Privacy Policy
Last updated: 2026-05-31
This Privacy Policy (“Policy”) explains how Timill Ab Oy (“Timill”, “we”, “us”, or “our”) collects, processes, and protects personal information when you use our website (timill.com), platform (app.timill.com), or related services (“Services”).
Who we are
Timill Ab Oy, Wolffintie 36 F 12, 65200 Vaasa, Finland. VAT: FI35580869
Contact: contact@timill.com
Information we collect
Information you provide
When you create an account, we collect:
- Email address
- Display name (nickname)
- Profile picture (if you choose to upload one)
- Profile avatar (if you select a predefined one)
All profile information is visible to other users within the same group.
When you contact us through our website or email, we collect the information you provide in your message.
How you sign in
On Timill Teams Free and Timill Teams Plus, you can sign in in two ways:
- Email code — we send a one-time code to your email address to confirm it is you. No password is stored.
- Google sign-in — available on the web app (app.timill.com) and in the mobile app. When you choose to sign in with Google, you authenticate with Google, and Google returns a signed token confirming your identity together with the information shown on its consent screen — your name, email address, and profile picture. We verify that token and use it only to create or update your Timill account. From that point on, your Timill session is issued and managed entirely on our side: we use Google solely to confirm who you are at the moment you sign in, not to run your session. We only ever receive that basic profile and email information, we never receive your Google password, and we do not create any profile for you on Google’s side — we simply register an application with Google that you grant access to. Google is naturally aware of the sign-in itself, since it is the party authenticating you, and your use of Google sign-in is also subject to Google’s own privacy policy.
SSO login data (Timill Pro Cloud and Custom Services)
On dedicated servers, administrators configure their organization’s own identity provider. We support Google, Microsoft, and any OIDC-compliant provider. When you log in through SSO, we receive your name, email, and profile picture from that identity provider and use it to create or update your account. The login methods available on a dedicated instance are decided by that organization’s administrators.
Payment data
Payments are processed by Stripe, a PCI DSS Level 1 payment provider. Our contracting entity is Stripe Payments Europe, Ltd. (Ireland), part of the Stripe, Inc. group (United States). We never see or store your card details. All payment data is handled directly by Stripe.
Timill Pro Cloud and Custom Services customers can opt for direct invoicing from Timill Ab Oy in Finland (bank transfer in EUR). In that case no card payment is collected and Stripe is not involved in the billing.
AI features
When you use Timill’s AI features, the content of your request is sent to an AI provider to generate the response. By default we use Mistral AI, based in Paris, France. Requests are processed within the European Union. We do not train any model on your data, and the AI provider does not retain your prompts beyond what is needed to return a response.
Timill Pro Custom customers can choose a different AI provider, including a self-hosted or on-premise model. In that case the customer’s chosen provider, not Mistral, processes the AI request.
Push notifications
If you use the Timill mobile or web apps and have enabled notifications, we send notification payloads through the push transport your device supports:
- iOS: Apple Push Notification Service (APNs), operated by Apple Inc. APNs is required by iOS for push delivery.
- Android: When your device has a UniPush-compatible distributor installed (for example NextPush, ntfy, or another), we deliver notifications through that distributor, and the operator is the one you have chosen on your phone. If no UniPush distributor is present, we fall back to Firebase Cloud Messaging (FCM), operated by Google LLC.
- Web: Web Push using the push endpoint announced by your browser (each browser uses its own push service).
Only the data needed to deliver the notification (a device token and the notification payload) is sent through these transports. We do not impose a specific push provider on Android or in the browser; the transport follows what your device or browser already uses.
Information collected automatically
When you access our Services, our servers automatically record:
- IP address
- Device information (type, operating system)
- Access timestamps
This data is used only to detect abuse and maintain service quality. It is not aggregated in a way that would identify a specific user.
We do not collect
- Location data
- Contacts
- Photos or media (unless you upload a profile picture)
- Health or financial data
- Browsing behavior across third-party websites
Cookies
We use only essential cookies to operate the platform. We do not set or use marketing or tracking cookies.
Analytics
We do not use analytics (such as Google Analytics) on this site or the app. Your usage is not tracked or profiled.
How we use your information
We use collected information to:
- Create and manage user accounts
- Synchronize account details between group members
- Operate and improve our Services
- Respond to support requests
- Enforce our Terms and detect abuse
- Comply with legal obligations
Legal basis for processing
Under the EU GDPR, we process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): Creating accounts, processing payments, and operating the Services you have requested.
- Legal obligation (Article 6(1)(c)): Retaining transaction records as required by Finnish and EU law.
- Legitimate interests (Article 6(1)(f)): Detecting abuse, maintaining service quality, and improving the platform.
Data processing roles
Timill processes personal data in two distinct roles:
Data Controller — We act as Data Controller for information we collect directly from users, including account registration data and communications you send to us (e.g., support emails). We determine the purposes and means of processing this data.
Data Processor — When our customers (Free, Plus, or Cloud) use Timill to process personal data of their employees, colleagues, or contacts, the customer is the Data Controller and we are the Data Processor. We process personal data only on your instructions, to provide and operate the Services.
For Cloud or Custom Services customers, the separate Cloud/Custom Services agreement includes a detailed data processing addendum that supplements this Privacy Policy.
Data retention
We retain your personal information for as long as your account is active. When you delete your account or modify personal information (profile picture, display name, email), the data is permanently deleted from our systems within 30 days.
We may retain aggregated, anonymized data that cannot be used to identify you personally.
Your rights
Under the EU GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Correction: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data and account
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is consent-based
To exercise these rights, contact us at contact@timill.com. We will respond within 30 days.
Data storage and transfers
Timill is a European sovereign platform. Our infrastructure is hosted by Hetzner (Hetzner Online GmbH) within the European Union. Helsinki (Finland) is the default location, and any Hetzner European location is available on request, including Nuremberg (Germany). Your stored data is not transferred outside the EU.
The only third-party services that may process data outside the EU are unavoidable transport providers used to deliver specific functions, named in the Subprocessors section below: Stripe for payment processing, Google when you choose to sign in with your Google account, and Apple Push Notification Service or Google Firebase Cloud Messaging when those are the only push transports available on your device.
Subprocessors
We engage the following third-party service providers to operate our Services. Each subprocessor is bound by a data processing agreement and has access only to the data necessary for their role.
EU-based:
- Hetzner Online GmbH (Germany) — Cloud hosting and infrastructure for all customer data, backups, and processing.
- Mistral AI (France) — Default AI provider for AI features. Pro Custom customers may opt out and select an alternative or self-hosted provider.
Non-EU, used only as a transport when no European alternative is available:
- Stripe Payments Europe, Ltd. (Ireland, our contracting entity) and its parent Stripe, Inc. (United States) — Payment processing for self-serve plans. We do not see or store your card details. As Stripe is part of a US-headquartered group, it is subject to US laws that can apply to data held by US companies. EU data transfers are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses. Pro Cloud and Custom Services customers who choose direct invoicing from Timill Ab Oy in Finland are not processed through Stripe at all.
- Apple Inc. — Apple Push Notification Service (APNs), used to deliver mobile push notifications on iOS. Required by the iOS platform.
- Google LLC (United States) — Two optional, user-initiated functions: Google sign-in as an authentication method on Timill Teams Free and Plus, used only when you choose to sign in with your Google account; and Firebase Cloud Messaging (FCM), used to deliver mobile push notifications on Android only when no UniPush-compatible distributor is present on the device.
We do not impose a specific push provider on Android or in the browser. On Android we use whichever UniPush distributor you have installed before falling back to FCM. On the web we use the push endpoint announced by your browser.
For booking.timill.com, we use a self-hosted Nextcloud instance running on our own Hetzner infrastructure. No third-party booking provider is involved.
Third-party sharing
We do not sell or share your personal information with third parties. We do not have arrangements with third parties to track or collect data about your browsing habits.
We may share data with:
- Service providers who assist in operating our Services, under strict data processing agreements
- Legal authorities when required by law or to protect our rights and safety
Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and regular security assessments.
No transmission or storage can be guaranteed 100% secure. By using our Services, you acknowledge the inherent risks of internet-based communication.
Data breach notification
If we experience a data breach that is likely to adversely affect your rights or freedoms, we will notify the relevant supervisory authority and, where required, affected individuals without undue delay.
Children’s privacy
Our Services are not designed for children under 16. We do not knowingly collect data from children under 16. If you are under 16, a parent or legal guardian must create and manage the account.
If you believe a child has provided personal information without parental consent, contact us immediately and we will delete the data.
Changes to this policy
We may update this policy when we make changes to our data practices. We will notify users of material changes by posting the new policy on this page and updating the “Last updated” date.
Your continued use of our Services after changes constitutes acceptance of the updated policy. However, we will not materially change how we use data already collected without your consent where consent is the legal basis.
Contact
For questions about this Policy, to exercise your rights, or to report concerns:
- Email: contact@timill.com
- Address: Timill Ab Oy, Wolffintie 36 F 12, 65200 Vaasa, Finland