![timetoreply-logo-white-1.png]](https://help.timetoreply.com/hs-fs/hubfs/timetoreply-logo-white-1.png?height=40&name=timetoreply-logo-white-1.png){kind=logo}
How timetoreply Handles Your Data
timetoreply is designed to give teams clear insights into email performance while maintaining a strong commitment to security, privacy, and transparency. This article explains what data we process, how we use it, and the safeguards in place to protect it.
What Data We Ingest
By default, timetoreply processes email metadata only. This includes:
- Timestamps
- Sender and recipient information
- Subject lines
This allows us to deliver core reporting without accessing the content of your emails.
When Smart Features are enabled (opt-in), we also process email body content. This enables more advanced insights such as:
- Sentiment
- Urgency
- Intent
- Response requirements
All processing is read-only. We do not modify your emails or take any actions on your behalf.
Why Email Body Content Is Used
Metadata alone provides a high-level view of response times. By securely analysing email body content, timetoreply can deliver deeper and more accurate insights, helping teams better understand communication patterns and priorities.
Only the minimum necessary plain text is processed. Attachments are never ingested.
Where and How Data Is Processed
All data is processed within AWS London (eu-west-2). This includes both timetoreply infrastructure and AI-powered analysis via Amazon Bedrock. Your data does not leave this region for processing.
We follow a data minimisation approach, ensuring only the required information is used, and we rely on ephemeral processing wherever possible.
AI and Your Data
- Your data is not used to train AI models
- Amazon Bedrock does not store or reuse your data for training
- Any improvements to the system come from internal optimisations, not model training on customer data
AI outputs are probabilistic but designed using structured schemas for consistency. If needed, users can correct outputs, and updates are reflected immediately.
Data Storage and Deletion
When Smart Features are enabled:
- Email body content and derived insights are stored to support functionality
- You can use a delete-all control to permanently remove this data at any time
After deletion, only minimal, non-sensitive metrics (such as token usage) are retained for system monitoring.
Security Measures
We use industry-standard security practices to protect your data:
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256 via AWS KMS
- Access control: Role-Based Access Control (RBAC)
- Infrastructure security: IAM least privilege, VPC isolation, and logging
Access and Privacy Controls
Access to data is tightly controlled through permissions. Email content may appear in reports and logs, so we recommend carefully managing user roles within your organisation.
Additional privacy controls include:
- Privacy Mode: Hides email content in the UI while still enabling insights
- Mailbox-level control: Smart Features can be enabled or disabled per mailbox
Handling Sensitive Information
We do not perform PII redaction. Instead, we prioritise:
- Strong encryption
- Secure infrastructure
- Data minimisation
- Controlled access
This approach ensures higher accuracy in insights while maintaining robust data protection.
Compliance
timetoreply is:
- GDPR-aligned, with full data deletion capabilities
- Independently audited under SOC 2 standards
- Continuously monitored for compliance
Reliability
Core timetoreply functionality (based on metadata) remains fully operational at all times. If AI-powered features are unavailable, they will degrade gracefully without affecting your reporting.