Privacy Policy

This Privacy Policy explains how Timpi International Ltd ("we," "us," or "our") collects, uses, stores, and shares your information across all of our properties and products, including Timpi Search, Timpi Ads, the Timpi Data API, MASQ Browser, and our corporate website at timpi.io (collectively, the "Services"). It also describes how we handle personal data that appears within the content indexed by our search infrastructure.

This policy applies to all users of the Services globally and is intended to comply with the New Zealand Privacy Act 2020, the General Data Protection Regulation (GDPR) for users in the European Economic Area, the UK GDPR for users in the United Kingdom, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents.

Timpi Search is currently provided as a Public Beta and is subject to known limitations described in our Terms of Service. The Public Beta caveat applies to Timpi Search only; Timpi Ads, the Timpi Data API, and MASQ Browser are provided as live commercial services.

Information We Collect

What we collect depends on which Timpi Service you use.

When You Visit Our Website

• IP Address: Stored temporarily to detect malicious activity and determine rough geographic location. Not linked to individual user profiles.
• Search Queries: Stored in anonymous form only. Not combined with or linked to any user-identifiable information.
• Server Log Data: Server log data, crash reports, system activity, request dates and times, referring or exit pages.

Timpi Search Profiles

Profiles for Timpi Search are stored initially on our servers and later transferred to decentralised guardian nodes for enhanced privacy and security.

• Web3 Users: wallet address, nickname, email address (if voluntarily provided)
• Web2 Users: email address, nickname

Timpi Ads Account Holders

• Business name and business email address
• Business URL
• Username and password (stored in hashed form)
• Industry and region as selected during registration
• Payment information when you add credit (processed by our payment provider, not stored by Timpi)

Timpi Data API Customers

• Name and contact email address
• Company name and use case category
• Billing details and tax identification as required
• API key usage logs for billing, rate-limiting, and abuse prevention

MASQ Browser Users

Where you use MASQ Browser as part of the Timpi group of products, please refer to the MASQ Browser privacy notice for product-specific details. Timpi International Ltd is the data controller for MASQ Browser following its merger with Timpi.

Personal Data Appearing in Our Index

Timpibot, our web crawler, indexes publicly accessible web content. Some of that content may contain personal data about identifiable individuals, including names, contact details, biographical information, photographs, opinions, and other identifying information published by third parties.

We treat this category of personal data as governed by this Privacy Policy. Individuals whose personal data appears in our index have the rights described in the "Your Privacy Rights" section below, regardless of whether they have any account with us.

Legal Basis for Processing (GDPR)

For users in the EEA and UK, we process your personal data on the following lawful bases under Article 6 of the GDPR:

• Legitimate Interests — fraud and improvement: Processing of IP addresses, server log data, and anonymous search queries for fraud detection, security, and service improvement.
• Legitimate Interests — indexing: Indexing and serving publicly accessible web content, including content that may contain personal data. Assessed against the interests, rights, and freedoms of data subjects, with mechanisms for individuals to exercise their rights.
• Contract Performance: Processing of account data necessary to create and maintain your account and provide the Services.
• Legal Obligation: Disclosure of information where required by applicable law.
• Consent: Where we rely on consent (such as optional communications), you may withdraw at any time.

How We Use Your Information

• To provide, maintain, and improve our Services
• To personalise user experiences based on location or language preferences
• To detect and prevent fraudulent or malicious activities
• To improve our search index using anonymous query data
• To deliver advertising services for Timpi Ads customers
• To provide API access and usage analytics for Timpi Data API customers
• To enable browsing and privacy features through MASQ Browser
• To respond to publisher takedown requests and Data Subject Access Requests
• To comply with legal obligations

Search Query Data

Search queries are anonymous. They are not linked to your identity, profile, IP address, or any other identifying information. We do not attempt to re-identify anonymous query data.

We retain anonymous search queries indefinitely to improve the quality and relevance of the Services.

Because search queries are not linked to any individual user or profile, they do not constitute personal data for the purposes of the GDPR, the New Zealand Privacy Act 2020, or the CCPA. Accordingly, rights of access, deletion, or portability do not apply to anonymous query data.

We do not sell anonymous query data to third parties.

Data Sharing Practices

What We Share

• Ad clicks: Information about ad clicks for advertiser reporting.
• Geolocation: Approximate location data based on IP address.
• Search queries: Shared in aggregate, anonymous form only.

What We Do Not Do

• We do not match sessions across different visits.
• We do not allow retargeting by advertisers or third parties.
• We do not share account profile data unless required by law.
• We do not sell personal data as defined under the CCPA.

Third-Party Service Providers

We may share non-profiled information with third-party vendors who help us provide and improve the Services (data analysis, payment processing, customer service, email delivery, hosting). These providers are authorised to use information only as necessary and are contractually required to protect it.

Legal Disclosure

We may disclose your information if required by law or in response to valid requests by public authorities. We will, where permitted, notify you of such requests.

Business Transfers

If Timpi International Ltd is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred. We will notify you prior to your information becoming subject to a different privacy policy.

Cookies and Similar Technologies

We use cookies and similar tracking technologies. Full details are in our Cookie Notice.

Data Retention

• IP addresses: Up to 90 days.
• Server log data: Up to 12 months.
• Search queries: Retained indefinitely in anonymous form.
• Timpi Search profile data: While account is active, or as necessary to provide Services. Deleted upon verified account deletion request.
• Timpi Ads account data: Active account + 7 years for billing, tax, and regulatory records.
• Timpi Data API customer data: Active subscription + 7 years for billing, tax, and regulatory records.
• API request logs: 90 days, then aggregated.
• Session data: Not retained beyond your active session.

Profile data transferred to decentralised guardian nodes may present technical constraints on deletion. We make best efforts to action deletion across all storage systems. Where full deletion is not technically immediate, we document the limitation and take all available steps to suppress or anonymise the data.

Data Security

We implement appropriate technical and organisational measures to maintain the security of your personal information. However, no method of electronic storage or transmission is 100% secure. In the event of a breach likely to result in a risk to your rights and freedoms, we will notify affected users and regulators as required.

Your Privacy Rights

Depending on your location, you may have rights regarding your personal information. We respond to verified rights requests within one calendar month, extendable by two further months for complex requests.

All Users

• Access your personal information
• Correct inaccurate information
• Request deletion
• Object to processing
• Request restrictions on processing
• Data portability

How to Submit a Rights Request

Submit through our Privacy Rights workflow, or email privacy@timpi.io with subject "Privacy Rights Request." No charge except where a request is manifestly unfounded or excessive.

Individuals Whose Personal Data Appears in Our Index

If personal data about you appears in content indexed by Timpibot, you have the same rights regardless of whether you hold a Timpi account. Use the Privacy Rights workflow.

EEA and UK Residents

You have the right to lodge a complaint with your local supervisory authority. UK: Information Commissioner's Office (ICO).

California Residents

Right to opt out of sale and sharing for cross-context behavioural advertising. We do not sell or share personal information as defined under CCPA/CPRA. Right to non-discrimination.

New Zealand Residents

Rights under the Privacy Act 2020 including access and correction. Complaints to the Office of the Privacy Commissioner.

Children's Privacy

Our Services are not directed to children under the age of 16, and we do not knowingly collect personal information from anyone under 16. By using our Services, you represent that you are at least 16 years old, or that you have the consent of a parent or guardian where required.

Some jurisdictions set a higher age threshold. Where local law sets a higher threshold, it applies.

If you believe we have collected information from a child below the applicable age, contact privacy@timpi.io.

International Data Transfers

Timpi International Ltd is incorporated in New Zealand. Your information may be transferred to and processed in other countries with different data protection laws.

Where we transfer data from the EEA or UK to countries without adequacy, we use:

• European Commission's Standard Contractual Clauses (2021) or successor mechanisms
• The UK International Data Transfer Agreement
• Other lawful transfer mechanisms applicable to your jurisdiction

Other Websites and Services

Our Services link to and index content from third-party websites we do not operate. We are not responsible for their privacy practices, terms, or content.

Search results and indexed content are not endorsements. The presence of a website in our index does not imply we have reviewed or approved its practices.

If you click a link in our search results, the privacy practices of that site — not this Privacy Policy — apply.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date and post the revised policy. For material changes, we provide prominent notice via the Services.

A summary of substantive changes is maintained at legal.timpi.io under "Recent updates". Prior versions available on request.

Contact Us

• Email (privacy): privacy@timpi.io
• Email (general legal): legal@timpi.io
• Postal: Timpi International Ltd, Suite 13297, PO Box 106910, Auckland 1143, New Zealand
• Privacy Rights workflow: legal.timpi.io/privacy-rights