Privacy Policy
Last updated: April 9, 2026
1. Who We Are
Timezylla is an AI-powered visual project planning tool developed and operated by WorkGaming SRL, a Romanian company (in formation). For privacy matters, contact us at support@timezylla.com.
2. What Data We Collect
Account data
When you sign up, we collect your name, email address, and a hashed password (hashed by Supabase — we never see or store your plaintext password). We use this to create and manage your account.
Timeline and project data
Content you create in Timezylla: timelines, tasks, milestones, dependencies, swimlanes, and any other project planning data. This is your content — you own it. We process it only to provide the service.
Workspace data
Configuration you provide: workspace name, team member accounts, and integration settings.
Usage data
How you use Timezylla: page views, feature interactions, session duration. Collected via PostHog (optional — you can opt out at any time in Settings → My Account → Privacy).
Technical data
IP address, browser type, and error logs for security and debugging purposes, processed by Sentry (EU region).
Payment data
When paid plans are available, billing will be handled by Stripe. We will never store card numbers or payment credentials on our servers.
Cookies
We use essential cookies for authentication (Supabase Auth session) — these are required for the service to work and do not require consent. We also use optional analytics cookies (PostHog) — you can decline these when you first visit or change your preference in Settings → Privacy. See our Cookie Policy for full details.
3. Why We Collect Your Data and Legal Bases
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide and operate Timezylla | Contract performance (Art. 6(1)(b)) |
| AI-powered features (generation, critique, suggestions) | Contract performance — processing on your instructions |
| Improve features using anonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Send product updates and service notifications | Legitimate interests (Art. 6(1)(f)) |
| Send marketing emails | Consent (Art. 6(1)(a)) — opt-in only |
| Detect and prevent security incidents | Legitimate interests (Art. 6(1)(f)) |
We do not sell your data. We do not use your project content to train AI models.
4. AI Processing
Timezylla uses AI to power features like timeline generation, task critique, dependency suggestions, and smart naming. Your project data may be sent to AI providers (currently Anthropic Claude and Google Gemini, routed via OpenRouter) to process your requests. These providers' API terms prohibit using API inputs to train their models — your data is not used for AI model training.
5. Who We Share Data With
| Third Party | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt, aws eu-central-1) |
| Vercel | Frontend hosting | Global edge, EU/US processing |
| Sentry | Error monitoring | EU |
| PostHog | Product analytics (optional) | EU |
| Stripe | Payment processing | US (SCCs apply) |
| OpenRouter | AI request routing | US (SCCs apply) |
| Anthropic (Claude) | AI processing | US (SCCs apply) |
| Google (Gemini) | AI processing | US (SCCs apply) |
| Langfuse | AI observability | EU (Frankfurt) |
| Resend | Transactional email | US (SCCs apply) |
| Upstash | Caching & rate limiting | EU/US (SCCs apply) |
| Slack | Integration: posts notifications when you connect your Slack workspace | US (SCCs apply) |
| Microsoft (Teams) | Integration: posts notifications when you connect Teams | EU/US (SCCs apply) |
| GitHub | Integration: reads issues/PRs when you connect a GitHub account | US (SCCs apply) |
| Atlassian (Jira) | Integration: imports issues + pushes updates when you connect Jira | EU/US (SCCs apply) |
| Linear | Integration: reads cycles + issues when you connect Linear | US (SCCs apply) |
| Notion | Integration: reads/writes pages on workspaces you grant access to | US (SCCs apply) |
| Google (Calendar) | Integration: reads + writes calendar events when you connect Google Calendar | US (SCCs apply) |
For transfers to countries without an EU adequacy decision (e.g. US), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable.
Third-party integrations (Slack, Teams, GitHub, Jira, Linear, Notion, Google Calendar)
Timezylla lets you connect your own accounts with external project-management and communication tools. Connections are opt-in only — until you click Connect for a given tool, no data flows either way. When you connect:
- You authenticate with the provider via OAuth. Your provider password is never shared with Timezylla — we receive a scoped access token.
- We request only the scopes needed for the feature (e.g. Slack
chat:write, Google Calendarcalendar.events). Full scope list is shown in the connect dialog. - Access tokens and any refresh tokens are encrypted at rest using AES-GCM with a server-side key before being written to our database.
- We store your provider-side account label (e.g. workspace name, email, site URL) so you can identify the connection in settings. No additional profile data is retained.
- You can disconnect at any time from Settings → Integrations → Disconnect. On disconnect, we delete the stored tokens and metadata immediately. You can additionally revoke Timezylla's access from the provider's own "authorized apps" page.
- The provider processes your content under its own privacy policy as a separate controller. Timezylla has no access to data in the provider that you did not authorize us to read.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Timeline and project data | Until workspace deletion + 30 days |
| Usage analytics | 12 months rolling |
| Error logs | 90 days |
| Billing records | 7 years (legal requirement) |
When you delete your account, we remove all personal data within 30 days. Some data may be retained longer where required by law (e.g. billing records for tax compliance).
7. Your Rights Under GDPR
If you are in the European Economic Area, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate data (you can also edit your profile in Settings → My Account)
- Erasure — request deletion of your account and all associated data
- Portability — download your timeline and project data in standard formats (JSON, CSV, Excel)
- Restrict processing — ask us to pause processing while a dispute is resolved
- Object to processing — opt out of analytics via Settings → My Account → Privacy
- Withdraw consent — where processing is based on consent (e.g. marketing emails), you can withdraw at any time
To exercise any of these rights, email support@timezylla.com — we will respond within 30 days. There is no fee for exercising your rights.
8. Children
Timezylla is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8.5 Beta Waitlist Data
When you request beta access, we collect your email address and any optional notes you share about your current pain points or the features you'd like to see. That's it — no name, no password, no tracking cookies on the waitlist form.
We use this information for three things: deciding who gets into the closed beta, understanding what to build next, and emailing you when Timezylla is ready for you. We do not sell, rent, or share waitlist data with anyone outside our team.
Under GDPR, our legal basis is your consent (the checkbox you ticked) combined with our legitimate interest in running a small closed beta. We keep waitlist data until the beta ends, and no longer than 24 months from the day you signed up.
You can ask us to delete your waitlist entry anytime by emailing privacy@timezylla.com. We'll remove it within 30 days and confirm when it's done.
9. Security
We take appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. Your database is hosted in Supabase's EU (Frankfurt) region with row-level security policies to ensure data isolation between workspaces.
10. Changes to This Policy
We may update this policy from time to time. We will notify you by email at least 30 days before any material change takes effect. The “Last updated” date at the top of this page will always reflect the most recent revision.
11. Contact and Complaints
For any privacy-related questions or to exercise your rights: support@timezylla.com
You also have the right to lodge a complaint with the Romanian data protection supervisory authority: ANSPDCP(Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal) — dataprotection.ro.