Privacy Policy
Effective date: 31 March 2026
1. Introduction and Data Controller
This Privacy Policy explains how Smart Media Projects (“we”, “us”, “Timply”) collects, uses, and protects your personal data when you use timply.io.
Data Controller
Smart Media Projects
Amsterdam, Netherlands
KVK: 70766088
BTW: NL002431036B69
Contact: support@timply.io
2. What Data We Collect
We collect the following categories of personal data:
- Account data: email address, first name, last name, and a securely hashed password.
- Billing data: Stripe customer ID, subscription tier, and billing interval. We never store your credit card number — Stripe handles all card data directly.
- Template content: HTML and text templates you create or import into Timply.
- Brand data: brand name, website URL, and extracted colours, fonts, and voice attributes.
- Usage data: feature usage, access timestamps, and IP addresses (for security purposes).
- Device data: browser type and operating system, from standard HTTP headers.
3. How We Use Your Data
We process your personal data for the following purposes, each with a specific legal basis under the GDPR:
| Purpose | Legal basis |
|---|---|
| Provide the service (account, templates, library) | Art. 6(1)(b) — contract performance |
| Process payments via Stripe | Art. 6(1)(b) — contract performance |
| AI-assisted template editing and brand analysis | Art. 6(1)(b) — contract performance |
| Send transactional emails (password reset, verification) | Art. 6(1)(b) — contract performance |
| Security and fraud prevention | Art. 6(1)(f) — legitimate interest |
4. AI Processing Disclosure
Timply uses AI to help you edit templates and analyse your brand. Here is how that works:
- When you use AI editing features, your template content is sent to the Google Gemini API for processing.
- During onboarding, your brand information (website URL, brand name) is sent to Google Gemini for brand analysis.
- Google acts as a data processor under our Data Processing Agreement.
- AI outputs are clearly presented as AI-assisted — you always review and approve changes before they are applied.
- We do not use your content to train AI models.
5. Third-Party Processors
We share your data with the following service providers, each acting as a data processor on our behalf:
| Processor | Purpose | Data shared |
|---|---|---|
| Google (Gemini API) | AI template editing and brand analysis | Template content, brand info |
| Stripe | Payment processing | Name, email, subscription metadata |
| SendGrid | Transactional email | Email address, name |
| Hetzner | Hosting (backend and database) | All application data |
| Cloudflare | CDN, DNS, and R2 object storage | Static assets, media uploads |
| Vercel | Frontend hosting | No personal data (static assets only) |
6. International Data Transfers
Some of our processors are based outside the EU:
- Google (US) and Stripe (US): transfers are protected by EU Standard Contractual Clauses (SCCs) and supplementary measures.
- SendGrid (US): transfers under SCCs.
- Hetzner: EU-based — no international transfer.
- Cloudflare: SCCs in place for any data processed outside the EU.
- Vercel: SCCs in place. No personal data is processed.
7. Data Retention
- Account data and template content: retained while your account is active. Deleted within 30 days of account deletion.
- Billing records: retained for 7 years as required by Dutch tax law (fiscale bewaarplicht).
- Security logs: retained for 90 days.
8. Your Rights
Under the GDPR, you have the following rights regarding your data:
- Access (Art. 15): request a copy of your personal data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17): request deletion of your data.
- Restriction (Art. 18): limit how we process your data.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Object (Art. 21): object to processing based on legitimate interest.
To exercise any of these rights, email us at support@timply.io. We will respond within 30 days.
9. Cookies and Local Storage
Timply uses localStorage to store your authentication token. This is strictly necessary for the service to function and does not require consent under the ePrivacy Directive (Telecommunicatiewet).
We do not use third-party tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is needed.
10. Children
Timply is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. Continued use of the service after 30 days constitutes acceptance of the updated policy.
12. Complaints
If you have a concern about how we handle your data, please contact us first at support@timply.io.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.