
Privacy Policy

Last updated: May 30, 2026

This Privacy Policy explains how TimeCinch (“we”, “us”) collects, uses, and shares personal data. It applies to people who visit our website, people who sign up for a TimeCinch account, and the end-customers of those account holders whose data is processed through the platform.

The short version

  • We collect the data we need to provide a scheduling product — account details, appointment data, billing data, and standard analytics. We don't sell personal data.
  • If you're a business owner using TimeCinch, you control the data about your customers; we process it on your behalf.
  • If you're a booking customer at a business that uses TimeCinch, the business owns your contact info and appointment history; we hold it for them. Direct requests to access, correct, or delete your data to the business; we will support the business in fulfilling them.
  • We use Supabase, Stripe, Resend, Vercel, and (optionally) Lightspeed and Anthropic as sub-processors. The full list is below.
  • We're GDPR-, CCPA-, and CPRA-aware. Contact support@timecinch.com to exercise your rights.

1. Who we are

TimeCinch is a multi-tenant SaaS scheduling platform for service businesses. Contact us at support@timecinch.com for any privacy-related question, including data subject requests, Data Processing Agreement (DPA) requests, and breach notifications.

2. Our two roles

Because TimeCinch is a multi-tenant platform, we play two different roles under data-protection law:

  • Controller for data we collect directly from the business owner who signs up (account, billing, and product-usage data). This Privacy Policy describes that processing.
  • Processor for personal data the business owner inputs into the Service about their own customers, staff, and bookings. The business owner is the Controller; we process it on their behalf under our Terms of Service and a Data Processing Agreement available on request.

3. What we collect and why

Account data. When you sign up, we collect your email address, name, business name, and password (stored as a salted hash by our auth provider). Purpose: create and secure your account. Legal basis (GDPR): contract performance.

Billing data. Subscription plan, billing cycle, payment method tokens (we never see card numbers — Stripe handles those), and invoice history. Purpose: process subscription payments and tax compliance. Legal basis: contract performance and legal obligation.

Service usage data. Services you create, staff and locations you add, business hours, appointments, customer messages, and the contents of every booking on your account. Purpose: deliver the Service. Legal basis: contract performance.

End-customer data. When one of your end-customers books an appointment with you through TimeCinch, we collect their name, email, phone, the services they book, notes you or they enter, and the history of their appointments with your business. We process this on your behalf as your Processor. Legal basis (you are the Controller): typically contract or your legitimate interest as the business offering the appointment.

Communications. Emails we send to you and to your customers (booking confirmations, reminders, review requests, billing notices). We retain delivery metadata for troubleshooting. Legal basis: contract performance and legitimate interest in operating the Service.

Technical data. IP address, browser type, device type, pages viewed, timestamps, error logs, and cookies (see the cookies section below). Purpose: security, abuse prevention, debugging, product analytics. Legal basis: legitimate interest.

Optional integration data. If you connect Lightspeed, we mirror the data described in our Lightspeed data-handling page. If you use the AI assistant, the messages you send to the assistant are sent to Anthropic for processing and are not retained by Anthropic for training under our enterprise agreement.

4. How we use it

We use the data described above to:

  • Operate and improve the Service.
  • Process subscription payments and send billing-related emails.
  • Send transactional emails on your behalf (booking confirmations, reminders, cancellations, review requests).
  • Monitor performance, debug errors, and protect against abuse, fraud, and security threats.
  • Comply with legal obligations.
  • Communicate with you about your account, product changes, and (only with your consent or to existing customers about similar products) marketing.

We do not sell personal data and we do not use the contents of your bookings, customers, or messages to train AI models for the benefit of any party outside your account.

5. Who we share data with (sub-processors)

We share personal data with the following sub-processors, each under a written data-processing agreement that limits their use of the data to providing services to TimeCinch:

| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Primary database, authentication, file storage, realtime | United States |
| Vercel | Web hosting and edge delivery | United States |
| Stripe | Subscription billing and payment processing | United States |
| Resend | Transactional email delivery (confirmations, reminders) | United States |
| Lightspeed (X-Series) | Optional point-of-sale integration. Only applies if you connect a Lightspeed account. | United States / New Zealand |
| Anthropic | Powers in-app AI assistant features. Only invoked when you actively use those features. | United States |

Beyond these sub-processors, we may disclose personal data where required by law (court order, subpoena, regulator request), to enforce our Terms, to protect the safety or rights of any person, or in connection with a merger, acquisition, or sale of assets (with continued protection under this Privacy Policy).

6. International transfers

Most of our sub-processors are located in the United States. If you are in the European Economic Area, United Kingdom, or Switzerland, your personal data is transferred to the U.S. under the European Commission's Standard Contractual Clauses (SCCs) and / or the EU-U.S. Data Privacy Framework where the recipient is certified. Lightspeed operations may additionally involve transfers to New Zealand under SCCs.

7. How long we keep it

Account and billing data: for as long as your account is active and for seven (7) years after closure for tax and accounting compliance.

Service usage data (your bookings, customers, messages): for as long as your account is active. On termination, we retain a thirty (30) day export window, then delete from active systems within a further thirty (30) days. Standard backups may retain residual copies up to ninety (90) days, after which they are overwritten.

Email delivery logs: twelve (12) months.

Server and security logs: ninety (90) days.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Correct inaccurate personal data.
  • Delete your personal data (right to erasure).
  • Restrict or object to our processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing is consent-based.
  • Lodge a complaint with your supervisory authority. EU residents may contact their national Data Protection Authority; California residents may contact the California Privacy Protection Agency.

End-customers of a TimeCinch business: we act as Processor for your data. Direct your request to the business that you booked with; they are the Controller. If you cannot reach them, email us and we will route the request.

How to exercise: email support@timecinch.com from the address on file. We will respond within thirty (30) days. We will not discriminate against you for exercising any privacy right.

9. California (CCPA / CPRA)

In the past twelve (12) months we have collected the categories of personal information described above (identifiers, commercial information, internet activity, geolocation derived from IP, and inferences drawn from product-usage data). We use these categories for the purposes described above. We do not sell or share personal information for cross-context behavioural advertising, and we do not knowingly collect data from children under 16. California residents may exercise the rights described under “Your rights” above.

10. Cookies

We use cookies and similar technologies for: (a) essential session management (you can't log in without them), (b) preference storage such as your active location and dark-mode setting, and (c) aggregated product analytics. We do not use third-party advertising cookies.

You can disable non-essential cookies in your browser settings; the Service may not function correctly without essential cookies.

11. Children

The Service is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided data, email us and we will delete it.

12. Security

We use encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, audit logging, and least-privilege service credentials. Stripe handles all cardholder data; we never see or store payment-card numbers. No system is perfectly secure; if you suspect a breach affecting your account, contact us immediately.

13. Changes to this Policy

We may update this Privacy Policy as our practices or the law evolve. We will announce material changes via email or in-app banner at least thirty (30) days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact

For any privacy question, data subject request, DPA request, or breach notification, email support@timecinch.com.
