Privacy Policy

Last updated: April 2026

1. Information We Collect

When you use Timelo, we collect information necessary to provide and improve our service. This includes:

Account Information: When you register, we collect your name, email address, phone number, and authentication credentials. If you sign up via Google or Facebook, we receive your name, email, and profile picture from those providers.

Business Information: For salon owners, we collect your business name, address, business type, working hours, services offered, staff details, and branding assets (logo, cover image).

Booking Data: Appointment details, service selections, scheduling preferences, client notes, and appointment history.

Payment Information: We do not store credit card numbers directly. Payment processing is handled by Stripe (and in the future, PayPal). We store transaction records, subscription status, and billing history.

Usage Data: Device information, browser type, IP address, pages visited, and interactions with the platform to help us improve the service.

Push Notification Tokens: If you enable push notifications, we store your Firebase Cloud Messaging device token to deliver notifications.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Timelo booking platform
  • Process appointments, payments, and subscriptions
  • Send booking confirmations, reminders, and no-show alerts
  • Communicate with you about your account, service updates, and support requests
  • Improve and personalize your experience on the platform
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations and enforce our terms

3. Data Storage & Security

Your data is stored in a PostgreSQL database hosted by Supabase with encryption at rest and in transit. We implement industry-standard security measures including:

  • Row Level Security (RLS) for multi-tenant data isolation
  • HTTPS/TLS encryption for all data in transit
  • Strict Content Security Policy (CSP) and security headers
  • Rate limiting and brute-force protection on authentication endpoints
  • Audit logging of critical actions
  • CAPTCHA and honeypot fields to prevent automated abuse

Our infrastructure is hosted in the EU and US regions. While we take all reasonable precautions, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.

4. Third-Party Services

We use the following third-party services to operate Timelo:

  • Supabase — Database hosting, authentication, and file storage
  • Stripe — Payment processing and subscription management
  • Resend — Transactional email delivery (booking confirmations, reminders)
  • Firebase Cloud Messaging — Push notifications for mobile and web
  • hCaptcha — Bot protection on login and registration forms
  • Upstash — Rate limiting via Redis

Each third-party provider has its own privacy policy governing its use of your data. We only share the minimum information necessary for these services to function.

5. Cookies

Timelo uses a minimal set of cookies essential to the functioning of the service:

  • Authentication cookies — Secure session cookies to keep you signed in
  • Locale preference — Stores your selected language (timelo_locale)
  • Location selection — Remembers your selected salon location (timelo_location_id)

We do not use third-party tracking cookies or advertising cookies. We do not sell your data to advertisers.

6. Your Rights

Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have the following rights:

  • Right of Access — Request a copy of the personal data we hold about you
  • Right to Rectification — Request correction of inaccurate or incomplete data
  • Right to Erasure — Request deletion of your personal data (subject to legal retention obligations)
  • Right to Data Portability — Receive your data in a structured, machine-readable format
  • Right to Restrict Processing — Request limitation of how we process your data
  • Right to Object — Object to processing based on legitimate interests

To exercise any of these rights, please contact us at support@timelo.io. We will respond to your request within 30 days.

7. Data Retention

Your data is preserved indefinitely for as long as your account exists, even if your subscription is cancelled. We believe your business data is valuable and should not be lost due to billing changes.

If you cancel your subscription, your salon becomes invisible to clients but all data (appointments, client records, staff information) is retained. You can reactivate at any time and pick up where you left off. Data is only deleted upon explicit written request from the account owner in accordance with GDPR erasure rights.

8. Children's Privacy

Timelo is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at support@timelo.io.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will notify you by email or through a notice on the platform. Your continued use of Timelo after any changes constitutes your acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Exploode Ltd
Email: support@timelo.io