ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
main
timebank-cc-public/references/gdpr/timebank_cc/2026-01-01/privacy-policy-FULL-en.md
Ronald Huynen 2547717edb Initial commit
2026-03-23 21:37:59 +01:00

18 KiB
Raw Permalink Blame History

Privacy Policy for Timebank.cc

Last Updated: January 1, 2026

1. Introduction

Timebank.cc ("we," "our," or "the platform") is committed to protecting your privacy and giving you control over your personal data. This Privacy Policy explains how we collect, use, store, and protect your information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Our Privacy Principles:

  • We collect only the data necessary for platform functionality
  • We never sell or share your data with third parties
  • We don't use tracking cookies or external analytics
  • We give you full control over your data
  • We practice data minimization and privacy by design
  • Our platform is built with open source software
  • You control what personal data is stored and its precision level

2. Data Controller

Timebank.cc (legal entity: association Timebank.cc / vereniging Timebank.cc)
Zoutkeetsingel 77
2515 HN Den Haag
The Netherlands

Email: info@timebank.cc
Support: support@timebank.cc

For privacy-related inquiries, contact us at: info@timebank.cc

3. What Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Username (publicly visible)
  • Full name
  • Email address (for authentication and important notifications)
  • Phone number (optional, for account recovery as last resort)
  • Password (encrypted and never stored in plain text)

3.2 Profile Information

You have complete control over what profile information to provide:

  • Profile description
  • Skills and interests
  • Availability preferences
  • Location (you choose the precision level: none, city, region, or custom distance)
  • Any other personal information

Important: You decide what personal data is stored. The platform will not store any profile information without your explicit choice to provide it.

3.3 Transaction Data

To facilitate timebanking, we record:

  • Time exchange transactions
  • Time credits balance
  • Service offerings and requests
  • Messages between users (encrypted where technically feasible)

3.4 Technical Data

We collect minimal technical information necessary for platform security:

  • IP address of your last login (for security monitoring, fraud prevention, and account recovery)
    • Retained for 180 days, then automatically deleted
    • Used only for security purposes and account recovery
  • Online presence data (for real-time messaging features)
    • Online/offline status
    • Last seen timestamp
    • Recent activity for presence detection (within 5-minute threshold)
    • Data is automatically deleted after inactivity or when you log out
  • Browser type and version (for compatibility)
  • Device type (for responsive design)
  • Login timestamps (for security)
  • Error logs (for technical maintenance)

We do NOT collect:

  • Browsing history outside our platform
  • Location tracking data
  • Social media information
  • Data from third-party cookies or trackers
  • Any analytics or behavioral data

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide timebanking services
  • Consent (Art. 6(1)(a)): For optional features like phone number sharing
  • Legitimate Interests (Art. 6(1)(f)): For platform security, fraud prevention, and service improvement
  • Legal Obligation (Art. 6(1)(c)): To comply with legal requirements

5. How We Use Your Data

5.1 Platform Functionality

  • Creating and managing your account
  • Facilitating time exchanges between members
  • Enabling communication between users via in-platform messaging
  • Maintaining time credit balances
  • Sending essential platform notifications via email (account security, transaction confirmations)
  • Delivering user-to-user messages via email notifications (when enabled by you)

5.2 Account Security

  • Verifying your identity during registration
  • Recovering access to lost accounts (via phone verification)
  • Detecting and preventing fraud and abuse
  • Ensuring platform security

5.3 Platform Improvement

  • Analyzing usage patterns (anonymized data only)
  • Fixing technical issues
  • Improving user experience
  • Developing new features

6. Data Sharing and Disclosure

6.1 Within the Platform

  • Usernames only are visible to other platform users (and may appear on social media if you create events/posts that are shared)
  • Full names are not displayed publicly outside the platform or shared on social media
  • Profile information you choose to share is visible to logged-in members
  • Phone numbers are only shared if you explicitly grant permission to specific users
  • Transaction history is visible only to the parties involved
  • Online status (presence) is visible to other logged-in members to facilitate real-time connections and messaging
    • Your online/offline status is shown when you're actively using the platform
    • Last seen timestamps help members know when you were last active
    • This information is used only for platform messaging features
    • No sensitive personal data is exposed through presence tracking
  • Profile visibility automatically adjusts based on account status:
    • Inactive profiles (no login for 2 years) are hidden from search and labeled as inactive
    • Profiles with unverified email addresses have limited visibility
    • Incomplete profiles have limited visibility until profile information is added
    • You control what profile information to make visible

6.2 No External Sharing

We do NOT:

  • Sell your personal data to anyone
  • Share your data with advertisers
  • Provide your data to data brokers
  • Use external analytics or tracking services

Search Engine Protection: We actively prevent search engines from indexing platform content, ensuring your profile and activities are not discoverable through external search engines.

Social Media Sharing: Events and posts may be shared on social media platforms by their organizers/creators. When an event or post is shared on social media, the following information becomes visible outside our platform:

  • Event or post content
  • Username of the organizer/creator

Important: Only usernames are shared on social media, never full names. The sharing of events/posts is controlled by the organizer/creator of that content. Regular platform activities, profiles, and transactions are not shared on social media.

6.3 Legal Requirements

We may disclose data only when:

  • Required by law (court order, legal obligation)
  • Necessary to protect rights, safety, or property
  • In case of suspected illegal activity

In such cases, we will notify you unless legally prohibited.

6.4 Service Providers

We use minimal essential service providers who operate under strict data processing agreements:

Hosting: Greenhost.nl (The Netherlands)

  • Location: EU-based (Netherlands), ensuring GDPR compliance
  • Greenhost is a privacy-focused and sustainable hosting provider committed to internet freedom
  • Data Processing Agreement (DPA) in place as required by GDPR Article 28
  • More information: https://greenhost.net/internet-freedom/

Email Service: Greenhost.nl email service (The Netherlands)

  • Provided by same hosting provider (Greenhost.nl)
  • Location: EU-based (Netherlands)
  • Data Processing Agreement (DPA) in place
  • Privacy-focused email infrastructure

What is a Data Processing Agreement (DPA)? A DPA is a legally binding contract required by GDPR Article 28 between us and our service providers. It ensures that:

  • Service providers only process your data on our instructions
  • Your data is handled according to GDPR standards
  • Service providers implement appropriate security measures
  • Service providers cannot use your data for their own purposes
  • We can audit their data handling practices
  • Data is only used for providing the specific services we contracted

All service providers are GDPR-compliant and process data only on our instructions under formal Data Processing Agreements.

7. International Data Transfers

Your data is stored within the European Union (Netherlands) through our EU-based hosting provider, Greenhost.nl. This means your data benefits from strong EU data protection laws and does not require additional safeguards for international transfers.

We do not transfer personal data outside the EU. If we must transfer data outside the EU in the future, we will ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Other legally approved mechanisms

You will be notified of any changes to our data storage location.

8. Data Retention

We retain your personal data only as long as necessary:

  • Active accounts: Data retained while your account is active and you continue using the platform
  • Inactive accounts: Automated deletion process after 2 years of inactivity:
    • After 2 years (730 days) with no login: First warning email sent
    • After 2 years + 30 days: Second warning email sent
    • After 2 years + 60 days: Final warning email sent
    • After 2 years + 90 days: Profile and personal data automatically deleted, transaction/message data anonymized
  • Account deletion requests: When you delete your account, data is retained for 30 days (allowing recovery if deletion was accidental), then permanently deleted
  • IP address logs:
    • Automatically deleted after 180 days
  • Transaction records: Retained in anonymized form after account deletion or inactivity (for platform integrity and dispute resolution)
  • Messages: Retained while account is active; anonymized after inactivity period or account deletion

After the 30-day account deletion period, all personal identifiers are permanently removed from our systems. All cleanup processes are fully automated via scheduled tasks.

9. Your Rights Under GDPR

You have the following rights:

9.1 Right of Access (Art. 15)

Request a copy of all personal data we hold about you.

9.2 Right to Rectification (Art. 16)

Correct inaccurate or incomplete data.

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data (subject to legal retention requirements).

Account Deletion Process:

  • You can delete your account at any time through your account settings
  • Data is retained for 30 days to allow recovery if deletion was accidental
  • After 30 days, all personal identifiers are permanently removed
  • Transaction and message data is anonymized (removing all identifying information)
  • Time credit balances: You may optionally donate your remaining balance to an organization of your choice before deletion, otherwise the balance is removed from circulation
  • Deletion is irreversible after the 30-day period

9.4 Right to Restriction of Processing (Art. 18)

Limit how we use your data in certain circumstances.

9.5 Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format.

9.6 Right to Object (Art. 21)

Object to processing based on legitimate interests.

9.7 Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time for consent-based processing.

9.8 Right to Lodge a Complaint

File a complaint with your national data protection authority.

To exercise your rights:

  • Data export: Use the automated export tool in your account dashboard to download all your data (transaction history as CSV, profile data in structured format)
  • Account deletion: Use the self-service deletion option in your account settings
  • Other requests: Contact us at [privacy@timebank.cc]

Most rights can be exercised directly through your account dashboard without needing to contact us.

10. Cookies and Tracking

10.1 Our Cookie Policy

We use only strictly necessary cookies required for platform functionality:

  • Session cookies: To keep you logged in securely
  • Security cookies: To protect against unauthorized access and CSRF attacks
  • Preference cookies: To remember your chosen settings

We do NOT use:

  • Analytics cookies
  • Advertising cookies
  • Tracking cookies
  • Third-party cookies of any kind
  • Social media cookies
  • Profiling cookies

10.2 No Cookie Banner Required

Because we use only essential cookies that are strictly necessary for the platform to function, we do not require cookie consent under GDPR. No cookie banner is displayed.

10.3 Cookie Control

You can delete cookies through your browser settings at any time. However, disabling essential cookies will prevent you from logging in and using the platform.

11. Security Measures

We implement industry-standard security practices:

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest
  • Access controls: Strict internal access policies
  • Session timeouts: Automatic logout after inactivity based on profile type to protect against unauthorized access:
    • User profiles: 120 minutes of inactivity
    • Organization profiles: 60 minutes of inactivity
    • Bank profiles: 30 minutes of inactivity
    • Admin profiles: 360 minutes of inactivity
  • Regular security audits: Routine vulnerability assessments
  • Secure authentication: Password hashing with modern algorithms
  • Two-factor authentication: Optional 2FA via authenticator app (such as Google Authenticator, Authy) for enhanced security
  • Incident response: Procedures for data breach notification within 72 hours (GDPR Art. 33)

12. Open Source Commitment

Timebank.cc is built entirely with open source software. This means:

  • Transparency: Anyone can review the code for security and privacy
  • Community auditing: Security researchers can identify and report vulnerabilities
  • No hidden functionality: What you see is what you get - no secret tracking or data collection
  • Trust through verification: You don't have to take our word for it - verify our privacy claims by reviewing the code
  • Community-driven: Improvements and security patches benefit from community contributions

Our commitment to open source demonstrates our dedication to transparency and user privacy.

13. Children's Privacy

Timebank.cc requires users to be at least 18 years old. During registration, all users must confirm they meet this age requirement via a mandatory checkbox.

We do not knowingly collect data from anyone under 18. If we discover we have inadvertently collected personal data from someone under 18, we will delete it immediately. Parents or guardians can report underage accounts to info@timebank.cc.

14. Phone Number Use

14.1 Purpose

Phone numbers are optional and used solely for:

  • Account recovery as a last resort if you lose access to your account
  • Voluntary display on your profile as a communication method with other platform users (only if you choose to enable this)

14.2 Two-Factor Authentication

We offer two-factor authentication (2FA) via authenticator apps (such as Google Authenticator, Authy, 1Password, etc.), not via SMS or phone-based verification. This provides better security and does not require a phone number.

14.3 Privacy Protection

  • Phone numbers are never shared outside the platform or with third parties
  • Phone numbers are never shared with other service providers or data processors
  • Phone numbers are visible to other platform users only if you explicitly choose to display them on your profile
  • We do not send SMS messages or verification codes to your phone
  • We do not use your phone number for marketing or communications

14.4 User Control

  • Phone number is optional
  • You can add or remove it at any time in your account settings
  • You can choose whether to display it on your profile
  • Removing your phone number does not affect 2FA (which uses authenticator apps)

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

  • Platform features
  • Legal requirements
  • Privacy practices

We will notify you of material changes through:

  • Email notification
  • Prominent notice on the platform
  • Requiring re-acceptance for significant changes

Previous versions will be archived at [URL].

16. Data Protection Officer

[If required] You can contact our Data Protection Officer at:
[DPO name]
[Email]
[Address]

17. Contact Us

For privacy questions or to exercise your rights:

General inquiries: info@timebank.cc
Support: support@timebank.cc
Address:
Timebank.cc
Zoutkeetsingel 77
2515 HN Den Haag
The Netherlands

Response time: We aim to respond within 30 days (GDPR requirement)

Languages: This privacy policy and our platform are available in English, Dutch, French, Spanish, and German.

18. Supervisory Authority

If you believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority. Find your authority at: https://edpb.europa.eu/about-edpb/board/members_en

Appendix: Data Processing Activities

For transparency, here's a summary of our data processing:

Purpose Data Types Legal Basis Retention
Account creation Email, username, password Contract Active account + 30 days after deletion
Platform communication Messages, timestamps Contract Active + 2 years inactivity (with warnings), then anonymized
Account recovery Phone number (optional) Consent Until removed by user
Security & fraud prevention IP address (last login) Legitimate interest 180 days
Transaction records Time credits, exchange details Contract Active + 2 years inactivity (with warnings), then anonymized
Profile data User-controlled personal info Contract/Consent Active + 2 years inactivity (with warnings), then deleted

By using Timebank.cc, you acknowledge that you have read and understood this Privacy Policy.

Why Timebank.cc is Different

At Timebank.cc, privacy isn't an afterthought—it's foundational to everything we do:

  • Open Source: Our code is transparent and auditable by anyone
  • No Tracking: We don't use analytics, cookies, or trackers that follow you
  • You Control Your Data: Decide what to share and how precise your information is
  • Auto-Delete: Inactive data doesn't sit forever—it's automatically cleaned up
  • Easy Export: Download your data anytime, no questions asked
  • Easy Delete: One-click account deletion, no runaround
  • Sustainable Hosting: We use Greenhost.nl, a privacy-focused and sustainable hosting provider committed to internet freedom
  • EU-Based: Your data stays in the Netherlands, protected by strong EU privacy laws

We believe time banking should be built on trust, and trust starts with respecting your privacy.

Reference in New Issue View Git Blame Copy Permalink