Privacy Policy

Last updated: May 30, 2026

1. Introduction

This notice describes how personal data collected through the website timoai.xyzand the Timo service (hereinafter, “the Service”) are processed, made available to users who activate an account, a free trial or a subscription.

Processing complies with Regulation (EU) 2016/679 (“GDPR”) and Italian Legislative Decree 196/2003 (“Privacy Code”) as updated by Legislative Decree 101/2018.

2. Data controller

Rodolfo de Carvalho
Località Ottelio 1, 33044 Manzano (UD) — Italy
Phone: +39 334 891 9985
Contact email: [email protected]
Dedicated privacy email: [email protected]
VAT number: [VAT to be added before go-live]

The data controller operates as a sole proprietorship. No Data Protection Officer (DPO) has been appointed: the single point of contact for privacy matters is the data controller, reachable at [email protected].

3. What Timo does, briefly

Timo is a service that provides the user with a “space” to hold notes in Markdown format. The space can be consulted and updated by the user's AI assistants (e.g. Claude, ChatGPT) through the MCP protocol. The Service is structured as a dedicated instance for each user: every user has an isolated instance, reserved only for their space and the data they put in it.

This premise matters to understand the distinction between Level 1 data (identity and billing) and Level 2 data (space content), processed in noticeably different ways.

4. Categories of data collected

4.1 Level 1 — Identity and billing data

• Account email (required for registration)
• Password (stored only as a cryptographic hash, never in clear text)
• First and last name (if voluntarily provided)
• Billing address (for users who activate a paid plan)
• VAT / Tax ID (for issuing electronic invoices via SDI)
• Payment data (card number, expiry, CVV): never processed directly by Timo; collected and handled exclusively by Stripe, our payment processor. Timo receives only the opaque transaction reference and the metadata required for billing.
• Technical security data: access timestamps, anonymized hash of the IP address, user agent, session identifiers.

4.2 Level 2 — Space content

• Markdown notes created, imported or modified by the user
• Search indexes derived from notes, computed for in-space search
• Metadata: tags, creation/modification timestamps, paths in the space, sync conflicts

Level 2 content receives reinforced protection: Timo staff does not access it under ordinary operations, it is not used to train AI models, it is not subject to centralized or aggregate analysis, it is not read for metric or profiling purposes (see section 7).

4.3 Data collected automatically on the site

Browsing timoai.xyz alone collects only technical cookies. Web traffic statistics are collected via an internal, self-hosted analytics tool that uses no cookies and processes only aggregate, anonymous data. See the Cookie Policy for details.

5. Purposes of processing and lawful basis

1. Service delivery (account creation, authentication, space access) — Level 1 + Level 2 — Contract, Art. 6(1)(b) GDPR.
2. Billing and tax obligations — Level 1 — Legal obligation, Art. 6(1)(c) GDPR.
3. Transactional emails (registration confirmation, trial expiry, receipts, security notifications) — Contract, Art. 6(1)(b) GDPR.
4. Service security (anomalous access detection, anti-fraud) — Legitimate interest, Art. 6(1)(f) GDPR.
5. Action history for administrative operations — anonymized — Legitimate interest, Art. 6(1)(f) GDPR.
6. Non-transactional service communications (scheduled maintenance, substantial Service changes) — Legitimate interest, Art. 6(1)(f) GDPR.
7. Web traffic statistics via an internal analytics tool (aggregate, anonymous data, no cookies) — Legitimate interest, Art. 6(1)(f) GDPR.

The data controller does not use personal data for direct marketing, commercial profiling, sale to third parties or transfer to data brokers.

6. Retention periods

• Account data (Level 1) — active user: for the entire duration of the contractual relationship.
• Account data — subscription ended: 90 days of space access to allow restore or export, subject to tax obligations (see below).
• Billing data: 10 years from the last invoice issued, pursuant to Art. 2220 of the Italian Civil Code and tax regulations.
• GDPR erasure on user request: 30 days of soft-delete reversible by login; at the end, hard deletion of Level 1 and Level 2 (only the anonymized action history and the billing data required by law remain).
• Encrypted backups: daily 30 days, weekly 12 weeks, monthly 365 days. Backup copies of a deleted account are purged at the natural rollover of the windows.
• Action history: kept indefinitely in fully anonymized form (the actor_id cannot be traced back to any natural person). Indefinite retention is motivated by tax obligations for users with an active subscription and by the need for historical integrity of the Service.
• Technical cookies: session duration or maximum 12 months.
• Web traffic statistics (internal analytics tool): aggregate, anonymous data, not attributable to individual users.
• Transactional emails (send log): 12 months from sending.

7. Reinforced protection of space content (Level 2)

• Exclusive user access: only the owning user can read and modify the content of their space.
• Exceptional support access: possible only on explicit and traced request from the user, for the strictly necessary time, with email notification and entry in the action history.
• No AI training:space content is not used to train, fine-tune or evaluate artificial intelligence models, neither Timo's nor third parties'.
• No aggregate analysis: no statistics, internal dashboards or product metrics are produced based on reading space content.
• Export always available: the user can at any time autonomously export the entire space in standard Markdown format, with no format restrictions or lock-in.
• Granular and total deletion: the user can delete single notes or the entire space. Deletion is effective within seconds on the production system; backup copies are purged according to the windows indicated in section 6.

8. Data recipients (data processors)

To deliver the Service, the data controller relies on the following data processors, each bound by a Data Processing Agreement (DPA) under Art. 28 GDPR:

• Hetzner Online GmbH (Germany, EU) — VPS infrastructure hosting Timo instances and databases. Datacenters located in the EU.
• Stripe — payment service provider: card processing and anti-fraud.
• Zoho Corporation (United States / India) — sending of transactional emails through the Zoho Mail service (authenticated SMTP). EU→non-EU transfers under Standard Contractual Clauses (SCC) and Zoho DPA.
• Cloudflare, Inc. (United States, global presence) — CDN, DDoS protection, application firewall, rate limiting for timoai.xyz and for the publicly exposed MCP endpoints.

The data controller does not share personal data with parties other than those listed above. There are no commercial partnerships, affiliate programs with data sharing, advertising integrations or third-party tracking systems active.

9. Non-EU data transfers

The primary infrastructure of the Service (servers, databases, user spaces) is entirely hosted in the European Union. Transfers to the United States may occur, limited to Level 1 data and operational metadata, within the Stripe, Zoho, Cloudflare services. All transfers are governed by Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR and — where available — by the provider's certification to the EU-US Data Privacy Framework.

No transfer of space content (Level 2) takes place outside the EU.

10. Minimum age

The Service is aimed at people who have reached 18 years of age. Accounts registered in the name of minors will be suspended and deleted upon notice.

11. Data subject rights

Under Articles 15–22 GDPR, the user has the right of access, rectification, erasure, restriction, portability, objection and withdrawal of consent. For the space, standard Markdown export already permanently satisfies the right to data portability.

Requests should be sent to [email protected]. There is no dedicated web form: the only channel is email. The data controller responds within 30 days of receipt, extendable by 60 days in the cases provided for by Art. 12(3) GDPR.

12. GDPR erasure procedure

1. Soft-delete (30 days). Following the request, the account is disabled and flagged for deletion. The user can revoke the request by logging in with the existing credentials.
2. Hard-delete. After 30 days, deletion becomes irrevocable. Level 1 account data, Level 2 space content, embeddings, metadata, and backup copies are deleted according to the windows indicated.

Exceptions to deletion: billing data (10 years for legal obligation), anonymized action history (legitimate interest in historical integrity). In addition, if the user simply ends the subscription without requesting GDPR erasure, a 90-day space access period applies during which they can reactivate the Service.

13. Data security

• Encrypted transport over TLS 1.2+ (HTTPS).
• At-rest encryption of the volumes hosting databases and the space.
• Dedicated-instance isolation for every user: dedicated stack, separate database and file system.
• Periodic encrypted backups, handled via rclone, with separate passphrase.
• Cryptographic password hash (high cost-factor algorithm).
• Email-token authentication for sensitive operations.
• Action history for administrative operations.
• Rate limiting and application firewall (Cloudflare) on public endpoints.
• SPF, DKIM, DMARC on the timoai.xyz domain.
• Regular updates of operating system, dependencies, containers.

The data controller commits to notifying the user and the Italian Data Protection Authority of any personal data breach under Articles 33 and 34 GDPR, within the legal deadlines.

14. Cookies

The site uses only technical cookies. Web traffic statistics are collected via an internal, self-hosted analytics tool, without cookies and on aggregate, anonymous data. For details see the Cookie Policy. The Service (the authenticated area) uses only session cookies strictly necessary for authentication: no profiling cookies, advertising trackers or third-party pixels.

15. Contract language

The Italian version of this notice prevails over any future translation (e.g. English) in case of interpretive discrepancy.

16. Changes

The version in force is always the one published at https://www.timoai.xyz/privacy/, with the last-updated date shown at the top. Substantial changes will be communicated by email to registered users with at least 30 days' notice, where technically possible.

17. Contacts for exercising your rights

Dedicated privacy email: [email protected]
Postal mail: Rodolfo de Carvalho — Località Ottelio 1, 33044 Manzano (UD), Italy
Phone: +39 334 891 9985

18. Complaints to the Italian Data Protection Authority

Users who believe the processing of their data violates the regulations have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali — Art. 77 GDPR):

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Rome — www.garanteprivacy.it