Privacy Policy
This Privacy Policy describes how Timatsu LLC ("Timatsu," "we," "us," or "our") collects, uses, shares, and protects information when you interact with our products and services. It applies to the Timatsu platform and all surfaces operated by Timatsu LLC, including the Timatsu website at timatsu.com, the Timatsu dashboard, the Timatsu iOS application, and the public landing pages and customer-facing portals we host on behalf of our business clients (collectively, the "Services"). We are based in North Carolina, United States, and we operate the Services from the United States.
By using the Services you acknowledge that you have read this Privacy Policy. If you do not agree with how we handle information as described here, please do not use the Services. Questions or requests can be sent to the address in Section 15.
1. Who We Are
Timatsu LLC is a North Carolina limited liability company that operates a multi-tenant software platform. The platform supports two primary categories of users. Operators are the business owners and team members who run a Timatsu instance for their own company; each Operator's environment is called a galaxy. Visitors are people who interact with an Operator's public surfaces, including the Operator's landing page on a Timatsu-hosted subdomain, contact forms, and customer-facing portals such as the estimate-acceptance portal used by some Operators.
Where this Privacy Policy refers to "you," it refers to whichever of these categories applies to your interaction with the Services. Where the practices differ between Operators and Visitors, we say so explicitly.
2. Scope of This Policy
This Privacy Policy covers information that Timatsu collects, processes, or otherwise handles in its operation of the Services. It does not cover information that an Operator collects independently from its own customers outside of the Services. Operators are responsible for their own customer-facing privacy practices and for any privacy notices they publish on their own materials.
Some Operators may use the Services to manage information about their own clients, customers, or prospects. When Timatsu processes that information on the Operator's behalf, Timatsu acts as a service provider or processor for the Operator. The Operator is the controller of that information and is responsible for the lawful basis on which it was collected.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you give us when you create an account, configure your environment, or use the Services. This includes:
- Account information. Email address, password (stored as a salted hash, never in plain text), and the name you use inside the platform.
- Profile information. Display name, profile photo, time zone, and other preferences you set inside your account.
- Business and brand configuration. Company name, legal name, business address, phone, email, website, license number, tax identifier, logo image, brand colors, and similar identity information for the galaxy you operate.
- Content you create. Notes, tasks, projects, milestones, conversations with our AI assistants, voice-mode recordings and transcripts, file uploads, signed estimates, contracts, contacts, activity logs, accounting entries, and any other content you produce inside the Services.
- Customer and prospect information you record. Names, contact details, addresses, communication history, and other information about your own clients and prospects that you choose to enter into the platform.
- Payment information. If we charge for a paid tier of the Services, payment is processed by our payment provider (currently planned but not yet active as of the effective date). We do not store full payment card numbers on our own systems; only a payment-provider token, the last four digits of the card, the brand, and the expiration date.
- Inquiries and support requests. The content of messages you send to us, including subject, body, and any attachments.
3.2 Information Collected Automatically
When you use the Services we automatically collect technical information about your visit, including:
- Device and connection information. IP address, user-agent string, browser type and version, operating system, device type, screen resolution, language preference, referring page, and similar metadata.
- Usage information. Pages visited, features used, buttons clicked, requests made to our servers, response codes, error logs, and timing information. We use this to diagnose problems and improve the Services.
- Authentication state. Session cookies, refresh tokens, and the user-tier cookie that indicates your access level on the platform.
- Active-context cookies. The active-galaxy cookie, which records which galaxy you are currently viewing in the dashboard; theme cookies; and similar preferences that persist your settings across visits.
3.3 Voice and Audio Information
When you use voice features in the iOS application or the dashboard, the application captures audio from your microphone for the duration of your session. The audio is streamed to our speech-to-text provider (Deepgram, Inc.) to be converted into text. The audio capture happens locally on your device and is transmitted to Deepgram over a secure connection. The transcript is then processed by the relevant AI model provider as described in Section 5.
Transcripts produced from your voice input may be saved to your account history alongside the corresponding chat message. Audio recordings themselves are retained only as long as needed to generate the transcript and produce the response; they are not permanently stored on Timatsu servers unless you explicitly choose to save them (for example, as part of a dictation feature where the audio is the saved artifact).
3.4 Information from Visitors to Hosted Public Surfaces
When a Visitor interacts with a public surface that Timatsu hosts for an Operator (for example, a galaxy landing page at a subdomain such as mosko.timatsu.com, or a customer-facing estimate portal accessed via a unique token), Timatsu may collect and process information necessary to operate that surface. This includes IP address, browser metadata, the content of forms the Visitor submits, signatures captured for estimate acceptance, and similar items. That information is provided to the Operator on whose behalf the surface is hosted.
4. How We Use Information
We use the information described above to:
- Operate the Services, including authenticating you, persisting your content across devices, routing requests to the right galaxy scope, and synchronizing data between the dashboard and the iOS application.
- Generate AI responses you request, including chat responses, voice replies, document drafts, and analytical summaries. Information sent to AI providers for this purpose is described in Section 5.
- Diagnose technical problems, prevent abuse, and maintain the reliability and security of the Services.
- Communicate with you about your account, including transactional notices, security alerts, and product updates.
- Comply with legal obligations, including responding to lawful government requests, asserting our legal rights, and protecting the safety of users and the public.
- Improve the Services. We may analyze aggregated usage information to understand how the Services are being used and where they can be improved. We do not use the content of your conversations or your customer data to train AI models. See Section 5 for the related disclosures.
5. AI Processing and Model Providers
A core function of the Services is to apply artificial intelligence models to information you provide. This section explains in detail how that processing works.
5.1 Routing Your Request to an AI Provider
When you submit a message, voice transcript, file, or other content for AI processing, Timatsu sends the relevant content to the third-party AI provider that hosts the model you selected (or the default model assigned to the feature you are using). The content sent typically includes the message itself, prior turns in the same conversation up to the model's context window, the system prompt that defines the assistant's behavior, any attached files, and an identifier for your session. The AI provider returns a response which Timatsu then displays to you and stores as part of your conversation history.
5.2 AI Model Providers We Use
Depending on which model you select, your request may be sent to one or more of the following providers, each governed by their own privacy policy and terms:
- Anthropic, PBC for the Claude family of models, including chat, multimodal, and tool-using assistants.
- OpenAI, L.L.C. for the GPT family of models and for text embeddings used in retrieval features.
- xAI Corp. for the Grok family of models, voice transcription, and voice synthesis on the xAI text-to-speech endpoint.
- Google LLC for the Gemini family of models accessed via the Google Generative Language API.
- DeepSeek for the DeepSeek family of models.
- Tavily, Inc. for web-search retrievals performed on behalf of the AI assistant when the active assistant has web access.
- Deepgram, Inc. for speech-to-text conversion of voice input.
- ElevenLabs, Inc. for text-to-speech synthesis of AI replies in voice mode.
5.3 Training and Provider Retention
Timatsu uses these providers under their published commercial or API terms. As of the effective date of this Policy, the providers we use do not train their models on content submitted through paid commercial API access by default; however, retention windows and policies vary by provider and over time. We monitor those terms and configure our integrations to minimize the retention of your content by providers wherever the option is available. We encourage you to review each provider's privacy policy if you want to understand their specific practices.
Timatsu itself does not train AI models on your content, your conversations, your customer data, or your files. We do not sell your data and we do not share it with advertisers.
5.4 Voice Processing Specifics
Voice input you produce while using a voice feature is streamed to Deepgram for transcription. The text transcript is then routed to the AI provider you selected. The synthesized voice reply is produced by ElevenLabs or by xAI's text-to-speech endpoint depending on the voice configuration of the active assistant. We treat voice audio as personal information and apply the same retention and security practices to it as to other content you submit, subject to the additional retention note in Section 3.3.
5.5 AI Outputs Are Not Professional Advice
AI responses produced through the Services are generated by statistical language models and may contain errors, omissions, or hallucinated facts. They are provided for informational and productivity purposes only. They are not legal, medical, financial, tax, or other professional advice, and they should not be relied upon for material decisions without independent verification. This caveat applies to every AI surface in the Services, including chat, voice mode, summaries, drafts, research results, and tool-call outputs.
6. Service Providers and Subprocessors
Timatsu uses a set of trusted third-party service providers to operate the Services. These providers process information on our behalf in order to provide their services to us. As of the effective date of this Policy, our principal service providers and subprocessors include:
- Supabase Inc. for managed PostgreSQL hosting, authentication, file storage, and edge functions. Customer data, account credentials, content, and files are stored within Supabase-managed infrastructure.
- Vercel Inc. for application hosting, edge networking, content delivery, and deployment of our web surfaces.
- GitHub, Inc. for source-code hosting and continuous-deployment triggers. Operational data is not stored in GitHub, but application logs that surface as part of build output may contain transient diagnostic information.
- Apple, Inc. as the distributor of the iOS application via the App Store and the operator of the device platforms on which the application runs. Apple's privacy practices govern App Store interactions.
- Expo Inc. for the EAS Build pipeline used to compile the iOS application binaries.
- The AI model providers and voice providers listed in Section 5.2.
We may add or change service providers over time. We will update this list when material changes occur. Where required by law, we will obtain your consent before making a change.
7. How We Share Information
We share information about you only in the following circumstances:
- With service providers and subprocessors as described in Section 6, in order to operate the Services.
- Within your organization. Operators may invite team members to join their galaxy. Once a team member has access to the galaxy, that team member can view and act on data within that galaxy, including content other team members in the same galaxy have created. We do not share data across galaxies; each galaxy is isolated by row-level security.
- With Operators when you are a Visitor. When you interact with a public surface that Timatsu hosts on behalf of an Operator (for example, by submitting a contact form on a galaxy landing page, or by signing an estimate in the customer portal), the information you submit is provided to the Operator. The Operator's own privacy practices apply to that information thereafter.
- For legal reasons. We may disclose information if we believe in good faith that disclosure is required to comply with a law, regulation, legal process, or governmental request; to enforce our Terms of Use; to protect the safety, rights, or property of Timatsu, our users, or the public; or to detect, prevent, or address fraud, abuse, or technical issues.
- In a corporate transaction. If Timatsu is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, information may be transferred as part of that transaction. Any successor entity will be bound by terms no less protective than this Policy with respect to information acquired in the transaction.
- With your consent. We may share information for any other purpose disclosed to you and with your consent.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
8. Data Retention
We retain information for as long as your account is active or as needed to provide you with the Services. Specific retention practices include:
- Content you create. Notes, tasks, projects, contacts, conversations, files, and similar content are retained until you delete them or until your account is closed.
- Account information. Retained for the life of your account and for a reasonable period after account closure as necessary to complete account-closure obligations and to maintain backups.
- Logs and diagnostic data. Server logs are retained for a limited period, typically not to exceed ninety (90) days, except where a longer retention is required for security investigation or legal hold.
- Voice audio. As described in Section 3.3, audio is generally not persisted beyond the session that produced it.
- Information subject to legal hold. Where information is subject to a legal hold, litigation, regulatory request, or other legal obligation, we retain it for the duration of that obligation.
Once retention is no longer required, we delete or de-identify information using commercially reasonable means. Some information may persist in encrypted backups for a limited period after deletion from active systems.
9. Your Privacy Rights
Depending on where you live, you may have specific privacy rights with respect to information about you. This section summarizes those rights and how to exercise them.
9.1 Rights Available to All Users
Regardless of where you live, you may at any time:
- Access and download the content stored in your account through the standard features of the Services.
- Update or correct your account profile through the account settings page.
- Delete content you have created using the in-product delete affordances. Where a soft-delete is used, the content is hidden from active surfaces and retained for a limited period to allow for recovery; you may request permanent deletion by contacting us as described in Section 15.
- Close your account by contacting us as described in Section 15.
9.2 North Carolina Residents
North Carolina does not currently have a comprehensive consumer privacy statute analogous to the California Consumer Privacy Act. However, Timatsu is a North Carolina company and we follow the practices set forth in this Policy for all users, including North Carolina residents. You may exercise the rights in Section 9.1 by contacting us as described in Section 15.
9.3 Residents of Other U.S. States
Residents of California, Virginia, Colorado, Connecticut, Utah, and other states with applicable consumer privacy laws may have additional rights, which may include the right to know what personal information we have collected, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of certain sharing or sale of personal information (we do not sell personal information, as noted in Section 7), and the right to non-discrimination for exercising these rights. You may exercise these rights by contacting us as described in Section 15. We may need to verify your identity before responding to your request.
9.4 Residents of the European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, the UK, or Switzerland, you may have additional rights under applicable data protection law, including the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data, and the right to withdraw consent where processing is based on consent. We provide the Services from the United States; please review Section 13 regarding international transfers. To exercise your rights or to lodge a complaint with the supervisory authority in your jurisdiction, you may contact us as described in Section 15.
9.5 Authorized Agents
Where applicable law allows, you may use an authorized agent to make a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly.
10. Cookies and Similar Technologies
We use cookies and similar technologies to operate and improve the Services. The specific cookies we set on first-party domains include:
- Authentication cookies that keep you signed in to the Services across page loads.
- The user-tier cookie that records your access level (public, pro, or dev) so the dashboard renders the right surfaces for you.
- The active-galaxy cookie that records which galaxy you are currently viewing in the dashboard.
- Theme and preference cookies that record your interface preferences.
- A cookie consent record if you have responded to a cookie banner on our marketing pages.
We do not use third-party advertising cookies. We do not currently use third-party analytics cookies, although that may change in the future. When it does, we will update this section.
You can control cookies through your browser settings, including by deleting cookies or blocking them. Note that blocking essential cookies will prevent you from signing in to the Services.
11. Security
We take reasonable and appropriate measures to protect the confidentiality, integrity, and availability of information in our care. These measures include:
- Encryption of data in transit using current Transport Layer Security standards.
- Encryption of data at rest within our managed-database provider.
- Row-level security policies that isolate each user's data and each galaxy's data from other galaxies and users at the database layer.
- Hashed and salted storage of authentication credentials; we never store passwords in plain text.
- Access controls and the principle of least privilege for Timatsu personnel who may need access to operational systems.
- Routine review of dependencies, infrastructure, and the security posture of our service providers.
No method of transmission or storage is perfectly secure. While we use commercially reasonable means to protect information, we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you and the appropriate authorities as required by applicable law.
12. Children's Privacy
The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from anyone under thirteen. If you are a parent or legal guardian and you believe your child has provided us with personal information, please contact us as described in Section 15. If we learn that we have collected personal information from a child under thirteen, we will delete that information promptly.
Operators are responsible for ensuring that their own use of the Services complies with any applicable rules regarding the data of minors, including in jurisdictions that impose higher age thresholds.
13. International Users
We are based in the United States and we operate the Services from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to, stored in, and processed in the United States by our service providers and by us. By using the Services, you consent to that transfer and processing.
Where applicable law requires a specific legal mechanism for the transfer of personal data outside your jurisdiction (for example, Standard Contractual Clauses for transfers from the EEA), we will use such mechanisms in our agreements with subprocessors.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this Policy and, where the change is material, we will provide additional notice through the Services (for example, by displaying a notice on your dashboard or by sending an email to the address associated with your account). We encourage you to review this Policy periodically.
Your continued use of the Services after a revised Policy takes effect indicates that you accept the revised Policy. If you do not agree to the revised Policy, you should discontinue use of the Services and contact us to close your account.
15. How to Contact Us
If you have questions, requests, or concerns about this Privacy Policy or about how we handle information, please contact us at:
Timatsu LLC
Attn: Privacy
North Carolina, United States
Email: privacy@timatsu.com
We will acknowledge your request within a reasonable period and will respond within the time required by applicable law. Where verification of your identity is required before we can act on your request, we will explain what information we need.
Notice: This Privacy Policy is provided for informational purposes. It describes Timatsu LLC's general practices and is not legal advice. Specific situations may give rise to additional rights or obligations under applicable law; consult a qualified attorney for advice about your particular circumstances.