timer.new

Privacy

Last updated: 2026-06-04

Who we are

timer.new is operated by the team behind the timer.new service. We act as the data controller for any personal data we process. Contact us about anything privacy-related at privacy@timer.new.

What we collect, and why

  • If you don't sign in: we store nothing about you on our servers. Your timer state lives in your browser tab and the URL. We do set strictly-necessary cookies (CSRF token, session id) so the site works at all.
  • If you sign in: your email address (mandatory), your name and avatar URL (if your OAuth provider shares them), your Stripe customer id (we never see your card — Stripe stores it), and your saved presets and shared rooms.
  • Anonymous usage measurement (everyone): we count page views and key actions in PostHog (EU) using a privacy-preserving daily hash. No cookies or other identifiers are stored on your device and the data is not linked to you. This runs by default under legitimate interest; declining analytics keeps you in this anonymous-only mode.
  • If you opt in to analytics: we additionally link analytics to you (page views, button clicks, timer events) and record sessions in PostHog so we can improve the product faster. Off until you accept, and revocable anytime below.
  • If you use AI Coach: the text of your prompt is sent to Anthropic for inference. Anthropic does not train on API data.

Lawful basis (GDPR)

  • Strictly-necessary cookies: legitimate interest — the site doesn't work without them.
  • Account data, subscriptions, support: contract — needed to provide the service you signed up for.
  • Anonymous, cookie-free usage measurement: legitimate interest — no device storage, no personal data, used only to operate and improve the service.
  • Identified analytics and session recording: consent (granular, revocable, off by default).
  • AI Coach inference: contract when you use the feature; we send the minimum needed.

Subprocessors

We use the following service providers. Each acts under a DPA and processes only the data needed.

  • Fly.io — application hosting (DE/EU regions where possible)
  • PostHog Cloud EU — product analytics, session recording, error tracking, OTel traces
  • Stripe — payment processing
  • Anthropic (Claude API) — AI Focus Coach inference
  • Mailgun — transactional email (magic links, receipts)
  • Google — OAuth sign-in (only if you use Google to sign in)

Retention

  • Account data: kept while your account exists; deleted within 30 days of account deletion.
  • Magic-link tokens: 15 minutes, then auto-expired.
  • AI Coach prompts (server-side debug log): max 30 days.
  • Stripe invoices: per Stripe's retention policy.
  • PostHog session recordings: 30 days.

Your rights under GDPR

You can request access, correction, deletion, restriction, portability, or object to processing. Email privacy@timer.new from the address attached to your account and we'll act within 30 days.

You also have the right to lodge a complaint with your local supervisory authority.

Cookies

  • _timer_new_key — signed session cookie. Strictly necessary.
  • tn_consent — remembers your consent choice. Strictly necessary.
  • ph_* — PostHog analytics cookies. Set only if you accept analytics; the default anonymous mode stores nothing on your device.

Changes

We'll post material changes at the top of this page and email signed-in users at least 14 days before they take effect.

Slack integration

If you add timer.new to a Slack workspace, we process only what the integration needs:

  • Installation record: your Slack team ID, team name, OAuth bot token, and bot user ID, stored while the app is installed.
  • Account link (optional): if you connect your account from the /timer prompt, we store a mapping from your Slack user ID to your timer.new account so your timers save to it.
  • Slash command: when you run /timer, Slack sends us the duration you type plus your team and channel IDs. We never read your messages and request no read scopes — only the commands scope.

Removing the app from your workspace deletes the installation record and any account links for that workspace. Background images you upload are stored by Fly Tigris (S3-compatible object storage), an additional subprocessor alongside those listed above.