Status: Public Beta v0.2 · ProofSpec v0.1 · API v0.2 · Privacy-first · No blockchain

Privacy

TimeProofs is hash-only and stateless. Your files never need to be uploaded: you create and keep a proof file (.tproof.json) and verify it later.

↑ Top

Last updated: 2025-12-30 · Contact: contact@timeproofs.io · See also: Legal · Security

1. Summary

No content upload: originals stay on your device.
Hash-only: we process SHA-256 hashes and proof fields, not files.
Stateless verification: verification is based on the proof file (.tproof.json), not a database lookup.
No accounts (v0.2): you can create/verify without identity.
No behavioral ads: we do not run advertising targeting.

Important: a hash can be linkable to a person if your own systems or publications link it to identity. Avoid placing personal data or secrets in metadata.

2. What we collect

Website

Operational logs (hosting/CDN): typical security and reliability logs may include IP/user-agent for limited time (abuse prevention, diagnostics).
Analytics (optional): Plausible for aggregate usage (no behavioral advertising by us).

API

Required: a hash (SHA-256) and proof parameters needed to issue/verify signatures.
Optional: metadata (meta) — do not include personal data.

Reminder: a file date is local and editable. A proof file is independently verifiable later for a specific hash at a specific time.

3. Proof data model

A proof file typically contains:

hash (SHA-256 hex)
issuedAt (UTC timestamp)
issuer / algorithm / key id (verification context)
signature (verifiable cryptographic signature)
meta (optional, user-provided context)

It does not contain your original content.

{
  "hash": "<64-hex>",
  "issuedAt": "2025-01-01T00:00:00.000Z",
  "issuer": "timeproofs.io",
  "alg": "HMAC-SHA256",
  "kid": "v1",
  "meta": { "context": "optional-non-personal" }
}

Best practice: keep meta generic. If you need identity binding, do it in your own system and timestamp only the resulting hash.

4. Analytics

We use Plausible Analytics to understand aggregated website usage and improve docs and UX. Blocking analytics does not prevent core site functionality.

5. Security

We keep the product minimal to reduce data exposure.
Proofs are verifiable via signatures and public verification rules (ProofSpec).
Security contact is published in /.well-known/security.txt.

6. Retention

Proofs: you keep your proof files (.tproof.json).
Website/API: operational logs (if any) are retained only as needed for reliability and abuse prevention.

7. Your rights

Depending on your location, you may have rights related to personal data (access, deletion, objection). TimeProofs is designed to minimize personal data collection.

If you believe information processed by our services relates to you, contact us with the relevant context.

8. Contact

General: contact@timeproofs.io · Security: /.well-known/security.txt