Legal
Privacy Policy
How Tmbr collects, uses, and protects personal information.
Last updated: June 2026
This Privacy Policy explains how Tmbr (“Tmbr”, “we”, “us”) handles personal information in connection with tmbr.space and the Tmbr platform (the “Service”). Tmbr is operated from Ontario, Canada, and we handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial law. Tmbr is operated by [your registered legal entity], [your registered address].
Two roles: our customers vs. their customers
Tmbr is a business-management platform used by independent operators — studios, coworking spaces, venues, coaches, and creators (each an “Operator”) — to run their own businesses and websites.
- For an Operator’s account and our own billing, Tmbr is the organization responsible for that personal information.
- For the data an Operator loads into Tmbr about their own members, customers, and contacts, the Operator is responsible for that information and Tmbr acts only as their service provider, processing it on their behalf and under their instructions. If you are a member or customer of an Operator, please contact that Operator about their handling of your information; we will support them in responding.
Information we collect
- Account information — name, email, password, business name, and role, when you create a Tmbr account.
- Billing information — your subscription plan and payment status. Card details are collected and stored by Stripe, not by Tmbr.
- Business data — the content Operators create or upload (websites, contacts, bookings, events, classes, memberships, products, messages, and documents).
- Usage and device data — pages visited, actions taken, IP address, browser, and device type, used to operate and improve the Service.
- Cookies and similar technologies — see our Cookie Policy.
How we use information
- To provide, secure, and improve the Service;
- To process payments and manage subscriptions;
- To send transactional messages (confirmations, receipts, security notices) and, where permitted, product updates you can opt out of;
- To provide support and respond to enquiries;
- To detect, prevent, and address fraud, abuse, and security issues;
- To meet legal and regulatory obligations.
We rely on your consent, the performance of our contract with you, and our legitimate business interests as the basis for these uses, consistent with PIPEDA.
Payments
Tmbr does not store full payment card numbers. Operators connect their own Stripe account to take payments from their customers; for those transactions the Operator is the merchant of record and Stripe is the payment processor. Tmbr’s own subscription fees are also processed by Stripe. Stripe’s handling of payment information is governed by Stripe’s privacy policy.
Service providers we share with
We share personal information only with vendors who help us run the Service, under contracts that require them to protect it:
- Supabase — database, file storage, and authentication;
- Vercel — application hosting and content delivery;
- Stripe — payment processing and connected-account payouts;
- Resend — transactional email delivery;
- Google — optional analytics, calendar, and sign-in integrations;
- Anthropic and OpenAI — optional AI features (see below).
We do not sell personal information. We may disclose information if required by law, to enforce our terms, or to protect the rights, safety, and property of Tmbr, our users, or the public.
AI features
Some optional features use third-party AI providers to generate content (for example, draft copy or SEO suggestions). When you use these features, the relevant inputs are sent to the provider to produce the result. We use providers that, under our arrangements, do not train their models on your content.
Gmail add-on (Google Workspace)
Tmbr offers an optional Gmail add-on (“tmbr CRM”) that runs inside Gmail for Operators who choose to install it. When you have the add-on open on a message, it accesses Google user data solely to provide the features you invoke:
- Your Google account email address — used only to match you to your Tmbr staff account so the add-on shows the correct workspace. We do not use it for advertising.
- The open message’s metadata (such as the sender) — used to look the sender up in your Tmbr CRM and show their record.
- The open message’s or thread’s content — read only when you tap a feature such as “Draft reply” or “Summarize thread,” and only for the message or thread you are actively viewing. That content is sent to our AI provider for the sole purpose of producing the on-screen draft or summary. It is not retained by Tmbr after the result is returned, and is not used to train AI models.
- Compose actions — when you choose “Insert booking link,” the add-on adds your booking link to the draft you are composing.
The add-on does not read, store, or transmit your mailbox in the background — it acts only on the message you have open, and only when you use a feature. We do not sell Google user data, use it for advertising, or allow humans to read it except as needed for support with your permission, to comply with the law, or for security.
Tmbr CRM’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
International transfers and data location
Our providers may process and store information in Canada, the United States, and other countries. Where information is processed outside Canada, it may be accessible to courts, law enforcement, and authorities in those jurisdictions. We take steps to ensure a comparable level of protection through our contracts with these providers.
Retention
We keep personal information for as long as your account is active and as needed to provide the Service, then for a reasonable period to meet legal, tax, and security obligations, after which it is deleted or anonymized. Operators control the retention of the business data they load into Tmbr.
Your rights
Subject to applicable law, you may request access to, correction of, or deletion of your personal information, and you may withdraw consent to non-essential processing. To exercise these rights, contact us at privacy@tmbr.space. You also have the right to make a complaint to the Office of the Privacy Commissioner of Canada.
Security
We use encryption in transit (TLS), database-level tenant isolation, access controls, and reputable infrastructure providers to protect personal information. No method of transmission or storage is perfectly secure, but we work to protect your information and to notify you of material breaches as required by law.
Children
The Service is not directed to children under the age of majority in their province, and we do not knowingly collect their personal information.
Changes
We may update this Policy from time to time. We will post the updated version here and revise the “last updated” date. Material changes will be communicated through the Service.
Contact
Questions about this Policy or your information: privacy@tmbr.space.