Privacy Policy
Tockly
Version: 1.0
Last updated: 16 May 2026
Website: https://www.tockly.co
Privacy contact: tockly.co@gmail.com
1. Introduction
1.1 This Privacy Policy explains how Tockly (“we”, “us”, “our”) collects, uses, discloses, stores, and protects personal data when you visit https://www.tockly.co or use our timesheet and financial dashboard service (“Service”).
1.2 This Policy applies to Malaysia-focused operations. We do not currently target users outside Malaysia as a primary market.
1.3 This Policy should be read with our Terms and Conditions. By using the Service or subscribing, you acknowledge this Policy. If you do not agree, do not use the Service.
1.4 Operator: Tockly (trading as Tockly). Registration details may be updated when available.
Contact: tockly.co@gmail.com (no postal address published at this time).
2. Roles: who is responsible for what
2.1 Companies (customers) using Tockly often upload personal data about their staff (names, emails, salaries, timesheets). In many cases, the Company decides why that data is collected and is responsible for informing its staff. Tockly processes such data to provide the Service to that Company.
2.2 Tockly also processes data for our own purposes described below (for example service operation, security, analytics, product improvement, and anonymised commercial products).
2.3 If you are a staff user invited by your employer, questions about how your employer uses your data should be directed to your employer first. You may also contact us at tockly.co@gmail.com.
3. Personal data we collect
We may collect the following categories of data.
3.1 Account and identity data
- Name
- Email address
- Password (stored in hashed form, not plain text)
- Role (e.g. user, admin, superadmin)
- Company association
3.2 Employment and financial data (entered by Companies)
- Monthly salary and salary revision history
- Timesheet entries (dates, hours, projects, phases, notes)
- Project and phase names and status
- Company financial settings (e.g. overheads multiplier, phase budgets, contract/fees where entered)
3.3 Company data
- Company name and category
- Company calendar (working days, holidays)
- Company branding settings
- Company logo image (uploaded as image data; large logo files may be handled separately in exports/backups)
3.4 Technical and usage data
- IP address and device/browser information
- Log data (access times, errors, security events)
- Website analytics (e.g. page views, usage patterns) via analytics tools we configure
3.5 Communications
- Emails you send us (e.g. support, tockly.co@gmail.com)
- Service emails (e.g. password reset links)
- Marketing emails (product news, offers, tips) where permitted — you may unsubscribe using the link in those emails or by contacting us
3.6 Payment-related data
- Subscription and billing correspondence (payments may be handled outside the app; we may keep records of fees paid, invoices, and payment status)
We do not currently require Malaysian IC numbers, passport numbers, or home addresses for standard use of the Service.
4. How we collect data
- Directly from you or your Company when registering, configuring the Service, or entering timesheets
- Automatically through cookies, logs, and analytics when you use the website
- From your Company’s administrators when they create or manage your user account
5. Purposes of use
We use personal data for the following purposes:
5.1 Providing the Service
- Creating and managing accounts (one admin email per company)
- Hosting and displaying timesheets, projects, calendars, and financial views
- Authentication, password reset, and security (including session management)
- Customer support
5.2 Operating and improving Tockly
- Monitoring performance, fixing bugs, and developing features
- Website analytics and understanding how the Service is used
- Internal reporting
5.3 Product improvement, benchmarks, and machine learning
- Analysing aggregated and anonymised patterns to improve Tockly
- Creating industry benchmark reports and statistics
- Training and improving machine learning / AI models (using data in accordance with this Policy)
5.4 Marketing
- Sending marketing and promotional emails (with unsubscribe)
- Using non-identifiable statistics in marketing (e.g. general usage trends)
5.5 Commercial licensing (non-identifiable data only)
We may prepare and share anonymised datasets, aggregated statistics, and benchmark reports with third parties such as researchers, software vendors, insurers, media, and other commercial partners.
We will not sell or license identifiable personal data to third parties, including:
- Company names in identifiable form
- User names and email addresses
- Raw timesheet rows tied to a specific company or person
- Individual salary figures tied to a specific company or person
Anonymisation methods may vary and will be applied in a manner intended to prevent identification of a specific company or individual. Methods are not fully specified in this version and may be updated as our practices mature.
5.6 Legal and safety
- Complying with law, court orders, or regulatory requests
- Protecting rights, safety, and security of Tockly, users, and others
- Enforcing our Terms
6. Legal basis (Malaysia / PDPA)
We process personal data in accordance with applicable Malaysian law, including the PDPA, based on one or more of the following as applicable:
- Consent (including consent implied by using the Service and subscribing, and consent for marketing where required)
- Performance of a contract (providing the Service to your Company)
- Legal obligation
- Legitimate interests (security, analytics, improvement, and non-identifiable commercial products), balanced against your rights
Where the PDPA or other law requires separate consent (for example for certain marketing), we will seek it as required.
7. Disclosure of personal data
We may disclose personal data to:
7.1 Service providers (processors)
Third parties that help us run the Service, for example:
- Hosting and database (e.g. Supabase — data may be stored in Singapore and other regions)
- Application hosting (e.g. Vercel — may process data globally)
- Email delivery (e.g. SMTP providers for password reset and notifications)
- Website analytics providers
These providers are authorised to process data only as needed to perform services for us, subject to confidentiality and security obligations.
7.2 Companies using the Service
Administrators of your Company can access data for users in their company as permitted by the product.
7.3 Third parties — non-identifiable commercial products only
As described in Section 5.5 (benchmarks, anonymised datasets, licensed statistics). Not in identifiable form.
7.4 Legal and corporate
- Regulators, courts, or law enforcement when required
- Successors if we sell or reorganise our business (subject to this Policy)
We do not list every possible future buyer; categories may include those described in Section 5.5.
8. International transfers
8.1 Personal data may be transferred to and processed outside Malaysia, including in Singapore and other countries where our service providers operate.
8.2 We take reasonable steps to ensure appropriate safeguards for cross-border transfers as required by applicable law.
9. Retention
9.1 We retain personal data for as long as we reasonably need it for the purposes in this Policy, including:
- Providing the Service
- Legal, tax, billing, and dispute resolution
- Security and fraud prevention
- Anonymised and aggregated products derived from historical data
9.2 We may retain data longer where required by law (for example certain financial or tax records).
9.3 When data is no longer needed, we will delete or anonymise it using reasonable measures. Backups may persist for a limited period before being overwritten.
9.4 If your Company stops using Tockly, we are not obliged to delete all data immediately on cancellation unless required by law or unless we agree otherwise. Deletion requests are handled under Section 11.
10. Security
We use reasonable technical and organisational measures to protect personal data (including access controls, hashed passwords, and hosting provider security). No system is completely secure. You should use strong passwords and protect your login details.
11. Your rights (PDPA)
Subject to Malaysian law (including the PDPA), you may have rights to:
- Access personal data about you
- Correct inaccurate data
- Withdraw consent where processing is based on consent (some features may no longer work)
- Request limitation or raise complaints about processing
To exercise rights, contact tockly.co@gmail.com. We may need to verify your identity. If you are a staff user, we may refer you to your Company’s administrator where appropriate.
We will respond within timeframes required by law.
12. Marketing communications
We may send marketing emails as described in Section 3.5. You may unsubscribe at any time via the link in the email or by emailing tockly.co@gmail.com. Unsubscribing from marketing does not affect essential service emails (e.g. security or account notices).
13. Cookies and analytics
We use cookies and similar technologies for operation, security, and website analytics. You can control cookies through your browser settings; some features may not work if cookies are disabled.
Analytics help us understand traffic and usage of https://www.tockly.co and the Service.
14. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from children. Contact us if you believe we have collected a child’s data.
15. Superadmin and backups
Authorised Tockly operators may access system-wide data for support, security, company creation, and system backups. Backup exports are for operational and disaster-recovery purposes and must be stored securely. Some exports omit very large fields (e.g. full logo binary in Excel) where technically necessary.
16. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the new version on https://www.tockly.co with an updated Version and Last updated date.
Continued use of the Service or continued subscription after changes take effect constitutes acceptance where permitted by law. Material changes may also be notified by email or in-app notice where appropriate.
17. Data protection contact
For privacy questions, requests, or complaints:
Email: tockly.co@gmail.com
A formal Data Protection Officer may be appointed later if required. We will update this Policy if that changes.
If you are not satisfied with our response, you may contact the relevant Malaysian authority (for example the Department of Personal Data Protection / PDPD under the Ministry of Digital) as applicable from time to time.
18. Contact
Tockly
Email: tockly.co@gmail.com
Website: https://www.tockly.co
