Privacy Policy
Last updated: June 2025
Timi is a privately hosted CalDAV and CardDAV service. This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have over it. We process data in accordance with the General Data Protection Regulation (GDPR).
1. Who we are
Timi is operated by Samn. If you have questions about this policy or how your data is handled, you can reach us at privacy@samn.me.
2. Data we collect and why
Account data
When you create an account we store your email address. This is used solely to send you sign-in links (magic links) and service notices. We do not use your email for marketing without your explicit consent.
Authentication data
Each time you sign in we issue a short-lived magic link token and, on verification, a session token. Token values are stored as secure hashes — we cannot read the plain-text value. Along with each session and token we store the IP address and browser/client user agent at the time of creation. This is used for security purposes (detecting suspicious activity) and fraud prevention.
App tokens
App tokens let CalDAV/CardDAV clients authenticate with Timi. The token value itself is stored as a bcrypt hash. We store the token name you choose, its creation date, expiry date (if set), last-used date, last-used IP address, and last-used user agent.
Calendar and contact data
Your calendars (`.ics` files) and address books (`.vcf` files) are stored on our servers and synced to your devices via the CalDAV and CardDAV protocols. This data belongs to you. We do not read, analyse, or share it.
Usage and storage data
We track how much disk space your data occupies (in megabytes) to enforce your plan's storage quota. We also keep a count of how many collections (calendars and address books) you have.
Payment data
If you upgrade to the Pro plan, payments are processed by Paddle, our payment provider and merchant of record. Paddle handles your card details directly — we never see or store them. We receive and store a Paddle customer ID and subscription ID so we can update your account when your subscription status changes.
Audit log
We maintain an internal audit log recording security-relevant events such as sign-ins, token creation, and account deletion. Each entry includes an event type, a timestamp, and the IP address and user agent of the request.
3. Legal basis for processing
We rely on the following legal bases under GDPR:
- Contract — processing your email, session, and calendar/contact data is necessary to provide the service you signed up for.
- Legitimate interest — storing IP addresses and user agents for security, fraud prevention, and abuse detection.
- Legal obligation — retaining records where required by applicable law.
4. Data storage and security
All data is stored on European servers. Data is encrypted in transit (HTTPS/TLS). Session tokens and app token values are stored as one-way hashes and cannot be recovered. We apply strict access controls so that only the processes that need your data can access it.
5. Third-party services
- Paddle — payment processing and subscription management. Paddle acts as merchant of record and is subject to its own privacy policy.
- Email provider (SMTP) — used to deliver magic-link sign-in emails. Only your email address and the sign-in link are transmitted.
We do not sell your data to any third party.
6. Data retention
- Account and calendar/contact data — kept for as long as your account is active. Deleting your account permanently erases all data we hold about you.
- Sessions — expire after 30 days of inactivity and are periodically purged.
- Magic links — single-use and short-lived; expired links are purged automatically.
- Audit logs — retained for a limited period for security and compliance purposes, then deleted.
7. Your rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — delete your account and all associated data at any time from the dashboard. We will process the deletion immediately.
- Portability — your calendar and contact data is stored in standard `.ics` and `.vcf` formats, which you can export from any compatible client at any time.
- Object or restrict processing — contact us if you wish to object to or restrict how we process your data.
- Lodge a complaint — you have the right to lodge a complaint with your local data protection authority.
8. Cookies
We use a single, strictly necessary HTTP cookie to maintain your authenticated session. No tracking or advertising cookies are used.
9. Changes to this policy
If we make material changes to this policy we will update the date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests, please email us at privacy@samn.me.