Privacy Policy

Last updated: March 2026

Tympo ("we", "our", "the app"), a product of Six Yellow Boxes, Lda (Portugal), is a time tracking application. We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR). This policy explains what data we collect, why, and how we handle it.

1. What We Collect

When you use Tympo, we collect and store:

Account information: Email address and encrypted password (or OAuth provider ID if using Google Sign-In)
Time tracking data: Time entries, task descriptions, notes, start/end times, and durations
Organization data: Client names, project names, hourly rates, and color preferences
App settings: Language preference, daily target hours, currency, theme selection
Payment information: Subscription status and billing history (payment details are handled entirely by Stripe — we never see or store your card number)

2. What We Don't Collect

We do not track your location
We do not access your contacts, camera, or microphone
We do not use analytics or tracking cookies (only essential cookies for authentication)
We do not sell or share your data with third parties
We do not display advertisements

3. How Data Is Stored

Your data is stored securely in a Supabase-hosted PostgreSQL database with Row Level Security (RLS) enabled. This means each user can only access their own data — no other user or administrator can read your time entries, clients, or notes.

All data is transmitted over HTTPS. Authentication tokens are stored securely in the browser session storage (web app) or device keychain (native apps).

4. Third-Party Services

We use the following third-party services, all of which are GDPR-compliant:

Supabase — database hosting and authentication (Privacy Policy)
Stripe — payment processing for Pro subscriptions (Privacy Policy)
Cloudflare — web hosting, DNS, and email routing (Privacy Policy)
Resend — weekly summary emails (Privacy Policy)
Google OAuth — optional sign-in method (Privacy Policy)

We do not share your time tracking data with any of these services beyond what is required for the app to function.

5. Cookies

Tympo uses only essential cookies required for authentication and session management. We do not use analytics, marketing, or tracking cookies. You can manage your cookie preferences through the cookie banner shown on your first visit.

6. Data Retention

Your data is retained as long as your account is active. You can delete individual time entries, clients, and projects at any time through the app. To delete your entire account and all associated data, contact us at the email below.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

Access all data associated with your account (available through the app's export features)
Rectification — correct any inaccurate data (editable through the app)
Erasure — delete your data (through the app or by contacting us)
Portability — export your data in CSV format
Object — opt out of non-essential processing (e.g. weekly email in Settings)
Withdraw consent at any time for optional data processing

To exercise any of these rights, contact us at the email below. We will respond within 30 days.

8. Data Transfers

Your data may be processed in data centres located outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses, in compliance with GDPR.

9. Security

We implement multiple layers of security including HTTPS encryption, Row Level Security at the database level, server-side data validation, and secure token storage. Passwords are hashed using bcrypt through Supabase Auth.

10. Children's Privacy

Tympo is not directed at children under 16. We do not knowingly collect personal information from children under 16.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify users of significant changes through the app or via email.

12. Contact & Data Controller

The data controller for your personal data is:

Six Yellow Boxes, Lda
Portugal
[email protected]

For questions about this privacy policy, to exercise your GDPR rights, or to request data deletion, contact us at [email protected].