Privacy Policy

Last updated: May 22, 2026

1. Introduction

Kendoo Tech Consulting LTD ("Company", "we", "us"), a company registered in Israel, operates Timero.work ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service.

2. Data We Collect

We collect the following categories of data:

  • Account data: Name, email address, profile picture, and (when you sign up with an email/password) a salted-and-hashed password. If you sign in with Google, we receive only your basic profile (name, email, picture) from Google.
  • Workspace data: Workspace names, member roles, per-member access settings, client and project names and colors, budgets, payment references, and time entries (including free-text descriptions you enter on those entries).
  • Google Calendar integration data (only when you connect Google Calendar):
    • OAuth access and refresh tokens for the Google Calendar API, encrypted at rest with AES-256-GCM.
    • The list of your Google calendars and which ones you choose to display in Timero.
    • Event metadata (title, start, end, source calendar) fetched live from the Google Calendar API for the date range currently visible in your calendar view. We do not store these events in our database.
    • Event dismissals: when you mark a Google event as "don't count as unlogged", we store the event identifier so Timero can keep that opt-out in future loads.
    • When you log a time entry from a Google event (one-click or via the dialog), the source event identifier is stored alongside the resulting time entry so the event can be shown as "logged" on subsequent loads.
  • Usage and diagnostic data: Browser type, IP address, pages visited, request timestamps, and crash / error context, used for security, error monitoring, and service improvement.
  • Cookies: Session cookies for authentication (NextAuth), an active-workspace cookie, and a short-lived state cookie used during the Google Calendar connect flow. We do not use tracking or advertising cookies.

3. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To authenticate your identity and manage your account.
  • To provide the Google Calendar integration: read events from the calendars you have explicitly enabled in Timero, display them on your calendar view, suggest the most likely client / project when you log time from an event, and reconcile logged time against planned meetings.
  • To monitor errors and ensure the reliability of the Service (via Sentry).
  • To communicate with you about the Service (e.g., security alerts, updates).
  • To comply with legal obligations.

4. Legal Basis for Processing

We process your personal data based on:

  • Contract performance: Processing necessary to provide the Service you signed up for.
  • Legitimate interest: Error monitoring, security, and service improvement.
  • Legal obligation: Where required by applicable law.

5. Third-Party Services (Sub-processors)

We use the following third-party services that may process your data on our behalf:

  • Google (OAuth + Calendar API): For sign-in and, optionally, the calendar integration. Sign-in uses only your basic Google profile (name, email, picture). The calendar integration uses the read-only calendar.readonly scope and is only enabled if you explicitly connect it. Subject to Google's Privacy Policy.
  • Sentry (Functional Software GmbH, EU instance): For error monitoring and performance tracing. Receives error context including stack traces, request URLs, browser information, and IP address.
  • DigitalOcean: Application hosting. Primary servers and the SQLite database are located in Frankfurt, Germany. SQLite write-ahead log replication (Litestream) writes encrypted backups to DigitalOcean Spaces in the same Frankfurt region.

6. Google API Services User Data Policy

Timero's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use data from the Google Calendar API only to provide the calendar integration feature inside Timero (display events on your calendar view, pre-fill the time-entry dialog when you clone an event, and reconcile logged time against planned events).
  • We do not transfer or sell Google user data to third parties, except as strictly necessary to operate the integration (the hosting infrastructure described above) or when required by law.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless (a) you give us explicit consent for specific data, (b) doing so is necessary for security purposes, or (c) we are compelled by law.
  • You can disconnect the Google Calendar integration at any time from Account Settings → Integrations. Disconnecting deletes the stored OAuth tokens and your calendar preferences. Time entries you previously created from Google events remain in your account as ordinary time entries.

7. Data Storage & Security

Your data is stored on secure servers hosted by DigitalOcean in Frankfurt, Germany. We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS/SSL), secure authentication, and access controls. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law. Workspace data is retained as long as the Workspace exists.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request restriction of processing in certain circumstances.

To exercise these rights, contact us at privacy@kendoo.co.

10. Children's Privacy

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, by email notification. Your continued use of the Service after changes take effect constitutes acceptance.

12. Contact

For privacy-related inquiries:

Kendoo Tech Consulting LTD
Email: privacy@kendoo.co