Privacy Policy

Last updated: July 7, 2026

1. Introduction

Kendoo Tech Consulting LTD ("Company", "we", "us"), a company registered in Israel, operates Timero.work ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Service.

2. Data We Collect

We collect the following categories of data:

  • Account data: Name, email address, profile picture, and (when you sign up with an email/password) a salted-and-hashed password. If you sign in with Google, we receive only your basic profile (name, email, picture) from Google.
  • Workspace data: Workspace names, member roles, per-member access settings, client and project names and colors, budgets, payment references, and time entries (including free-text descriptions you enter on those entries).
  • Google Calendar integration data (only when you connect Google Calendar):
    • OAuth access and refresh tokens for the Google Calendar API, encrypted at rest with AES-256-GCM.
    • The list of your Google calendars and which ones you choose to display in Timero.
    • Event metadata (title, start, end, source calendar) fetched live from the Google Calendar API for the date range currently visible in your calendar view. We do not store these events in our database.
    • Event dismissals: when you mark a Google event as "don't count as unlogged", we store the event identifier so Timero can keep that opt-out in future loads.
    • When you log a time entry from a Google event (one-click or via the dialog), the source event identifier is stored alongside the resulting time entry so the event can be shown as "logged" on subsequent loads.
  • Billing data: When you subscribe to a paid plan, payments are handled by Lemon Squeezy, our merchant of record. We receive your billing contact name and email, country, and subscription status. Card details are collected and stored by Lemon Squeezy and never reach our servers.
  • Usage and diagnostic data: Browser type, IP address, pages visited, request timestamps, and crash / error context, used for security, error monitoring, and service improvement.
  • Cookies: Session cookies for authentication (NextAuth), an active-workspace cookie, and a short-lived state cookie used during the Google Calendar connect flow. We do not use tracking or advertising cookies.

3. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To authenticate your identity and manage your account.
  • To provide the Google Calendar integration: read events from the calendars you have explicitly enabled in Timero, display them on your calendar view, suggest the most likely client / project when you log time from an event, and reconcile logged time against planned meetings.
  • To manage subscriptions and process payments through our payment provider, Lemon Squeezy (acting as merchant of record).
  • To monitor errors and ensure the reliability of the Service (via Sentry).
  • To communicate with you about the Service (e.g., security alerts, updates).
  • To comply with legal obligations.

4. Legal Basis for Processing

We process your personal data based on:

  • Contract performance: Processing necessary to provide the Service you signed up for.
  • Legitimate interest: Error monitoring, security, and service improvement.
  • Legal obligation: Where required by applicable law.

5. Third-Party Services (Sub-processors)

We use a small number of third-party sub-processors to operate the Service. Each may process personal data on our behalf, under a data processing agreement, and only as needed to provide the Service. The current list, including what each one does, the data it processes, and where it is located, is maintained on our Sub-processors page. We will update that list before adding or replacing a sub-processor.

6. Google API Services User Data Policy

Timero's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use data from the Google Calendar API only to provide the calendar integration feature inside Timero (display events on your calendar view, pre-fill the time-entry dialog when you clone an event, and reconcile logged time against planned events).
  • We do not transfer or sell Google user data to third parties, except as strictly necessary to operate the integration (our sub-processors listed above) or when required by law.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless (a) you give us explicit consent for specific data, (b) doing so is necessary for security purposes, or (c) we are compelled by law.
  • You can disconnect the Google Calendar integration at any time from Account Settings → Integrations. Disconnecting deletes the stored OAuth tokens and your calendar preferences. Time entries you previously created from Google events remain in your account as ordinary time entries.

7. Data Storage & Security

Your data is stored on secure servers located in the EU (Germany). We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS/SSL), secure authentication, and access controls. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion, we will delete your personal data within 30 days, except where retention is required by law. Workspace data is retained as long as the Workspace exists.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request restriction of processing in certain circumstances.

To exercise these rights, contact us at privacy@kendoo.co.

10. Children's Privacy

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, by email notification. Your continued use of the Service after changes take effect constitutes acceptance.

12. Contact

For privacy-related inquiries:

Kendoo Tech Consulting LTD
Email: privacy@kendoo.co