That Time…

Privacy

Last updated: Apr 2026

This notice explains what personal information That Time… collects, why we collect it, and what rights you have. It's written in plain English. If anything here is unclear, email support@thattime.org.

Who we are

Tamlyn Ltd (“we”, “us”) is a company registered in England & Wales, company number 9157682, registered address 12 Casimir Road, London, E5 9NU. We are the data controller for personal information collected through That Time… under the UK GDPR and the Data Protection Act 2018.

Contact for any privacy matter: support@thattime.org.

What we collect

To run the service, we collect and store:

  • Your email address, for sign-in and for sending moment emails.
  • A display name you choose, shown to other people in your moments.
  • The content you create: moments, contributions, photos, cast memberships and reactions.
  • A session cookie after you sign in, so the site remembers you. It contains a random session id — nothing else.
  • Minimal request logs (IP address, user-agent, path, timestamp) for security, debugging, and abuse prevention. These rotate after a short window.
  • Email metadata: the fact that we sent you a moment email, and whether inbound replies from you were processed into contributions.

What we don't collect

  • No advertising cookies or ad-network trackers.
  • No access to your contacts or address book.
  • No location data.
  • No behavioural profiling — we don't build a picture of you from your activity.
  • Your moments, contributions, photos, and shared emails are never shared with any third-party analytics or advertising service, and are never used to train AI models.

Product analytics & error reporting

To keep the service working we use a small amount of pseudonymised product analytics and error telemetry, provided by PostHog (hosted in the EU). Specifically:

  • The identifier we send for your account is a one-way cryptographic hash of your internal user ID — not your email, name, or account ID itself. We use it so errors and product events from the same session can be grouped, and so support can look up issues you report. PostHog cannot reverse it to a user without our server secret.
  • Events are limited to what happened (e.g. "a moment was created", "a photo was uploaded") and aggregate properties (counts, booleans). We don't send moment titles, contribution text, photo content, cast memberships, email addresses, display names, or any moment or contribution IDs.

Why we use it (legal bases)

  • Performance of a contract — to provide the service you signed up for: showing you moments you're in, delivering emails, accepting your contributions.
  • Legitimate interests — keeping the service secure, preventing abuse, and fixing bugs.
  • Legal obligation — where we're required to retain or disclose information (for example, responding to a lawful request or reporting illegal content).

Who we share it with

We use a small number of specialist sub-processors to run the service. We don't sell your data to anyone, and we don't share it for advertising.

  • Cloudflare, Inc. — hosts the app, the database, photo storage, and handles inbound/outbound mail routing. Cloudflare also provides Turnstile, a privacy-preserving bot check on the sign-in form. Turnstile evaluates signals from your browser (such as device characteristics and behaviour) to tell humans from automated scripts; it is only used on the sign-in page and does not track you across other sites. See Cloudflare's privacy policy.
  • Resend — delivers outbound email (sign-in links, moment emails). See Resend's privacy policy.
  • PostHog — receives the pseudonymised product analytics and error reports described above. We use their EU hosting. See PostHog's privacy policy.

We will only share your data with anyone else if we're legally required to, or if you explicitly ask us to.

Where it's stored

That Time… runs on Cloudflare's global network. Cloudflare replicates data across regions for reliability; some of those regions may be outside the UK/EEA. Cloudflare and Resend have appropriate safeguards in place for international transfers (Standard Contractual Clauses and equivalent).

How long we keep it

  • Your account and the content you create are kept for as long as your account exists. You can delete your account at any time by emailing support@thattime.org — we'll remove your account, your contributions, and your photos. Content posted by other people in moments you were in remains theirs.
  • Request logs rotate after a short window (currently 30 days).
  • Dev/test email records in non-production environments are discarded with the environment.

Your rights

Under UK GDPR you have the right to:

Access & portability
Ask for a copy of the personal data we hold about you, in a format you can keep. You can also do this yourself from Settings — "Export my data" builds a zip of every moment you're in (titles, contributions, reactions, photos) as a browsable HTML archive and emails you a download link.
Rectification
Correct data that's wrong or out of date.
Erasure
Ask us to delete your account and associated content.
Restriction & objection
Ask us to pause certain processing, or object to processing based on legitimate interests.
Complain
Complain to the UK Information Commissioner's Office (ico.org.uk) if you think we've handled your data badly. We'd rather hear from you first, but it's your right.

To exercise any of these rights, email support@thattime.org. We'll respond within a month.

Cookies

We use a single essential session cookie to allow you to sign in. You can clear it at any time by signing out or clearing your browser cookies. The sign-in page may also briefly set a Cloudflare Turnstile cookie to help block spam sign-ups. We don't use any tracking or advertising cookies.

Children

That Time… isn't intended for children under 16. If you believe a child has created an account, email support@thattime.org and we'll remove it.

Changes to this notice

If we make material changes, we'll update the “last updated” date at the top and email account holders where the changes affect them.