Privacy Policy

We are committed to protecting your personal information and your right to privacy.

Last updated: May 20, 2026

1. Introduction

Timpli operates a cloud-based appointment management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy is designed to comply with Law 81 of 2019 of the Republic of Panama, the EU General Data Protection Regulation (GDPR), and internationally recognized data protection standards.

By using the Service, you consent to the practices described here. Material changes will be communicated by email or platform notice.

2. Data We Collect

We collect data in the following categories:

Account & Identity Data

Name, email address, profile photo, and authentication credentials you provide when creating an account.

Business Data

Business name, address, phone number, business type, operating hours, service catalog, staff information, and timezone settings.

Client & Appointment Data

Contact information and appointment history of your clients. You are responsible for obtaining consent from your clients to store this data.

Billing & Payment Data

Subscription plan, billing cycle, payment method details (processed by third-party providers — we do not store full card numbers), and transaction history.

Technical & Usage Data

IP address, browser type, device information, pages visited, features used, session duration, and error logs collected automatically.

Communications

Messages you send to our support team and records of notifications sent through the platform.

3. Purpose of Processing

We process your data for the following purposes:

  • To provide, maintain, and improve the Service.
  • To create and manage your account and business profile.
  • To process subscription payments and manage billing.
  • To send appointment confirmations and automated reminders to your clients.
  • To respond to your support requests and communications.
  • To enforce our Terms of Service and protect against fraud or abuse.
  • To comply with legal obligations under applicable law.
  • To analyze platform usage and improve service quality.

Legal bases for processing include: performance of a contract, legal obligations, legitimate business interests, and your consent where applicable.

4. Authentication & Account Data

Account authentication is handled by Clerk, a third-party provider. Clerk collects and processes your email and password (hashed). Clerk's data handling is governed by its own privacy policy.

We receive a verified user identifier and email from Clerk upon authentication, linked to your Timpli account. We do not store your raw password.

Your account data is used solely to operate the Service for you. You may update it at any time through account settings.

5. Billing Data

Billing is processed through our third-party payment infrastructure. Payment details are transmitted directly to the processor using encrypted connections and are never stored on Timpli's servers.

We store the following billing-related data:

  • Your subscription plan, billing cycle, and status.
  • Payment method type and last four digits (for display only).
  • Transaction dates, amounts, and invoice references.
  • Billing address if required for tax purposes.

This information is used to manage your subscription, issue receipts, handle billing disputes, and comply with financial record-keeping obligations.

6. Analytics & Cookies

We use analytics services to understand how the Service is used and improve our platform. This may involve collection of anonymized usage data such as feature interaction frequency and session length.

Cookies and similar technologies: The Service uses session and persistent cookies for authentication, remembering preferences, and maintaining login state. Some cookies are strictly necessary for the Service to function.

You may configure your browser to refuse cookies, though this may prevent some features from working. We do not use cookies for behavioral advertising or cross-site tracking.

7. Third-Party Processors

We work with carefully selected third-party processors who help deliver the Service. They process data only as instructed and are bound to protect your information. Categories include:

Cloud Hosting & Infrastructure

Servers, databases, and file storage with access controls, encryption at rest, and regular backups.

Authentication Provider

Clerk handles user authentication, session management, and identity verification.

Payment Processor

Subscription billing and payment processing handled under PCI-DSS compliance.

Messaging & Notification Services

Email delivery and WhatsApp messaging providers used to send appointment reminders on behalf of businesses.

Analytics Services

Platform usage analytics to improve product quality and user experience.

We do not sell, rent, or trade your personal data to third parties for marketing. We may disclose data to authorities where required by law.

8. Security Measures

We implement industry-standard technical and organizational security measures to protect your data. These include:

  • Encryption of data in transit using TLS/SSL protocols.
  • Encryption of sensitive data at rest in our databases.
  • Role-based access controls limiting employee access.
  • Regular security assessments and vulnerability monitoring.
  • Secure, hashed storage of authentication credentials.
  • Automated backups with tested recovery procedures.

No method of electronic storage is 100% secure. We cannot guarantee absolute security. In case of a high-risk data breach, we will notify you as required by law.

9. Data Retention

We retain your personal data as long as your account is active or as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

Specific retention guidelines:

  • Account data: retained for the duration of your account and up to 90 days following deletion.
  • Billing records: retained for 7 years as required by financial regulations.
  • Appointment and client data: retained while your account is active; removed within 90 days of deletion.
  • System logs: retained for up to 12 months for security and debugging purposes.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention.
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we restrict processing in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is consent-based, withdraw at any time.

Contact us at privacy@timpli.io to exercise these rights. We respond within 30 days. You may also lodge a complaint with your applicable data protection authority.

11. Account Deletion

You may request deletion of your account at any time by contacting us at privacy@timpli.io or through account settings.

Upon receiving a deletion request, we will:

  • Verify your identity to prevent unauthorized deletion.
  • Cancel any active subscription at the end of the current billing period.
  • Permanently delete your personal, business, client, and appointment data within 90 days, except data legally required to be retained.
  • Confirm deletion by email once complete.

Deletion is irreversible. Data retained for legal compliance will be stored securely and not used for any other purpose.

12. International Data Transfers

Timpli is based in the Republic of Panama, and our infrastructure may be located in data centers across various countries. By using the Service, you acknowledge that your data may be transferred to countries outside your country of residence.

We rely on legally recognized transfer mechanisms, including standard contractual clauses and adequacy decisions where applicable, to ensure appropriate safeguards.

Our processors who handle data internationally are required to maintain adequate data protection measures as a condition of our agreements.

13. Contact

For privacy-related questions, requests, or concerns, please contact our privacy team:

Timpli — Privacy

Republic of Panama

Email: privacy@timpli.io

We aim to respond to all legitimate privacy requests within 30 days. For urgent data breach matters, indicate "URGENT" in the subject line.