Essential service communications (security alerts, billing failures, account-critical notices) cannot be turned off while your account remains active.

8.3 WhatsApp

WhatsApp messages from Timeliner are delivered through the WhatsApp Business Platform operated by Meta. Your use of WhatsApp is also governed by WhatsApp's own terms and privacy policy.

9. Meeting Recording and AI Transcription

When you join a scheduled onboarding, demo, or sales video meeting with Timeliner — typically hosted on Google Meet — that meeting may be recorded and automatically transcribed using Fireflies.ai for quality assurance, follow-up notes, training, and internal coaching purposes. Other one-off voice calls, phone calls, SMS, and WhatsApp messages are not recorded.

Where required by law (including two-party consent jurisdictions in the United States such as California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington), we will provide a disclosure at the start of the meeting (for example, through the Google Meet recording indicator and the Fireflies.ai notetaker joining the call) and will only proceed with recording after you are notified. If you do not wish to be recorded, you may ask us to disable recording or leave the meeting.

Meeting recordings and transcripts are stored on our infrastructure and with our meeting and transcription vendors (including Google and Fireflies.ai), retained for up to 24 months, and then deleted unless retention is required for legal or compliance reasons.

10. Cookies and Tracking Technologies

We use cookies, pixels, local storage, SDKs, and similar technologies to operate the Services, analyze usage, record sessions, and measure marketing performance. Detailed information is provided in our Cookie Policy.

You may control cookies through your browser settings, our in-product consent tool, or by sending a Global Privacy Control (GPC) signal, where available.

11. How We Share Information

11.1 Service Providers and Sub-processors

We share information with third-party providers that perform services on our behalf, under written agreements that require them to protect the information:

• Amazon Web Services (AWS) — cloud infrastructure, media processing, and storage
• Cloudflare — CDN, file storage, security, and performance
• Vercel — application hosting and edge delivery
• Supabase — database, authentication, and realtime services
• PostHog — product analytics and session recording
• Google Analytics and Google Tag Manager — website analytics and tag management
• Meta Pixel — advertising measurement and retargeting
• Stripe — payment processing and billing
• Twilio — voice calling and SMS delivery
• WhatsApp (Meta) — messaging through the WhatsApp Business Platform
• GoHighLevel (GHL), Resend, and related email vendors — transactional and marketing email delivery
• Google (Workspace and Google Meet) — hosting scheduled video meetings and, where enabled, their recordings
• Fireflies.ai — AI notetaker and transcription for scheduled onboarding and demo meetings

A current list of material sub-processors is available on request at contact@timeliner.io.

11.2 Within Your Workspace

Workspace administrators and authorized users may access information based on assigned roles and permissions.

11.3 Legal and Safety Reasons

We may disclose information if required to comply with applicable law, valid legal process, court order, or government request; to enforce our Terms; to protect the rights, property, or safety of Timeliner, our users, or others; or to investigate fraud, abuse, or security incidents.

11.4 Business Transfers

If Timeliner is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

11.5 No Sale of Personal Information

We do not sell personal information for money. Certain cookie- and pixel-based advertising activity (for example, use of Meta Pixel and Google advertising products) may be considered a “sale” or “sharing” of personal information under California law and similar US state laws. You may opt out through our cookie preferences tool or Global Privacy Control signal.

12. International Data Transfers

Timeliner operates globally. Information we collect is processed primarily in the United States, and may be processed in other countries where our service providers operate.

Where we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on lawful transfer mechanisms, such as:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, and the UK Addendum where applicable
• EU-U.S. Data Privacy Framework participation (where applicable to a specific vendor)
• Derogations permitted by Article 49 GDPR for specific transfers

13. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, or reporting requirements. Typical retention periods are:

• Account and workspace data: for the life of the account plus up to 30 days after cancellation
• Billing and tax records: up to 7 years, as required by applicable tax and accounting law
• Session recordings and product analytics: up to 12 months
• Onboarding / demo meeting recordings and transcripts: up to 24 months
• Support communications: up to 36 months after the last interaction
• Server and security logs: up to 12 months
• Marketing analytics and advertising attribution: up to 24 months

Some information may be retained longer if required for legal compliance, dispute resolution, fraud prevention, or security purposes, and may be retained in backups for a limited additional period until those backups are recycled.

14. Data Export

You or a workspace administrator may request an export of personal data and account data by emailing contact@timeliner.io. Automated self-service export tools may not be available at this time.

15. Security

We take reasonable technical and organizational measures designed to protect information in the Services, including encryption in transit, access controls, role-based permissions, and audit logging of administrative activity. However, no system can be guaranteed to be completely secure, and we cannot guarantee absolute security.

16. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify our business customers (as the data controllers) and, where required by applicable law, affected individuals and competent supervisory authorities, within the time frames required by law (for example, without undue delay and where feasible within 72 hours under GDPR Article 33).

17. Children's Privacy

The Services are a business tool and are not directed at children. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided personal information to us, please contact contact@timeliner.io and we will take appropriate steps to delete it.

18. Legal Bases for Processing (EEA / UK / Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases:

• Contractual necessity — to provide the Services you or your workspace request
• Legitimate interests — to operate, secure, and improve the Services, prevent fraud and abuse, and conduct direct B2B marketing where permitted
• Consent — for non-essential cookies, session recording, marketing communications where required, and other processing that requires consent by law
• Legal obligations — to comply with tax, accounting, and other laws

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

19. Your Rights and Choices

Depending on your location and the nature of your relationship with us, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Receive a portable copy of certain data in a commonly used machine-readable format
• Not be subject to solely-automated decisions producing legal or similarly significant effects (we do not currently make such decisions about users)
• Appeal a denial of a privacy request, where required by your state's law
• Lodge a complaint with your local data-protection supervisory authority

If your data is part of a business workspace, requests related to Customer Data may need to be routed to the workspace administrator.

To submit a request, contact contact@timeliner.io. We will verify your identity before responding, and we will respond within the time frames required by applicable law.

20. EU / UK Representative

Timeliner Inc. is established in the United States. Where required under Article 27 of the EU GDPR or the UK GDPR, we will appoint a representative on request. In the interim, EEA and UK data subjects may contact us directly at contact@timeliner.io for any matter relating to the processing of their personal data.

21. US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, or any other US state with a comprehensive consumer-privacy law in effect, you may have additional rights under those laws, including the rights to:

• Know what personal information we collect, use, disclose, and (where applicable) “sell” or “share”
• Access and receive a copy of your personal information
• Request correction or deletion
• Opt out of “sale” or “sharing” of personal information, and of targeted advertising
• Opt out of profiling that produces legal or similarly significant effects
• Limit use of sensitive personal information
• Not be discriminated or retaliated against for exercising your privacy rights
• Appeal a denial of a privacy request, where your state provides an appeal right
• Californians: request disclosure of any personal information shared with third parties for their direct marketing (California “Shine the Light” law)

We honor opt-out preference signals such as the Global Privacy Control (GPC) for known regions where required.

To exercise any of these rights, contact us at contact@timeliner.io. You may designate an authorized agent to submit requests on your behalf, subject to our identity-verification requirements.

22. Data Processing Addendum (B2B)

Business customers subject to GDPR, UK GDPR, CCPA, or similar laws may request a Data Processing Addendum (DPA) containing Standard Contractual Clauses and processor commitments by emailing contact@timeliner.io.

23. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and provide notice as required by law, for example by email or in-product notification. Continued use of the Services after the effective date means you accept the updated policy.

24. Contact Us

If you have questions or requests regarding this Privacy Policy or your personal data: