Privacy Policy

Effective version: 2026-05-11

What this policy covers

This Privacy Policy explains what personal information Timeline Scan LLC (“Timeline Scan,” “we,” “us,” or “our”) collects, how we use it, who we share it with, and what choices you have. It applies to your use of the Service at timelinescan.com.

Information we collect

  • Account information. When you create an account, our authentication provider Clerk receives your email, password (hashed by Clerk), and any profile fields you choose to provide.
  • Photos and files you upload. Image bytes, filenames, original capture dates from EXIF, and file sizes.
  • Derived metadata. Face embeddings (mathematical signatures of detected faces), face cluster assignments, thumbnails, EXIF data, AI-derived date estimates.
  • Payment information. Handled by Stripe; we receive and store the Stripe customer ID, payment intent ID, and amount/status. Card numbers and CVCs are never sent to or stored by us.
  • Usage and device information. IP address, browser type, pages visited, request timestamps, and similar standard server logs. We use these for security, abuse prevention, and operational diagnostics.
  • Analytics, session replay, and advertising data. Where you have consented (and by default outside the EEA/UK), our analytics provider and advertising tags collect page views, clicks, scrolling, navigation paths, session replays of your on-screen interactions (with all form fields masked and your uploaded photos and files never recorded), the ad or campaign that referred you, and approximate location derived from your IP. See “Cookies, analytics, and advertising” below.
  • Consent records. When you accept these documents we record the document version, your IP address, your user-agent, and the timestamp.

How we use your information

  • To operate the Service and deliver the features you request.
  • To extract dates from your photos using AI (see “AI processing” below).
  • To detect and group faces of the same person across your archive.
  • To bill you and process refunds.
  • To detect, investigate, and prevent abuse, fraud, and CSAM (see “Child safety scanning”).
  • To comply with our legal obligations.

We do not sell your personal information. We do not use your photos, metadata, or biometric data to train any AI model.

Cookies, analytics, and advertising

We and our service providers use cookies and similar technologies to operate the site, understand how it is used, and measure our advertising. We group them as follows:

  • Essential. Required for the site and your account to work — for example, your sign-in session and your cookie-consent choice. These are always active.
  • Analytics and session replay (PostHog). We use PostHog to understand how visitors move through our marketing site and dashboard: page views, clicks, scrolling, navigation paths, the campaign or ad that referred you, approximate location derived from your IP, and your browser and device type. PostHog also records “session replays” — playback of on-screen interactions such as mouse movement, clicks, and navigation. Once you sign in, we link this activity to your account (your user ID and email) so we can understand and improve your full experience. Session replays mask all form inputs and never capture your uploaded photos, faces, or files — those regions are blocked from recording. PostHog stores this data in the United States. PostHog cookies are shared across timelinescan.com and app.timelinescan.com so your journey between the marketing site and the app is connected.
  • Advertising (Google Ads). We use Google’s advertising tags to measure the performance of our ads — for example, which ad led to a sign-up — and to reach people who have visited our site. This may set Google cookies and share conversion and remarketing signals with Google.

Your choices.

  • Outside the EEA and UK, analytics, session replay, and advertising cookies are enabled by default. You can opt out at any time using your browser’s cookie controls, Google’s Ads Settings, and PostHog’s opt-out.
  • In the EEA and UK, none of these technologies load until you accept them in the cookie banner shown on your first visit. If you decline, we set only essential cookies — no analytics, replay, or advertising. We implement Google Consent Mode so Google’s tags honor your choice. To change your decision later, clear your site cookies (including the ts_consent cookie) and reload the page.

We do not sell your personal information, including any information collected through these technologies.

AI processing

Timeline Scan uses Google Cloud’s Gemini Enterprise to extract dates and related metadata from your photos. Photos are transmitted to Gemini Enterprise solely for this purpose. Per Google Cloud’s AI/ML Privacy Commitment and our Data Processing Addendum with Google, your photos are not used to train Google’s foundation models, are not retained by Google beyond the duration of the processing request, and remain owned by you.

Operational logging. To diagnose dating errors and improve quality, Timeline Scan retains the text prompts sent to the AI model and the JSON responses returned for each photo, including any names and birthdates you entered as family context. Raw photo bytes are not retained in these logs. The logs are deleted when the underlying archive is deleted, and otherwise follow the retention schedule for that archive. They are not used to train AI models.

Google Photos export

Timeline Scan offers an optional integration that uploads your processed photos directly to your own Google Photos library, so you don’t have to download a ZIP and re-upload it yourself. This integration is entirely optional — you choose, per archive, whether to use it.

Scopes we request. When you connect your Google account, we request only the minimum scopes required to perform the upload:

  • https://www.googleapis.com/auth/photoslibrary.appendonly — lets Timeline Scan add photos to your Google Photos library and create a new album for the export. Under this scope we cannot read, list, modify, or delete any photos or albums that already exist in your library, including ones we previously created.
  • https://www.googleapis.com/auth/userinfo.email and userinfo.profile — so we can show you which Google account is connected and let you disconnect the correct one.

What we do with the data. We use the OAuth tokens solely to upload the photos from your current archive into a new album in your Google Photos library, and to display the connected account’s email and name in your dashboard. We do not use Google user data for advertising, do not sell or transfer it, and do not use it to train, develop, or improve generalized or personalized AI/ML models.

Retention. Refresh tokens are encrypted at rest and stored only while you keep the connection active. You can revoke access at any time from your dashboard’s Connections page or directly at myaccount.google.com/permissions; on revocation we delete the stored token. Tokens are also deleted when you delete your account.

Limited Use disclosure. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

Biometric information (face embeddings)

When you consent at sign-up, Timeline Scan generates mathematical signatures (“embeddings”) of faces detected in your uploaded photos. We use these signatures only to cluster photos of the same person across your archive and to assist with dating. We do not use them to identify strangers, do not match them against any external face database, and do not sell, lease, or trade them.

Retention and destruction. Face embeddings are deleted (a) immediately when you delete the archive that produced them, (b) within sixty (60) days of you deleting your account, and (c) in any event no later than three (3) years after your last interaction with the Service, whichever is soonest.

You may withdraw your biometric consent at any time by deleting the affected archive or your account. If you live in Illinois, Texas, Colorado, Washington, Virginia, or another state with a biometric privacy law, you have additional statutory rights under those laws.

Child safety scanning

We use Microsoft PhotoDNA to scan every uploaded image for known child sexual abuse material (CSAM). Scanning is performed by computing a perceptual hash of the image and comparing it against the National Center for Missing & Exploited Children (NCMEC) hash database. Image bytes are sent to Microsoft’s PhotoDNA Cloud Service for the purpose of this scan and are not retained by Microsoft beyond the duration of the request.

Confirmed matches are reported to NCMEC and may be shared with law enforcement as required by 18 U.S.C. § 2258A. The matched image, along with associated account information, is preserved in restricted-access storage for a minimum of one year as required by law.

Sub-processors

We rely on the following service providers to operate the Service. We have data-protection terms in place with each. We name the providers that handle your photos directly so you can verify their privacy posture; for the rest we list categories.

  • Google Cloud (Gemini Enterprise) — AI date extraction. Photos are sent to Gemini Enterprise solely for date extraction and are not used to train Google’s models.
  • Microsoft PhotoDNA — child-safety hash scanning (see “Child safety scanning”).
  • Stripe — payment processing. Card numbers and CVCs are sent directly to Stripe and never touch our servers.
  • An authentication provider — account creation, sign-in, and session management.
  • A cloud infrastructure provider — file storage, compute, and database hosting in the United States.
  • PostHog — product analytics and session replay (see “Cookies, analytics, and advertising”); data stored in the United States.
  • Google (Google Ads) — advertising measurement and remarketing.

Sharing

We do not sell your information. We share information only with the sub-processors above, with law enforcement when legally required (see “Government requests”), and in connection with a merger or sale of the company.

Government requests

We require valid legal process for government access to your data. Our position by default:

  • Subscriber information (account email, IP logs, account creation date): provided in response to a valid subpoena.
  • Stored content (your uploaded photos): provided only in response to a valid search warrant, consistent with the Stored Communications Act, 18 U.S.C. § 2703.
  • Emergency disclosures: only when we have a good-faith belief there is an imminent risk of death or serious physical injury.
  • CyberTipline reports (CSAM): made to NCMEC as required by 18 U.S.C. § 2258A; image and metadata preserved for at least one year.

We reserve the right to notify users of legal process unless we are legally prohibited from doing so.

Your choices and rights

  • Access and download. You can download your archive from your account at any time.
  • Delete. You can delete individual archives or your entire account from your account settings. Deletion of biometric data is immediate; deletion of stored photos completes within sixty (60) days.
  • Withdraw biometric consent. Delete the affected archive (or your account).
  • State-law rights. Residents of California (CCPA/CPRA), Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may have additional rights to access, correct, or delete personal information. Email support@timelinescan.com to make a request.

Security

We use TLS for data in transit, server-side encryption (KMS) for data at rest in S3 and DynamoDB, scoped IAM credentials, and per-user data isolation enforced at every API endpoint. No system is perfectly secure; if you believe your account is compromised, email support@timelinescan.com.

DMCA

If you believe content in Timeline Scan infringes your copyright, please send a notice that complies with 17 U.S.C. § 512 to our designated agent:

  • Service Provider: Timeline Scan LLC
  • Designated Agent: Spencer Baker
  • Email: spencer@timelinescan.com
  • U.S. Copyright Office Registration: DMCA-1071599 (full contact information, including mailing address, is on file in the Copyright Office DMCA Designated Agent Directory)

Misrepresentations in a DMCA notice may subject you to liability under § 512(f).

Children

The Service is for users 18 and older. We do not knowingly collect personal information from anyone under 13.

International users

The Service is operated from the United States and is intended for U.S. residents. By using the Service you consent to the transfer of your information to the United States.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and within the Service, and we will update the version date at the top of this page.

Contact

Timeline Scan LLC. For privacy, security, or legal questions, email support@timelinescan.com.