Privacy Policy

Principles

• Minimization. Only hashes and minimal metadata are processed.
• No content upload. Originals never leave your device.
• Transparency. Public verification endpoints and open spec.

What we process

What we do not process

• No original files or text content.
• No behavioral tracking or cross-site identifiers.
• No sale of personal data.

Logs & retention

• API logs. Minimal request metrics for reliability and abuse prevention.
• Proof records. Hash + proof tuple kept to enable public verification.
• Rotation. Operational logs rotated and aged out per internal policy.

{
  "ok": true,
  "hash": "<64-hex>",
  "ts": "2025-01-01T00:00:00.000Z",
  "sig": "<hex>",
  "alg": "HMAC-SHA256",
  "kid": "v1",
  "issuer": "timeproofs.io",
  "verify_url": "https://timeproofs.io/verify.html?hash=..."
}

Cookies & analytics

• No marketing cookies.
• Privacy-preserving analytics (Plausible) for aggregate traffic only.

Security measures

• HTTPS/TLS everywhere. Strict CSP v0.1.
• Rate limiting, key rotation roadmap, dependency audits.
• Vulnerability disclosure: /.well-known/security.txt.

Your rights

For data-subject requests, contact us with sufficient details to locate the relevant hash-based records. We respond consistent with applicable law.

DPA & contacts

Enterprise plans include a Data Processing Addendum (DPA). Request it via email.

Subject: DPA Request — TimeProofs
To: privacy@timeproofs.io
Body:
Hello,
Please send the TimeProofs DPA for review. Company: <Name>. Use case: <Brief>.
Regards.

Security contact: see security.txt. Ethics: see humans.txt.

This page is verified by TimeProofs

Release: … · Hash: … · Verify

Timestamp created via TimeProofs API (public, privacy-first, no blockchain).