Privacy Policy

timelabs npo • Effective date: 1 January 2026 • GDPR-compliant

1. Who We Are

timelabs npo ("timelabs", "we", "us") operates the Rhea multi-model consensus platform. We are committed to protecting your personal data and processing it lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws.

2. Data We Collect

We collect the minimum data necessary to operate the Service:

Account data: Email address, OAuth provider identity (Google/Microsoft/Apple), account creation timestamp.
Usage data: Number of API calls, credit consumption, plan tier, anonymised prompt hashes (SHA-256, non-reversible), response latencies.
Technical data: IP address (retained for 30 days for abuse prevention), User-Agent string, request timestamps.
Billing data: Stripe customer ID, subscription status. Full payment card data is never stored by timelabs — it is handled exclusively by Stripe.
Content you store: Proofs and ontology entries you deliberately save to Aletheia. These are stored under your account and accessible only by you unless you explicitly share them.

We do not collect: your raw prompt text (only its hash), biometric data, or any special categories of personal data as defined by GDPR Article 9.

3. How We Use Your Data

Your data is used exclusively to:

Authenticate you and maintain your session.
Deliver the consensus and proof-storage features you request.
Track and enforce your plan quota.
Detect and prevent abuse and fraudulent activity.
Send transactional emails (account confirmation, quota warnings). No marketing emails without explicit opt-in.

Legal bases under GDPR: contractual necessity (Art. 6(1)(b)) for account and service delivery; legitimate interests (Art. 6(1)(f)) for security and abuse prevention; consent (Art. 6(1)(a)) for any optional communications.

4. Data Storage

Data is stored in SQLite databases (WAL mode) hosted on Fly.io infrastructure in the Amsterdam (AMS) region within the European Economic Area. Fly.io provides SOC 2 Type II certified infrastructure. Backups are retained for 30 days and encrypted at rest using AES-256.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. The Rhea platform is built on a self-hosted paradigm — your data stays within our controlled infrastructure. Limited sharing occurs only with:

AI model providers (e.g. Anthropic, OpenAI, Google): your prompt text is sent to these providers to generate responses. Providers' own privacy policies apply to data they receive. We send only what is necessary for the query.
Stripe: for payment processing. Stripe is a data processor acting under our instructions.
Legal authorities: if required by a valid court order or applicable law, and only to the minimum extent required.

6. Cookies and Local Storage

We use minimal cookies:

JWT session token: a signed, short-lived authentication token stored in localStorage or a Secure; HttpOnly cookie. No tracking cookies.
No advertising pixels, no analytics third-party cookies, no cross-site trackers.

7. Your Rights Under GDPR

As a data subject you have the right to:

Access: request a copy of your personal data at any time.
Rectification: correct inaccurate data we hold about you.
Erasure ("right to be forgotten"): request deletion of your account and associated data. Processing: within 30 days.
Portability: export your stored proofs and account data in JSON format via the API (GET /auth/profile and GET /aletheia/export).
Restriction: request we restrict processing of your data while a dispute is resolved.
Objection: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any right, email timelabs.ad@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Data Retention

Account data is retained while your account is active. Deleted accounts are purged within 30 days. Server logs (IP, timestamps) are retained for 30 days. Aletheia proof data is retained indefinitely unless you delete it or your account.

9. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will delete it promptly.

10. Changes to This Policy

We may update this policy. Material changes will be communicated by email at least 14 days before taking effect. The current version is always available at /privacy.

Contact

Data controller: timelabs npo. Privacy enquiries: timelabs.ad@gmail.com.