Privacy Policy

Last updated: 9 April 2026

Timesaver Task Manager ("Timesaver", "we", "us", "our") is operated by Mad Fitness Ltd, a company registered in Malta. This Privacy Policy explains what information we collect when you use our web app at timesavertaskmanager.com and our mobile apps on iOS and Android, how we use it, and the rights you have over it.

We are committed to protecting your personal data and complying with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act.

1. Who We Are

Data controller: Mad Fitness Ltd
Address: Fort Cambridge Level -2, Tigne Street, Sliema, Malta
Contact: support@timesavertaskmanager.com

2. Information We Collect

Account information

• Email address — required for account creation and sign-in
• Name — displayed to your team members
• Profile photo — optional, shown on tasks and staff lists
• Role — Owner, Manager or Employee within your workspace
• Workspace data — business name, locations, business type

Workspace content you create

• Tasks — title, description, assignee, priority, due date, photos, voice notes, comments, checklists, completion photos
• Daily checklists — opening and closing checklist items per location
• Clock in/out records — time stamps, location, duration
• Inventory and equipment records
• Announcements and handover notes

Communications data

• WhatsApp messages — if you or your workspace connects a Twilio WhatsApp number, the content of messages sent to that number is processed to create tasks
• Support emails — kept for up to 2 years after the issue is resolved

Payment information

• Stripe customer ID — we store an identifier linking your workspace to your Stripe subscription
• We do NOT store payment card details — these are handled entirely by Stripe, a PCI-DSS compliant payment processor
• Subscription status — plan, trial end date, current period end

Technical information

• IP address (for Firebase authentication security)
• Device information (browser type, OS version)
• Push notification tokens (Firebase Cloud Messaging)
• Last sign-in time

3. How We Use Your Information

We process your personal data for the following purposes:

• Providing the service — creating and managing your workspace, tasks, and team
• Authentication — signing you in securely via Firebase Auth
• Billing — processing subscription payments via Stripe
• Notifications — sending task assignments, reminders and daily digests via push notifications and optionally WhatsApp
• Support — responding to questions and troubleshooting issues
• Security — detecting and preventing abuse, fraud, and unauthorised access
• Legal compliance — meeting our obligations under applicable laws

4. Legal Basis for Processing (GDPR)

• Contract — processing necessary to provide the service you signed up for
• Legitimate interest — keeping the service secure and improving it
• Consent — push notifications and marketing emails (you can opt out at any time)
• Legal obligation — keeping records as required by tax and accounting laws

5. Who Has Access to Your Data

Within your workspace

Other members of your workspace can see data according to their role:

• Owners see everything in the workspace
• Managers see all tasks and staff at their location and across the workspace
• Employees only see tasks assigned to them

Your data is never shared between different workspaces. Multi-tenant isolation is enforced at the database level via Firestore security rules.

Third-party service providers (sub-processors)

We use the following processors to deliver Timesaver. Each has committed to GDPR-compliant data handling:

• Google Firebase (Alphabet Inc.) — authentication, database, hosting, cloud functions, push notifications. Privacy
• Stripe (Stripe Payments Europe, Ltd.) — subscription billing. Privacy
• Twilio (Twilio Inc.) — WhatsApp message delivery if your workspace uses the WhatsApp integration. Privacy
• Google Cloud Speech-to-Text — voice task transcription. Audio is processed and immediately discarded. Privacy

We do not sell your personal data. We do not share it with advertisers or data brokers.

6. International Data Transfers

Some of our processors operate data centres outside the European Economic Area, including the United States. When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission to ensure your data is protected to GDPR standards.

7. Data Retention

• Active workspace data — retained for as long as your subscription is active
• Cancelled workspaces — retained for 30 days after cancellation to allow reactivation, then permanently deleted
• Support emails — up to 2 years
• Billing records — 7 years (legal requirement under Maltese tax law)
• Backups — rolling 30-day backups, automatically overwritten

8. Your Rights

Under GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure ("right to be forgotten") — request deletion of your personal data
• Restriction — request that we stop processing your data in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — where we rely on consent (e.g. notifications)
• Lodge a complaint — with the Maltese Information and Data Protection Commissioner (idpc.org.mt)

To exercise any of these rights, email us at support@timesavertaskmanager.com. We will respond within 30 days.

9. Security

We take reasonable technical and organisational measures to protect your personal data:

• All data transmitted over the internet is encrypted with TLS 1.2+
• Firestore data is encrypted at rest by Google
• Access controls: workspace members can only see data they have permission for
• Authentication via Firebase Auth with industry-standard password hashing and Google OAuth
• Audit logs of significant account actions

No method of internet transmission or electronic storage is 100% secure. If a data breach occurs that is likely to affect your rights, we will notify you and the Information and Data Protection Commissioner within 72 hours as required by GDPR.

10. Children's Privacy

Timesaver is a business tool intended for use by adults in a workplace setting. It is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be communicated via email to workspace owners at least 14 days before taking effect.

12. Contact Us

Questions about this policy or your personal data?

Mad Fitness Ltd
Fort Cambridge Level -2, Tigne Street, Sliema, Malta
support@timesavertaskmanager.com