Privacy Policy

1. Scope of this Policy

This Privacy Policy applies to:

• Our websites and web application
• Our marketing, advertising, and analytics activities related to the Services
• Communications we send from Timeliner email addresses, phone numbers, and messaging accounts (including WhatsApp)
• Support and onboarding calls made by our team

This policy does not apply to third-party websites, tools, or services that you may connect to Timeliner. Their privacy practices are governed by their own policies.

2. Business Accounts, Roles, and Responsibilities

Timeliner is primarily a business-to-business (B2B) platform.

2.1 Controller and Processor Roles

When organizations use Timeliner to manage projects, media, and client approvals, they may upload or manage data about other individuals (“Customer Data”), including clients, collaborators, and team members. For Customer Data, the organization that controls the workspace is the “data controller” (in GDPR terms) or “business” (in US state privacy terms), and Timeliner acts as the “data processor” or “service provider.”

For account-level data (billing, authentication, product analytics, security), Timeliner acts as an independent controller.

2.2 Invited Users, Guests, and Clients

If you are an invited user, guest, or client reviewer accessing content through a business workspace, requests related to project content, approvals, or deletion may need to be handled by the workspace administrator. We will route data-subject requests accordingly.

3. Information We Collect

3.1 Information You or Your Workspace Provide

• Account and workspace information: name, email address, phone number, role, workspace details, language preference, time zone
• Invited user and client information: names, email addresses, phone numbers, permissions
• Project and workflow data: tasks, statuses, deadlines, briefs, notes, and reference links
• Media and feedback data: video, audio, images, raw footage, comments, annotations, timestamp feedback, and voice notes
• Payment tracking numbers: numeric records showing how much is owed to or by users (no bank or card details are stored by Timeliner for this purpose)
• Support and onboarding communications: messages, emails, and chat transcripts generated when you contact us or when we contact you. When you join a scheduled onboarding or demo call on Google Meet, that meeting may be recorded and transcribed (see Section 9)

3.2 Information Collected Automatically

When you use the Services, we may collect:

• IP address and general location derived from IP
• Browser type, device type, and operating system
• Pages or screens viewed and interaction events
• Clicks, scrolls, keystrokes (as event counts, not content), form field focus, and error events
• Referring URLs, UTM parameters, and timestamps
• Session recordings (video-like replays of your interaction with the Services) — see Section 6
• Diagnostic logs, crash reports, and performance telemetry

3.3 Payments

Subscription payments are processed by Stripe. Payment card information is handled directly by Stripe according to their own security and privacy practices. We do not store full card numbers on our systems.

3.4 Sensitive Categories

We do not intentionally collect special-category data under GDPR (Article 9) or sensitive personal information under US state privacy laws. Please do not upload such data unless strictly required for your workflow.

4. Magic Links and Auto-Login

Timeliner supports access through magic links that allow users to open specific media or app experiences without entering a password. Anyone who has access to the link may be able to access the related content until the link expires or is revoked. Users should treat magic links as confidential.

5. How We Use Information

We use information to:

• Provide and operate the Services
• Manage accounts, permissions, and authentication
• Enable project workflows, reviews, and approvals
• Publish or schedule content to social media accounts you choose to connect, where you use our optional publishing integrations (see Section 12)
• Process subscriptions and billing
• Provide customer support, including access to accounts for troubleshooting when authorized (see Section 7)
• Send service, onboarding, and feedback communications by email, WhatsApp, SMS, or voice call (see Section 8)
• Record and transcribe scheduled onboarding and demo video meetings (e.g. on Google Meet) for quality assurance, follow-up, and training (see Section 9)
• Monitor performance, reliability, and usage patterns and improve the product through session replay and event analytics (see Section 6)
• Detect, prevent, and address technical issues, abuse, fraud, and security incidents
• Measure and optimize marketing and advertising campaigns, including through Meta Conversions API and Google products
• Comply with legal obligations and enforce our Terms

6. Session Recording and Product Analytics

We use PostHog to collect product analytics and record user sessions on our website and web application. Session recordings are video-like replays of your interactions — clicks, navigation, scrolls, and page structure — used to diagnose bugs, understand user journeys, and improve the product.

6.1 What We Record

• Mouse movements, clicks, scroll positions, and navigation
• Page structure (DOM) and network request metadata
• Console errors and performance timings
• Email addresses entered in forms (to identify abandoned signups)

6.2 What We Do Not Record

• Passwords (masked at capture)
• Content typed into form inputs other than emails (masked at capture)
• Full payment card details

6.3 Consent

For visitors we detect as located in the European Economic Area, United Kingdom, or Switzerland, session recording and non-essential analytics are disabled by default and only enabled after you grant consent through our cookie banner. For other regions, you may opt out at any time through our cookie preferences tool or your browser's Global Privacy Control (GPC) signal.

6.4 Retention

Session recordings are retained by our analytics provider for up to 12 months and then automatically deleted.

7. Support Access and Account Impersonation

To diagnose bugs, resolve support tickets, or fulfill a user request, authorized Timeliner employees may access a workspace or log into a user's account on their behalf (“impersonation”).

Impersonation is:

• Restricted to employees with administrative credentials
• Logged in our internal audit trail
• Typically performed only after you request support or give consent, except where required to investigate abuse, security incidents, legal requests, or critical platform issues
• Used only for the purpose of diagnosing or resolving the specific issue, not for browsing unrelated content

Workspace administrators may also access data within their own workspaces based on the permissions they have configured.

8. Phone, SMS, and WhatsApp Communications

When you provide a phone number during signup, invitation, or account setup, you agree that Timeliner may contact you at that number by voice call, SMS, and/or WhatsApp message for:

• Account verification and authentication codes
• Service notifications (task updates, review requests, approvals, reminders)
• Onboarding assistance, setup help, and product guidance
• Customer support and response to inquiries you initiate
• Feedback, product-research, and relationship-building communications (including check-in calls)
• Billing and account-status communications (e.g. failed payment)
• Marketing communications, where permitted by applicable law and, where required, with your prior express consent

8.1 Autodialer / Prerecorded Calls

By providing a phone number and accepting our Terms of Service, you expressly consent to receive calls and text messages from Timeliner at that number, which may be placed using automatic telephone dialing systems or prerecorded voice messages. Your consent is not a condition of purchasing any goods or services. Message and data rates may apply. Message frequency varies.

8.2 Opt-Out

You may opt out of non-essential phone, SMS, and WhatsApp communications by:

• Replying STOP to any SMS or WhatsApp message
• Telling a Timeliner representative during a call that you wish to stop receiving calls
• Emailing contact@timeliner.io with “unsubscribe” in the subject line

Essential service communications (security alerts, billing failures, account-critical notices) cannot be turned off while your account remains active.

8.3 WhatsApp

WhatsApp messages from Timeliner are delivered through the WhatsApp Business Platform operated by Meta. Your use of WhatsApp is also governed by WhatsApp's own terms and privacy policy.

9. Meeting Recording and AI Transcription

When you join a scheduled onboarding, demo, or sales video meeting with Timeliner — typically hosted on Google Meet — that meeting may be recorded and automatically transcribed using Fireflies.ai for quality assurance, follow-up notes, training, and internal coaching purposes. Other one-off voice calls, phone calls, SMS, and WhatsApp messages are not recorded.

Where required by law (including two-party consent jurisdictions in the United States such as California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington), we will provide a disclosure at the start of the meeting (for example, through the Google Meet recording indicator and the Fireflies.ai notetaker joining the call) and will only proceed with recording after you are notified. If you do not wish to be recorded, you may ask us to disable recording or leave the meeting.

Meeting recordings and transcripts are stored on our infrastructure and with our meeting and transcription vendors (including Google and Fireflies.ai), retained for up to 24 months, and then deleted unless retention is required for legal or compliance reasons.

10. Cookies and Tracking Technologies

We use cookies, pixels, local storage, SDKs, and similar technologies to operate the Services, analyze usage, record sessions, and measure marketing performance. Detailed information is provided in our Cookie Policy.

You may control cookies through your browser settings, our in-product consent tool, or by sending a Global Privacy Control (GPC) signal, where available.

11. How We Share Information

11.1 Service Providers and Sub-processors

We share information with third-party providers that perform services on our behalf, under written agreements that require them to protect the information:

• Amazon Web Services (AWS) — cloud infrastructure, media processing, and storage
• Cloudflare — CDN, file storage, security, and performance
• Vercel — application hosting and edge delivery
• Supabase — database, authentication, and realtime services
• PostHog — product analytics and session recording
• Google Analytics and Google advertising products — website analytics and advertising measurement
• Meta Conversions API — server-side advertising measurement and retargeting
• Stripe — payment processing and billing
• Twilio — voice calling and SMS delivery
• WhatsApp (Meta) — messaging through the WhatsApp Business Platform
• GoHighLevel (GHL), Resend, and related email vendors — transactional and marketing email delivery
• Google (Workspace and Google Meet) — hosting scheduled video meetings and, where enabled, their recordings
• Fireflies.ai — AI notetaker and transcription for scheduled onboarding and demo meetings

A current list of material sub-processors is available on request at contact@timeliner.io.

11.2 Within Your Workspace

Workspace administrators and authorized users may access information based on assigned roles and permissions.

11.3 Legal and Safety Reasons

We may disclose information if required to comply with applicable law, valid legal process, court order, or government request; to enforce our Terms; to protect the rights, property, or safety of Timeliner, our users, or others; or to investigate fraud, abuse, or security incidents.

11.4 Business Transfers

If Timeliner is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.

11.5 No Sale of Personal Information

We do not sell personal information for money. Certain cookie- and server-side advertising measurement activity (for example, use of Meta Conversions API and Google advertising products) may be considered a “sale” or “sharing” of personal information under California law and similar US state laws. You may opt out through our cookie preferences tool or Global Privacy Control signal.

12. Connected Social Media Accounts and Publishing Integrations

Timeliner offers optional integrations that let you connect your own — or your clients' — social media and messaging accounts so that videos and posts prepared in Timeliner can be published or scheduled directly to those accounts. Supported and planned providers include YouTube (via Google), Meta (Facebook and Instagram), TikTok, LinkedIn, and Slack.

12.1 Optional and Plan-Gated

These integrations are available only on our Elite plan and are entirely optional. They are not required to use Timeliner, and the core Services function fully without connecting any social media account. You choose if and when to connect an account, and you may disconnect at any time.

12.2 How Connection Works

When you connect an account, you are redirected to the provider's own login and consent screen and authenticate directly with the provider — we never see or store your social media passwords. The provider returns an authorization token that allows Timeliner to perform only the specific actions you approve, such as uploading a video, setting its title, description, thumbnail, and scheduled publish time, and reading basic account or channel information to confirm the connection. We store these tokens in encrypted form and use them only to perform the actions you initiate or schedule within Timeliner.

12.3 Information We Access

Depending on the provider and the permissions you grant, we may access basic account or channel identity (such as channel name, ID, and avatar) to display the connection; the ability to upload and publish content you create in Timeliner; metadata about content we publish on your behalf (such as the resulting post or video ID and its status); and performance metrics and analytics for your channel and the content published through Timeliner (such as views, watch time, likes, comments, and similar engagement data) so that we can display performance reporting to you inside Timeliner. We request the minimum permissions needed to provide the feature.

12.4 Google API Services and YouTube

Our YouTube integration uses the YouTube API Services. By connecting a YouTube channel, you also agree to be bound by the YouTube Terms of Service. Information that Timeliner obtains through Google APIs, including the YouTube API Services, is governed by the Google Privacy Policy in addition to this Privacy Policy.

Timeliner's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we use data obtained through the YouTube API Services and other Google APIs only to provide and improve the user-facing publishing and scheduling features you request. We do not use this data for advertising, we do not sell it, we do not transfer it to third parties except as necessary to provide the feature or as required by law, and we do not use it to develop, improve, or train generalized artificial-intelligence or machine-learning models.

You can review or revoke Timeliner's access to your Google account at any time through the Google security settings page, and you can disconnect the account from within Timeliner at any time.

12.5 Meta (Facebook and Instagram), TikTok, LinkedIn, and Slack

Where these integrations are offered, your use of each connected platform is also governed by that platform's own terms and policies, including the Meta Platform Terms and the Facebook and Instagram terms; the TikTok terms and developer and content policies; the LinkedIn terms; and the Slack terms. We access and use data from these platforms only to provide the publishing, scheduling, and notification features you request, and we store any access tokens in encrypted form.

12.6 Accounts You Manage for Clients

If you connect a social media account that belongs to a client or other third party, you confirm that you are authorized to connect that account and to publish content to it on the owner's behalf. You are responsible for obtaining any necessary permissions from the account owner.

12.7 Revoking Access and Deletion

You may disconnect any connected account at any time from within Timeliner, and you may also revoke access directly through the provider's own security settings. When you disconnect an account, we delete the stored access tokens for that account. Content already published to a provider remains controlled by that provider and your account there; to remove it, manage it on the provider's platform.

13. International Data Transfers

Timeliner operates globally. Information we collect is processed primarily in the United States, and may be processed in other countries where our service providers operate.

Where we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on lawful transfer mechanisms, such as:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, and the UK Addendum where applicable
• EU-U.S. Data Privacy Framework participation (where applicable to a specific vendor)
• Derogations permitted by Article 49 GDPR for specific transfers

14. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, or reporting requirements. Typical retention periods are:

• Account and workspace data: for the life of the account plus up to 30 days after cancellation
• Billing and tax records: up to 7 years, as required by applicable tax and accounting law
• Session recordings and product analytics: up to 12 months
• Onboarding / demo meeting recordings and transcripts: up to 24 months
• Support communications: up to 36 months after the last interaction
• Server and security logs: up to 12 months
• Marketing analytics and advertising attribution: up to 24 months

Some information may be retained longer if required for legal compliance, dispute resolution, fraud prevention, or security purposes, and may be retained in backups for a limited additional period until those backups are recycled.

15. Data Export

You or a workspace administrator may request an export of personal data and account data by emailing contact@timeliner.io. Automated self-service export tools may not be available at this time.

16. Security

We take reasonable technical and organizational measures designed to protect information in the Services, including encryption in transit, access controls, role-based permissions, and audit logging of administrative activity. However, no system can be guaranteed to be completely secure, and we cannot guarantee absolute security.

17. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify our business customers (as the data controllers) and, where required by applicable law, affected individuals and competent supervisory authorities, within the time frames required by law (for example, without undue delay and where feasible within 72 hours under GDPR Article 33).

18. Children's Privacy

The Services are a business tool and are not directed at children. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided personal information to us, please contact contact@timeliner.io and we will take appropriate steps to delete it.

19. Legal Bases for Processing (EEA / UK / Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases:

• Contractual necessity — to provide the Services you or your workspace request
• Legitimate interests — to operate, secure, and improve the Services, prevent fraud and abuse, and conduct direct B2B marketing where permitted
• Consent — for non-essential cookies, session recording, marketing communications where required, and other processing that requires consent by law
• Legal obligations — to comply with tax, accounting, and other laws

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

20. Your Rights and Choices

Depending on your location and the nature of your relationship with us, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Receive a portable copy of certain data in a commonly used machine-readable format
• Not be subject to solely-automated decisions producing legal or similarly significant effects (we do not currently make such decisions about users)
• Appeal a denial of a privacy request, where required by your state's law
• Lodge a complaint with your local data-protection supervisory authority

If your data is part of a business workspace, requests related to Customer Data may need to be routed to the workspace administrator.

To submit a request, contact contact@timeliner.io. We will verify your identity before responding, and we will respond within the time frames required by applicable law.

21. EU / UK Representative

Timeliner Inc. is established in the United States. Where required under Article 27 of the EU GDPR or the UK GDPR, we will appoint a representative on request. In the interim, EEA and UK data subjects may contact us directly at contact@timeliner.io for any matter relating to the processing of their personal data.

22. US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, or any other US state with a comprehensive consumer-privacy law in effect, you may have additional rights under those laws, including the rights to:

• Know what personal information we collect, use, disclose, and (where applicable) “sell” or “share”
• Access and receive a copy of your personal information
• Request correction or deletion
• Opt out of “sale” or “sharing” of personal information, and of targeted advertising
• Opt out of profiling that produces legal or similarly significant effects
• Limit use of sensitive personal information
• Not be discriminated or retaliated against for exercising your privacy rights
• Appeal a denial of a privacy request, where your state provides an appeal right
• Californians: request disclosure of any personal information shared with third parties for their direct marketing (California “Shine the Light” law)

We honor opt-out preference signals such as the Global Privacy Control (GPC) for known regions where required.

To exercise any of these rights, contact us at contact@timeliner.io. You may designate an authorized agent to submit requests on your behalf, subject to our identity-verification requirements.

23. Data Processing Addendum (B2B)

Business customers subject to GDPR, UK GDPR, CCPA, or similar laws may request a Data Processing Addendum (DPA) containing Standard Contractual Clauses and processor commitments by emailing contact@timeliner.io.

24. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date and provide notice as required by law, for example by email or in-product notification. Continued use of the Services after the effective date means you accept the updated policy.

25. Contact Us

If you have questions or requests regarding this Privacy Policy or your personal data: