Legal
Privacy Policy
Last updated: April 28, 2026
This Privacy Policy explains how Timebox ("we", "us", "Timebox") collects, uses, stores, and protects personal data when you use timebox.watch (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
1. Who we are
Timebox is an independent watch-collection platform. For the purposes of GDPR, Timebox is the data controller for the personal data described in this policy. You can reach us at hello@timebox.watch for any privacy-related request.
2. What data we collect
| Data | When | Why |
|---|---|---|
| Email address & password (hashed) | When you sign up for an account | Authentication and account recovery |
| Display name (optional) | If you provide it in your profile | Personalising your experience |
| Saved watches & collections | When you save a watch or collection | Providing the core product feature |
| Builder session state | While you use the collection builder | Letting you resume where you left off |
| Email address only | If you join the Pro waitlist | Notifying you when Pro launches |
| Name, email, message | If you submit a contact or concierge request | Responding to your enquiry |
| Payment metadata (Stripe customer / subscription IDs) | If you purchase a paid plan or reserve a TIMEBOX Case | Processing and tracking your purchase |
| Server logs (IP address, user-agent, request timing) | Each time you use the Service | Security, abuse prevention, debugging |
What we do not collect
- We do not use Google Analytics, Meta Pixel, or any third-party advertising trackers.
- We do not sell, rent, or share your personal data with advertisers or data brokers.
- We do not store your credit card details — payments are handled directly by Stripe.
3. Legal bases for processing
- Contract (Art. 6(1)(b) GDPR): account creation, saved collections, payment processing.
- Legitimate interest (Art. 6(1)(f)): security logging, fraud prevention, service improvement.
- Consent (Art. 6(1)(a)): Pro waitlist marketing emails, optional editorial newsletter.
- Legal obligation (Art. 6(1)(c)): tax-related transaction records.
4. Who we share data with (sub-processors)
We use a small set of trusted infrastructure providers. Each is contractually bound by data-processing agreements compliant with GDPR.
| Provider | Purpose | Location |
|---|---|---|
| Supabase (via Lovable Cloud) | Database, authentication, file storage | EU / US |
| Cloudflare | Hosting, CDN, DDoS protection | Global edge |
| Stripe | Payment processing | EU / US |
| Lovable AI Gateway (Google Gemini, OpenAI) | Generating editorial descriptions for watches | US |
Where data is transferred outside the EEA, transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
5. How long we keep data
- Account data: as long as your account is active. Deleted within 30 days of account deletion.
- Saved watches and collections: deleted with your account.
- Waitlist emails: until you unsubscribe or we close the waitlist.
- Contact / concierge messages: up to 24 months for follow-up and quality purposes.
- Payment records: 7 years (statutory accounting retention).
- Server logs: 30 days, then automatically purged.
6. Your rights under GDPR
You have the right, at any time and free of charge, to:
- Access a copy of the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your account and associated data (Art. 17, "right to be forgotten")
- Restrict processing in certain circumstances (Art. 18)
- Port your data to another service in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, where processing is based on consent
Two of these rights are available as one-click self-service tools inside your Time Vault account settings: Download my data (Art. 15 / 20) and Delete my account (Art. 17). For all other requests, email hello@timebox.watch and we will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available on the European Data Protection Board website.
7. Cookies and similar technologies
We use only strictly necessary cookies required to operate the Service — primarily your authentication session and your in-progress builder state. We do not use analytics, tracking, or advertising cookies. Because no non-essential cookies are set, no cookie consent banner is displayed under the ePrivacy Directive (Art. 5(3)).
For full detail see our Cookie Policy.
8. Security
We use industry-standard measures including TLS 1.3 encryption in transit, encryption at rest, Row-Level Security policies on every database table, hashed passwords (bcrypt), and least-privilege access controls. No system is perfectly secure; if you become aware of a vulnerability, please report it to hello@timebox.watch.
9. Children
The Service is not intended for users under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy as our practices evolve. Material changes will be communicated by email (for account holders) or by a notice on the home page at least 14 days before they take effect.
11. Contact
For any privacy-related question or to exercise your rights, contact us at hello@timebox.watch. See also our Legal Notice.