Last Updated: 17.11.2025
Version: 1.0
Effective Date: 17.11.2025

1. Introduction

Name: timelit
Brand: timelit
Availability: InStock

1.1 About This Privacy Policy

This Privacy Policy ("Policy") explains how timelit ("we", "us", "our", "Service") collects, uses, processes, stores, and protects your personal data when you use our AI-powered business automation platform available at app.timelit.ai.

This Policy is designed to comply with:

the General Data Protection Regulation (GDPR) (EU) 2016/679, and
applicable national data protection laws in the European Union, in particular Austrian law.

This Privacy Policy is incorporated into our Terms of Service by reference. By using timelit, you acknowledge that you have read and understood this Privacy Policy.

1.2 Controller Information

Data Controller

Name: Timelit FlexCo

Registered Address: Eileen-Gray-Gasse 2/24, 1220 Vienna, Austria
Registration Number: [COMPANY REGISTRATION NUMBER - TO BE SPECIFIED]
Email (Privacy & General): support@timelit.ai

Timelit FlexCo acts as an independent data controller for all processing described in this Policy.

1.3 Data Protection Officer (DPO)

At the time of this Policy, Timelit FlexCo is not required to appoint a Data Protection Officer under Article 37 GDPR.

If you have any questions regarding data protection, you can contact us at: support@timelit.ai

1.4 EU Representative (GDPR Article 27)

Timelit FlexCo is established in the European Union (Austria). An EU representative under Article 27 GDPR is therefore not required.

2. Scope and Applicability

2.1 What This Policy Covers

This Policy applies to personal data processed when you:

register for and sign in to timelit using your Microsoft Work or School account
use our Service through app.timelit.ai
connect your Microsoft 365 data via Microsoft Graph API
use AI-powered features (drafting, summarization, categorization, knowledge search)
interact with our support (e.g., via email)

It specifically covers personal data:

collected during registration and authentication
retrieved and processed through Microsoft Graph API
stored and processed in Microsoft Azure (Sweden Central region)
- including Azure Cosmos DB, Azure Blob Storage (where used), and Azure Application Insights
processed by third-party service providers acting on our behalf (e.g., Microsoft, Stripe, Plausible)

2.2 What This Policy Does Not Cover

This Policy does not cover:

processing performed independently by Microsoft (e.g., Microsoft 365, Outlook, Teams, Microsoft Graph API) – see Microsoft’s own privacy documentation
processing performed independently by Azure OpenAI under Microsoft’s data processing terms
third-party websites or services linked from timelit
data you choose to share outside our Service (e.g., in other applications, messaging tools, or public channels)

2.3 Compliance with EU Regulations

This Privacy Policy is intended to ensure compliance with:

GDPR: Regulation (EU) 2016/679
ePrivacy Directive: Directive 2002/58/EC (and its national implementations)
EU AI Act: Regulation (EU) 2024/1689 (transparency and governance for AI systems)
Digital Services Act (DSA): Regulation (EU) 2022/2065, where applicable
Austrian and other applicable EU member state laws

3. Personal Data We Collect

3.1 Data You Provide Directly

3.1.1 Registration Data

When you register for timelit using your Microsoft Work or School account, we collect:

Email Address: your Microsoft 365 work/school email address
Name: your display name from the Microsoft account
User ID: Microsoft Graph user identifier (object ID)
Tenant ID: your organization’s Microsoft tenant ID
Registration Timestamp: date and time of first registration

Only business accounts (work or school) are supported; personal Microsoft accounts are not intended to be used with timelit.

3.1.2 Authentication Data

During Microsoft OAuth authentication, we receive and securely store:

Access Tokens: Microsoft OAuth access tokens (stored encrypted, with restricted access)
Refresh Tokens: Microsoft OAuth refresh tokens (encrypted and access-controlled)
Token Expiry: expiration timestamps for token management and automatic refresh
Granted Scopes: the Microsoft Graph API permissions you (or your tenant admin) consent to

3.1.3 User Preferences and Configuration

When you configure your account and features, we store:

Feature Preferences: which automation features are enabled/disabled (e.g., email drafting, meeting scheduling, meeting summaries, categorization, knowledge search)
Working Hours & Timezone: your configured working hours and timezone
Email Settings: categorization preferences, auto-draft settings, thresholds for automation
Meeting Settings: preferred meeting length, scheduling preferences, follow-up behavior
Knowledge Search Settings: semantic search preferences, filters, indexing options

These settings can be managed by each user in the timelit control dashboard.

3.2 Data We Collect Automatically

3.2.1 Communication Data (Email)

Through Microsoft Graph API, and based on the permissions you or your tenant admin grant, timelit processes and stores:

Full Email Content
- Email body text (plain and/or HTML)
- Subject lines
- Conversation context / threads
Email Attachments
- We store attachments (e.g., PDF, DOCX, PPTX, images) as needed to provide search, summarization, and knowledge features.
Email Metadata
- Sender and recipient addresses
- CC/BCC information
- Timestamps
- Read/unread status
- Importance flags, categories, conversation IDs

timelit stores email bodies and attachments as long as your account is active, to provide the promised functionality (drafting, search, summaries, knowledge graph).

3.2.2 Calendar Data

Through Microsoft Graph API, we process:

Calendar Events: titles, descriptions, locations
Meeting Invitations: invitation details, responses, recurrence rules
Attendees: names and email addresses of participants
Availability Information: free/busy status and working hours
Time Zone: calendar’s configured timezone

This data is used for features such as scheduling, daily briefings, and summarization.

3.2.3 Meeting Data

When you use meeting-related features (e.g., transcription, summarization), timelit processes:

Meeting Metadata: meeting title, participants, timestamps, duration
Transcriptions: text transcriptions of meeting audio generated by Microsoft services
Meeting Summaries: AI-generated summaries, key topics, decisions, action items

Important:

Audio/video recordings themselves are not stored long-term by timelit.
Where audio/video is temporarily made available (e.g., via Microsoft Teams) for transcription, it is only used transiently for processing and is not stored by us beyond what is strictly necessary to obtain the transcription.
The transcriptions and summaries are stored in our Azure environment (Sweden Central).

3.2.4 Usage Data

We automatically collect usage data to operate and improve the Service, for example:

Service Usage Logs: feature usage (e.g., how often drafting or summarization is triggered), API calls, function executions
Performance Metrics: response times, error rates, throughput
Configuration Changes: changes to your settings and the time they were made
Session Data: sign-in events, last activity timestamp

This is primarily captured using OpenTelemetry and stored in Azure Application Insights (Sweden Central) with personal data minimized.

3.2.5 AI-Generated Data

When you use AI features, timelit generates and stores:

Cached AI Responses: AI-generated email drafts, suggestions, summaries (stored for a limited technical period as part of providing the Service)
Embeddings: vector representations of content (emails, transcripts, etc.) stored in Cosmos DB to power semantic search
Knowledge Base Entries: processed and indexed communication content (e.g., key entities, topics)
AI Processing Logs: token usage, model identifiers, processing timestamps, error information

We do not use your content to train our own or third-party foundation models.

3.3 Data We Receive from Third Parties

3.3.1 Microsoft Graph API

Based on the consent granted by you or your tenant administrator, we receive data from Microsoft Graph API, including:

Microsoft user profile information (e.g., name, email, user ID)
Email messages and associated metadata and attachments
Calendar events, availability, and meeting metadata
Meeting transcriptions (via Microsoft services)
Other Microsoft 365 resources as explicitly enabled in the product

We only request and use Graph scopes necessary for the specific features you activate.

3.3.2 Microsoft Azure Services

We also receive and generate data through Microsoft Azure services, including:

System logs and diagnostics
Performance metrics
Security event logs
Infrastructure metadata for Azure Functions, Cosmos DB, Blob Storage, and Application Insights

All such data is stored exclusively in Azure Sweden Central (EU).

3.4 Special Categories of Personal Data

We do not intentionally seek or require processing of special categories of personal data (Article 9 GDPR), such as:

racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic or biometric data
health data
data concerning sex life or sexual orientation

However, such data may incidentally appear in:

email content
attachments
calendar descriptions
meeting transcriptions

Because this content is provided or generated within your own Microsoft 365 environment, and you choose to connect it to timelit, any such processing is based on your explicit consent via the Microsoft OAuth and admin consent flow (Articles 6(1)(a) and 9(2)(a) GDPR), and only to the extent necessary to provide the Service.

We do not profile or classify users based on these sensitive attributes.

3.5 AI-Generated and Processed Data

3.5.1 AI Processing Data

When AI features are used, we process:

Model Inputs: content sent to AI models, such as email bodies, subject lines, calendar texts, meeting transcripts, and your prompts
Processing Metadata: token usage, model versions, timestamps
AI Model Outputs: generated drafts, summaries, categorizations, action lists, search results
Performance Metrics: e.g., response time, error rates

3.5.2 Knowledge Base Data

We build a personal knowledge layer to help you find and reuse information:

Indexed Content: processed content of emails, calendar entries, and meeting summaries
Vector Embeddings: mathematical representations of text for semantic search
Knowledge Relationships: inferred links between topics, projects, people, or threads
Search History: your search queries and (where necessary) clicked results

3.5.3 EU AI Act Transparency

We align with the transparency obligations of the EU AI Act:

AI System Disclosure: When content (e.g., drafts or summaries) is AI-generated, this is clearly indicated in the Service.
Model Training Sources: The base models used (Azure OpenAI) are provided and trained by Microsoft. We do not use your data to further train these foundation models.
Decision-Making: timelit does not take legally or similarly significant decisions without human control. You always decide what gets sent or executed.
Human Oversight: You can review, modify, or discard AI suggestions before using them.

4. How We Use Your Personal Data

4.1 Purposes of Processing

We process your personal data for the following purposes:

4.1.1 Service Delivery (Contractual Necessity – GDPR Article 6(1)(b))

Email Processing: analyzing, categorizing, and processing your emails
AI-Generated Responses: generating email drafts and suggestions
Meeting Scheduling: proposing and scheduling meetings based on calendar availability
Meeting Transcription: transcribing and summarizing supported meetings
Daily Briefings: generating personal overviews of emails, meetings, and tasks
Knowledge Management: indexing and searching through your historical emails and summaries
User Preferences: storing and applying your settings and configuration

4.1.2 Authentication and Security (Legitimate Interest – GDPR Article 6(1)(f))

Account Authentication: verifying your identity using Microsoft OAuth
Token Management: storing and refreshing OAuth tokens securely
Security Monitoring: detecting suspicious or unauthorized access
Fraud Prevention: preventing misuse of the Service
System Security: protecting infrastructure and data from attacks

4.1.3 Service Improvement (Legitimate Interest – GDPR Article 6(1)(f))

Performance Optimization: improving speed, reliability, and scalability
Feature Development: building new features based on aggregated usage patterns
Error Resolution: diagnosing and fixing technical issues
Quality Assurance: ensuring service robustness and correctness

4.1.4 Legal Compliance (Legal Obligation – GDPR Article 6(1)(c))

Compliance with regulatory requirements (e.g., GDPR, accounting rules)
Handling and documenting data subject requests
Complying with data breach notification obligations
Maintaining logs where required by law

4.1.5 Communication (Legitimate Interest / Consent – GDPR Article 6(1)(f)/(a))

Service Notifications: important notifications about service status, security, or changes
Support Communications: answering your questions and support requests
Account Management: communicating about your account and subscription status

We do not send marketing communications from the timelit web app without your explicit, separate consent.

4.2 Legal Basis for Processing

We rely on the following legal bases under GDPR:

Processing Activity	Legal Basis	GDPR Article
Service delivery (email, calendar, meetings)	Contractual necessity	6(1)(b)
Microsoft OAuth authentication	Consent	6(1)(a)
Token storage and refresh	Contractual necessity	6(1)(b)
Storage of emails, attachments, transcripts	Contractual necessity	6(1)(b)
AI-based drafting & summarization	Consent (via OAuth & feature activation)	6(1)(a)
Security monitoring	Legitimate interest	6(1)(f)
Service improvement & telemetry	Legitimate interest	6(1)(f)
Compliance and logging	Legal obligation	6(1)(c)

4.3 Legitimate Interests

Where we rely on legitimate interests (Article 6(1)(f) GDPR), they include:

Security & Abuse Prevention: ensuring account and system security
Service Quality: improving performance and stability
Business Operations: operating the Service sustainably
Error Handling: detecting and fixing bugs
Compliance: demonstrating and maintaining legal compliance

You have the right to object to processing based on legitimate interests at any time (see Section 9).

5. Digital Services Act (DSA) Compliance

timelit is a business productivity tool for Microsoft 365 users, not a public social network or content platform. As such, DSA obligations are limited, but we still:

provide ways to report security or abuse issues
log system behavior and access for integrity
cooperate with competent authorities where required by law

timelit does not provide public user-generated content feeds or recommender systems to the general public.

6. How We Share Your Personal Data

6.1 Third-Party Service Providers (Processors)

We share your personal data with selected third-party processors who act on our behalf and only according to our documented instructions.

6.1.1 Microsoft (Azure, Graph, Azure OpenAI)

Services:

Microsoft Azure (Functions, Cosmos DB, Blob Storage, Application Insights)
Azure OpenAI (EU deployment)
Microsoft Graph API (Outlook, Calendar, etc.)

Data Shared:

all data stored and processed in our Azure environment (as described above)
content sent to Azure OpenAI for AI processing
email, calendar, and meeting data accessed via Graph

Purpose:

core infrastructure hosting
AI inference (drafts, summaries, embeddings)
secure access to Microsoft 365 data via Graph

Location:

All services are configured in Azure Sweden Central (EU).
We do not intentionally transfer data to regions outside the EEA.

Safeguards:

Microsoft Data Protection Addendum
EU data boundary commitments
encryption at rest and in transit

6.1.2 Stripe Payments Europe Ltd.

Services:

payment processing and billing

Data Shared:

billing email and name
billing address (if applicable)
subscription details
payment method token (timelit does not store full card numbers)

Purpose:

manage subscriptions
process payments
issue invoices

Location:

Stripe’s EU entity processes data within the EEA (or with appropriate safeguards).

6.1.3 Plausible Analytics

Services:

privacy-friendly, cookie-less analytics for UX and performance insights

Data Shared:

anonymized usage metrics (page views, device type, referrer, approximate region)
Plausible does not use cookies and does not track individual users.

Purpose:

understanding product usage
improving UX and performance

Location:

EU-based infrastructure.

6.1.4 Azure Application Insights (via OpenTelemetry)

Services:

telemetry collection and diagnostics

Data Shared:

technical logs, error traces, performance metrics
pseudonymized identifiers (minimized)

Purpose:

monitoring and maintaining the Service
detecting failures, performance issues, security anomalies

Location:

Azure Sweden Central (EU)

We design all logs and telemetry to avoid storing raw email content or transcripts wherever possible.

6.2 Data Processing Agreements

All processors are bound by:

Data Processing Agreements (DPAs)
obligations to process personal data only on our instructions
appropriate technical and organizational security measures
confidentiality obligations
audit and oversight rights where appropriate

6.3 Legal Requirements

We may disclose personal data if required to do so by law or in response to valid legal requests, such as:

court orders or subpoenas
requests from supervisory authorities or other public bodies

Where legally permissible, we will inform you before disclosing your data.

6.4 Business Transfers

If Timelit FlexCo undergoes a merger, acquisition, or sale of assets:

your personal data may be transferred to the acquiring entity as part of the transaction
any such entity will be required to respect this Policy or a substantially equivalent policy
you will be informed of any material change in controller or purposes

6.5 With Your Consent

Where you explicitly request or consent (in the Service or otherwise), we may share data with additional parties for specific purposes (e.g., integrations). You can withdraw such consent at any time.

7. International Data Transfers

7.1 Data Storage Location

All primary data processing and storage for timelit takes place in:

Microsoft Azure Sweden Central (EU)

This includes:

Azure Functions
Azure Cosmos DB
Azure Blob Storage (where used)
Azure Application Insights
Azure OpenAI EU deployment

We design and configure the Service so that no intentional transfers of personal data outside the EEA occur.

7.2 Current International Transfers

At the time of this Policy:

We do not intentionally transfer personal data to countries outside the EEA.
Azure OpenAI is configured to operate in EU regions only.
Stripe uses its EU entity for payment processing.

If this changes in the future, we will:

update this Policy accordingly, and
implement appropriate safeguards (e.g., Standard Contractual Clauses).

7.3 Your Rights Regarding Transfers

If, in the future, international transfers become necessary, you will have the right to:

request information about such transfers
object to certain transfers (where legally permissible)
request details of the safeguards applied

8. Data Retention and Deletion

8.1 Retention Periods

8.1.1 Active Accounts

While your account remains active, we retain:

Account Data: registration and profile data
Email Data: email bodies, metadata, attachments
Calendar Data: events, metadata
Meeting Data: transcriptions, summaries, meeting metadata
AI Data: knowledge entries, embeddings, cached outputs (for a limited technical duration)
Configuration Data: user settings and preferences
Usage Logs & Telemetry: stored typically for up to 12 months, unless needed longer for security or legal reasons

8.1.2 Cached Data

We temporarily cache:

AI responses (e.g., drafts, suggestions, summaries)
semantic search results

These caches are kept only for a short technical duration necessary to provide the Service and improve responsiveness and are then automatically purged.

8.1.3 Terminated Accounts

When you terminate your account or request deletion:

we revoke your access immediately
we mark all associated personal data for deletion
we delete personal data from active systems within 30 days
backup copies are overwritten according to backup cycles (up to 90 days)

Some data may be retained longer if required by law (e.g., invoicing records).

8.1.4 Legal Requirements

We may retain certain data as required by law, such as:

invoice and billing data (e.g., up to 7 years under tax law)
records needed to resolve disputes or enforce legal claims
logs relevant to security incidents or legal compliance

8.2 Deletion Procedures

When data is deleted:

Access Revocation: your account access is immediately disabled.
Soft Deletion: data is flagged for deletion and removed from active use.
Hard Deletion: data is permanently erased from primary storage within the stated timeframe.
Backup Deletion: data is removed from backup systems through their regular rotation (up to 90 days).

You may request confirmation that deletion has been completed.

8.3 Data Minimization

We implement the principle of data minimization by:

only collecting data needed to provide the Service
avoiding unnecessary duplication of content
pseudonymizing or aggregating data wherever possible
restricting internal access (RBAC) to only those with a need to know

9. Your Data Protection Rights

Under the GDPR, you have the following rights with respect to your personal data:

9.1 Right of Access (Article 15 GDPR)

You can request:

confirmation whether we process your personal data
a copy of personal data we hold about you
information about our processing activities (purposes, categories, recipients, retention periods)

9.2 Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data, e.g.:

your name
your email address (if change is supported by your Microsoft account)
certain configuration or profile details

9.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data, for example when:

it is no longer necessary for the purposes we collected it for
you withdraw consent where processing was based solely on consent
you object to processing and there are no overriding legitimate grounds
processing is unlawful or required to be deleted by law

We may refuse deletion where:

retention is required by law
data is necessary to establish, exercise, or defend legal claims
deletion would adversely affect the rights of others

9.4 Right to Restrict Processing (Article 18 GDPR)

You can request that we restrict processing when:

you contest the accuracy of the data (for a period to verify it)
processing is unlawful but you prefer restriction instead of deletion
we no longer need the data, but you require it for legal claims
you object to processing pending verification of our legitimate interests

9.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract and carried out by automated means, you can request:

a copy of your personal data in a structured, commonly used, and machine-readable format
that we transmit such data directly to another controller where technically feasible

9.6 Right to Object (Article 21 GDPR)

You may object at any time to processing based on legitimate interests, including:

certain telemetry and analytics
certain security and monitoring practices (where feasible)

If you object, we will stop processing unless:

we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or
processing is required for legal claims.

9.7 Right to Withdraw Consent (Article 7 GDPR)

Where processing is based on your consent (e.g., Microsoft OAuth integration, AI features), you can withdraw consent at any time by:

removing timelit’s permissions in your Microsoft account / tenant
disabling specific features in the control dashboard (where available)
contacting us at support@timelit.ai

Withdrawing consent does not affect the lawfulness of processing before the withdrawal. However, it may impact your ability to use certain features or the Service at all.

9.8 Rights Related to Automated Decision-Making (Article 22 GDPR)

timelit does not make automated decisions that produce legal or similarly significant effects without human input.

AI systems:

only generate suggestions, drafts, or summaries
require your review and approval before use (e.g., sending an email)

You have the right to:

obtain human intervention
express your point of view
contest AI-generated outcomes
opt-out of specific AI features where technically supported

9.9 How to Exercise Your Rights

You can exercise your rights by contacting us:

Email: support@timelit.ai Postal Address: Timelit FlexCo, Eileen-Gray-Gasse 2/24, 1220 Vienna, Austria

To protect your data, we may ask you to:

verify your identity
provide sufficient detail to locate the data or processing you refer to

Response times:

Standard requests: within 30 days
Complex or multiple requests: may be extended by up to 2 additional months; we will inform you of any extension.

We will not charge a fee unless a request is manifestly unfounded or excessive.

10. Data Security

10.1 Security Measures

We implement appropriate technical and organizational measures, including:

10.1.1 Technical Measures

Encryption in Transit: TLS 1.2+ / 1.3 for all traffic between clients and servers
Encryption at Rest: Azure Storage and Cosmos DB encryption (AES-256)
Token Security: OAuth tokens encrypted and access-controlled
Access Controls: strict Role-Based Access Control (RBAC), enforced in Azure and in our application
Network Security: firewalls, network segmentation, and Azure DDoS protection
Regular Updates: timely patching of operating systems, runtimes, and dependencies
Monitoring: 24/7 monitoring of infrastructure and application metrics

10.1.2 Organizational Measures

Least Privilege: access to data granted only where necessary for the role
Confidentiality: all personnel with access to personal data are bound by confidentiality obligations
Training: regular security and privacy training for staff
Incident Response: documented incident response plan and playbooks
Audits: periodic internal and external reviews of security controls
Data Protection by Design & Default: privacy and security considered throughout development

10.2 Security Incidents

In the event of a personal data breach:

We will promptly assess the scope and impact.
We will contain and mitigate the incident.
Where required by law, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform affected users without undue delay.
We will document the incident and corrective measures to prevent recurrence.

10.3 Your Role in Security

You are responsible for:

maintaining the security of your Microsoft account (strong passwords, MFA)
not sharing access tokens or credentials with others
reviewing and maintaining your Microsoft tenant’s permissions and policies
informing us promptly if you suspect unauthorized access to your timelit account

11. Cookies and Tracking Technologies

11.1 Cookies We Use

Within the timelit web app (app.timelit.ai), we use cookies and similar local storage technologies only where necessary for:

Authentication: maintaining your login session
Preferences: storing certain UI and configuration preferences
Security: protecting against fraud and misuse

Plausible Analytics is used in a cookie-less, privacy-friendly mode and does not set identifiers in your browser.

We do not use third-party marketing trackers in the timelit app.

11.2 Cookie Categories

Essential Cookies: strictly necessary for Service functionality and security (cannot be disabled without impacting usage).
Functional Storage (where used): may store local preferences (e.g., UI states).

We do not use separate analytics or marketing cookies in the app.

11.3 Managing Cookies

You can control cookies and local storage through your browser settings. Disabling essential cookies or local storage may prevent you from using the Service.

12. Children’s Privacy

12.1 Age Requirements

timelit is designed exclusively for professional use with Microsoft Work or School accounts and is not intended for children under 16 years of age.

12.2 Age Verification

Because registration requires a work/school Microsoft 365 account, Microsoft’s account management and organizational policies apply. We do not knowingly process personal data of children under 16.

12.3 Parental Rights

If you are a parent or guardian and believe a child under 16 is using timelit, please contact us at support@timelit.ai. We will investigate promptly and delete data where required.

13. Automated Decision-Making and Profiling

13.1 AI-Powered Processing

timelit uses AI to:

generate email drafts and replies
create meeting summaries and action items
categorize and prioritize communications
support semantic search across your communications
extract key information (entities, topics, projects) from text

13.2 Automated Decision-Making

timelit does not make decisions with legal or similarly significant effects on you without human involvement.

AI suggestions remain under your control.
Emails are never sent automatically without your action.
You can always modify or ignore AI output.

13.3 Profiling

We may perform limited profiling to:

personalize the Service (e.g., better suggestions based on prior choices)
improve relevance of summaries and search results

This profiling:

does not use sensitive categories (e.g., race, health)
is used purely to improve your productivity experience
can be limited by disabling certain features or contacting us

You may:

object to profiling
request more information about profiling
opt out of specific AI features where technically supported

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

changes in our processing activities or services
changes in legal requirements or guidance
feedback from users or supervisory authorities

14.2 Notification of Changes

We will inform you of material changes by:

displaying a prominent notice within the timelit app, and/or
sending an email to your registered address (where appropriate).

For significant changes, we will provide reasonable advance notice before the new Policy takes effect.

14.3 Continued Use

Your continued use of the Service after the effective date of the updated Policy will constitute acceptance of the changes.

14.4 Reviewing Changes

We will:

keep a version history of this Policy
indicate the effective date and “last updated” date on top of the Policy
provide a summary of material changes on request

15. Complaints and Supervisory Authorities

15.1 Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority, in particular in:

the EU member state of your habitual residence, place of work, or
the place of the alleged infringement.

15.2 Supervisory Authority (Austria)

As Timelit FlexCo is established in Austria, our primary supervisory authority is:

Austrian Data Protection Authority (Datenschutzbehörde) Website: https://www.dsb.gv.at/

You can also find a list of all EU supervisory authorities here: https://edpb.europa.eu/about-edpb/board/members_en

15.3 Complaint Process

We encourage you to contact us first at support@timelit.ai so we can try to resolve your concerns directly.

If you remain unsatisfied, you can submit a complaint to the competent supervisory authority.

16. Contact Us

16.1 Privacy Inquiries

For any questions or concerns about this Privacy Policy or our data processing, please contact:

Email: support@timelit.ai Postal Address: Timelit FlexCo Eileen-Gray-Gasse 2/24 1220 Vienna Austria

16.2 Response Times

General inquiries: usually within 5 business days
Data subject rights requests: within 30 days, extendable by up to 2 additional months for complex cases

16.3 Language

This Privacy Policy is provided in English. If translations are provided, the English version prevails in case of any conflict.

17. Additional Information

17.1 Links to Other Policies

Terms of Service: Terms of Service
Cookie Information: included in Section 11 of this Policy
Acceptable Use rules are incorporated into the Terms of Service.

17.2 Third-Party Privacy Policies

Microsoft Privacy Policy: https://privacy.microsoft.com/
Microsoft Graph API Terms: https://learn.microsoft.com/graph/terms-of-use
Azure OpenAI Privacy: https://privacy.microsoft.com/
Stripe Privacy Policy: https://stripe.com/privacy
Plausible Data Policy: https://plausible.io/data-policy

17.3 Data Processing Records

We maintain records of our processing activities under Article 30 GDPR, including:

categories of personal data processed
purposes of processing
categories of recipients
data transfers (if any)
retention periods
security measures

You can request high-level information about these records by contacting support@timelit.ai.

Appendix A: Definitions

(You can keep this list as in your template, it already aligns well. Only one change: “Controller” is Timelit FlexCo, not timelit as a product.)

"Controller": The entity that determines the purposes and means of processing personal data; here, Timelit FlexCo.
"Processor": An entity that processes personal data on behalf of the controller (e.g., Microsoft Azure, Stripe, Plausible).
"Personal Data": Any information relating to an identified or identifiable natural person.
"Processing": Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
"Consent": Freely given, specific, informed, and unambiguous indication of the data subject’s wishes.
"Data Subject": The individual whose personal data is processed (you).
"GDPR": General Data Protection Regulation (EU) 2016/679.
"EEA": European Economic Area (EU member states plus Iceland, Liechtenstein, Norway).
"Supervisory Authority": Independent public authority responsible for monitoring GDPR compliance.
"Data Breach": A security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Appendix B: Data Processing Activities Summary

Processing Activity	Data Categories	Legal Basis	Retention Period
User Registration	Identity, Authentication	Contract (6(1)(b)) & Consent (OAuth)	While account active
Email Processing & Storage	Emails, metadata, attachments	Contract (6(1)(b))	While account active
Calendar Processing	Calendar events, availability	Contract (6(1)(b))	While account active
Meeting Transcription & Summaries	Meeting metadata, transcripts, summaries	Consent (6(1)(a))	While account active
AI Content Generation	AI inputs/outputs, embeddings	Consent (6(1)(a)) & Contract (6(1)(b))	Active + short cache
Knowledge Management	Indexed communication & embeddings	Contract (6(1)(b))	While account active
Security Monitoring	Usage, logs, telemetry	Legitimate interest (6(1)(f))	~12 months (unless longer required)
Service Improvement	Aggregated, pseudonymized usage data	Legitimate interest (6(1)(f))	As long as data is truly anonymized
Billing & Payments	Billing data, Stripe token	Legal obligation (6(1)(c)) & Contract (6(1)(b))	Up to 7 years (tax/finance)

Appendix C: Technical Architecture and Data Processing

(Adapted to match your actual setup – Sweden Central only, no long-term recording storage)

C.1 Azure Infrastructure Details

C.1.1 Primary Services Used

Azure Functions: API endpoints and background jobs
Azure Cosmos DB: main data store (emails, metadata, transcripts, embeddings)
Azure Blob Storage: storage for certain structured data or generated files (no long-term meeting recordings)
Azure OpenAI (EU deployment): model inference (drafts, summaries, embeddings)
Azure Application Insights: logging and monitoring
OpenTelemetry: instrumentation layer sending telemetry to App Insights

C.1.2 Data Residency

All services are deployed in Azure Sweden Central (EU).
Backups and geo-redundancy, where enabled, remain within the EU.

C.2 Data Processing Pipelines

C.2.1 Email Processing Workflow

Microsoft Graph API notifies timelit of new/updated emails (or data is pulled on schedule).
timelit retrieves email content and attachments from Graph.
Emails are stored and indexed in Cosmos DB and processed for categorization, summaries, and knowledge graph.
AI-generated drafts and suggestions are created via Azure OpenAI (EU).
Results are presented to you in the UI; you decide whether to use or discard them.

C.2.2 Knowledge Base Processing

Content from emails, calendars, and transcripts is processed into:
- semantic embeddings
- indexed entities and relationships
Stored per user/tenant in Cosmos DB (partitioning) to ensure isolation.
Used to power semantic search and daily briefing features.

C.2.3 Meeting Processing

Meetings are identified via calendar data.
Where transcription is enabled, Microsoft services generate transcripts.
timelit ingests transcripts and metadata, then:
- summarizes the meeting
- extracts action items
- indexes content for search
Audio/video are not stored long-term by timelit; only textual transcripts and summaries are stored.

C.3 Security Architecture

C.3.1 Authentication and Authorization

Authentication is handled via Microsoft OAuth 2.0 (enterprise-grade).
Tokens are stored encrypted and rotated according to best practices.
Internal services use managed identities and secure configs.
RBAC is enforced in Azure and within the application.

C.3.2 Data Protection at Rest and in Transit

All data in Azure is encrypted at rest (AES-256).
All communications use HTTPS/TLS with modern cipher suites.
Internal service connections are protected by Azure networking features.

C.4 Monitoring and Audit

Application logs and metrics are collected via OpenTelemetry and Azure Application Insights.
Logs are designed to avoid raw personal content wherever possible.
Access to production systems is audited and limited to key personnel.

C.5 Data Deletion Architecture

Account deletion triggers a system-wide deletion workflow that:
- revokes access
- deletes user partitions in Cosmos DB
- deletes related content in Blob Storage (if any)
- invalidates caches and derived data
Logs and backups are cleaned up in line with retention policies.

C.6 Incident Response

24/7 monitoring and alerting for suspicious behavior.
Defined incident response plan: detection → containment → investigation → notification → remediation.
All incidents are documented and reviewed for improvements.