Privacy Policy

Template — review with legal counsel before production use.

The English version of this document is authoritative; translations are provided for convenience.

Last updated: 2026-05-21 · Effective: 2026-06-01 · Version 2.0.0

TEMPLATE — REVIEW WITH LEGAL COUNSEL BEFORE PRODUCTION USE. This document is structurally complete and reflects how the product actually handles personal data, but the legal language has not been reviewed by qualified counsel and is not binding until counsel approves it.

[TEMPLATE — counsel to confirm or replace the product name “TimeTracker” throughout.]

The English version of this document is authoritative; translations are provided for convenience and have no legal force.

1. Introduction and data controller

This Privacy Policy describes how TimeTracker (the “Service”) collects, uses, and protects personal information when you use the Service. It applies whether you use the Service as an individual user or as a member of an Organization.

The data controller for personal information processed by the Service is [TEMPLATE — counsel to fill operating-entity legal name, registered address, and (if applicable) EU/UK representative or DPO].

We follow the General Data Protection Regulation (GDPR) for users in the European Economic Area and the United Kingdom, and the California Consumer Privacy Act (CCPA) as amended for California residents. Where this Policy refers to a “right” or “request”, it should be interpreted under whichever regime applies to you.

2. Information we collect

We collect the following categories of personal information:

  • Account and profile data — email address, name, password hash, OAuth provider identifier (if you sign in with Google, GitHub, Apple, Microsoft, or Facebook), language preference, profile photo.
  • Organization and team data — Organization name, your role (member, admin, owner), team membership, invitation history.
  • Time-tracking data — time entries you create (description, duration, date, project, tags, billable flag, approval state).
  • Project and client data — projects you create or are invited to, client records, invoice metadata.
  • Billing data — Subscription plan, billing email, last four digits of payment card (full card data is held only by our payment processor, Stripe — never by us).
  • Calendar data — if you connect a Google Calendar, calendar event metadata for events you have chosen to sync; we store OAuth tokens encrypted at rest using AES-256-GCM.
  • Technical data — IP address, user-agent string, request timestamps, audit-log entries for security-relevant actions.
  • Cookies and similar technologies — see Section 4.

3. How we use information and the legal basis under GDPR

Purpose | Legal basis (GDPR Article 6)
Provide the Service (authenticate, store time entries, generate invoices) | Performance of a contract — Art. 6(1)(b)
Bill paid subscriptions | Performance of a contract — Art. 6(1)(b)
Send transactional email (invitations, password resets, billing receipts) | Performance of a contract — Art. 6(1)(b)
Operate security controls (audit logs, anomaly detection, rate limits) | Legitimate interests — Art. 6(1)(f) — security of the Service
Comply with legal obligations (tax records, lawful requests) | Legal obligation — Art. 6(1)(c)
Send product update or marketing email | Consent — Art. 6(1)(a) (you can withdraw at any time from the Privacy Center)
Analyze aggregate usage to improve the Service | Legitimate interests — Art. 6(1)(f) — service improvement, with no profiling decisions

We do not engage in automated decision-making with legal or similarly significant effects, and we do not profile users for advertising purposes.

4. Cookies and tracking technologies

We use first-party cookies for: session authentication, CSRF protection, language preference, and remembering you across visits. We do not use third-party advertising cookies and we do not allow third parties to set tracking cookies through the Service.

A cookie banner is shown on your first visit, allowing you to manage cookie preferences. Optional analytics cookies are off by default; you can manage your preferences from the Privacy Center.

5. Data sharing

We share personal information only with the following categories of recipients:

  • Stripe — to process payments. Stripe acts as a payment processor and (depending on the transaction) a controller in its own right. Stripe receives billing data; it does not receive your time-entry or project data.
  • Google — if you sign in with Google or connect Google Calendar. Google receives only the OAuth claims you authorize.
  • Email delivery providers — to send transactional email. They receive your email address and the message contents.
  • Cloud hosting providers — to host the Service. They receive whatever passes through their infrastructure but do not process it for their own purposes.
  • Law enforcement and regulators — where required by a valid legal request.

We do not sell personal information. We do not share personal information with advertising networks or data brokers.

6. International data transfers

If you are located in the European Economic Area or the United Kingdom and we transfer your personal information to a country outside the EEA/UK, we rely on the European Commission’s Standard Contractual Clauses or an adequacy decision as the transfer safeguard. You can request a copy of the safeguard we rely on by contacting us.

7. Data retention

We retain personal information for as long as your Account is active and for a limited period afterwards as set out below:

  • Account and profile data — retained while the Account is active. Deleted within thirty (30) days of Account closure, subject to the legal-retention exceptions below.
  • Time-tracking data — retained while the Organization exists. On Organization deletion, retained for ninety (90) days in case of restoration request, then permanently deleted.
  • Audit logs — retained for twelve (12) months for security purposes, then archived in aggregate form.
  • Billing records — retained for the period required by applicable tax and accounting law (typically seven (7) years).
  • Backups — copies in encrypted backups are purged on the next backup-rotation cycle following deletion (typically thirty (30) days).

You can request earlier deletion via the Privacy Center (“Delete my data”), subject to the legal-retention exceptions.

8. Your rights under GDPR

If you are in the EEA or UK, you have the following rights regarding your personal information:

  • Right of access (Article 15) — request a copy of the personal information we hold about you. Use the Privacy Center → Export Data.
  • Right to rectification (Article 16) — correct inaccurate or incomplete personal information from your profile settings.
  • Right to erasure (Article 17) — request deletion of your personal information. Use the Privacy Center → Delete My Data.
  • Right to restriction (Article 18) — request that we restrict processing pending verification or in other limited cases.
  • Right to data portability (Article 20) — receive a machine-readable export of the data you provided to us. Use the Privacy Center → Export Data.
  • Right to object (Article 21) — object to processing carried out on the basis of legitimate interests (Section 3).
  • Right to lodge a complaint — with your local supervisory authority. We encourage you to contact us first so we can address the issue directly.

We respond to verified requests within one (1) calendar month and may extend by two (2) further months for complex requests, in which case we will notify you of the extension and the reason.

9. Your rights under CCPA

If you are a California resident, you have the following rights regarding your personal information:

  • Right to know — what personal information we collect, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it. Sections 2, 3, and 5 of this Policy disclose this information.
  • Right to delete — request deletion of personal information we have collected from you. Use the Privacy Center → Delete My Data.
  • Right to opt out of “sale” or “sharing” of personal information — we do not sell or share your personal information as those terms are defined under the CCPA. There is therefore nothing for you to opt out of.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.

To exercise a CCPA right, use the Privacy Center or contact us at the address in Section 13.

10. Security measures

We protect personal information with industry-standard safeguards, including:

  • TLS encryption for all data in transit;
  • encryption at rest for the database, including AES-256-GCM encryption of stored OAuth tokens;
  • multi-tenant isolation at the database row level via PostgreSQL Row-Level Security;
  • audit logging of security-relevant actions (login, role change, data export, deletion);
  • rate-limiting and anomaly detection on authentication endpoints;
  • regular security review of code changes.

No security control is perfect; we will notify you and (where required) the relevant supervisory authority of any personal-data breach without undue delay and in accordance with applicable law.

11. Children’s data

The Service is not directed at children under sixteen (16). We do not knowingly collect personal information from children under sixteen. If you believe a child under sixteen has provided personal information to us, please contact us and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will notify Account holders by email or in-app notice at least thirty (30) days before the changes take effect, and we will require re-acceptance before continued use of the Service. The current version, together with the precise wording you accepted, is recorded in our acceptance log.

13. Contact and complaints

Privacy questions, requests, and complaints can be sent to [TEMPLATE — counsel to fill DPO contact email and postal address, plus the name of the relevant supervisory authority in your primary EU jurisdiction].

If you are in the EEA or UK and are dissatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.