Privacy Policy

1. Who We Are

TimmyHR is a product of Intelura Ltd (“we”, “us”, “our”). When we provide TimmyHR to organisations (our “Customers”), we act as a data processor with respect to the personal data of their employees (“End Users”). For data collected directly from Customers (admins, billing contacts), we act as a data controller.

Contact us at: privacy@intelura.com

2. Data We Collect

2.1 Customer account data (controller)

• Name, work email address, and job title of account administrators
• Company name, size, and industry
• Billing information (processed via our payment provider — we do not store card details)
• Usage data: pages visited, features used, login timestamps
• Communications with our support team

2.2 Employee data processed on behalf of Customers (processor)

When Customers use TimmyHR, they upload and manage employee data including:

• Full name, job title, department, and employment dates
• Contact information (work email, phone number)
• Payroll data: salary, deductions, pay history, bank details
• Attendance records: check-in/out timestamps, leave records, absence records
• Performance data: goals, 1:1 notes, survey responses, review records
• Profile photos and other information employees choose to add
• Documents uploaded to the platform

We process this data solely to provide TimmyHR services as directed by the Customer. Customers are responsible for their own legal basis for processing their employees' data.

2.3 Technical data (all users)

• IP address, browser type, and device information
• Cookies and similar tracking technologies (see Section 8)
• Error logs and diagnostic data

3. How We Use Your Data

3.1 To provide and improve TimmyHR

• Create and manage your account
• Process payroll, attendance, and HR workflows
• Send transactional emails (payslips, notifications, approvals)
• Provide customer support
• Monitor platform performance and fix issues
• Develop new features (using aggregated, anonymised usage data only)

3.2 For billing and legal compliance

• Process subscription payments
• Issue invoices and financial records
• Comply with applicable tax and accounting law
• Respond to legal requests from courts or regulators

3.3 For communications

• Product update announcements (opt-out available at any time)
• Security alerts and important service notices (these cannot be opted out of)
• Responses to your support requests

We never use HR or employee data for advertising, profiling, or sale to third parties.

4. Legal Basis for Processing (GDPR)

For EU/UK users, our legal bases for processing personal data are:

• Contract performance: Processing necessary to provide TimmyHR services under our Terms of Service
• Legitimate interests: Security monitoring, fraud prevention, product improvement using anonymised data
• Legal obligation: Compliance with tax, accounting, and employment law requirements
• Consent: Marketing communications (you can withdraw consent at any time)

For employee data processed as a data processor on behalf of Customers, the Customer is responsible for establishing and documenting their own legal basis under applicable employment and data protection law.

5. Data Sharing and Sub-Processors

We share data with carefully selected sub-processors to operate TimmyHR. All sub-processors are contractually bound to the same data protection standards we apply. Our key sub-processors include:

• Neon (database hosting) — Employee and account data storage
• Vercel (hosting) — Application hosting and CDN
• Resend / email providers — Transactional email delivery
• Payment processors — Billing and subscription management (card data never reaches our servers)
• Google (OAuth) — Optional single sign-on authentication

We do not sell, rent, or share personal data with advertisers, data brokers, or marketing platforms.

We may disclose data if required by law, court order, or to protect the rights, property, or safety of Intelura, our customers, or the public. We will notify affected parties where legally permitted to do so.

6. Data Retention

• Active accounts: Data is retained for the duration of the subscription
• After cancellation: Customer data is retained for 30 days, then permanently deleted unless you request earlier deletion or extended retention for legal compliance purposes
• Payroll records: We recommend Customers retain payroll records for at least 6 years per UK HMRC requirements. Upon cancellation, we provide a full data export before deletion
• Backups: Backup systems retain data for up to 90 days after deletion from live systems
• Anonymised analytics: Aggregated, anonymised usage data may be retained indefinitely

7. Your Rights (GDPR & UK GDPR)

If you are in the EU or UK, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data (subject to legal retention obligations)
• Right to restriction: Request that we restrict processing of your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent for marketing communications at any time

To exercise any of these rights, email privacy@intelura.com. We will respond within 30 days. If you are an employee whose data is held by a Customer organisation, please contact your employer (the Customer) directly — they are the data controller for your employment data.

You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

8. Cookies

TimmyHR uses cookies and similar technologies for the following purposes:

• Strictly necessary: Session management and authentication — these cannot be disabled
• Functional: Remembering your preferences (e.g., language, display settings)
• Analytics: Understanding how TimmyHR is used to improve the product (anonymised)

We do not use advertising or tracking cookies. You can manage non-essential cookies through your browser settings. Note that disabling functional cookies may affect your experience using TimmyHR.

9. Data Security

We implement industry-standard security measures to protect personal data:

• All data encrypted in transit using TLS 1.3
• All data encrypted at rest using AES-256
• Access controls: role-based permissions, least-privilege principle
• Regular security reviews and vulnerability assessments
• Secure authentication with session management and automatic timeout
• Audit logging of all administrative actions

In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR.

10. International Data Transfers

TimmyHR may process data using infrastructure and sub-processors in countries outside the EEA or UK. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission and UK International Data Transfer Agreements (IDTAs) where required.

11. Children's Data

TimmyHR is a B2B platform intended for use by individuals aged 18 and over in a professional employment context. We do not knowingly collect personal data from individuals under 18. If you become aware that a minor has provided us with personal data, please contact us at privacy@intelura.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email to account administrators and a prominent notice within TimmyHR. Continued use of TimmyHR after the effective date constitutes acceptance of the updated policy.

The date at the top of this page always reflects when this policy was last updated.

13. Contact Us

For privacy questions, data subject requests, or to report a concern:

• Email: privacy@intelura.com
• General: hello@intelura.com
• Response time: We aim to respond to all privacy requests within 5 business days and to all statutory requests within the legally required timeframe (typically 30 days)