GDPR Compliance
Last updated: February 23, 2026
1. Introduction
MasterTimeline is committed to complying with the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This page supplements our Privacy Policy and provides additional information specifically relevant to users in the European Union (EU) and European Economic Area (EEA).
If you are located in the EU/EEA, the GDPR provides you with specific rights regarding your personal data, and we have obligations regarding how we collect, process, and protect that data. This page outlines the legal bases for our data processing, your rights, and how to exercise them.
2. Legal Basis for Processing
Under the GDPR, we must have a valid legal basis for processing your personal data. The following table describes the legal bases we rely on for each category of processing:
| Legal Basis | GDPR Article | Processing Activities |
|---|---|---|
| Contract Performance | Art. 6(1)(b) | Providing the MasterTimeline service you subscribed to, including account management, project storage, AI content generation, subscription billing, and credit allocation. This processing is necessary to fulfill our contractual obligations to you under our Terms of Service. |
| Legitimate Interest | Art. 6(1)(f) | Improving the service based on aggregated usage analytics, detecting and preventing fraud or abuse, ensuring platform security, diagnosing technical issues, and communicating essential service updates. We have conducted a balancing test to ensure these interests do not override your fundamental rights and freedoms. |
| Consent | Art. 6(1)(a) | Marketing communications such as product announcements and feature newsletters (opt-in only), and optional analytics beyond what is strictly necessary for service operation. You may withdraw your consent at any time without affecting the lawfulness of processing performed prior to withdrawal. |
3. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights under the GDPR. We are committed to facilitating the exercise of these rights in a timely and transparent manner.
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request access to that data along with information about the purposes of processing, the categories of data concerned, the recipients, and the envisaged retention period.
- Right to Rectification (Art. 16): You have the right to request the correction of inaccurate personal data and to have incomplete personal data completed, including by providing a supplementary statement.
- Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where the data is no longer necessary for its original purpose, you withdraw consent (where consent was the legal basis), or the data has been unlawfully processed. This right is also known as the "right to be forgotten."
- Right to Restrict Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when processing is unlawful but you oppose erasure, or when we no longer need the data but you require it for legal claims.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies to data processed by automated means based on consent or contract performance. MasterTimeline supports content export through its built-in export features.
- Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interest (Art. 6(1)(f)). Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.
- Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. MasterTimeline does not currently make automated decisions that produce legal or similarly significant effects on users. AI-generated content is creative output directed by your inputs, not automated decision-making about you.
4. How to Exercise Your Rights
To exercise any of the rights described above, please contact our data protection team:
Email: gdpr@mastertimeline.com
When submitting a request, please note:
- Include sufficient information for us to verify your identity and locate your data. At minimum, provide the email address associated with your MasterTimeline account.
- We will acknowledge receipt of your request and respond within 30 days, as required by the GDPR. If your request is particularly complex or we receive a large number of requests, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for it within the initial 30-day period.
- We may need to verify your identity before processing your request to prevent unauthorized access to personal data. Verification may involve confirming information associated with your account or requesting additional identification.
- Exercising your rights is free of charge. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, as permitted by Art. 12(5) GDPR.
5. Data Transfers
MasterTimeline's infrastructure is hosted in the United States through our service providers Supabase and Vercel. As a result, personal data of EU/EEA users is transferred to and processed in the United States.
These international data transfers are protected by appropriate safeguards in accordance with the GDPR:
- Standard Contractual Clauses (SCCs): Our sub-processors maintain Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) to ensure that personal data transferred outside the EEA receives an adequate level of protection.
- Supplementary measures: Where appropriate, our sub-processors implement additional technical and organizational measures, including encryption of data in transit and at rest, access controls, and regular security assessments.
For more information about the specific sub-processors involved in data transfers, please refer to the "AI & Third-Party Data Sharing" section of our Privacy Policy.
6. Data Protection Officer
For any questions or concerns regarding our data protection practices, GDPR compliance, or the processing of your personal data, you may contact our Data Protection Officer directly:
Email: dpo@mastertimeline.com
Our Data Protection Officer is responsible for overseeing our data protection strategy, ensuring compliance with the GDPR, serving as the point of contact for data subjects and supervisory authorities, and conducting data protection impact assessments where required.
7. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
A list of EU/EEA data protection authorities and their contact details can be found on the European Data Protection Board (EDPB) website.
We encourage you to contact us first at gdpr@mastertimeline.com so that we have the opportunity to address your concerns directly. We take all complaints seriously and will work to resolve any issues promptly.
This page should be read in conjunction with our Privacy Policy and Cookie Policy, which provide additional details about our data practices.