Privacy Policy

Last updated: June 2025

Timi is a privately hosted CalDAV and CardDAV service. This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have over it. We process data in accordance with the General Data Protection Regulation (GDPR).

1. Who we are

Timi is operated by Samn. If you have questions about this policy or how your data is handled, you can reach us at privacy@samn.me.

2. Data we collect and why

Account data

When you create an account we store your email address. This is used solely to send you sign-in links (magic links) and service notices. We do not use your email for marketing without your explicit consent.

Authentication data

Each time you sign in we issue a short-lived magic link token and, on verification, a session token. Token values are stored as secure hashes — we cannot read the plain-text value. Along with each session and token we store the IP address and browser/client user agent at the time of creation. This is used for security purposes (detecting suspicious activity) and fraud prevention.

App tokens

App tokens let CalDAV/CardDAV clients authenticate with Timi. The token value itself is stored as a bcrypt hash. We store the token name you choose, its creation date, expiry date (if set), last-used date, last-used IP address, and last-used user agent.

Calendar and contact data

Your calendars (`.ics` files) and address books (`.vcf` files) are stored on our servers and synced to your devices via the CalDAV and CardDAV protocols. This data belongs to you. We do not read, analyse, or share it.

Usage and storage data

We track how much disk space your data occupies (in megabytes) to enforce your plan's storage quota. We also keep a count of how many collections (calendars and address books) you have.

Payment data

If you upgrade to the Pro plan, payments are processed by Paddle, our payment provider and merchant of record. Paddle handles your card details directly — we never see or store them. We receive and store a Paddle customer ID and subscription ID so we can update your account when your subscription status changes.

Audit log

We maintain an internal audit log recording security-relevant events such as sign-ins, token creation, and account deletion. Each entry includes an event type, a timestamp, and the IP address and user agent of the request.

3. Legal basis for processing

We rely on the following legal bases under GDPR:

4. Data storage and security

All data is stored on European servers. Data is encrypted in transit (HTTPS/TLS). Session tokens and app token values are stored as one-way hashes and cannot be recovered. We apply strict access controls so that only the processes that need your data can access it.

5. Third-party services

We do not sell your data to any third party.

6. Data retention

7. Your rights

Under GDPR you have the right to:

8. Cookies

We use a single, strictly necessary HTTP cookie to maintain your authenticated session. No tracking or advertising cookies are used.

9. Changes to this policy

If we make material changes to this policy we will update the date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

10. Contact

For any privacy-related questions or requests, please email us at privacy@samn.me.