Privacy Policy

Security Foreword

Enterprise-grade security and privacy controls are at the heart of timetoreply™’s infrastructure and cloud platform. timetoreply™ strives to earn customer trust by enforcing world-class security practices and standards.

We keep customer data both private and secure through a multi-layered physical and network-level security hierarchy.

timetoreply™ is in no way involved in the email flow and has no effect on the successful or unsuccessful delivery of emails. Users’ email will continue to perform as normal, independently of timetoreply™.


timetoreply™ is a Cloud-based email analytics tool that shows businesses how long it takes their staff to respond to emails. Our Website and Software are owned and controlled by Time to Reply Limited, a company incorporated in the United Kingdom.

The system works by ingesting email header information and processing this information to produce email reply time reports and other email performance metrics.

timetoreply™ works with o365, Gmail/GSuite, MS Exchange and Mimecast. Depending on which one of these options is chosen, timetoreply™ works differently in terms of how it ingests the data, the procedure required to add a mailbox, and how it connects to those mailbox(es).

Each option is explained in this document.

Once the data has been ingested, it resides on Time to Reply’s Amazon Web Services (AWS) servers. The data is stored in a database that is not accessible via the public internet. Username and password data (where this is gathered) is encrypted, and the keys are stored in a separate database. Data transferred between Time to Reply and 3rd parties such as the Gmail API, o365 API, Mimecast API or Nylas API is sent over SSL.

timetoreply™ only views and stores the header information of emails. timetoreply™ does not view nor store the body or attachments of any email.

Before submitting your personal information to our Website and/or Software, please read this Policy carefully to learn about our privacy practices. By visiting timetoreply™’s Website, you are accepting the practices described herein.

  • What information we collect from you
  • How we use your information
  • With whom we share your information
  • How you can access your information
  • Your choices with respect to the collection and use of your information
  • How we protect your information
  • Children’s privacy
  • External links
  • Changes to this Privacy Policy
  • How you can contact us

What information we collect from you

We receive and store any information you enter on our Website, Live Chat, email and/or Software, including your first and last name, company name, telephone number, e-mail addresses, username and password.

timetoreply™ is an email analytics and email response time software tool. Once a mailbox has been added to our Software to be tracked, we ingest and store the following meta information from your email headers:

TO address
FROM address
CC address
Subject line
Message ID
Conversation ID

We do not ingest or store the body of an email or any attachments.

Our software connects to different mailboxes using different methods. These methods are listed below:


In order to ingest email from an o365 mailbox, Time to Reply connects via the MS Graph API using the OAuth 2.0 protocol. To add a mailbox, the user simply enters an Agent’s name and email address, and then clicks “Add”.

Note: no password is required. An email that includes an “activation” link will be sent to the email address that has been added. The owner of the email address is required to click the activation link and follow the steps to grant permission to Time to Reply, after which Time to Reply’s software begins tracking their email performance.

An alternative option is to use timetoreply™’s o365 Bulk Add option. This allows the user to authenticate once with an o365 admin user’s credentials, “tick” the mailboxes they would like to track, and then add them to timetoreply™ without each mailbox needing to authenticate one-by-one.

Gmail / GSuite

In order to ingest email from a Gmail/Gsuite mailbox, Time to Reply connects via the Gmail REST API using the OAuth 2.0 protocol. To add a mailbox, the user simply enters the Agent’s name and email address and then clicks “Add”.

Note: no password is required. An email that includes an “activation” link will be sent to the email address that has been added. The owner of the email address is required to click the activation link and follow the steps to grant permission to Time to Reply, after which Time to Reply’s software begins tracking their email performance.

The scope that timetoreply™ Limited uses from the Gmail API is: Read resources metadata including labels, history records, and email message headers, but not the message body or attachments.

Microsoft (MS) Exchange

In order to connect to MS Exchange mailboxes (self-hosted or cloud hosted) Time to Reply uses a 3rd party service called Nylas. Nylas is an API service that allows services such as timetoreply™ to access MS Exchange mailboxes securely. Their security document can be found here: To add an MS Exchange mailbox, a user would need to enter their mailbox username, password and mail server address. These credentials are entered into the Nylas system and are stored by Nylas and not by timetoreply™. timetoreply™ has no access to these credentials which are securely stored within the Nylas secure environment. Once the mailboxes have been added, Time to Reply polls the MS Exchange mailboxes and analyses the email header information.


In order to ingest email header information from Mimecast, Time to Reply connects to Mimecast via their API. This connection option is currently in invite-only beta. Please contact for more information.

This website uses Google AdWords

This website uses the Google AdWords remarketing service to advertise on third party websites (including Google) to previous visitors to our site. It could mean that we advertise to previous visitors who haven’t completed a task on our site, for example using the contact form to make an enquiry. This could be in the form of an advertisement on the Google search results page or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits to the website. Of course, any data collected will be used in accordance with our own privacy policy and Google’s privacy policy.

COOKIES DO NOT IN ANY WAY IDENTIFY YOU OR GIVE ACCESS TO YOUR COMPUTER. The cookie is used to say “This person visited this page, so show them ads relating to that page.” Google AdWords Remarketing allows us to tailor our marketing to better suit your needs and only display ads that are relevant to you.

Information About Others

You will have the opportunity to provide contact information for other people through our Website. You should obtain the consent of other individuals prior to providing timetoreply™ with their personal information.

Information from Other Sources

We also may periodically obtain both personal and non-personal information about you from affiliated entities, business partners and other independent third-party sources and add it to other information about you. For example, if you visit timetoreply™ by “clicking-through” from a site operated by one of our business partners, and you have registered with that partner, then information about you that you have provided to that partner may be shared with us, such as contact information and demographic information. As another example, if you access third-party services, such as social media services, through our Web site or before coming to our Website, we may collect information such as your user name, password, and other information made available to us through those services in order to improve and personalize your use of our Website.

Automatic Information

We automatically collect some information about your computer when you visit timetoreply™. For example, we will collect session data, including your IP address, Web browser software, and referring Web site. We also may collect information about your online activity, such as content viewed and pages visited. One of our goals in collecting this automatic information is to help us understand the interests of our users and customize your user experience.

Cookies and Other Web Technologies

Cookies are small data text files and can be stored on your computer’s hard drive (if your Web browser permits). and its affiliated websites use cookies for the following general purposes:

  • To help us recognize your browser as a previous visitor and save and remember any preferences that may have been set while your browser was visiting our site. For example, if you register on our site, we may use cookies to remember your registration information, so you do not need to log into our site each time you visit. We also may record your password in a cookie, if you checked the box entitled “Save this password for automatic sign-in.” Please note that member IDs, passwords, and any other account-related data included in such cookies are encrypted for security purposes.
  • To help us customize the content, website experience, and advertisements provided to you on our websites and on other websites across the Internet. For example, when you access a web page, a cookie is automatically set by us, our service providers, or our partners to recognize your browser as you navigate on the Internet and to present you with information and advertising based on your apparent interests.
  • To help measure and research the effectiveness of website features and offerings, advertisements, and e-mail communications (by determining which e-mails you open and act upon).

The Help portion of the toolbar on most browsers should tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable most types of cookies. Please note that if you refuse to accept cookies, you may not be able to access many of the tools offered on our sites.

Our sites also may use Web beacons (also known as clear gifs, pixel tags or Web bugs), which are tiny graphics with a unique identifier, similar in function to cookies, that are placed in the code of a Web page. We use Web beacons to monitor the traffic patterns of users from one page within our sites to another, to deliver or communicate with cookies, to understand whether you have come to our site from an online advertisement displayed on a third-party website, and to improve Website performance. We also may allow our service providers to use Web beacons to help us understand which emails have been opened by recipients and to track the visitor traffic and actions on our Website. This helps us measure the effectiveness of our content and other offerings.

Call Recording and Monitoring

Please be aware that calls to and from timetoreply™ may be recorded. We may use the call recordings to monitor our customer service for quality or compliance purposes, to check the accuracy of the information you provide us, for fraud prevention purposes, or to provide training to our staff. We will retain the call recordings for as long as reasonably necessary to perform such activities and then delete them. Any personal information obtained from you during the call will be treated in accordance with the provisions of this Privacy Policy.

How we use your information

timetoreply™ uses the information we collect from you for the sole purpose of providing you with our email analytics service and to generate email response time performance metrics for your account.

Your information is not accessible by any other customer.

Your identifiable information will never be shared with a 3rd party, and if timetoreply™ decides to use customer data to develop industry benchmark statistics, the data will be anonymized and aggregated to protect your data privacy.

Data will only be transferred to a 3rd party if necessary to provide or improve the user-facing features of timetoreply™ to provide email analytics and email response time performance metrics for your company.

Data may also be transferred if necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to users.

All other transfers or sales of user data are prohibited.

Your data will not be transferred or sold to any 3rd party for serving ads, including retargeting, personalized, or interest-based advertising; and no humans are allowed to read your data, unless

  1. We first obtained your affirmative agreement for specific message headers;
  2. It is necessary for security purposes (such as investigating a bug or abuse);
  3. It is necessary to comply with applicable law; or
  4. Its use is limited to internal operations and the data (including derivations) have been aggregated and anonymized.

These prohibitions apply to the raw data obtained from Restricted Scopes and data aggregated, anonymized, or derived from them.

All timetoreply™ employees, agents, contractors, and successors are bound to comply with the Google API Services: User Data Policy.

timetoreply’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

With whom we share your information

timetoreply™ may share your information with the following entities:

  • timetoreply™ Resellers for the sole purpose of selling and supporting timetoreply™.
  • If you use timetoreply™ to track MS Exchange server mailboxes, we use a 3rd Party solution called to connect to MS Exchange servers via their secure API.

We also may share your information:

  • In response to subpoenas, court orders, or other legal processes; to establish or exercise our legal rights; to defend against legal claims, or as otherwise required by law. In such cases, we reserve the right to raise or waive any legal objection or right available to us.
  • When we believe it is necessary to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property, or safety of timetoreply™, our customers, or others; and in connection with our Terms and Conditions and other agreements.
  • In connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.

Other than as set out above, you will be notified when personal information about you will be shared with third parties, and you will have an opportunity to choose not to have us share such information.

timetoreply’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

How you can access your information

We take reasonable steps to ensure that your information is relevant to its intended use, accurate, and complete. You can access and update your contact information by emailing us using

You can log in to your timetoreply™ account using the username and password that you create when you sign up.

You can close your timetoreply™ account by contacting us at the email address listed below.

We will send you an e-mail to confirm your request. Please note that after you close an account, you will not be able to sign in or access any of your personal information. However, you can open a new account at any time.

Your choices with respect to the collection and use of your information

  • As discussed above, you can choose not to provide us with any information, although it may be needed to take advantage of certain product features offered on timetoreply™.
  • You can add or update information or close your account as described above.
  • As a registered timetoreply™ customer, you can modify your subscription choices at any time by emailing us.
  • You can unsubscribe from any email correspondence or system notifications using the link provided in all promotional or notification emails.
  • The Help portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Please note that if you refuse to accept cookies from timetoreply, you will not be able to access certain portions of our site.

How we protect your information

Please view the timetoreply™ security document for a detailed explanation of how we protect your data and our security policies:

Who Owns Your Data?

You own the data associated with your account. And, at any time, you can securely remove your data from our servers by logging into your account and requesting such deletion or by emailing

We only access the header information associated with your emails. The actual email body and attachments of your emails are never downloaded or accessed within our computer systems.

When you cancel your subscription all personally identifiable data is securely deleted from our servers.

If, for any reason, Time to Reply Limited decides to close timetoreply™, all users will be contacted by email and their account information will be securely deleted from our servers in a timely manner.

Children’s privacy

timetoreply™ is a general audience site and does not offer services directed at children. Should an individual whom we know to be a child under age 13 send personal information to us, we will delete or destroy such information as soon as reasonably possible.

External links

If any part of the timetoreply™ Web site links you to other websites, those external websites do not operate under this Privacy Policy. We recommend that you examine the privacy statements posted on those other websites to understand their procedures for collecting, using, and disclosing personal information.


timetoreply™ adheres to a high level of operational excellence. timetoreply™ has multiple interlocking policies for incident response, audits, and privacy. We believe security practices should be transparent to customers, and these measures are outlined below.

Incident Response Policy

As part of our basic service to all customers, all Severity Level 1 and Business Critical incidents are closely monitored and responded to 24/7, 365 days a year. Our dedicated Infrastructure Security teams are constantly monitoring both our infrastructure and alerts from upstream vendors, throughout all our Operation Centers. We use notification and alert systems to immediately identify and manage risks and threats. timetoreply™ network status and incident reports are posted on the live site and on the dashboard should we experience any Severity Level 1 and Business Critical incidents.

Audit Policy

timetoreply™ uses to scan our systems for security vulnerabilities. All access to production clusters is logged and audited regularly. The production cluster is accessible only to timetoreply™ operational staff and engineers, whose primary responsibility is the construction and maintenance of the timetoreply™ software system. We also perform regular security audits of our own code, third-party libraries, and our infrastructure automation. We update any software dependencies we have, so as to remain up to date with all the latest security patches at all times.

Encryption and Access Control

timetoreply™ utilizes multiple application-level security mechanisms and features to ensure customer data safety. Each account’s data set is isolated with multi-level permission checks. All API calls require OAuth2 authentication tokens only granted by Microsoft, Google or Nylas, and user data is encrypted.


timetoreply™ ensures user information and identity protection through our adherence to the OAuth protocol. User Authentication to email back-ends (i.e. Gmail, Microsoft Exchange) is completed via OAuth2 where possible, and encrypted password-based Auth otherwise. OAuth2 is the top industry-standard secure authentication protocol that provides developers with individual revocable tokens per e-mail account.


timetoreply™ uses TLS 1.2 to encrypt bidirectional session traffic between our application and our end users’ browsers.

Customer Data Backups

timetoreply™ does not keep backups of customer data. In the event of a loss of data, timetoreply™ will re-ingest your account data directly from your mail server. It is the customers’ responsibility to back up their own mail server data. As long as the data is on their mail server, Time to Reply will be able to restore users’ email analytics data on timetoreply™.

Role-Based Access

timetoreply™ has procedures and controls in place to appropriately limit access to customer data and mitigate the risk of insider threats. Access is granted on a least-privilege basis and all requests require management approval. All access is logged and regularly audited to ensure policies are followed. Customer data may be accessed in the event that a customer account enters a failure state that requires accessing email data for debugging purposes. This data is not accessed for debugging unless an error cannot be resolved without doing so; all private data is excluded from system logs.

Network Transport and Storage

timetoreply™ implements best practices for maintaining service-wide network security. We deploy the latest technology to provide uninterrupted service and guard against attack. Internal sync infrastructure is isolated from the public Internet within separate VPCs, blocking all inbound connections, and persistence and storage layers are encrypted and secured behind VPN and firewalls.

Network Firewalls

timetoreply™ adheres to industry standard practices for securing and maintaining our infrastructure, with additional protection being afforded by our firewalls. Each system uses firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.

Denial-of-Service (DOS) Prevention

timetoreply™ implements best practices for preventing DoS attacks and uses Cloudflare to assist in preventing DoS attacks:

Distributed Denial-of-Service (DDOS) Prevention

timetoreply™ data centers are hosted at AWS, and AWS uses a variety of proprietary DDoS mitigation techniques to guard against the risk of attacks. In addition, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity and to ensure network availability, and timetoreply™ makes use of Cloudflare for additional protection:

Clustered Infrastructure

Automated systems deploy new code to timetoreply™ clusters in real time, to ensure smooth transitions between software updates with no downtime.

TLS Encryption

All web traffic between the user’s mail server and timetoreply™ is encrypted using TLS (Transport Layer Security) to protect customer data. Time to Reply’s systems enforce TLS communication channels over public networks, and only support certificates signed by well-known CAs. The TLS protocol provides data encryption and authentication between the customer’s mail server and timetoreply™ servers and prevents third parties from gaining illegitimate access to information.


Sub processor | Service
AWS | Hosting & Data storage
Elastic.io | Data storage and calculations

Infrastructure and Physical Security

All timetoreply™ physical infrastructure and data centers are housed in state-of-the-art secure facilities with industry standard access controls and physical security measures. timetoreply™ is hosted at Amazon Web Services (AWS) data centers, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1. SSAE 16, or more formally, Statement on Standards for Attestation Engagements No.16, is key guidance for reporting on internal controls for service organizations. SSAE 16 is used for reporting on the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2 and SOC 3. SOC 1 is focused toward an organization’s internal controls over financial reporting, while SOC 2 and SOC 3 cover reporting for the security, availability, processing integrity, confidentiality, and privacy for service organizations, including cloud and data center providers. AWS is certified to ISO 27001, which describes a systematic approach to managing sensitive information so that it remains secure. ISO 27001 covers a risk management process that encompasses people, processes, and IT systems. AWS is also Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS), enabling customers to run applications on AWS’s PCI-compliant infrastructure for storing, processing, and transmitting credit card information in the cloud. Additional AWS physical security measures include:

24×7 Surveillance

At each AWS hosting site, timetoreply™ servers are secured at all times by trained security guards, and access is authorized strictly on a least-privilege basis. The data centers use state-of-the-art electronic surveillance to monitor any suspicious activity.

Security Logs

AWS CloudTrail provides logs of all user activity to the timetoreply™ servers. timetoreply™ employees can monitor and track what actions were performed on each of the timetoreply™ resources, and by whom.

SSH Access

timetoreply™ has no access using a username and password, and can only access the server through SSH by using a security key. Any other SSH access is disabled.

Multiple Redundancy Zones

AWS spans multiple geographic regions and Availability Zones, which allow timetoreply™ servers to remain resilient in the event of most failure modes, including natural disasters or system failures. In addition, each AWS data center has independent power grids, as well as redundant power, HVAC and fire suppression systems. The AWS data centers use state-of-the-art practices for fault tolerance at each level of the system infrastructure, including Internet connectivity, power, and cooling.

Changes to this Privacy Policy

timetoreply™ may update this Privacy Policy in the future. We will notify our customers about material changes to this Privacy Policy by either sending a notice to the email address you provided to us or by placing a prominent notice on our Website.

How you can contact us

If you have questions about this Privacy Policy, please contact us at: