
Privacy Policy

TimeLine protects your personal data. This policy clearly explains how we collect, use, store, delete, and safeguard your information, and outlines your rights.

Privacy Policy Intro

At TimeLine, we take your privacy seriously and built our platform with privacy in mind. This Privacy Policy explains how we handle personal data. By using or accessing TimeLine, you agree to the practices and policies described below and allow us to collect, use, and share your information as outlined in this Policy. This Privacy Policy applies to your use of TimeLine and is incorporated into TimeLine’s Terms of Use. Any capitalized terms not defined here have the meanings given in the Terms of Use.

We collect only what’s necessary to run the service: cookies to keep your login session active, and data used to provide personalized ads. We use cookies and similar technologies for authentication and session continuity, and we process limited ad-related data (like interactions and standard device information) to make ads more relevant. We don’t sell personal information, and we share data only with service providers who help us operate TimeLine under strict safeguards.

We’re always improving TimeLine, so this Policy may change from time to time. If we make material changes, we’ll notify you by posting a notice in the app or on our website and/or sending an email. By continuing to use TimeLine after changes are posted, you agree to the updated Policy.

Data Collection

TimeLine collects only the information needed to operate, secure, and improve the service, to keep you signed in, and to provide personalized ads and content recommendations.


  • Account information: email, username, profile details you choose to provide.
  • Usage & interactions: features you use, clicks, views, posts, likes, and other activity signals used for content recommendations.
  • Device & log data: IP address, device/browser type, language, timestamps, and diagnostic logs to maintain reliability and security.
  • Cookies & similar technologies: cookies for authentication and to keep your login session active; cookies/pixels for measuring engagement and supporting personalized ads.
  • Ad personalization data: limited signals (e.g., interactions, device info, coarse location) used to make ads more relevant; we do not share sensitive categories.
  • From service providers/partners: we may receive limited data needed to deliver ads and analytics.

  • Non‑logged‑in use: When you view public content or use basic search without creating an account or logging in, we do not collect personal data, and we do not set cookies or store device identifiers.
  • Sign‑up without login: If you sign up but do not log in, we store only the account information you provided during sign‑up (e.g., email, date of birth) for account management. No other data is collected until you log in.

We share only what is necessary with trusted partners under contractual safeguards, and we do not sell personal information. We do not intentionally collect sensitive categories (such as health, biometric, or government IDs). Children's data is handled according to applicable laws. For details on how long we keep data, see the Data Storage section.

Data Use

We use the data we collect strictly for the following purposes:


  • Authentication & sessions: Maintain your login state, prevent unauthorized access, and keep your account secure (via cookies and similar technologies).
  • Personalized ads: Make advertising more relevant using limited signals (e.g., interactions, device info, coarse location). We may share necessary subsets of these signals with trusted partners or advertisers under contractual safeguards. We do not use sensitive categories for ad targeting and we do not sell personal data.
  • Recommendations & content relevance: Improve feed ranking, discoverability, and content suggestions based on usage signals (e.g., clicks, views, likes).
  • Product improvement: Analyze performance and reliability, fix bugs, and guide feature development using aggregate metrics and diagnostic logs; we may use aggregated or de-identified data for analytics.
  • Vercel (deployment/hosting): Data processed via Vercel is used strictly for service deployment/hosting, authentication/session continuity, performance monitoring, incident response, and security/fraud/abuse prevention.
  • Security, fraud, and abuse prevention: Detect, investigate, and mitigate spam, fraud, and violations of our Terms.
  • Payments & transactions (if applicable): Process transactions, prevent fraud, and meet accounting requirements through payment providers; only necessary data is used or shared.
  • Stripe (payments): Data processed via Stripe is used strictly for payment processing, refunds/disputes, fraud prevention, and compliance with accounting/tax and other legal obligations. We do not store full card numbers or sensitive payment credentials on our servers.
  • Legal and compliance: Comply with legal obligations, enforce policies, and respond to lawful requests from authorities.
  • Communications: Send service-related notices (e.g., policy updates, security alerts) and, where permitted, product updates; you can control certain preferences in Your Rights and Choices.

  • Non‑logged‑in use: No personal data is processed or used for non‑logged‑in viewing or basic search.
  • Sign‑up without login: We use your submitted account information solely to manage your account eligibility (18+ requirement) and to enable future login.

For details on how ads and cookies are handled, please see Your Rights and Choices.

Data Storage

We retain personal data only for as long as it is needed for the purposes described in this Policy.


  • Retention periods:
    • Authentication/session data (cookies, tokens): persisted while you remain logged in and through short renewal windows; removed when you log out.
    • Account data (email, username, profile): retained while your account is active. If you delete your account, it enters a 15‑day restoration window; after 15 days, it is permanently deleted or irreversibly anonymized.
    • User content and search history (posts, comments, search history): retained while your account is active. You can manually delete posts, comments, or your search history at any time. If you do not delete them, they remain stored until you delete your account, after which all related content and records are automatically and permanently deleted (or de‑identified) following the 15‑day restoration window. Minimal records may be retained as required by law for reports, legal obligations, or abuse prevention.
    • Usage/analytics logs: stored for a limited period to improve reliability and features, then aggregated or de‑identified.
    • Vercel logs: Hosting and diagnostic logs are retained for a limited period necessary for reliability, security, and product improvement, then aggregated or de‑identified. Backups exist solely for disaster recovery and expire on a rolling schedule.
    • Ad personalization signals: kept for short, rotating windows and refreshed periodically; not stored longer than necessary for relevance.
    • Payment/transaction records (if applicable): retained per accounting and tax laws.
    • Stripe records: Transaction records are retained in accordance with statutory accounting/tax retention periods and dispute handling requirements. Full card numbers and sensitive payment credentials are not stored on our servers.
  • Deletion, restoration & anonymization: You can delete your account at any time. Within 15 days you may restore it; after that period, we cannot recover the data. When data is no longer needed, we delete or de‑identify it unless a legal obligation requires temporary retention.
  • Backups & recovery: Backups exist for reliability and disaster recovery; they are encrypted and expire on a rolling schedule. Deleted items may persist in backups until the backup window lapses. Restoring from backups requires account authentication (email and password).
  • Storage locations: Data may be stored in regional data centers operated by trusted providers. Where required, we apply transfer safeguards consistent with applicable laws.
  • Security safeguards: We protect stored data with encryption at rest, role‑based access controls, and monitoring to prevent unauthorized access or loss.

  • Non‑logged‑in use: We do not store personal data for non‑logged‑in viewing or basic search.
  • Sign‑up without login: We store your account information under the Data Storage retention rules. If you delete your account before logging in, we delete or de‑identify the sign‑up data per our deletion policy.

For how to request deletion or manage retention preferences, see Your Rights and Choices. For cross‑border processing details, see Data Transfers.

Data Deletion

We retain personal data only for as long as it is needed for the purposes described in this Policy.


  • User content (posts, replies, comments): When you delete content, it is removed immediately and is not backed up. Deleted content cannot be recovered.
  • Deletable profile fields: Status, bio, tech stack, and links that you can delete are removed immediately and are not backed up.
  • Search history: When you delete your search history, it is erased immediately, is not backed up, and cannot be recovered.
  • Non‑deletable identifiers: Core account identifiers such as username, email, and nickname cannot be deleted individually (for service operation, security, and legal compliance). However, when you delete your account, these identifiers are permanently deleted or irreversibly de‑identified after the 15‑day restoration window.
  • Account deletion: When you delete your account, a 15‑day restoration window is provided (you can restore by logging in). After 15 days, your account is permanently deleted or irreversibly de‑identified, and recovery is not possible. Upon permanent account deletion, all data you posted (e.g., posts, replies, comments) and associated data are permanently deleted and cannot be recovered.
  • Backups & recovery: Backups are used only for account restoration and require email and password authentication. User content, deletable profile fields, and search history are not included in backups.
  • Legal/abuse exceptions: Minimal records may be retained as required by law (e.g., accounting, dispute handling) or for abuse/fraud prevention, and are restricted in use.
  • Third‑party caches: Search engine caches or partner systems may retain temporary copies, which are removed according to their expiration cycles.

For how to request deletion or manage retention preferences, see Your Rights and Choices. For cross‑border processing details, see Data Transfers.

Data Transfers

TimeLine uses the Asia-Pacific (APAC) region as its main data-processing region to provide the service. Accordingly, your personal data may be transferred, stored, and processed within the Asia-Pacific region (e.g., Singapore, Japan, or Korea) and, where necessary, to other regions under equivalent safeguards. We comply with the following when transferring data:


  • Legal basis: We ensure an adequate level of protection through applicable international transfer mechanisms, including the EU Standard Contractual Clauses (SCCs) annexed to our Data Processing Addendum (DPA) with Supabase Inc. Where required, we use UK international transfer SCCs or other region‑specific standard clauses.
  • Scope of transfer: Data strictly necessary to operate the service may be transferred, including account and authentication data, database/storage data, logs and diagnostics, and payment card transaction data (where applicable).
  • Safeguards: We apply technical and organizational measures during transfer, storage, and processing, such as encryption (in transit/at rest), role‑based access controls (RBAC), least‑privilege access, and monitoring/audit logs. We assess risks before and after transfers and introduce additional safeguards where necessary.
  • Data subject rights: Requests and inquiries related to data transfers are handled under "Your Rights and Choices." Upon request, we provide information about the transfer mechanisms and applicable clauses.
  • Backups and recovery: Backups are used solely for reliability and disaster recovery, are encrypted, and expire on a rolling schedule. Deleted items may persist until the backup window lapses. Restoring from backups requires account authentication (email and password).
  • Vercel (deployment/hosting): We use Vercel to deploy and host TimeLine. In connection with providing hosting and ensuring service reliability and security, Vercel may process device and log data (e.g., IP address, browser/device type, language, timestamps, diagnostic logs) and limited account/authentication metadata. This processing may occur on infrastructure located in the United States and is used for availability, performance, and abuse/fraud prevention.
  • Stripe (payments): We use Stripe to process payments. In connection with transactions, Stripe processes payment‑related information (e.g., transaction amount, payment method tokens, billing/contact details, and transaction metadata) for payment processing, fraud prevention, refunds/disputes, and legal/accounting compliance. Card numbers and other sensitive payment credentials are not stored on our servers. Stripe’s processing may occur on infrastructure located in the United States.

Data Security

We protect your personal data using technical and organizational measures appropriate to our service and risk profile.


  • Encryption: All data is encrypted in transit using TLS. Data at rest is encrypted by our trusted infrastructure providers (e.g., hosting and database platforms).
  • Access controls: We apply role‑based access controls (RBAC), least‑privilege access, and require authentication for all administrative actions. Access is logged and reviewed.
  • Secret management: API keys, tokens, and credentials are stored securely and are not committed to source control.
  • Credential protection: We do not store plaintext passwords. Password hashing and storage are handled by our authentication provider in line with industry standards (e.g., modern hashing algorithms).
  • Monitoring and logging: We maintain operational and security logs to help detect and investigate abuse, fraud, and incidents.
  • Application safeguards: We follow secure development practices and use standard protections against common web threats (e.g., CSRF, XSS).
  • Backups and recovery: Backups exist solely for reliability and disaster recovery; they are encrypted and expire on a rolling schedule. Deleted items may persist until the backup window lapses.
  • Incident response: When we detect a security incident, we investigate, mitigate, and—where legally required—notify affected users and authorities.

These measures complement the safeguards described in Data Transfers and are applied alongside our providers' security controls.

Children

  • Public access: We allow viewing of public content and basic search without logging in. For non‑logged‑in visitors, we minimize or avoid processing personal data and do not use behavioral advertising or personalized tracking.
  • Age restrictions: Account creation and interactive features (e.g., posting, commenting, saving, notifications) are restricted to users who are at least 18 years old, or the age of legal majority in their country of residence—whichever is higher. During sign‑up, you must provide your date of birth. If you indicate you are under 18, you cannot create an account or use interactive features.
  • Data collection policy: We do not knowingly collect personal data through accounts from users under 18, or under the age of legal majority in their country of residence, because such accounts are not permitted. If we learn that an account was created by a user under 18 or that age was misrepresented, we may suspend or delete the account and associated data in accordance with this Policy and applicable law.
  • Regional compliance: Regional requirements may apply. Where the law requires additional measures (e.g., parental consent for younger users in certain jurisdictions), we may request further verification. Because accounts are limited to 18+, parental consent is generally not required for our Service; non‑logged‑in viewing does not involve collecting personal data.
  • Future analytics: If we introduce optional analytics or advertising cookies for non‑logged‑in visitors, we will obtain consent where required by law, and we will not profile minors for targeted advertising.

Your Rights and Choices

This section explains the rights you have and the choices you can make when using TimeLine. We provide minimal, clear options aligned with how the Service operates.

Public Access (No Login)

  • You can view public content and use basic search without creating an account.
  • For non‑logged‑in visitors, we do not collect or use personal data for personalized advertising, and we do not set cookies or similar tracking for personalization.

Communications (Email & Notifications)

  • Beta/MVP scope: During the beta and MVP phases, email delivery (including service emails, product updates, and account restoration notices) is not implemented.
  • In‑app notifications: You receive in‑app notifications for activity related to your account (e.g., new followers, comments, replies). You can manage in‑app notifications in Notifications from settings.
  • Mandatory vs. optional: When email delivery is introduced in future releases, essential service emails (e.g., policy updates, security alerts) may be mandatory. Optional product update emails will be controllable in Notifications from settings.
  • Preference scope: Communication preferences only affect notifications and, when available, optional emails. They do not change mandatory consents for data collection or cookies required for authentication/session continuity.
  • Updates: Changes to communication features and availability will be announced in Updates. Please check Updates for the latest information.

Account Creation and Mandatory Consent

  • Age requirement: Accounts and interactive features (posting, commenting, saving, notifications) are available only to users aged 18 or older, or the age of legal majority in their country of residence—whichever is higher. Sign‑up requires your date of birth to verify eligibility.
  • Mandatory consent at sign‑up: To create an account, you must agree to our personal data collection and use, including the use of cookies for authentication/session continuity and limited signals for advertising relevance as described in this Policy.
  • No opt‑out in settings: If you do not agree to these terms at sign‑up, you cannot create an account. After sign‑up, these consents cannot be changed in settings unless required by applicable law.

Language and Core Identifiers

  • Language: The Service is provided in English only.
  • Core identifiers: Username, email, and nickname cannot be deleted individually. To remove them, delete your account.

Content Visibility Controls

  • Post audience: When you upload a post, you can choose who can see it:
    • Everyone: visible to all users and may be discoverable via search.
    • Followers: visible only to your followers.
    • Subscribers: visible only to your subscribers.
    • Followers & Subscribers: visible to both your followers and subscribers.
  • Edits and removal: You can edit or delete your own posts and comments. Deleted items are removed immediately and are not backed up.

Deletion and Restoration

  • Immediate deletion: Deletable profile fields (status, bio, tech stack, links) and search history you remove are deleted immediately and are not backed up. You can perform immediate deletion from your Profile or via My Account from settings.
  • Account deletion: Account deletion must be initiated from My Account from settings. You may delete your account at any time. A 15‑day restoration window applies (you can restore via Restoration Page). After 15 days, your account and all associated data are permanently deleted or irreversibly de‑identified and cannot be recovered.
  • Legal/abuse exceptions: Minimal records may be retained as required by law or to prevent fraud/abuse; such records are restricted in use.

Data Access and Portability

  • Data download/export: We do not offer data download or export functionality.
  • Access in product: While your account is active, you can view your account info, profile, posts, and comments within the Service.

Advertising and Cookies

  • Required cookies: Authentication/session cookies are required to keep you signed in and maintain account security.
  • Personalized ads: We use limited signals to make ads more relevant, as described in this Policy. There is no setting to opt out of personalized ads or cookies.
  • Non‑logged‑in use: For non‑logged‑in visitors, we do not collect or use data for personalized advertising and do not set personalized tracking.

Children and Regional Requirements

  • Under‑18 accounts: We do not knowingly allow or maintain accounts for users under 18, or under the age of legal majority in their country of residence. If we learn an account is under 18 or age was misrepresented, we may suspend or delete the account and associated data per this Policy and applicable law.
  • Regional compliance: Where law requires additional measures (e.g., specific consent mechanisms), we may request verification. Because accounts are limited to 18+, parental consent generally does not apply.

How to Exercise Your Choices

  • In product: Use My Account from settings and Profile page to edit or delete content, manage your profile, and delete your account.
  • Help: For help with account deletion or questions about your data, contact Help. We may need to verify your identity to protect your account.
  • Policy updates: If this Policy changes, we will notify you via the app or website and/or email. By continuing to use TimeLine, you agree to the updated Policy.
Designed and built by 'TimeLine'
Copyright © 2025
Current Status: Building