Privacy Policy
Last updated: 10 March 2026
This Privacy Policy explains how Timeitt ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Timeitt Chrome extension, Telegram bot, or any related services (collectively, the "Service"). Timeitt is operated by Jose Maria Trave Villalba, a freelance professional based in Spain.
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and other applicable data protection laws.
1. Data Controller
Jose Maria Trave Villalba
Spain
Email: josem.tvillalba@gmail.com
For any questions regarding this Privacy Policy or your personal data, you may contact us at the email address above.
2. Data We Collect
2.1 Account Data (provided by you via Google OAuth)
- Google account ID
- Email address
- Name
- Profile picture URL
2.2 Telegram Data (if using the Telegram bot)
- Telegram chat ID (a numeric identifier — we do not store your Telegram username or phone number)
2.3 Content Data
- URLs of X (Twitter) posts you save
- Tweet text, author name, and author handle (retrieved via public APIs)
- Media thumbnail URLs from saved tweets
2.4 Calendar Data
- Google Calendar free/busy information (used to schedule reading sessions — we only query availability, not event details)
- Calendar event IDs for reading sessions we create on your behalf
2.5 Preference Data
- Timezone
- Scheduling preferences (agenda type, preferred reading times, sessions per day)
- Email notification preferences
2.6 Authentication Tokens
- Google OAuth refresh token (stored securely to maintain calendar access on your behalf)
- Session JWT (short-lived authentication token)
2.7 Data We Do NOT Collect
- We do not read the content of your existing Google Calendar events
- We do not collect your browsing history beyond X.com interactions with Timeitt
- We do not collect your Google password
- We do not sell or share personal data with third parties for advertising purposes
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Saving tweets and scheduling reading sessions | Contract performance (Art. 6(1)(b)) |
| Google Calendar integration | Consent (Art. 6(1)(a)) — via explicit OAuth grant |
| Email notifications (digest, reminders, recap, nudges) | Legitimate interest (Art. 6(1)(f)) — service functionality |
| Storing refresh tokens for calendar access | Consent (Art. 6(1)(a)) — via explicit OAuth grant |
4. How We Use Your Data
- To provide the core Service: saving tweets, scheduling reading sessions, and creating Google Calendar events
- To send email notifications you have opted into (digest, reminders, weekly recap, nudges)
- To maintain your authenticated session across the extension and Telegram bot
- To improve the Service (aggregate, anonymized usage patterns only)
5. Data Storage and Security
- Database: Your data is stored in a PostgreSQL database hosted by Neon (serverless PostgreSQL) in the United States. Neon complies with SOC 2 Type II standards.
- Backend: API routes are hosted on Vercel (serverless functions) with data centers in the United States.
- Encryption: All data in transit is encrypted via TLS/HTTPS. Database connections use SSL.
- Access: Only the data controller has administrative access to the database and infrastructure.
5.1 International Data Transfers
Your data is processed in the United States by our infrastructure providers (Vercel, Neon). These transfers are protected under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) where applicable. By using the Service, you acknowledge this transfer.
6. Data Retention
- Account data: Retained while your account is active. Deleted upon account deletion.
- Saved tweets and reading sessions: Retained while your account is active. Deleted upon account deletion.
- Authentication tokens: Refresh tokens are retained while your calendar is connected. Revoked upon calendar disconnection or account deletion.
- Email logs: Timestamp-only deduplication records (e.g., "last digest sent at"). Deleted upon account deletion.
When you delete your account, all personal data is permanently deleted from our database, including saved tweets, reading sessions, and authentication tokens. Google Calendar events created by Timeitt are also deleted from your calendar.
7. Your Rights (GDPR Articles 15–22)
As an EU resident, you have the following rights:
- Right of access (Art. 15) — Request a copy of your personal data
- Right to rectification (Art. 16) — Request correction of inaccurate data
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten"). You can do this directly via the extension's Settings → Delete Account, or by contacting us.
- Right to restriction (Art. 18) — Request restriction of processing
- Right to data portability (Art. 20) — Request your data in a structured, machine-readable format. You can export all your data at any time via the extension Settings or by contacting us.
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time (e.g., disconnect Google Calendar, disable email notifications)
To exercise any of these rights, email us at josem.tvillalba@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with any EU supervisory authority.
8. Recipients & Data Sharing
Timeitt shares your data only with the following third-party service providers, strictly for the purposes of operating the Service. We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.
- Google (OAuth, Calendar API): Authentication and calendar event management. Receives your Google account data and calendar free/busy information. Subject to Google's Privacy Policy.
- Telegram (Bot API): Message handling for the Telegram bot. Receives your Telegram chat ID and message content. Subject to Telegram's Privacy Policy.
- Resend (Email delivery): Transactional email delivery. Receives your email address and notification content. Subject to Resend's Privacy Policy.
- Vercel (Hosting): Serverless infrastructure hosting our API and web pages. Processes all requests to the Service. Subject to Vercel's Privacy Policy.
- Neon (Database): PostgreSQL database hosting. Stores all user data described in Section 2. Subject to Neon's Privacy Policy.
9. Analytics
We collect anonymized usage events (e.g., "tweet saved", "session scheduled") to understand how the Service is used and to improve it. Analytics events may include a user identifier but do not contain tweet content, email addresses, or other personal information beyond what is necessary to aggregate usage patterns. Analytics data is retained for 90 days and then permanently deleted.
10. Cookies and Local Storage
The Timeitt Chrome extension uses chrome.storage.local to store your authentication state, saved tweets, and preferences locally on your device. This is not shared with any third party and is not accessible to websites you visit.
The Timeitt backend does not use cookies.
11. Children's Privacy
Timeitt is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Intellectual Property
The Timeitt name, logo, software, and all associated intellectual property are owned by Jose Maria Trave Villalba. All rights reserved.
- The Service software, design, and documentation are protected by copyright law.
- You may not copy, modify, distribute, reverse-engineer, or create derivative works of the Service without prior written consent.
- Tweet content saved through the Service remains the intellectual property of the original authors. Timeitt stores this content solely to provide the Service to you and does not claim ownership over it.
- "X", "Twitter", and related marks are trademarks of X Corp. "Google", "Google Calendar", and related marks are trademarks of Google LLC. "Telegram" is a trademark of Telegram FZ-LLC. Timeitt is not affiliated with, endorsed by, or sponsored by any of these companies.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.
If you have any questions, concerns, or requests regarding this Privacy Policy, contact us at josem.tvillalba@gmail.com.