Privacy Policy

Deus Labs Stockholm AB · Version 2.0 · Effective 4 May 2026

This Privacy Policy explains how we collect, use, share, and protect personal data when you use TimeLaw at timelaw.io (the “Service”). It is written to satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Swedish data-protection law. Capitalised terms not defined here have the meaning given in our Terms of Service.

1. Controller and contact

The data controller is Deus Labs Stockholm AB, registered in Sweden.

We are not currently required to appoint a Data Protection Officer under GDPR Article 37 because our core activities do not consist of large-scale processing of special-category data or large-scale, regular, and systematic monitoring of data subjects. Our privacy contact (privacy@timelaw.io, see Section 17) acts as the responsible point of contact for data-protection questions.

2. Scope

This policy covers personal data we process as controller in connection with the Service: account holders, prospects who contact us or join the waiting list, and visitors to the marketing site. It does not cover the public legal texts we ingest from EUR-Lex (which are public-sector information and contain no personal data of our users), nor does it cover personal data you may process within the Service about your own data subjects (for that scenario, see Section 14, Business customers).

3. Categories of personal data we collect

| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name, authentication provider, sign-in timestamps, language preference | You (sign-up); Supabase Auth |
| Profile and preferences | Selected NACE industry codes, alert subscription rules (industry, topic, company, collection), alert frequency, optional company name, optional Slack incoming-webhook URL | You |
| User Content | Projects you create, acts you save, internal notes, project-item annotations, audit-trail entries reflecting your own actions | You |
| Billing data | Plan, subscription status, billing period, Mollie customer ID, Mollie subscription ID, invoices issued. We do not see or store your card details. | Mollie |
| Usage and product telemetry | Pages visited, search queries, acts viewed and saved, alert dispatch logs, request timestamps, feature use | You; server logs |
| Technical data | IP address, user-agent string, device/browser type, request errors | Your device; hosting provider logs |
| Communications | Emails you send us, support tickets, replies to transactional emails, waiting-list signups | You |
| Company-lookup queries | Free-text search terms you submit when looking up a company in our company-lookup feature; matched company records returned by national registries | You; national registries |

We do not knowingly process special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10). Please do not enter such data into project notes or queries.

4. Purposes and lawful bases

| Purpose | Categories used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service: authenticate you, run the regulatory feed, send transactional alerts you have configured, store your projects and saved acts | Account, profile, User Content, technical | Contract performance, Art. 6(1)(b) |
| Bill paid Subscriptions and meet accounting obligations | Account, billing | Contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c) (Swedish Bookkeeping Act, Bokföringslagen) |
| Operate, secure, and debug the Service; prevent abuse and fraud | Technical, usage, communications | Legitimate interest, Art. 6(1)(f) — running and protecting the Service |
| Improve the Service: aggregate analytics on which features are used, debug errors | Usage, technical | Legitimate interest, Art. 6(1)(f) |
| Send product update emails and marketing emails to existing users | Account, communications | Legitimate interest, Art. 6(1)(f) (similar-product rule, soft opt-in) — opt-out in every email |
| Send marketing to non-customers (e.g. waiting-list confirmations, newsletter) | Account, communications | Consent, Art. 6(1)(a) — withdrawable at any time |
| Comply with legal requests and defend legal claims | All as relevant | Legal obligation, Art. 6(1)(c); legitimate interest, Art. 6(1)(f) (defence of claims) |

Where we rely on legitimate interest, we have carried out a balancing test and believe our interest is not overridden by your fundamental rights. You can object (see Section 9).

5. Retention

| Data | Retention |
|---|---|
| Account data and User Content (projects, saved acts, NACE selections, alert rules) | Until you delete your account, then deleted within 30 days from primary systems; up to 35 days from encrypted backups before backup rotation purges them |
| Audit-trail entries you have created within projects | Same as the parent project; deleted on account deletion |
| Billing records and invoices | 7 years after the end of the financial year, as required by the Swedish Bookkeeping Act (Bokföringslagen 1999:1078, ch. 7) |
| Application and security logs | Up to 90 days, then deleted or aggregated |
| Email delivery logs at Resend | As per Resend's retention policy, typically 30 days |
| Alert dispatch log (which user got which act and when) | 12 months, for de-duplication and dispute handling, then deleted |
| Support communications | 3 years from the last interaction, then deleted |
| Waiting-list signups (no account created) | 24 months from signup, or until you unsubscribe, whichever is first |

6. Sub-processors

Operating the Service requires the following sub-processors. We have data-processing terms with each, and where the sub-processor is outside the EEA we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where appropriate, supplementary measures.

| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Authentication, primary PostgreSQL database, file storage | EU region (eu-central) | Within EEA — no third-country transfer |
| Vercel Inc. | Frontend hosting and edge delivery for the web app | US, with EU edge nodes | SCCs (controller-to-processor); EU edge regions where available |
| Railway Corp. | Hosting for the Python ingestion service and scheduled jobs | US/EU regions | SCCs |
| Resend, Inc. | Transactional email delivery (alerts, digests, magic links, welcome, waiting-list) | US | SCCs |
| Mollie B.V. | Payment processing for Pro, Team, and Enterprise plans | Netherlands (EU) | Within EEA — no third-country transfer. Mollie acts as an independent controller for AML/payment-services purposes. |
| OpenRouter, Inc. | LLM gateway used to call models for summarisation, classification, and search-query parsing. We send the public legal text and the user's search query string; we do not send account identifiers tied to the prompt. | US | SCCs |
| Google LLC (Generative Language API) | Embedding generation for semantic search (Gemini embedding model). We send the user's query string only. | US | SCCs; EU-US Data Privacy Framework where Google is certified |
| Anthropic PBC (via OpenRouter) | Claude models used as reviewer/scorer in the summarisation pipeline. Claude is invoked through OpenRouter; we have no direct contract with Anthropic. | US | SCCs flowed through OpenRouter |
| Slack Technologies (only if you supply a webhook) | Delivery of alerts and digests to a Slack channel you choose, using an incoming webhook URL you have configured. We send only to hooks.slack.com. | US | SCCs |
| National company registries (Bolagsverket SE, Companies House UK, KBO/CBE BE, KVK NL, CVR DK, Brønnøysund NO, PRH FI, ARES CZ, Lursoft LV, ACRA SG, GLEIF and others) | Real-time company-lookup queries when you use the company search feature. Each registry receives the search string you enter. | EU/EEA, UK (adequacy), and selected non-EEA jurisdictions | Adequacy decision (UK, etc.) or SCCs where required. These registries act as independent controllers of their own data. |

We will notify users of material changes to this list at least 14 days in advance, giving you the opportunity to object to a new sub-processor; an unresolved objection gives you the right to terminate.

7. International data transfers

Personal data may be transferred to the United States and other non-EEA countries via the sub-processors above. Where it is, we rely on:

  • European Commission adequacy decisions (e.g. for the United Kingdom);
  • the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
  • the EU-US Data Privacy Framework, where the recipient is certified under it; and
  • where appropriate, supplementary technical and organisational measures (e.g. encryption in transit and at rest, access minimisation, vendor security audits).

You may request a copy of the safeguards applied to a specific transfer by writing to privacy@timelaw.io.

8. AI and automated decision-making

The Service uses AI (large language models, embeddings, classifiers) to:

  • summarise public EU legal acts;
  • assign a severity score (low / medium / high) to those acts;
  • classify each act into NACE industry sectors;
  • generate semantic search results;
  • suggest tasks and timelines a compliance team might track for an act.

These outputs concern public legislation, not you. Alert delivery uses a deterministic match: when an act is tagged with a NACE code that matches one of your saved selections, the act enters your feed or digest. There is no AI scoring or profiling of you as a data subject.

As a result, the Service does not carry out automated decision-making that produces legal effects on you or similarly significantly affects you within the meaning of GDPR Article 22(1). You are nevertheless entitled to (a) understand at a high level how our classification and scoring work — they are described in our public documentation — and (b) ask us to review any output you believe is wrong or harmful.

9. Your rights as a data subject

Subject to the conditions in the GDPR, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectification of inaccurate or incomplete data (Art. 16);
  • erasure (“right to be forgotten”) where the conditions in Art. 17 are met;
  • restriction of processing in the cases set out in Art. 18;
  • data portability for data you provided to us, in a structured, commonly used, machine-readable format (Art. 20);
  • object to processing based on legitimate interest, including direct marketing (Art. 21); and
  • withdraw consent at any time, where processing is based on consent — without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any right, email privacy@timelaw.io. We will respond within one month of receipt of a verifiable request, extendable by a further two months for complex or numerous requests, in which case we will inform you of the extension and the reasons within the original month (Art. 12(3)). We may need to verify your identity before responding. There is normally no fee unless requests are manifestly unfounded or excessive.

You also have the right to lodge a complaint with a supervisory authority. In Sweden this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), imy.se. You may also complain to the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

10. Cookies and similar technologies

We use a deliberately small set of first-party cookies and browser storage. We do not set advertising or cross-site tracking cookies, we do not embed third-party analytics scripts, and we do not share device identifiers with ad networks.

| Name | Type | Purpose | Duration | Consent? |
|---|---|---|---|---|
| sb-* (Supabase Auth) | First-party HTTP cookie | Keep you signed in; refresh access tokens | Up to 1 year, refreshed on use | Strictly necessary — no consent required (ePrivacy Art. 5(3)) |
| Local storage: language_preference, NACE selection cache | Browser local storage | Remember your UI preferences and last-viewed industry filters | Until you clear browser storage | Strictly necessary for the feature you actively use |
| CSRF / session-state cookies set by Supabase auth flow | First-party HTTP cookie | Protect against cross-site request forgery during sign-in | Session | Strictly necessary |

Because we currently set only strictly necessary cookies, we do not display a consent banner. If we add analytics or marketing cookies, we will introduce a banner that obtains your prior consent and lets you withdraw it as easily as you give it, in line with the ePrivacy Directive 2002/58/EC and the IMY guidelines.

11. AI training and your data

We do not use the substantive content of your projects, notes, saved acts, alert configuration, or queries to train, fine-tune, or evaluate generative AI models, our own or anyone else's. Our model providers (Anthropic via OpenRouter, Google) are contractually committed not to use API inputs to train their foundation models in their default API tiers; we operate on those tiers.

We may use aggregated, de-identified usage statistics (e.g. “X% of searches included a NACE filter”) to improve features, classifiers, and prompts. Aggregation is irreversible.

12. Security

We apply technical and organisational measures appropriate to the risk, including:

  • HTTPS/TLS for all network traffic;
  • encryption at rest for the primary database (managed by Supabase);
  • PostgreSQL row-level security to enforce per-user data isolation;
  • least-privilege access to production systems, scoped service-role keys, and audited credentials;
  • strict allow-list of egress destinations for user-supplied webhooks (e.g. Slack webhooks must point to hooks.slack.com);
  • secret scanning, dependency monitoring, and routine security review of new sub-processors;
  • backups with rotation;
  • an internal incident-response process.
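As an added illustration of the webhook egress allow-list listed above (example code, not TimeLaw's own implementation): a validation routine that accepts a user-supplied Slack webhook only if it is an https URL whose host is exactly hooks.slack.com, rejecting look-alike hosts, embedded credentials and non-standard ports before the URL is stored. The ALLOWED_WEBHOOK_HOSTS table and the /services/ path-prefix check are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Egress allow-list: provider -> the only hostname the service will ever POST to.
# Constructed for this example; the single entry mirrors the hooks.slack.com rule.
ALLOWED_WEBHOOK_HOSTS = {"slack": "hooks.slack.com"}

# Assumption: Slack incoming webhook URLs live under /services/.
SLACK_PATH_PREFIX = "/services/"


def validate_webhook_url(url: str, provider: str = "slack") -> str:
    """Return a canonical webhook URL that is safe to store and call later.

    Raises ValueError for anything that is not an https URL whose host is
    exactly the allow-listed hostname: wrong scheme, look-alike domains
    (hooks.slack.com.attacker.example), embedded credentials
    (hooks.slack.com@attacker.example), bare IP literals, odd ports.
    """
    expected_host = ALLOWED_WEBHOOK_HOSTS[provider]
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("webhook must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in webhook URL are not allowed")
    # .hostname is already lower-cased; strip a trailing FQDN dot before comparing.
    host = (parts.hostname or "").rstrip(".")
    if host != expected_host:
        raise ValueError(f"webhook host must be exactly {expected_host}")
    if parts.port not in (None, 443):  # .port itself raises ValueError on junk
        raise ValueError("non-standard port not allowed")
    if provider == "slack" and not parts.path.startswith(SLACK_PATH_PREFIX):
        raise ValueError("unexpected webhook path")
    # Canonical form: fixed scheme and host, no query string or fragment.
    return urlunsplit(("https", expected_host, parts.path, "", ""))


def webhook_url_allowed(url: str, provider: str = "slack") -> bool:
    """Accept/reject wrapper for callers that do not need the canonical URL."""
    try:
        validate_webhook_url(url, provider)
        return True
    except (ValueError, KeyError):
        return False
```

Hostname pinning at store time does not replace checks at send time; the sending code should still resolve and connect only to the allow-listed host.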

13. Personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the IMY within 72 hours of becoming aware, as required by Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34), describing the nature of the breach, likely consequences, and the measures we are taking.

14. Business customers and shared responsibility

If you are using TimeLaw on behalf of a company, the personal data about you and your colleagues (account holders, billing contacts, usage logs) is processed by us as controller under this policy. Personal data about third parties that you bring into the Service yourself (for example, by typing a third-party individual's name into a project note or company-lookup query) is processed by us as processor on your behalf, and you are the controller. Enterprise customers may sign our Data Processing Addendum on request.

15. Children

The Service is not directed to children. You must be at least 18 to use it (see Terms of Service, Section 3). We do not knowingly collect personal data from children. If we learn that a person under 18 has registered, we will close the account and delete associated data.

16. Changes to this Policy

We may update this Privacy Policy. For material changes (new categories of data, new purposes, new sub-processors with material new transfers, narrowing of your rights), we will give you at least 14 days' advance notice by email or in-app notice. The current version is always at timelaw.io/privacy. Past versions are available on request.

17. Contact

Deus Labs Stockholm AB · privacy@timelaw.io · Stockholm, Sweden.

Version 2.0 · Last updated 4 May 2026.