timmyshadylex

LAST UPDATED 2026-04-11

Privacy policy

This notice explains what data we collect when you visit timmyshadylex.ai, why we collect it, how long we keep it, and the rights you have over it. It is written in plain English and follows the structure required by the EU General Data Protection Regulation.

Nature of this site

timmyshadylex OÜ is a technology advisory and product company, not a law firm. Nothing on this site or in any correspondence constitutes legal advice. If you need a formal opinion on a matter of law, please speak to a qualified practitioner in your jurisdiction.

We build and maintain software that helps legal teams work faster. Everything on this website — including articles in the resources section — is educational commentary about that work, not guidance you should rely on for a specific matter.

Data controller

The data controller responsible for any personal data processed through this website is:

timmyshadylex OÜ
Estonian OÜ, formation in progress
Estonia
Email: contact@timmyshadylex.ai

timmyshadylex OÜ is an Estonian private limited company in the process of formation through Estonia’s e-Residency programme. The registered Tallinn address will replace the line above once incorporation is finalised. For any data-controller queries in the meantime, email contact@timmyshadylex.ai.

Data we collect

The only personal data we hold about you is data you give us directly, plus aggregate technical signals generated by your browser when you visit a page. Specifically:

  • Contact form submissions. When you send us a message through the contact form at /contact, we receive your name, company name, email address, and the message body. These four fields are the entire payload — we do not ask for, infer, or enrich anything else.
  • Booking data (Cal.com). If you book a call through the Cal.com embed on the contact page, Cal.com receives your name, email address, and the time slot you pick. Any additional questions Cal.com asks are optional and handled directly by Cal.com as a processor.
  • Vercel Analytics.We use Vercel’s cookieless analytics to count page views and referrers in aggregate. Vercel generates a short-lived hashed identifier from the request headers to deduplicate visits within the same day; no tracking cookie is set and no long-term profile is built.
  • Speed Insights. We use Vercel Speed Insights to measure Core Web Vitals (Largest Contentful Paint, Cumulative Layout Shift, Interaction to Next Paint). These are aggregate performance metrics — no personal data is sent.
  • Cookie notice acknowledgment (localStorage). When you dismiss the small notice at the bottom of the page, we set a localStorage key called tsl-consent-ack so the notice does not reappear on your next visit. It never leaves your device.

Purposes and legal bases

Article 6 of the GDPR requires us to identify a lawful basis for every processing activity. For this site:

  • Contact form → Article 6(1)(b) — steps prior to entering into a contract. We process the fields you submit so we can read your enquiry and reply. If we go on to work together, the same data supports the performance of that engagement.
  • Booking (Cal.com) → Article 6(1)(b). Booking a call is a request from you to schedule a specific meeting; processing your name, email, and slot choice is necessary to honour that request.
  • Vercel Analytics and Speed Insights → Article 6(1)(f) — legitimate interest. We have a legitimate interest in understanding, in aggregate, how people find and use the site, and in monitoring whether pages load fast enough for real visitors. Both services are cookieless and handle only aggregate data, so the impact on your privacy is minimal and we consider the balancing test satisfied.
  • Theme preference and cookie-notice acknowledgment → not personal data. Both values are stored in your own browser, never transmitted to us, and cannot be linked to you. They fall outside Article 4(1) of the GDPR and therefore no legal basis is required.

Retention periods

We only keep personal data for as long as we have a concrete reason to keep it.

  • Contact form messages. We retain messages sent through the contact form for 24 months from the date of receipt. After 24 months the record is deleted from our inbox. If a message leads to an ongoing engagement, the project record is retained for the duration of that engagement plus any retention period we are required to keep for tax or book-keeping purposes under Estonian law.
  • Email delivery logs (Resend). Resend, Inc. processes the outbound transactional email that carries your contact-form message to us. Their retention of delivery logs is governed by their own policy, linked in Section 6 below.
  • Booking data (Cal.com). Cal.com, Inc. stores bookings according to their own retention policy, linked in Section 6 below. We only receive a summary email when you book.
  • Analytics and Speed Insights. Both services process aggregate data only and do not maintain a retention window tied to any individual visitor. No per-visitor record exists to delete.

Third-party processors

We rely on three processors to run this website. Each of them receives only the data described above, under a data-processing agreement, and only for the purpose stated here.

International transfers

Some of our processors (Vercel, Inc., Resend Inc., and Cal.com, Inc.) are established in the United States. Where a processor is certified under the EU-U.S. Data Privacy Framework, the transfer is made on the basis of the European Commission’s adequacy decision of 17 July 2023. Otherwise, transfers rely on the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor) under Article 46 GDPR, together with supplementary measures where appropriate.

In practice this means that any data leaving the European Economic Area in the course of operating this website is protected either by the Commission’s DPF adequacy finding or by the standard contractual mechanism the Commission has approved for controller- to-processor transfers, whichever applies to the processor concerned.

Your rights

Under the GDPR you have the following rights in relation to any personal data we hold about you. To exercise any of them, email contact@timmyshadylex.ai — we will reply within one week.

  • Access (Article 15). Ask us for a copy of the data we hold about you and an explanation of how we use it.
  • Rectification (Article 16). Ask us to correct anything that is wrong or incomplete.
  • Erasure (Article 17). Ask us to delete the data we hold about you, subject to any retention obligations we are required by law to keep.
  • Restriction (Article 18). Ask us to pause processing while a dispute about accuracy or lawfulness is being resolved.
  • Portability (Article 20). Ask us to give you the data you submitted in a structured, machine-readable format so you can take it elsewhere.
  • Objection (Article 21). Object to any processing we carry out on the basis of our legitimate interest (this covers the analytics and Speed Insights described above).
  • Lodge a complaint (Article 77). You can complain to a supervisory authority in the EU Member State where you live, work, or where you believe the issue occurred. For this site the competent authority is Estonia’s national regulator, named in the next section.

Cookies and local storage

We do not use tracking cookies. The only client-side storage we touch is a single localStorage key used to remember that you have dismissed the notice at the bottom of the page. It is never shared or transmitted.

That key is tsl-consent-ack. You can clear it at any time from your browser’s storage settings.

Data breach notification

In the event of a personal data breach affecting your rights, we notify Andmekaitse Inspektsioon (the Estonian Data Protection Inspectorate) within 72 hours where required, and affected individuals without undue delay, in line with Articles 33 and 34 of the GDPR.

Our operational posture is to treat any suspected unauthorised access to contact-form data, email delivery logs, or booking records as a breach until proven otherwise, and to keep an internal record of every incident whether or not it is notifiable.

Complaints and contact

We have not appointed a Data Protection Officer. Questions about this policy or requests to exercise your rights can be sent to contact@timmyshadylex.ai. You also have the right to lodge a complaint with Andmekaitse Inspektsioon (Tatari 39, 10134 Tallinn, Estonia; www.aki.ee/en(opens in a new tab)).

We prefer to resolve concerns directly before they escalate, so if something on this page is unclear or wrong, please email us first — we read every message and reply within one week.