Dear visitors,
Thank you for using TimeNow. Please read this Privacy Policy carefully, along with the Terms and Conditions and the Cookie Policy, to be fully informed about how we process personal data.
TimeNow is a web platform that allows businesses (Providers) to manage their services and appointments, and customers to make online bookings on Providers' public pages. Some features are optional and may depend on the Provider's configuration (e.g. WhatsApp integration or online payment).
The data controller for the Platform is RIGHT NOW TECHNOLOGIES S.R.L, VAT No. 53096180, registration No. J2025096530006, registered at Str Verzisori, Nr. 6, Municipiul Bucuresti, sector 4.
I. Definitions
For the purposes of this Privacy Policy, the terms below have the following meanings:
- Platform: TimeNow (the website, the web application, all features, including public booking pages and the administration area).
- Visitor: any person who accesses the Platform.
- Customer (Client User): the natural person who makes a booking or interacts with a Provider's public profile through the Platform.
- Provider (Professional User) / Company: the legal entity or sole trader who publishes their services on the Platform and manages appointments.
- Public profile: the public page associated with a Provider through which Customers can make bookings and/or submit requests.
- Personal data: any information relating to an identified or identifiable natural person (e.g. name, email, phone number, online identifiers such as IP address, etc.).
- Processing: any operation or set of operations performed on data (e.g. collection, recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, disclosure, erasure/destruction).
- Controller: the legal entity that determines the purposes and means of processing personal data; in relation to data processed through the Platform, the Controller is RIGHT NOW TECHNOLOGIES S.R.L.
- Data subject: the natural person whose personal data are processed (e.g. Visitor, Customer, representative/employee of a Provider).
- Processor: the legal entity that processes data on behalf of the Controller (e.g. infrastructure, email, analytics, payment, messaging providers), under a contract.
- Recipient: the legal entity/authority to whom data may be disclosed (e.g. the Provider at which you make a booking, competent authorities, as applicable).
- GDPR: Regulation (EU) 2016/679 on the protection of personal data.
- Supervisory authority: the competent independent public authority (in Romania: ANSPDCP).
- EEA: European Economic Area.
II. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data. Exercising these rights is, in principle, free of charge. In certain situations (e.g. repetitive, manifestly unfounded or excessive requests), we may charge a reasonable fee or refuse the request, in accordance with applicable law.
- Right of access: you may obtain confirmation of processing and access to your data, as well as a copy of it.
- Right to rectification: you may request the correction/completion of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): you may request the deletion of your data, to the extent that there is no legal basis for its retention.
- Right to restriction of processing: you may request the limitation of processing in certain cases provided by the GDPR.
- Right to data portability: you may request to receive your data in a structured, commonly used, machine-readable format.
- Right to object: you may object to processing based on legitimate interests (including profiling, where applicable).
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making: to the extent Article 22 GDPR applies.
- Right to lodge a complaint: with the ANSPDCP or before competent courts.
How to exercise your rights
- You can contact us at [email protected].
- We may request additional information to verify your identity and prevent unauthorised disclosure of data.
- We will generally respond within 30 calendar days; this period may be extended in justified cases, in accordance with the GDPR.
Our data processing obligations
As Controller, we commit to and comply with the following main obligations (without limitation):
- Lawfulness, fairness and transparency: we process data lawfully and inform you clearly about processing activities.
- Purpose limitation: we process data only for specified, explicit and legitimate purposes.
- Data minimisation: we collect only the data necessary for the Platform's functionality.
- Accuracy: we take reasonable steps to ensure data is correct and up to date.
- Storage limitation: we retain data only for as long as necessary, as described in the "Retention" section.
- Integrity and confidentiality: we apply appropriate security measures to protect data.
- Accountability: we can demonstrate compliance with the GDPR (e.g. through policies, contracts with processors and technical/organisational measures).
- Support for exercising rights: we facilitate the exercise of rights and handle requests within a reasonable timeframe.
- Incident management: we investigate and manage security incidents and, where required, notify the supervisory authority/data subjects in accordance with the GDPR.
III. What Data We Process
1) Data provided directly
- Bookings: name, email, phone number, city/county (where requested), chosen services, date/time, notes.
- Account (dashboard): email, name, role, company, preferences and settings, profile picture (if uploaded).
- Contact / demo requests: name, email, company and message (if provided).
2) Data collected automatically
- technical data: IP address, user-agent, session identifiers/cookies, browser/device settings;
- usage data: pages visited, actions in the TimeNow mobile app, technical events and errors — transmitted via a pseudonymised internal identifier (without email, name or phone number); see Section V (PostHog) for details.
3) Data from third-party services (where applicable)
- Payments: payment status, amount, currency, order identifier (card data is processed by the payment processor, not by us).
- WhatsApp/Meta: technical identifiers, numbers, metadata and message content necessary to deliver the feature (if the Provider enables the integration).
- Google authentication: if you use Google Sign-In, we may receive basic account data (e.g. email, name), subject to your configuration.
IV. Purposes and Legal Bases
- Service delivery (Art. 6(1)(b) GDPR): creation and management of bookings, accounts, and operational communications.
- Legal obligations (Art. 6(1)(c) GDPR): where the law requires retention or reporting.
- Legitimate interests (Art. 6(1)(f) GDPR): security, fraud/abuse prevention, and improvement of the Platform and the TimeNow mobile app through pseudonymised statistical analysis (PostHog).
- Consent (Art. 6(1)(a) GDPR): analytics cookies and certain non-essential communications, where applicable.
V. To Whom We Disclose Data
We do not sell your data. We may disclose data to:
- Providers (companies) at which you make bookings: to deliver the booked service.
- Resend: sending emails (e.g. authentication, notifications), as a processor.
- Netopia: processing online payments (if the Provider has enabled payment).
- Meta/WhatsApp: for messaging features, if configured.
- Google: for Google Tag Manager/Analytics (with consent) and/or Google Sign-In (if used).
- PostHog: statistical analysis of TimeNow mobile app usage (events, navigation, features used), as a processor, on servers located in the EU (eu.posthog.com). We transmit only a pseudonymised internal identifier — without email, name or phone number. Legal basis: legitimate interests (Art. 6(1)(f) GDPR). You can disable analytics at any time from the mobile app (Profile → "Send analytics"). PostHog acts under a Data Processing Agreement (DPA). PostHog Privacy Policy.
- Infrastructure providers: hosting, databases, storage, monitoring (as processors).
- Public authorities: if required by law or pursuant to a valid request.
VI. International Transfers
Some third-party services (e.g. Google, Meta, Resend) may involve transfers of data outside the EEA. In such cases, we rely on applicable legal mechanisms (e.g. Standard Contractual Clauses) and supplementary measures, as appropriate.
VII. Retention
We retain data only for as long as necessary for the purposes for which it was collected, for the provision of services, and for compliance with applicable legal obligations (e.g. accounting/tax obligations), as well as for the defence of our legal rights.
VIII. Data Security
We implement reasonable technical and organisational measures to protect data (access controls, role separation, encryption in transit, logging, anti-abuse protection, backup). No method of transmission or storage is 100% secure, but we make continuous efforts to minimise risks.
IX. Automated Decisions / AI Features
Where a Provider enables the WhatsApp booking assistant, the Platform uses an AI model operated by a third-party provider (Groq) to understand and respond to your messages and facilitate bookings. We do not share more identifiable information with the AI provider than is necessary to process the conversation. We do not pursue exclusively automated decision-making with significant legal effects on you within the meaning of Art. 22 GDPR: AI is used only to facilitate conversation and booking processes, and human oversight is available for all important decisions.
X. Google API Services — Limited Use Disclosure
Where the Platform accesses Google user data (e.g. through the Google Calendar integration or Google Sign-In), our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
XI. Changes to This Policy
We may update this Privacy Policy to reflect changes to our services or legal requirements. The version published on this page is the applicable one.
Controller: RIGHT NOW TECHNOLOGIES S.R.L
VAT No.: 53096180
Registration No.: J2025096530006
Address: Str Verzisori, Nr. 6, Municipiul Bucuresti, sector 4
Email: [email protected]
If you wish to lodge a complaint, you may contact the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro