TimeFlov AB ("We") is the data controller for the personal data we process when you use our service. This privacy policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR).
First and last name, email address, role, company affiliation, profile picture (via OAuth provider).
Time entries, expense reports, invoices, projects, clients, vendors, approval workflows, and accounting records you create in the Service.
IP address, browser type, device information, session data, and usage analytics to provide and improve the Service.
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract (Art. 6.1.b) |
| Account management & authentication | Contract (Art. 6.1.b) |
| Billing & payment processing | Contract (Art. 6.1.b) |
| Improving the Service | Legitimate interest (Art. 6.1.f) |
| Legal obligations (accounting) | Legal obligation (Art. 6.1.c) |
We retain your personal data for as long as your account is active or as needed to fulfill the purpose of processing. Upon account deletion, your data is removed within 30 days, except for data we are legally required to retain (e.g., accounting records for 7 years).
Under GDPR, you have the following rights regarding your personal data:
To exercise your rights, contact us at privacy@timeflov.com.
We use session cookies for authentication (Supabase Auth) and localStorage for language preferences (i18nextLng) and UI preferences (theme, sidebar). We do not use third-party cookies for advertising or tracking.
We share your data with the following sub-processors: Supabase (database hosting, EU), Cloudflare (CDN/hosting), Stripe (payment processing). We do not transfer your data outside the EU/EEA without appropriate safeguards.
We employ technical and organizational measures to protect your data, including: encryption in transit (TLS) and at rest, row-level security (RLS) for data isolation, regular security audits, and multi-factor authentication via OAuth providers.
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with Integritetsskyddsmyndigheten (IMY), the Swedish data protection authority.