Last updated 2026-07-08. Short version: your stuff is yours, it stays on your device encrypted, and we hold as little as possible.
To sign you in and let one account work across every app, our identity service stores only the email ↔ account map (which emails belong to one account) and a display name if you set one. That's it — no app content ever. Vault entries, boards, notes, documents and credentials are encrypted on your device with a key derived from your passphrase, which we never receive.
Content is encrypted at rest (AES-256-GCM, key from your passphrase) and in transit (TLS 1.3). Any optional sync moves only ciphertext between your devices; a relay, if used, holds encrypted blobs it cannot read and purges them on delivery.
No third-party analytics or ad trackers in the sign-in path or the Apps. Sign-in codes are sent through our own mail service, not a third-party email provider.
The Apps are original works, built clean-room from published behavior — never a competitor's code, assets, logos, or copy. If you believe something infringes your rights, contact legal@timxai.ai and we'll review it promptly.
Source is available under AGPL-3.0. You're free to self-host and verify these claims yourself.