TIMELESS — PRIVACY POLICY

Last Updated: [DATE]

Effective Date: [DATE]

1. INTRODUCTION

1.1 About This Policy

This Privacy Policy explains how [COMPANY LEGAL NAME] ("Timeless", "Company", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website, mobile applications, and services (collectively, the "Service").

1.2 Our Commitment

Timeless is built on a foundation of privacy. We use zero-knowledge encryption to ensure that we cannot access your private content. This Privacy Policy describes what data we can and cannot access, and how we handle the data we do collect.

1.3 Data Controller

For the purposes of data protection law, the data controller is:

[COMPANY LEGAL NAME]
[ADDRESS]
[COUNTRY]

Data Protection Contact: [DPO EMAIL]

1.4 Important Notice About Encryption

Due to our zero-knowledge architecture, we cannot access, read, or process:

  • Content stored in your Vault
  • Content in your Spaces
  • Your master password
  • Your sharing keys

This Privacy Policy addresses only the data we can access.

2. DATA WE COLLECT

2.1 Data You Provide Directly

We collect information you provide directly, including:

  • Account Data: Email address, name, password hash (for account creation and authentication)
  • Profile Data: Display name, profile photo (for personalisation)
  • Legacy Page Content: Biographical text, photos, audio, video (for providing the Legacy Page service)
  • Survey Responses: Demographics, views, opinions (for Your Voice analytics)
  • Communications: Support requests, feedback (for customer service)
  • Payment Data: Payment method, billing address (for subscription management)

2.2 Data Collected Automatically

We automatically collect:

  • Usage Data: Pages visited, features used, timestamps (for service improvement)
  • Device Data: Browser type, operating system, device type (for compatibility and troubleshooting)
  • Log Data: IP addresses, access times, error logs (for security and debugging)
  • Cookies: Session identifiers, preferences (for authentication and functionality)

2.3 Data From Third Parties

We may receive data from:

  • OAuth Providers: Name, email, if you use social login (for account creation)
  • Payment Processors: Transaction confirmations, payment status (for billing)

2.4 Data We Cannot Access

Due to zero-knowledge encryption, we cannot access:

  • Vault Content: Files, photos, documents you upload to your Vault
  • Space Content: Content shared through Spaces
  • Master Password: Your encryption password (we store only a verification hash)
  • Sharing Keys: The actual key codes (we store only verification hashes and owner-encrypted copies)
  • Encrypted Metadata: Space names, descriptions (encrypted with your master key)

We could not provide this data even if legally compelled, because we do not possess the means to decrypt it.

3. HOW WE USE YOUR DATA

3.1 Legal Bases for Processing

We process your personal data under the following legal bases:

  • Contract Performance: Account management, service provision, payment processing
  • Legitimate Interests: Security, fraud prevention, service improvement, analytics
  • Consent: Marketing communications, optional surveys, cookies
  • Legal Obligation: Tax records, law enforcement requests, regulatory compliance

3.2 Specific Purposes

To Provide the Service:

  • Create and manage your account
  • Display your Legacy Page
  • Process subscription payments
  • Send transactional notifications
  • Provide customer support

To Improve the Service:

  • Analyse usage patterns
  • Identify and fix bugs
  • Develop new features
  • Optimise performance

To Ensure Security:

  • Detect and prevent fraud
  • Monitor for abuse
  • Protect against unauthorised access
  • Maintain system integrity

For Your Voice Analytics:

  • Display how your responses compare to others
  • Generate aggregated, anonymised statistics
  • Publish demographic insights

4. YOUR VOICE DATA

4.1 What We Collect

If you participate in Your Voice surveys, we collect:

  • Demographics: Age range, gender, location, ethnicity, education, occupation, relationship status, religion, political leaning
  • Views: Responses to questions about trust, satisfaction, optimism, values, technology, wellbeing
  • Historical Context: Responses to questions about daily life and the current era

4.2 How Survey Data Is Used

  • Personal Insights: Showing you how your responses compare to others
  • Aggregated Analytics: Generating statistics visible to all users
  • Public Reports: Publishing anonymised demographic insights
  • Research: Supporting academic and historical research

4.3 Anonymisation

We anonymise survey data before publication:

  • Individual responses are never publicly identified
  • Demographic combinations with fewer than [X] respondents are suppressed
  • We use statistical techniques to prevent re-identification

4.4 Third-Party Access

Anonymised, aggregated survey data may be shared with:

  • Academic researchers (under data sharing agreements)
  • Journalists and media (for reporting)
  • Other organisations (licensed, aggregated data only)

Individual survey responses are never sold or shared in identifiable form.

5. DATA SHARING

5.1 Categories of Recipients

We may share data with:

  • Hosting Providers: All stored data, encrypted where applicable (for infrastructure)
  • Payment Processors: Payment and billing information (for subscription management)
  • Email Service Providers: Email addresses, names (for transactional emails)
  • Analytics Providers: Anonymised usage data (for service improvement)
  • Legal Authorities: As required by law (for legal compliance)

5.2 We Do Not Sell Personal Data

We do not sell your personal data to third parties for their marketing purposes.

5.3 Legal Disclosure

We may disclose personal data if required by law or if we believe disclosure is necessary to:

  • Comply with legal process
  • Protect our rights or property
  • Prevent fraud or abuse
  • Protect user safety

Note: We cannot disclose encrypted content because we cannot access it.

6. INTERNATIONAL DATA TRANSFERS

6.1 Where Data Is Processed

Your data may be processed in:

  • United Kingdom
  • European Economic Area
  • United States (for certain service providers)

6.2 Transfer Safeguards

For transfers outside the UK/EEA, we use:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO/European Commission
  • Adequacy decisions where applicable
  • Supplementary measures as required

7. DATA RETENTION

7.1 Retention Periods

  • Account Data: Until account deletion + [X] years (for legal and business records)
  • Legacy Page (Active): While account is active (for service provision)
  • Legacy Page (Frozen): Indefinitely (core service commitment)
  • Vault Content: Until deleted by user or account deletion (for service provision)
  • Survey Responses: Indefinitely, anonymised after account deletion (for historical record)
  • Payment Records: [X] years after transaction (for tax and legal requirements)
  • Log Data: [X] months (for security and debugging)
  • Support Communications: [X] years (for customer service records)

7.2 Frozen Legacy Pages

Frozen Legacy Pages are retained indefinitely as part of our core commitment to permanence. This is a feature, not a limitation.

8. YOUR RIGHTS

8.1 Rights Under Data Protection Law

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Restriction: Request limitation of processing
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent where processing is based on consent
  • Lodge Complaint: Complain to a supervisory authority

8.2 How to Exercise Your Rights

Contact us at [PRIVACY EMAIL] with your request. We will respond within:

  • UK/EEA: 30 days (extendable by 60 days for complex requests)
  • Other jurisdictions: As required by local law

We may request verification of your identity before fulfilling requests.

8.3 Limitations

We cannot:

  • Provide copies of encrypted content (you must export it yourself)
  • Delete specific encrypted content (you must delete it yourself)
  • Delete frozen Legacy Pages (by design)
  • Delete anonymised data (no longer personal data)

9. COOKIES AND TRACKING

9.1 What Cookies We Use

  • Essential: Authentication, security, functionality (session duration)
  • Functional: Preferences, settings ([X] months)
  • Analytics: Anonymised usage analysis ([X] months)

9.2 We Do Not Use

  • Advertising cookies
  • Cross-site tracking
  • Third-party marketing pixels

10. SECURITY

10.1 Technical Measures

We implement:

  • Zero-knowledge encryption for Vault and Space content
  • TLS encryption for data in transit
  • Encryption at rest for stored data
  • Regular security assessments
  • Access controls and authentication
  • Intrusion detection and monitoring

11. CHILDREN'S PRIVACY

11.1 Age Requirement

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

12. CHANGES TO THIS POLICY

12.1 Notification of Changes

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date.

13. CONTACT US

13.1 General Enquiries

Email: [PRIVACY EMAIL]

Address:

[COMPANY LEGAL NAME]
[ADDRESS]

13.2 Data Protection Enquiries

Data Protection Officer: [DPO EMAIL]

13.3 Complaints

If you are unsatisfied with our response to a privacy concern, you may contact:

UK Information Commissioner's Office
Website: ico.org.uk
Phone: 0303 123 1113

14. JURISDICTION-SPECIFIC PROVISIONS

14.1 UK and EEA Residents

If you are a UK or EEA resident, you have the rights described in this policy under the UK GDPR and EU GDPR respectively. Our legal bases for processing are set out in Section 3.

14.2 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal data we collect
  • Know whether we sell or disclose your data
  • Say no to the sale of personal data (we do not sell personal data)
  • Access your personal data
  • Request deletion of your personal data
  • Non-discrimination for exercising your rights

To exercise these rights, contact [PRIVACY EMAIL].