Privacy Policy
1. Data Controller
263 Napse SRL, Str. Sibiului 263, 555301 Cisnadioara, Sibiu, Romania, is the data controller for personal data processed through timelines.me. Contact: contact@timelines.me.
2. Data We Collect
2.1 Account Data (from OAuth provider)
- Name — your display name from Google, Facebook, or Apple
- Email address — used as account identifier and for service communications
- Profile picture URL — displayed as your avatar (optional)
- Authentication provider — which service you used to sign in
We do not receive or store your password from any provider.
2.2 Content Data (created by you)
- Timeline names, descriptions, and visibility settings
- Event titles, descriptions, dates, tags, and importance levels
- Echoes (names of people you share private events with)
- Uploaded images (if applicable)
Your content data is encrypted at rest using post-quantum cryptography (Kyber1024 KEM + AES-256-GCM). This means that even in the event of a data breach, your content cannot be read without the corresponding encryption keys.
2.3 Technical Data (automatic)
- Language preference (stored in a cookie)
- Theme preference (stored in localStorage)
- Session identifier (cookie, for authentication)
- Anonymous usage analytics (page views, feature usage)
3. Legal Basis (GDPR Article 6)
| Data | Legal basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b)) — necessary to provide the Service |
| Content data | Contract performance (Art. 6(1)(b)) — the core purpose of the Service |
| Session cookie | Contract performance (Art. 6(1)(b)) — necessary for authentication |
| Language cookie | Legitimate interest (Art. 6(1)(f)) — providing the Service in your language |
| Analytics | Legitimate interest (Art. 6(1)(f)) — improving the Service |
4. How We Use Your Data
- To provide, maintain, and improve the Service
- To authenticate you and manage your account
- To encrypt and store your content securely
- To send service-related communications (account, security, changes)
- To comply with legal obligations
We do not use your data for advertising, profiling, or selling to third parties.
5. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- OAuth providers (Google, Facebook, Apple) — only during authentication, as initiated by you
- Stripe — for payment processing (Pro plan only), subject to Stripe's Privacy Policy
- Google Cloud Platform — as infrastructure provider, subject to Google's Data Processing Addendum
- Law enforcement — only when required by law or valid legal process
6. Data Storage and Security
- Location: European Union (Western Europe region, Google Cloud)
- Encryption at rest: Post-quantum cryptography (Kyber1024 + AES-256-GCM)
- Encryption in transit: TLS 1.3 (HTTPS)
- Key separation: Encryption keys stored separately from encrypted data
- Access control: OAuth-based authentication, per-user data isolation
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — request a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — delete your account and all data (Art. 17). Deletion is immediate and permanent (0 days retention).
- Data portability — export your data in JSON format (Art. 20)
- Restriction — restrict processing of your data (Art. 18)
- Objection — object to processing based on legitimate interest (Art. 21)
- Complaint — file a complaint with ANSPDCP (Romanian Data Protection Authority) or your local supervisory authority
To exercise any of these rights, contact contact@timelines.me. We will respond within 30 days.
8. Cookies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| session | Authentication — keeps you logged in | Session | Essential |
| lang | Language preference | 1 year | Functional |
| _ga | Google Analytics — distinguishes unique visitors | 2 years | Analytics |
| _ga_* | Google Analytics — maintains session state | 2 years | Analytics |
Essential and functional cookies are set automatically — they are necessary for the site to work. Analytics cookies (Google Analytics) are only set after you give explicit consent via the cookie banner. Theme preference is stored in localStorage (not a cookie).
You can change your cookie preference at any time via the "Cookies" link in the footer.
9. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us data, contact us immediately and we will delete it.
10. International Transfers
Your data is stored within the European Union. If data is transferred outside the EU (e.g., through OAuth providers), such transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions of the European Commission.
11. Data Retention
- Active account: Data retained as long as your account exists
- Account deletion: All data permanently deleted immediately (0 days)
- Backup retention: Encrypted backups, if any, are purged within 30 days of account deletion
12. Changes
We may update this Privacy Policy. Material changes will be notified via email or through the Service at least 30 days in advance. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For privacy-related inquiries:
263 Napse SRL — Data Protection
Str. Sibiului 263, 555301 Cisnadioara, Sibiu, Romania
contact@timelines.me