Privacy Policy
Effective date: June 18, 2026
1. Introduction
Welcome to TimeMappr ("we", "our", or "us"). We operate the website located at timemappr.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.
2. Information We Collect
2.1 Information You Provide
- Account information: email address and password when you register.
- Profile data: your time zone and weekly working-hours schedule.
- Team data: team names, member display names, time zones, and availability windows you enter.
- Billing data: when you subscribe to the Pro plan, payment processing is handled entirely by Stripe. TimeMappr receives and stores a Stripe customer ID, your subscription status, plan type (monthly/annual), subscription start date, and renewal date; we never store your full card number, CVV, or any other raw payment credentials.
- Bug reports: the message and optional screenshot you submit through the in-app "Report a Bug" form.
- Display preferences: your light/dark theme selection.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, and timestamps, collected via server logs.
- Device data: browser type, operating system, and IP address.
- Authentication tokens: Firebase Authentication tokens used to identify your session securely.
- Push notification device tokens: if you enable mobile notifications, we store a device token (iOS/Android) tied to your account to deliver pushes.
2.3 Anonymous Visitors
Visitors who have not registered are assigned an anonymous Firebase session. No personally identifiable information is collected for anonymous sessions beyond what is listed under 2.2 above.
2.4 Calendar Sync Data
If you connect Google Calendar or Microsoft Outlook ("Calendar Sync"), we fetch your calendar events for the current week, including event titles, start and end times, and busy/free status — not just busy/free blocks. Event titles are displayed to other members of your team as a tooltip on your schedule, so they are not private to you alone. OAuth refresh tokens used to access your calendar are encrypted at rest using Google Cloud KMS before being stored (see Section 10) and are never exposed to the browser or other users. Fetched events are cached briefly (a few minutes) to reduce calendar-provider API calls and are refreshed automatically. You can disconnect Calendar Sync at any time from Settings, which deletes the stored tokens and cached events.
2.5 Team Activity Logs
For each team, we keep a log of administrative actions — members added or removed, role changes, team renames, and similar events — including who performed the action and when. This log is visible to team owners and admins from the team's Activity view. The in-app Activity view shows only the most recent 90 days of entries; underlying log records are retained for longer for audit and abuse-prevention purposes.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Create and manage your account and teams.
- Display time zone overlap visualizations based on the data you enter.
- Send transactional emails (e.g., password reset, subscription confirmations) when requested.
- Process subscription payments and manage your Pro plan status.
- Monitor and analyze usage to improve the Service.
- Detect and prevent fraud, abuse, or security incidents.
- Comply with legal obligations.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4. Sharing of Information
We may share your information only in the following circumstances:
- Service providers: trusted third-party vendors (e.g., Google Firebase, Google Cloud) that help us operate the Service and are contractually bound to protect your data.
- Legal requirements: when required by applicable law, regulation, or valid legal process.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality obligations.
- With your consent: for any other purpose with your explicit consent.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. You can delete your account at any time, self-service, from Settings → Account → Delete My Account. Deleting your account immediately disconnects any connected calendars, cancels your subscription if you have one, removes you from every team you're a member of, and deletes your profile and sign-in credential. If you still own one or more teams, you'll need to delete or otherwise dispose of them first — we don't delete teams you own automatically, since doing so would also remove access for any other members of those teams.
If you're unable to use the self-service option, you may instead request deletion by contacting us at privacy@timemappr.com. We will respond within 30 days. Residual copies may remain in backups for up to 90 days after either deletion method.
6. Security
We implement industry-standard technical and organizational measures to protect your information, including encrypted data transmission (TLS), Firebase Authentication for credential management, and access controls limiting who can access production data. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal data ("right to be forgotten").
- Restrict or object to certain processing activities.
- Data portability: receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at privacy@timemappr.com.
8. Cookies and Tracking
We use browser localStorage to store your display preferences (such as dark/light mode and selected team) and your cookie consent choice. Firebase Authentication may set session cookies required for authentication. These are essential to the Service and are not affected by the choice described below. You can disable cookies in your browser settings, but some features of the Service may not function correctly as a result.
8.1 Analytics Cookies and Your Choice
We use Google Analytics to understand aggregate usage of the Service. Analytics cookies are not set until you accept them: on your first visit, a banner lets you choose "Accept" (analytics enabled) or "Essential Only" (analytics disabled). Your choice is stored in your browser and applied on every later visit. You can change your mind at any time using the "Privacy Choices" link in the site footer.
9. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@timemappr.com so we can promptly delete it.
10. Third-Party Services
The Service uses the following third-party services, each governed by their own privacy policies:
- Google Firebase (Authentication & Firestore database): stores your account credentials and application data.
- Google Cloud Run: hosts the TimeMappr API.
- Google Cloud KMS: OAuth refresh tokens for Calendar Sync are encrypted at rest using Google Cloud Key Management Service before being stored in Firestore. Tokens are never exposed to the browser or other users.
- Stripe (payment processing): processes subscription payments for the Pro plan. Stripe is a certified PCI-compliant payment processor. TimeMappr never stores raw card data. See Stripe's Privacy Policy for details.
- Mailjet (transactional email): delivers account and system emails such as welcome messages, password resets, team invitations, and billing notifications. Mailjet processes only the email address and message content necessary to deliver each email.
- Google Cloud Storage: stores bug-report screenshots and schedule screenshots you generate from the Service. These objects are private; schedule screenshots are shared via a time-limited signed link when you use the "Send Schedule" feature.
- Firebase Cloud Messaging: delivers push notifications to the device tokens described in Section 2.2, if you enable mobile notifications.
- Google Analytics: helps us understand aggregate usage of the Service. Analytics cookies are not set until you accept them via the cookie banner described in Section 8.
We encourage you to review the privacy policies of these services.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top of this page. For material changes, we will provide a prominent notice within the Service or via email. Continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
TimeMapprprivacy@timemappr.com