Last updated: May 6, 2026
TimeLock ("we," "us," or "our") is a scheduling and availability coordination service operated by Baxter Research Group. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the TimeLock website and services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you create a TimeLock account, we collect your email address. We use a passwordless authentication system — no passwords are stored. Your display name is initially derived from your email address and can be updated at any time. You may also select an avatar color and a preferred timezone.
1.2 Event and Scheduling Data
When you create or participate in a scheduling event, we collect the event title, optional description, proposed time slots, and your availability responses (available, maybe, or unavailable). If you are an event organizer, we also store your organizer name and email, participant lists (names and email addresses), invitation records, response deadlines, and event configuration preferences such as whether responses are hidden or sharing is allowed.
1.3 Comments
TimeLock allows participants to leave comments on events. Any comments you submit are stored alongside the event data and are visible to the event organizer and, depending on event settings, other participants.
1.4 Payment Information
If you subscribe to a paid plan (Pro or Team), payment processing is handled entirely by Stripe, Inc. We do not collect, store, or have access to your full credit card number, bank account details, or other sensitive financial information. We receive and store your Stripe customer ID and subscription ID to manage your plan. Please review Stripe's privacy policy at stripe.com/privacy for details on how Stripe handles your payment data.
1.5 Technical and Session Data
When you sign in, we create a session record that includes your IP address and browser user-agent string. This information is used for security purposes, including detecting unauthorized access and enforcing rate limits. Session tokens expire after 30 days.
1.6 AI Feature Data
TimeLock offers optional AI-powered suggestions (best times, agenda generation, and response summaries). When you use these features, your event title, description, participant names, availability data, and timezone are sent to Anthropic's Claude API for processing. AI-generated suggestions are cached for up to 24 hours to improve performance. We track AI usage per account for billing and rate-limiting purposes. We do not use your data to train AI models — please see Anthropic's API data policy at anthropic.com/policies/privacy for more information.
2. How We Use Your Information
We use the information we collect to: provide, operate, and maintain the Service; authenticate your identity and manage your account; process scheduling events and deliver availability results; send sign-in codes, event invitations, and service-related notifications via email; process payments and manage subscriptions through Stripe; generate AI-powered scheduling suggestions when requested; enforce rate limits and prevent abuse; improve and develop the Service; and comply with legal obligations.
3. How We Share Your Information
3.1 With Event Participants
When you respond to a scheduling event, your name and availability selections are visible to the event organizer and, depending on event settings, to other participants. The organizer controls whether responses are visible to all participants or hidden.
3.2 With Service Providers
We share information with the following third-party service providers who assist us in operating the Service:
3.3 Legal Requirements
We may disclose your information if required to do so by law, in response to valid legal process (such as a court order or subpoena), or to protect the rights, property, or safety of TimeLock, our users, or the public.
3.4 Business Transfers
If TimeLock or Baxter Research Group is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
4. Data Retention
We retain your account information for as long as your account is active. Event data is retained for as long as the event exists or until the organizer deletes it. Session data is retained until sessions expire (30 days). AI suggestion caches expire after 24 hours. Sign-in codes are temporary and are cleared after use or expiration (15 minutes). You may delete your account at any time through your dashboard settings, which will remove your account data and associated sessions.
5. Data Security
We implement appropriate technical and organizational measures to protect your information, including: encrypted data transmission via TLS/SSL; secure, cryptographically signed authentication tokens (JWT); timing-safe token comparisons to prevent timing attacks; rate limiting on authentication and data mutation endpoints; input validation and HTML sanitization; SameSite cookie attributes to prevent cross-site request forgery; and secure cookie flags in production environments. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
6. International Data Transfers
TimeLock is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. Where required by applicable law (such as the EU General Data Protection Regulation), we rely on appropriate legal mechanisms for such transfers, including standard contractual clauses.
7. Your Rights
7.1 All Users
Regardless of your location, you have the right to: access the personal information we hold about you; update or correct your account information through your dashboard settings; delete your account and associated data; and opt out of non-essential communications.
7.2 European Economic Area, UK, and Switzerland (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including: the right to request a portable copy of your data; the right to restrict or object to processing of your data; the right to withdraw consent at any time (where processing is based on consent); and the right to lodge a complaint with your local data protection authority. Our legal bases for processing your data are: performance of our contract with you (providing the Service), your consent (for AI features and optional communications), our legitimate interests (security, fraud prevention, and service improvement), and compliance with legal obligations.
7.3 California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information, including: the right to know what personal information we collect, use, and disclose; the right to delete your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information; the right to limit the use of sensitive personal information; and the right to non-discrimination for exercising your privacy rights. We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising purposes. To exercise these rights, please contact us using the details below.
7.4 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights including: confirmation of the existence of processing; access to your data; correction of incomplete, inaccurate, or out-of-date data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; deletion of data processed with consent; and information about sharing with third parties.
7.5 Other Jurisdictions
We respect data protection laws worldwide. Residents of Canada (PIPEDA/CPPA), Australia (Privacy Act 1988), Japan (APPI), South Korea (PIPA), Singapore (PDPA), Thailand (PDPA), South Africa (POPIA), and other jurisdictions with applicable data protection laws may have similar rights, including the right to access, correct, and delete personal information, and to object to or restrict certain processing. We will honor valid requests in accordance with applicable law. Please contact us to exercise your rights.
8. Children's Privacy
The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). In the United States, in compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13. We do not knowingly collect personal information from any child under the applicable minimum age. If we learn that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us.
9. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by us (for example, links to Baxter Research Group or Stripe). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party site you visit.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where required by applicable law, by sending you an email notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your information, please contact us at:
TimeLock — Baxter Research Group
Email: privacy@brc.com
For purposes of the GDPR and UK GDPR, Baxter Research Group is the data controller responsible for your personal information. For EU, UK, or Switzerland-specific inquiries, you may also contact your local data protection authority.