Skip to content
Privacy policy (UK GDPR)

Privacy policy

Clear, practical privacy. This policy explains what we process, why we process it, and your rights under the UK GDPR.

Last updated: 2 February 2026.

1. Who we are

Timelint (“we”, “us”) is a ticket-first project management and service desk application for agencies. Timelint is a product by Codebased Ltd. For the purposes of UK data protection law, we may act as a controller for some personal data and a processor for other personal data (see below).

Contact. If you have privacy questions, contact us at privacy@codebased.co.uk. You can also write to us at: Codebased Ltd, Rookery Farm, Wheaton Aston, Stafford, Staffordshire, ST19 9QF, United Kingdom.

2. Roles: controller vs processor

Customer account data (controller). When you create an account, we act as controller for account administration data (for example: user names, emails, authentication data, and billing communications).

Customer content (processor). When your team and your clients use Timelint to manage tickets, comments, portal messages, files, and contact records, we process that information on your instructions. In that context, your organisation is the controller and we are the processor.

3. What personal data we process

The app is designed around tickets, service desk workflows, and a client portal. Depending on how you use it, we may process:

  • Account users: name, email address, password hash, membership/role data, and session data.
  • Client/portal contacts: name, email address, phone, job title, and organisation relationships.
  • Ticket content: titles, descriptions, comments/messages, mentions, and activity metadata.
  • Attachments: files uploaded to tickets/messages (file name, size, MIME type, and the file itself).
  • Operational data: logs and audit events needed to keep the service secure, reliable, and traceable.

4. Why we process personal data (purposes and lawful bases)

Under the UK GDPR, we rely on different lawful bases depending on the context:

  • Contract: to provide the service, authenticate users, and deliver core features (tickets, portal, service desk, time tracking).
  • Legitimate interests: to secure and improve the service, prevent abuse, and maintain operational integrity (balanced against your rights).
  • Legal obligation: where we must comply with applicable laws (for example, tax and accounting obligations if applicable).
  • Consent: where required for optional non-essential cookies or marketing communications (if used).

5. Sharing and subprocessors

We do not sell personal data. We may share data with service providers (“subprocessors”) who help us run Timelint. Examples include hosting providers, email delivery providers, and file storage providers.

Fonts. Our marketing site loads fonts from Bunny.net. Your browser may request font assets from that domain.

Subprocessors. We maintain a current list of subprocessors on request. Contact privacy@codebased.co.uk. At minimum, the marketing site uses Bunny.net for font delivery. Other subprocessors depend on deployment (for example, hosting, email delivery, and attachment storage providers).

6. International transfers

Depending on where our service providers are located, personal data may be transferred outside the UK. Where this happens, we use appropriate safeguards (for example, the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses), and we take steps to ensure an equivalent level of protection.

7. Retention

We retain personal data for as long as needed to provide the service and for legitimate operational reasons. Customer content is retained while an account is active and for a limited period after deletion to support restoration and backups.

Current retention approach (summary).

  • Account data and customer content: retained for the life of the account, unless deleted by the customer.
  • Deleted content/accounts: may remain in backups for a limited period before being overwritten (typically up to 35 days).
  • Support and security logs: retained only as long as needed for security, debugging, and operational integrity (typically 90 days).

If you need a specific retention commitment for procurement or a DPIA, contact privacy@codebased.co.uk.

8. Security

We use technical and organisational measures to protect personal data. Examples include access controls, private attachment storage served through authenticated routes, and audit trails for key actions. No method of transmission or storage is 100% secure, but we aim for security that holds shape under real use.

9. Cookies and similar technologies

Timelint uses essential cookies for authentication and session management. These are required for the service to function. The marketing site may also store a theme preference in your browser (local storage) if you use the theme toggle.

If we introduce optional analytics or marketing cookies, we will provide a clear choice and collect consent where required under UK PECR.

10. Your rights (UK GDPR)

Depending on the context and applicable law, you may have rights including:

  • access to your personal data
  • correction of inaccurate data
  • erasure (in some circumstances)
  • restriction of processing
  • data portability
  • objection to processing (including legitimate interests, in some circumstances)

If we act as a processor for your data (for example, ticket content in an agency account), requests should be directed to the account owner/controller first. We will support controllers in responding to requests.

11. Complaints

If you are unhappy with how we handle personal data, contact us first at privacy@codebased.co.uk. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

12. Changes

We may update this policy from time to time. When we do, we will update the “Last updated” date above.

Want the calmer workflow?

Start with a Jira-style system that’s dramatically easier to navigate.

Start free Security