Privacy Policy

Last updated: May 7, 2026

1. Introduction

Welcome to TIMF2026 (the "Platform"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, share, and protect your data when you use our multi-tenant workflow automation and white-label SaaS platform.

This policy applies to all users of the TIMF2026 platform, including enterprise workflow users, consultants, agencies using our white-label services, and any individual who creates an account or interacts with our services.

By using our Platform, you agree to the terms outlined in this Privacy Policy. If you do not agree with these terms, please do not use our services.

2. Data We Collect

Personal Information

We collect the following types of personal information when you use our Platform:

  • Account Data: Email address, name, and password (securely hashed and never stored in plain text)
  • Team Data: Team name, member roles, permissions, and collaboration settings
  • Workflow Data: Workflow definitions, execution logs, task assignments, process configurations, and related metadata
  • Billing Data: Payment method information (processed securely through Stripe), usage metrics, subscription details, and invoices

Automatically Collected Information

When you use our Platform, we automatically collect certain information:

  • Usage Analytics: Page views, feature usage patterns, session duration, and interaction data (collected via Vercel Analytics)
  • Error Logs: Browser and server error information with personally identifiable information (PII) redacted (collected via Sentry for monitoring and debugging)
  • Authentication Logs: Login timestamps, IP addresses, device information, and session data for security monitoring and fraud prevention

Cookies and Tracking Technologies

We use cookies and similar tracking technologies for the following purposes:

  • Essential Cookies: Session tokens managed by Supabase Auth, required for authentication and platform functionality
  • Analytics Cookies: Vercel Analytics cookies for understanding usage patterns (optional, based on your consent preferences)
  • Third-Party Cookies: Stripe payment form cookies when you process payments

You can manage your cookie preferences through your browser settings. However, disabling essential cookies may affect platform functionality.

3. How We Use Your Data

We use the information we collect for the following purposes:

  • Account Management: To authenticate users, manage team collaboration, enforce access control, and provide secure account access
  • Service Delivery: To execute workflows, manage tasks, send notifications, and deliver the core functionality of our Platform
  • Billing and Subscription Management: To track usage, process payments, manage subscriptions, generate invoices, and enforce billing policies
  • Security and Fraud Prevention: To detect and prevent abuse, monitor for suspicious activity, maintain audit logs, and protect the integrity of our Platform
  • Product Improvement: To analyze feature usage, monitor performance, identify bugs, and improve our services based on anonymous, aggregated analytics
  • Customer Support: To respond to inquiries, troubleshoot issues, and provide technical assistance
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests

4. Data Sharing & Third Parties

Third-Party Service Providers

We share your data with the following trusted third-party service providers who help us operate our Platform:

  • Supabase (US-based): Provides authentication services, PostgreSQL database hosting, and Row-Level Security (RLS) enforcement
  • Stripe (US-based, PCI DSS compliant): Processes payment information securely. We do not store complete payment card details on our servers
  • Vercel (US-based): Provides hosting infrastructure and analytics services
  • Sentry (US-based): Monitors errors and performance issues with PII automatically redacted from error logs
  • Kafka (internal use only): Used for internal event streaming to track cost and usage metrics. No data is shared externally through Kafka

What We DO NOT Do

  • We do not sell your personal data to third parties
  • We do not share your data with advertisers or marketing companies
  • We do not use your data to train AI models unless you provide explicit, informed consent
  • We do not share your workflow data or business information with other platform users

Legal Disclosure

We may disclose your information if required by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

5. Data Retention

We retain your data for different periods depending on the type of information and legal requirements:

  • Active Accounts: Your account data, workflow data, and team information are retained while your account remains active
  • Deleted Accounts: When you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal or regulatory compliance
  • Billing Records: Financial records, invoices, and transaction data are retained for 7 years to comply with tax laws and accounting regulations
  • Security and Audit Logs: Authentication logs, security events, and audit trails are retained for 90 days for security monitoring and incident response
  • Backups: Your data may remain in our backup systems for up to 90 days after deletion from production systems

You may request earlier deletion of your data by contacting us at privacy@[domain]. We will honor such requests to the extent permitted by applicable laws and regulations.

6. Your Rights (GDPR/CCPA Compliance)

Depending on your location and applicable laws, you have the following rights regarding your personal data:

Your Data Rights

  • Right to Access: You have the right to request a copy of the personal data we hold about you
  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): You can request that we delete your personal data, subject to certain legal exceptions
  • Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV)
  • Right to Object: You can object to our processing of your data for marketing purposes or opt out of analytics tracking
  • Right to Restriction: You can request that we limit how we process your personal data under certain circumstances
  • Right to Withdraw Consent: Where we process data based on your consent, you can withdraw that consent at any time

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, disclose, and sell
  • Right to request deletion of your personal information
  • Right to opt out of the sale of your personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising your CCPA rights

How to Exercise Your Rights

To exercise any of these rights, you can:

  • Email us at privacy@[domain]
  • Use the privacy settings and data export tools available in your account dashboard
  • Contact our support team through the Platform

We will respond to your request within 30 days. We may require verification of your identity to protect your privacy and security before fulfilling your request.

7. Data Security

We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction:

  • Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Data at rest in our databases is encrypted using industry-standard encryption algorithms
  • Access Control: We implement role-based access control (RBAC) and Row-Level Security (RLS) through Supabase to ensure users can only access data they are authorized to view
  • Authentication Security: Passwords are hashed using bcrypt or similar strong hashing algorithms. We support multi-factor authentication (MFA) for enhanced account security
  • Monitoring and Incident Response: We use real-time error tracking and security monitoring to detect and respond to potential security incidents
  • Session Management: We enforce automatic idle timeout for inactive sessions to prevent unauthorized access. Session timeout duration is configurable by team administrators
  • Regular Security Audits: We conduct regular security assessments and vulnerability scans to identify and address potential security risks
  • Employee Access: Our employees and contractors are bound by confidentiality obligations and have access to personal data only on a need-to-know basis

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

If you become aware of any security vulnerability or breach, please report it immediately to security@[domain].

8. International Data Transfers

Our Platform is hosted in the United States, and our third-party service providers (Supabase, Vercel, Stripe, Sentry) are primarily US-based. If you access our services from outside the United States, your data may be transferred to, stored, and processed in the United States.

EU Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we transfer your personal data to the United States in accordance with applicable data protection laws. We rely on:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission for international data transfers
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission
  • Necessary for Contract Performance: Some data transfers are necessary to provide you with the services you requested

Data Residency Options

We are committed to providing data residency options for EU customers. EU-based hosting is on our product roadmap and will be available in a future release. If data residency is a requirement for your organization, please contact us at sales@[domain] to discuss custom hosting arrangements.

9. Children's Privacy

The TIMF2026 Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16 years of age.

Our services are designed for business and professional use and are not directed at children. If you are under 16 years old, please do not use our Platform or provide any personal information.

If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected information from a child under 16, please contact us immediately at privacy@[domain].

Compliance Note: This policy complies with the Children's Online Privacy Protection Act (COPPA) in the United States and Article 8 of the GDPR in the European Union.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you by:

  • Sending an email notification to the email address associated with your account
  • Displaying a prominent notice on our Platform
  • Updating the "Last updated" date at the top of this Privacy Policy

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated Privacy Policy.

For significant changes that materially affect your rights, we may require your explicit consent before the changes take effect.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries & Data Requests

Email: privacy@[domain]

For data access requests, deletion requests, or general privacy questions

Security Issues

Email: security@[domain]

For reporting security vulnerabilities or suspected data breaches

General Support

Email: support@[domain]

For technical support, account issues, or general inquiries

We will respond to all privacy-related inquiries within 30 days. For urgent security matters, we aim to respond within 48 hours.

⚠️ Legal Review Recommended

This Privacy Policy is provided as a comprehensive template based on GDPR, CCPA, and industry best practices. However, we strongly recommend that you have this policy reviewed by qualified legal counsel before deploying it in production. Privacy laws vary by jurisdiction, and your specific business operations may require additional disclosures or modifications.

Areas that may require legal review include:

  • Specific jurisdiction requirements for your target markets
  • White-label customer data processing agreements
  • Industry-specific compliance requirements (HIPAA, FERPA, etc.)
  • International data transfer mechanisms beyond Standard Contractual Clauses