Timbre

Privacy Policy

Last updated: April 5, 2026

Persona Engine (“we,” “us,” or “our”) operates the timbre.fyi platform and related services. This Privacy Policy describes how we collect, use, and share information when you use our managed social media automation service.

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and payment information (processed by our payment provider, Paddle). We do not store credit card numbers.

Social Media Credentials

To operate your persona, you provide Threads/Instagram login credentials or authorize access via Meta OAuth. Credentials are encrypted at rest using AES-256-GCM and stored on your dedicated server instance. We use these credentials solely to perform authorized actions on your behalf (publishing content, engaging with other accounts).

AI Service Credentials

You may provide API keys for Anthropic (Claude) or other AI services. These are encrypted at rest and used exclusively to run your persona’s AI agents.

Content and Activity Data

We store content generated by AI agents, engagement actions, performance metrics, and scheduling data. This data is used to improve your persona’s performance and provide analytics.

Usage Data

We collect standard web analytics: page views, session duration, browser type, and referral source. We use cookies for authentication and session management.

2. How We Use Your Information

  • Operate and maintain your persona (content generation, publishing, engagement)
  • Process payments and manage your subscription
  • Provide analytics and performance reports
  • Improve our service and fix bugs
  • Communicate with you about your account and service updates
  • Comply with legal obligations

3. Data Storage and Isolation

Your data is stored in two locations, both encrypted:

  • Control plane database (Supabase) — account information, encrypted API tokens, persona configuration, and analytics
  • Dedicated VPS instance (Hetzner) — runtime credentials, browser profiles, content cache, and activity logs. Each customer gets an isolated server instance; we do not commingle customer data.

4. Data Sharing

We do not sell your personal information. We share data only with:

  • Service providers: Hetzner (hosting), Supabase (database), Cloudflare (networking), Paddle (payments), Vercel (dashboard hosting)
  • Social media platforms: Meta/Threads, as authorized by you
  • AI providers: Anthropic or other AI services, using your own API keys
  • Law enforcement: When required by law

5. Data Retention

We retain your data for as long as your account is active. When you cancel your subscription, we delete your VPS instance and all associated data within 30 days. You may request immediate deletion at any time by contacting us.

6. Data Deletion

You can request deletion of your data by emailing privacy@timbre.fyi or through the Meta data deletion flow. Upon receiving a valid deletion request, we will:

  • Delete your social media credentials and browser profiles
  • Delete your AI service keys
  • Delete generated content and activity logs
  • Deprovision your VPS instance
  • Remove your account from our database

Deletion is completed within 90 days of the request.

7. Security

We use industry-standard security measures including TLS encryption in transit, AES-256-GCM encryption at rest for sensitive credentials, isolated VPS instances per customer, and residential proxy routing for social media traffic.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to or restrict certain processing

To exercise these rights, contact us at privacy@timbre.fyi.

9. Third-Party Platforms

Our service interacts with Meta (Threads/Instagram) on your behalf. Your use of these platforms is subject to their own privacy policies and terms of service. We encourage you to review Meta’s data policies.

10. Legal Basis for Processing (EEA/UK)

If you are located in the European Economic Area or United Kingdom, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you subscribed to (account management, content publishing, analytics)
  • Legitimate interest: Service improvement, security monitoring, and fraud prevention
  • Consent: Where you explicitly authorize access to your social media accounts or provide optional data

Data may be transferred to and processed in the United States, where our infrastructure is located. We rely on Standard Contractual Clauses and service provider agreements to safeguard international transfers.

You have the right to lodge a complaint with your local data protection authority.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal data)
  • Not be discriminated against for exercising your rights

To exercise these rights, contact us at privacy@timbre.fyi.

12. Children’s Privacy

The Service is not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

13. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. By using the Service, you consent to our use of essential cookies.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or through the dashboard. Continued use of the service after changes constitutes acceptance.

15. Contact Us

For privacy-related questions or requests, contact us at privacy@timbre.fyi.