Privacy Policy

This privacy policy covers how Timely AS, Karvesvingen 5, 0579 Oslo ("Timely", "we" or "us"), collects and treats information about its users ("Data Subject" or "you").

Timely AS is the data controller for the processing of personal data of its private users (i.e natural persons). Timely AS acts as data processor on behalf of its corporate customers (i.e. legal persons) for the processing of personal data of their users. Additionally, Timely is the data controller for certain processing activities regarding Timely's business activities, such as administration and marketing, relating to both private users and representatives of its corporate customers.

Users may contact Timely at any time regarding the processing of personal data at support@timely.com.

1. General

All capitalised terms used and not otherwise defined in this privacy policy have the meanings ascribed to them in Timely's terms of service (available at https://timelyapp.com/terms, hereinafter "Terms of service").

Nothing in this privacy policy is intended to limit users’ statutory privacy and data protection rights.

2. Overview

In summary, Timely processes data for the following purposes:

  1. To enter into agreements. In order to enter into agreements with our customers, we process certain data such as name, title and contact information of our private customers and corporate customers' representatives. Read more about this in section 3.1 below.
  2. To provide Timely's services. We process some personal data, such as name and e-mail, in order to set up user accounts. When you use the Memory Tracker for Timely, it collects data about your activities in order to provide the tracking functionality. We may also customise the content and/or layout of the service for you. We also process personal data when handling support requests or otherwise communicating with you. Read more about this in section 3.2 below.
  3. For administrative purposes and everyday business processes. We process data such as name, contact information and payment details for our business processes, such as administering agreements and handling payments. Read more about this in section 3.3 below.
  4. For product improvement purposes. We anonymise data about the use of our services and use the anonymised data for product improvement purposes. Read more about this in section 3.4 below.
  5. For security purposes. We process certain data such as security logs for the purpose of ensuring an appropriate level of security in our services. Read more about this in section 3.5 below.
  6. For marketing purposes. We process data such as name, contact information and title in connection with our marketing activities, for example to reach out to potential new customers or communicate with our existing customers about new products, features or services. Read more about this in section 3.6 below.

3. How Timely processes personal data

3.1 Entering into agreements

In order to enter into agreements, including negotiating, modifying, amending or concluding agreements, we collect and store certain data included in the agreements. This will typically be name and contact information of the customer (in case of private customers, where the customer is also the Data Subject), or name, contact information and title of the customer's representatives (in case of corporate customers). We may also store communications to and from the Data Subject over the course of negotiations or inquiries regarding the agreement.

When we enter into agreements with private customers, the legal basis for this processing is GDPR Article 6 no. 1 (b): the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

When we enter into agreements with private customers, the legal basis for this processing is GDPR Article 6 no. 1 (b): the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

3.2 Providing our services

Timely may collect information (including personal data) about Data Subjects:

  1. When a Data Subject fills in forms via the Service, opens a User Account, subscribes to, or unsubscribes from, a Service Plan, creates or modifies a user profile, or enters or modifies other information associated with their User Account (the information thus provided by the Data Subject);
  2. When a Data Subject downloads, installs, updates or uninstalls software from Timely
  3. When a Data Subject accesses or uses the Service or any other service connected with the Memory Tracker for Timely ;
  4. When the Data Subject requests and receives support services;
  5. When we send notifications to the Data Subject in accordance with our Terms of Service and the Data Subject's chosen communication preferences; and
  6. When otherwise knowingly made available to Timely by the Data Subject.

The data Timely processes for this purpose include:

  1. Name and contact information;
  2. Account information such as settings, preferences, and password;
  3. Tracking data collected through the use of the Service (the location (GPS), manner, means and duration of activities recorded by the Memory Tracker for Timely);
  4. Other information the Data Subject may provide or input into the Service; and
  5. Communications with the Data Subject relating to support requests or other inquiries from the Data Subject.

Timely does not intend to process special categories of personal data, such as data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Timely will only process such special categories of personal data as specified above at the request of the user, i.e., when the user submits such data to Timely at their own will. For example, users may choose to connect their Timely account to fitness apps or to keep track of doctor’s appointments. Timely will only process such special categories of personal data following the informed, expressly and freely given consent of the Data Subject.

The Memory Tracker for Timely for macOS and Windows do not have full access to everything going on inside your computer; it will only send basic information about the applications you are using. For example, if you have Google Chrome active on a website, they will send the current window title, which in most cases will be the name of the website, together with a timestamp and some information about what application the Timely software thinks it was. This is used to display the correct icon on your timeline.

If you choose to use or connect to third-party integrations (e.g. Google Calendar, Trello etc.) through the Service, or if you are required or permitted to do so by a customer, such third parties may allow us to have access to and store additional information about your interaction with those services as it relates to your use of the Service.

If you initiate these connections, we will share information about you that is required to enable your use of the third-party integration through the Service. If you do not wish to have this information shared, do not initiate these connections.

By enabling these connections, you authorise us to connect and access the information provided through these connections. The privacy policies of these third parties govern such connections. More information about each integration can be found on the respective support pages for Timely.


As part of our Service, we send certain notifications to our users. This includes notifications about important updates (e.g., security updates), service messages and administrative messages, notifications about activities in the user's workspace, notifications related to any third-party integrations you have connected or to the Timely tracking software. Notifications may be shown in the Timely web or desktop app, in the operating system notifications, or sent to the e-mail address associated with the relevant User Account. The Data Subject can manage their communication preferences relating to notifications via their User Account settings.

When we carry out these processing activities for private customers (where the customer is also the Data Subject), the legal basis for the processing is GDPR Article 6 no. 1 (b): the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

When we carry out these processing activities for corporate customers (where the Data Subject is typically employed by or otherwise affiliated with the customer), the customer is the controller and determines the legal basis for processing. In these cases, Timely's processing is subject to a data processing agreement with the customer and other instructions provided by the customer in their capacity as data controller.

3.3 Administration and business processes

We process certain personal data in order to administer agreements and carry out our day-to-day business processes. This includes processing the following personal data relating to our private customers and representatives of corporate customers:

  1. Name, title/role and contact information;
  2. Payment details;
  3. Communications with or pertaining to the Data Subject.

We use these data in order to administer invoices and payments, archive and administer agreements, exercise our rights according to the Terms of Service or other agreement between us and the customer and carry out other regular business processes.


When we carry out these processing activities relating to private customers (where the customer is also the Data Subject), the legal basis for the processing is GDPR Article 6 no. 1 (b): the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract for processing related to administering payments or otherwise fulfilling our agreement(s) with the Data Subject. For other processing activities, the legal basis is GDPR Article 6 no. 1 (f): the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, based on our legitimate interest in exercising our rights according to our agreement(s) with the Data Subject and carrying out other regular business processes.

When we carry out these processing activities for corporate customers (where the Data Subject is typically employed by or otherwise affiliated with the customer), the legal basis for the processing is GDPR Article 6 no. 1 (f): the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, based on our legitimate interest in exercising our rights according to our agreement(s) with the corporate customer in questions and carrying out other regular business processes.

Agreements, invoices and information regarding payments, including personal data which are included in such documents (typically name and contact information), may be subject to statutory data retention requirements under bookkeeping laws and regulations. When we store such data for the purpose of complying with bookkeeping laws and regulations, the legal basis for processing is GDPR Article 6 no.1 (c): the processing is necessary for compliance with a legal obligation to which the controller is subject. Please see section 4 below for further information regarding storage period for personal data.

3.4 Product improvement

Timely may anonymise and aggregate data for the purpose of machine learning and statistics in order to improve the Service.

The data we use for these purposes are:

  1. Data collected through the Memory Tracker for Timely or cookies on the Timely website (timely.com) about how users use the Service.
  2. Tracking data collected through use of the Memory Tracker, as described in section 3.2 above.
  3. Tracking data collected through third-party software designed to capture clicks, page views and other product usage data.

Tracking data collected through use of the Memory Tracker is anonymised and aggregated before being used for product improvement purposes. This means that we do not directly use tracked data collected by the Timely app with associated personally identifiable information for product improvement.

When we process personal data for this purpose, the legal basis is GDPR Article 6 no. 1 (f): the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, based on our legitimate interest in improving and maintaining our products and services.

3.5 Security

We process certain data for the purpose of ensuring and maintaining the security of our software and preventing misuse. Such data relates to security log data which may contain personal data.

We use these data in order to carry out anomaly detection, detect and stop misuse of User Accounts (e.g., attempts to log onto someone else's User Account), detect and stop attempts at unauthorised access to data or software, identify, solve and follow up security incidents, etc.

When we process personal data for this purpose, the legal basis is GDPR Article 6 no. 1 (f): the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, based on our legitimate interest in ensuring an appropriate level of security in our services.

3.6 Marketing

We process certain personal data for marketing purposes. This includes processing the following personal data about our private customers and representatives of corporate customers:

  1. Name
  2. E-mail address
  3. Title

If a Data Subject participates in Timely’s mailing or similar program, Timely will use these personal data to send them information about products, services, promotions, and events that Timely believes may be of interest to them. Any subscription to any such program may be cancelled at will.

The legal basis for our processing for marketing purposes is GDPR article 6 no. 1 (a): consent. You can withdraw your consent at any time by clicking the "unsubscribe" link at the bottom of the e-mails you receive from us, or by contacting us directly at support@timely.com.

If you are an existing customer with us, for instance, because you subscribe to our services or have signed up for a trial period, you may also receive marketing communications and other inquiries containing useful information, offers, and similar content. Such marketing activities are conducted on the basis of GDPR Article 6(1)(f) (legitimate interest).

4. Storage period for personal data

For private customers, Timely will keep personal data for as long as necessary to fulfil its contractual obligations towards the Data Subject, as specified in the Terms of Service. Corporate customers may instruct Timely with respect to retention and deletion of personal data for which they act as controller.

Most personal data we process will be stored until the User Account with which the data are associated are terminated. Unless otherwise instructed by a corporate customer acting as controller, or required by statutory law, personal data will be deleted or anonymised as soon as possible after the termination of the Data Subject’s account.

Some data may be stored only for shorter periods of time, such as log data. We store log data for a maximum of six months.

Certain data may be subject to statutory retention requirements regarding bookkeeping, which require up to 10 years retention time. This typically applies to agreement documents and information about payments and transactions.

5. Where personal data are processed

Timely AS may use processors and transfer personal data to these processors, including processors in countries not considered to provide the same level of protection for personal data as EU countries. In such cases, Timely will only transfer personal data subject to appropriate safeguards provided by sub-suppliers, such as a legally binding and enforceable instrument between public authorities or bodies, or standard data protection clauses adopted by the EU Commission. A copy of such safeguards may be obtained by contacting Timely at support@timely.com.

A complete list of our processors and sub-processors is available at https://timely.com/subprocessors

6. Transfer of personal data to others

Timely may use processors to perform certain processing operations for us. When we engage processors, we make sure that they are subject to the same data protection obligations as we ourselves are. A complete list of our processors and sub-processors is available at https://timely.com/subprocessors

Timely may also share personal data with third parties in connection with corporate transactions such as mergers, acquisitions, investments and divestments. This includes sharing such information with legal and other advisors as well as investors or business partners in such transactions, subject to appropriate data protection safeguards and in accordance with applicable law.

Timely will not otherwise transfer or provide access to Data Subject’s personal data to any third party except when, to the extent, and to persons; With the Data Subject’s consent, as required by law, or necessary in order to enter into agreements, provide the agreed services or otherwise perform Timely's obligations under the Terms of Service or other agreement between the Data Subject and Timely or the controller (corporate customers) and Timely, or its statutory obligations, or to exercise its legal rights, or defend against claims or other process.

7. How we safeguard personal data

Timely has implemented and will continue to employ appropriate measures to ensure that personal data are processed securely and in compliance with the applicable law. Among other things:

  1. Timely employs firewalls and anti-virus software in accordance with industry standards.
  2. Timely employs encryption methods in accordance with industry standards. Data are encrypted both in transit and at rest.
  3. Timely limits access to personal data through appropriate access controls, including ensuring that employees only have access to personal data which they need to have access to in order to carry out their duties.
  4. Timely engages an independent third-party to carry out yearly security audits of Timely.
  5. Timely takes daily backups of customer data.
  6. Timely never knowingly stores passwords in plaintext. We use a one-way hashing algorithm to store passwords.
  7. Timely has a number of privacy-related internal guidelines, routines and other resources for its employees, and conducts GDPR training for its employees.

Timely has no obligation to monitor or access its customers' accounts, but may do so in cases where such action is reasonably justified (e.g., in order to prevent illegal or harmful activity, provide customer support, or perform its legal duties).

8. Data subjects' rights

  1. Access: Upon the Data Subject’s request, Timely will grant the Data Subject access to all personal data that Timely maintains about the Data Subject, unless such information is otherwise available to the Data Subject or Timely is legally prohibited from disclosing such records.
  2. Right to rectification or erasure of personal data or restriction of processing: If any Personal Data prove to be incorrect or misleading, the Data Subject is entitled to have the data rectified. Registered Data Subjects can access and correct certain of their own Personal Data through the Service by visiting their personal profile page and account setting page.
  3. Rights in connection with disclosure: In all cases where Timely is allowed to disclose Personal Data to third parties, it will ensure that the person to whom disclosure is made grants the respective Data Subject the same as those set forth herein with respect to the processing of such Personal Data (including the right to be informed about the data maintained on the Data Subject and the right to correct or have corrected incorrect or misleading information).
  4. Right to data portability: The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to Timely, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from Timely.
  5. Right to lodge a complaint with a supervisory authority: The Data Subject has the right to lodge a complaint with a supervisory authority if the Data Subject considers that the processing of personal data relating to him or her infringes his or her rights. The Data Subject may make complaints to its local supervisory authority.
  6. If you wish to make a complaint to your local supervisory authority, please see this list to identify your local supervisory authority and their contact information: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9. Contact

Timely asks that all requests, enquiries, complaints, and other communications that Data Subject wishes to address to Timely with respect to this privacy policy or data processing be submitted via the feedback feature of Timely’s website, or that such communications be sent to the following email or postal address: support@timely.com / Timely AS, Karvesvingen 5, Oslo, Norway

10. Change of policy

Timely may amend or repeal this privacy policy at any time by posting a revised privacy policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, Timely will notify registered users of the fact that its privacy policy has changed by sending users an email to the address associated with their User Account, and by posting a prominent notice on the Service.

Apps distributed on Google Play are also subject to the Google Play Developer Distribution Agreement.

Timely’s use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The Limited Use requirements have four elements:

  1. Allowed Use: Developers are only allowed to use restricted scope data to provide or improve user-facing features that are prominent from the requesting app's user interface. It should be clear to your users why and how you use the restricted scope data they've chosen to share with you.
  2. Allowed Transfer: Developers are only allowed to transfer restricted scope data to others if that transfer is (a) necessary to provide or improve user-facing features that are prominent from the requesting app's user interface, (b) to comply with applicable laws, or (c) a part of a merger, acquisition or sale of assets of the developer. All other transfers or sales of user data are completely prohibited.
  3. Prohibited Advertising: Developers are never allowed to use or transfer restricted scope data to serve users advertisements. This includes personalized, re-targeted and interest-based advertising.
  4. Prohibited Human Interaction: Developers cannot allow humans to read restricted scope user data. For example, a developer with access to a user's data is not allowed to have one of its employees read through a user's emails. There are four limited exceptions to this rule: (a) the developer obtains a user's consent to read specific messages (for example, for tech support), (b) it's necessary for security purposes (for example, investigating abuse), (c) to comply with applicable laws, and (d) the developer aggregates and anonymizes the data and only uses it for internal operations (for example, reporting aggregate statistics in an internal dashboard).
Privacy
Terms of Service
Privacy Policy
Data Processing Agreement
List of Sub-Processors
Cookie Policy
Survey Promotion Terms and Conditions