Privacy Policy
As of: April 2026
1. Controller (Art. 13(1)(a) GDPR)
Timely OG
Partners: Maximilian Schusser, Jonas Jakob Stefan
Email: [email protected]
Timely OG operates the technical platform and acts – unless otherwise agreed – as a data processor within the meaning of Art. 28 GDPR.
The platform is used on behalf of the respective educational institution. The respective school is the data controller within the meaning of the GDPR.
2. Scope
This privacy policy applies to the school platform Timely (hereinafter "Platform"), which is provided to students, teaching staff, parents/guardians, and school administrators.
It covers:
- the web application
- the chat system (real-time messaging via WebSocket)
- all related services
3. Purposes of Data Processing
Data is processed for the following purposes:
- Organization of school operations
- Communication between school, students, and parents
- Documentation (e.g., class register, absences)
- Provision of digital school services
- Ensuring IT security and system operation
4. What Data We Process
a) User Account / Authentication
- Username
- Password (bcrypt-hashed value, no plaintext)
- Role (student, teacher, parent, admin, principal)
- School ID, link to person
- Language setting
b) Students
- First name, last name, class assignment
- Absences (date, period, status, reason)
- Grades (value, type, weight, subject, teacher, date, comment)
- Exams and return status
- Homework
- Announcements
- Poll participation
c) Parents / Guardians
- First name, last name
- Email address
- Assignment to children
d) Teaching Staff
- First name, last name, academic title
- Email address, phone number, date of birth
- Class assignments, subjects
- Status as class teacher
e) Sick Notes (Special Category – Art. 9 GDPR)
- Reason for absence (health data)
- Period of absence
- Name and contact details of parent/guardian
- Photo of medical certificate (optional)
- Digital signature
- Decision status
Sensitive data is automatically deleted 90 days after the decision; a basic data record is retained in accordance with legal requirements (e.g., SchUG).
f) Chat Messages
- Sender ID, recipient ID
- Message text
- Translated message text (if translation is enabled by the user, processed via DeepL API)
- Original and target language
- Timestamp
- Read status
g) Class Register
- Lesson entries
- Topics, homework, remarks
- Attendance
- Signatures
h) Timetable
- Lessons, subjects, rooms
- Substitutions, cancellations
i) Polls
- Question, options, result
- Account ID and selection
j) Push Notifications
- Device token (Firebase Cloud Messaging or Web Push)
- Platform (web, iOS, Android)
- Account assignment
Push notification tokens are used exclusively for delivering platform notifications. Tokens are automatically deleted when they become invalid.
k) Audit Log (IT Security)
- Action
- Performing person
- Target person
- IP address
- Timestamp
5. Legal Basis
Data processing is based on:
- Art. 6(1)(b) GDPR – Performance of a contract
- Art. 6(1)(c) GDPR – Legal obligation
- Art. 6(1)(e) GDPR – Public interest (school operations)
- Art. 6(1)(f) GDPR – Legitimate interest (IT security)
- Art. 6(1)(a) GDPR – Consent (e.g., polls)
- Art. 9(2)(b) GDPR – Health data
6. Recipients and Processors (Art. 28 GDPR)
- Supabase Inc. – Database and storage (EU, Frankfurt)
- Resend Inc. – Email delivery (USA, Standard Contractual Clauses)
- DeepL SE – Chat message translation (EU, Germany). Chat messages are sent to the DeepL API for optional real-time translation when enabled by the user.
- Google Ireland Ltd (Firebase Cloud Messaging) – Push notifications (USA, Standard Contractual Clauses). Device tokens and notification metadata are processed to deliver push notifications to mobile devices.
Supabase may engage additional sub-processors: https://supabase.com/subprocessors
Data is only disclosed when required by law.
7. Third-Country Transfers
Data is generally processed within the EU (Supabase in Frankfurt, DeepL in Germany). Transfers to the USA occur via Resend Inc. (email delivery) and Google/Firebase (push notifications) and are safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
8. Retention Periods
| Data Category | Retention Period |
|---|---|
| Master data | Until account deletion |
| Sick notes (sensitive) | 90 days |
| Grades | As required by law |
| Class register | 3 years |
| Absences | 3 years |
| Chat | 1 year |
| Announcements | 1 year |
| Audit log | 1 year |
| Reset codes | 10 minutes |
9. Your Rights
You have the following rights under the GDPR:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent (Art. 7(3))
Exercise your rights via email or within the platform.
10. Data Security (TOMs)
We implement the following measures:
- TLS encryption
- bcrypt password hashing
- JWT sessions
- Role-based access control
- Signed URLs
- Automatic deletion processes
- Audit logs
- Rate limiting
- Regular backups
11. Cookies
Only technically necessary cookies are used:
- Authentication
- Security
- Language settings
- Accessibility
No tracking or advertising cookies.
12. Email Communication
Emails are used exclusively for the following purposes:
- Account setup codes (for first login)
- Password reset codes
Passwords are never sent via email. Only time-limited verification codes (valid for 10 minutes) are transmitted. No advertising or newsletters are sent.
13. Protection of Minors
Data processing takes place exclusively in the school context. No profiling is carried out.
14. Automated Decisions
No automated decision-making within the meaning of Art. 22 GDPR takes place.
15. Right to Lodge a Complaint
Austrian Data Protection Authority
Barichgasse 40–42, 1030 Vienna
Email: [email protected]
16. Changes
This privacy policy may be updated. The current version is always available on the platform.