Privacy Policy

Last updated: 28 May 2026

1. Who we are

This Privacy Policy describes how Tolmon Limited (“we”, “us”, “our”) collects, uses, and protects your personal data when you use the service marketed as APA Timesheet at the-timesheet.com (the “Service”). We are the data controller for the personal data described in this policy, except where stated below in relation to crew data you enter.

The data controller is Tolmon Limited (Companies House no. 14468414), with its registered office at 510 The Chocolate Factory, 5 Clarendon Road, London N22 6XJ, United Kingdom. You can reach us at admin@tolmon.com.

ICO registration: pending (to be added before launch).

2. What we collect

  • Account data: your name, email address, and the sign-in token records used by our magic-link authentication (Auth.js).
  • Subscription data: your Stripe customer ID, subscription status, plan, and billing dates. Payment card details are processed and stored by Stripe; we never see or store them.
  • Production data: the information you enter into the Service, including production names and dates, unit and location records, crew names, agreed rates, day records, call and wrap times, day categories, and any notes you add.
  • Crew contact data (optional): if you choose to record them, email addresses, phone numbers, and free-text notes for crew members on your productions. See “Your responsibilities” below.
  • Discrepancy submissions: when a crew member uses a share link to flag an issue with their timesheet, we store the free-text content of the submission and any contact details they choose to provide.
  • Usage data: standard server logs (IP address, user-agent string, request timestamps) generated by our hosting providers. These are minimal, used only for security and to keep the Service running, and are not used for analytics or marketing tracking.

3. Why we process it

We process the personal data described above on the following lawful bases under UK GDPR:

  • Performance of a contract: to provide the Service to you under our Terms of Service (account creation, calculations, share links, billing).
  • Legitimate interests: to keep the Service secure, prevent fraud and abuse, and improve reliability and product quality. We have balanced these interests against your rights and consider them not to override them.
  • Legal obligation: to keep accounting and tax records as required by UK law.

We do not process your personal data for direct marketing.

4. Who we share it with

We share personal data only with the following sub-processors, each of which is contractually required to protect it:

  • Vercel Inc. (USA): application hosting. Transfers covered by the UK addendum to the EU Standard Contractual Clauses.
  • Railway Corp. (USA): database hosting. Transfers covered by the UK addendum to the EU Standard Contractual Clauses.
  • Stripe Payments Europe Ltd. (Ireland) and Stripe, Inc. (USA): payment processing.
  • Resend (USA, with EU infrastructure available): transactional email delivery (magic-link sign-in, account notifications).

We do not sell your personal data. We do not use it to target advertising. We do not share it with any party other than the sub-processors above, except where we are required to do so by law or in connection with a sale or restructuring of our business (in which case successors are bound to honour this policy).

5. International transfers

Where personal data is transferred outside the UK to the sub-processors listed above, the transfer is covered by the UK addendum to the European Commission’s Standard Contractual Clauses, which provides equivalent protection to UK GDPR.

6. Retention

  • Account data: retained while your account is active, then for 6 years after closure to meet HMRC record-keeping requirements.
  • Subscription / billing data: retained for 6 years from the end of the relevant tax year, as required by UK accounting law.
  • Production data, crew data, and discrepancy submissions: retained while your account is active and for 30 days after you request deletion. After this period, data is permanently removed from active systems; encrypted database backups roll off on a 30-day cycle thereafter.
  • Server logs: retained for up to 30 days.

7. Your rights

Under UK GDPR you have the right to:

  • request a copy of the personal data we hold about you (access);
  • ask us to correct inaccurate or incomplete data (rectification);
  • ask us to delete your data (erasure) where one of the GDPR grounds applies;
  • receive your data in a portable, machine-readable format (portability);
  • object to or restrict certain processing.

To exercise any of these rights, email admin@tolmon.com. We will respond within 30 days. There is no charge for reasonable requests.

8. Your responsibilities re: crew data

When you enter personal data about members of your crew into the Service, you are the data controller for that personal data and we act as your data processor. This means you are responsible for:

  • having a lawful basis to collect and store crew personal data (typically the legitimate interest of running the production, or the consent of the crew member);
  • informing crew members that their data is being stored in the Service;
  • making sure shared timesheet links are sent only to the people entitled to see them.

We will help you meet your obligations (for example, by deleting crew data on your instruction), but the underlying responsibility for that data sits with you.

9. Cookies

We use a single essential cookie set by our authentication library (Auth.js) to keep you signed in. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. Because we use only strictly necessary cookies, no cookie consent banner is required under UK PECR.

10. Children

The Service is not directed at children under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If a change is material, we will notify you by email at least 14 days before it takes effect.

12. Complaints

If you are unhappy with how we have handled your personal data, please contact us first at admin@tolmon.com and we will do our best to put it right. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

13. Contact

Tolmon Limited (Companies House no. 14468414)
510 The Chocolate Factory, 5 Clarendon Road, London N22 6XJ, United Kingdom
Email: admin@tolmon.com
