Timely
Legal · Privacy

Privacy Policy

The data we collect, why we collect it, and the controls you have over it.

Last updated · May 3, 2026

1. Overview

Timely (“we”, “our”, “us”) provides employee time-tracking and productivity-monitoring software to organizations and their employees (“you”, “user”). This Privacy Policy explains what information we collect through our web application (the “Platform”) and our desktop tracker (the “Tracker”), how we use it, who we share it with, and what choices you have.

By creating a Timely account or installing the Tracker, you confirm that you have read and understood this Policy. If you do not agree, please do not use the Service.

2. Information we collect

We collect three categories of information:

  • Account information. Organization name, organization ID, your full name, email, phone number, role (Super Admin, Organization Admin, or Employee), department, designation, and an optional profile photo.
  • Productivity data captured by the Tracker. Active application name and window title, total active and idle time per session, randomized screenshots (when enabled by your organization), and operating system metadata such as hostname and platform.
  • Operational data. Timestamps of activity, IP addresses for audit logs, payment status (handled by Stripe and SSLCommerz), and contact-form submissions.

3. How we use your information

We use the information described above strictly to:

  • Provide and improve the time-tracking, reporting, and screenshot-monitoring features.
  • Authenticate users and enforce role-based access control.
  • Generate productivity dashboards and exports for the Organization Admin who employs you.
  • Bill organizations through Stripe or SSLCommerz and manage subscriptions.
  • Detect abuse, troubleshoot incidents, and keep the Service running reliably.

We do not sell, rent, or trade your data with advertisers, brokers, or any third party for marketing.

4. Screenshots & desktop tracking

The Tracker captures the active window title, the foreground application’s name, and (when enabled by an Organization Admin) periodic screenshots at randomized intervals (typically every 5–15 minutes).

  • Screenshots are stored either in the organization’s configured AWS S3 bucket or, if S3 is not configured, on Timely’s backend disks. Access is restricted to the employing organization’s admins.
  • The Tracker does not log keystrokes, capture passwords, record audio or video, access your microphone or camera, or read file contents.
  • Idle time is determined from operating-system idle signals (no keyboard or mouse input for 5 minutes). The Tracker never captures the actual content of what you type.
  • Employees can always see the live tracker status and the latest captured window in the desktop application UI.

5. Data sharing

We share data only with the following categories of parties:

  • Your employing organization. All productivity data captured by the Tracker is, by design, accessible to authorized administrators within the organization that owns your account.
  • Service providers. Cloud hosting (AWS), payment processing (Stripe, SSLCommerz), email delivery, and similar infrastructure providers, all bound by contractual confidentiality obligations.
  • Legal compliance. When required by law, court order, or to protect the rights, property, or safety of Timely, our users, or others.

6. Data retention

Activity logs and screenshots are retained for as long as the organization’s subscription is active, plus a 30-day grace period after cancellation to allow data export. After that, productivity data is permanently deleted from primary storage and purged from backups within 90 days.

Account information (your name, email, role) is retained for the lifetime of your organization’s account and deleted on request after the account is closed.

7. Security

We protect your data with industry-standard measures:

  • Passwords are hashed with bcrypt (12 rounds); we never store plaintext passwords.
  • Access tokens use signed JWTs with rotating secrets.
  • All API traffic is served over TLS in production environments.
  • Multi-tenant isolation is enforced by org_id on every database query.
  • Screenshot URLs are short-lived and accessible only to authorized organization admins.

No system can be 100% secure. If you believe your account has been compromised, contact us immediately at the email listed in our Contact page.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate personal data.
  • Request deletion (subject to legitimate business and legal retention needs).
  • Export a copy of your data in a portable format.
  • Object to or restrict certain processing activities.

To exercise these rights, contact your Organization Admin or write to us through the Contact page. Note that some requests must be processed via your employer because they own the productivity data captured under their organization.

9. International data transfers

Timely is operated from servers that may be located in regions different from where you access the Service. By using Timely, you consent to your data being processed in those regions, subject to the protections described in this Policy.

10. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated via the Platform or email.

11. Contact us

Questions or requests related to this Privacy Policy can be sent through our Contact page. We aim to respond within one business day.

Have a question about this policy? Our team is happy to clarify anything.

Contact us