Privacy Policy

1. Information We Collect

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service. Processing your time entries, managing your account, and delivering the features you use.
• AI Processing. Parsing your freeform text input into structured time entries using OpenAI's language models (see Section 3 for details).
• Integration Sync. Transmitting finalized time entries to connected third-party platforms (such as Clio) when you initiate a sync.
• Communication. Sending you account-related notifications, responding to support requests, and providing service updates.
• Billing. Processing subscription payments through Stripe.
• Security and Fraud Prevention. Detecting and preventing unauthorized access, abuse, or fraudulent activity.
• Service Improvement. Understanding how the Service is used so we can improve features and performance. We do not use your time entry content for training AI models.

3. AI Processing and OpenAI

When you submit text through any of the Service's input methods (typing, describing, dictating, pasting, emailing, or texting), your input text is sent to OpenAI's API for interpretation. Specifically, we send:

• Your input text (the description of time worked).
• Your list of client names, category names, and matter names (so the AI can match entries to your existing data).

We do not send the following to OpenAI:

• Your email address, password, or account credentials.
• Your billing rate or financial information.
• Your payment details.
• Your phone number.

OpenAI processes this data under their API data usage policies. As of this writing, OpenAI does not use data submitted through their API to train their models. We encourage you to review OpenAI's privacy and data usage policies for the most current information.

We do not store AI processing logs beyond what is necessary to generate and return your time entry suggestions. AI-generated entries are stored only as draft time entries in your account.

4. Third-Party Service Providers

We use the following third-party service providers to operate the Service. Each processes your data only as necessary to provide their specific function:

We require all third-party providers to maintain appropriate security measures and to process your data only in accordance with our instructions and applicable law.

5. SMS Privacy and Data Protection

This section applies specifically to information collected through the Text Time (SMS) feature.

Phone Number Collection. We collect your phone number only when you voluntarily provide it and opt in to receive SMS messages by checking the consent checkbox and completing phone verification on your account settings page.

SMS Opt-In Data Protection. We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your Personal Data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages.

No Third-Party Sharing of SMS Consent. All of the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

No SMS Marketing. We do not use phone numbers collected through the Text Time feature for marketing, promotional, or advertising purposes. We do not send marketing text messages.

SMS Content. The content of SMS messages you send to TimeDetail is processed by our AI system to create draft time entries. The original SMS message content is not stored after processing is complete — only the resulting draft time entries are retained in your account.

Opt-Out. You may stop receiving SMS messages at any time by replying STOP to any message from TimeDetail, or by removing your phone number from your account settings. See our SMS Consent page and Terms of Service for full opt-out details.

6. Data Storage and Security

Your data is stored on servers located in the United States, managed by Supabase (which uses Amazon Web Services infrastructure). We implement the following security measures:

• Encryption in Transit. All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at Rest. Database storage is encrypted at rest through our hosting provider's infrastructure.
• OAuth Token Encryption. Access tokens and refresh tokens for third-party integrations (such as Clio) are encrypted at rest using AES-256-GCM encryption with a dedicated encryption key.
• Webhook Verification. Inbound SMS messages are verified using Ed25519 signature verification. Inbound emails are verified using HMAC signatures. Payment webhooks are verified using Stripe's standard signature verification.
• Authentication. User sessions are managed through secure, HTTP-only cookies with Supabase Auth.
• Phone Verification. SMS ingestion requires phone number verification via a one-time code before the feature is activated.

While we take reasonable measures to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

7. Data Retention

• Active Accounts. We retain your data for as long as your account is active and as needed to provide the Service.
• Deleted Accounts. If you request account deletion, we will delete your personal data within 30 days of your request. Some data may be retained for a limited period in encrypted backups, which are overwritten on a regular cycle.
• Sync Logs. Records of integration sync attempts (including entry IDs, timestamps, and status) are retained for auditing purposes for as long as your account is active.
• SMS and Email Content. The original content of SMS messages and emails submitted for time entry creation is not stored after processing. Only the resulting draft time entries are retained in your account.

8. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We share your data only in the following circumstances:

• With Third-Party Providers. As described in Section 4, to operate the Service.
• With Connected Integrations. When you initiate a sync to a connected platform (such as Clio), we transmit your finalized time entry data to that platform. This happens only when you take an explicit action to sync.
• Legal Requirements. If required by law, regulation, legal process, or governmental request.
• Business Transfers. In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.
• With Your Consent. In any other circumstance where you provide explicit consent.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. This includes phone numbers, SMS opt-in status, and SMS consent data collected through the Text Time feature.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access. You may request a copy of the personal data we hold about you.
• Correction. You may request that we correct inaccurate personal data.
• Deletion. You may request that we delete your personal data. Note that deletion of your account will permanently remove your time entries and associated data.
• Export. You may export your time entries in CSV format from the Service at any time.
• Restrict Processing. You may request that we restrict the processing of your personal data in certain circumstances.
• Object. You may object to our processing of your personal data in certain circumstances.
• Withdraw Consent. Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before the withdrawal.

To exercise any of these rights, contact us at support@timedetail.com. We will respond to your request within 30 days.

10. Clio Integration — Specific Disclosures

When you connect TimeDetail to Clio Manage, the following applies:

• Authorization. You authorize TimeDetail to access your Clio account through OAuth 2.0 with the specific permissions you grant (Users, Activities, Contacts, and Matters).
• Data Accessed. TimeDetail accesses your Clio contacts, matters, and activity descriptions to facilitate mapping between your TimeDetail data and Clio records. This data is used for matching purposes and is not stored in bulk.
• Data Sent to Clio. When you initiate a sync, TimeDetail sends finalized time entry data (date, duration, description, billing rate, and billable status) to Clio as Activities. If mappings are configured, the entry is associated with the corresponding Clio contact, matter, and activity description.
• One-Way Sync. Data flows from TimeDetail to Clio only. TimeDetail does not modify or delete existing data in your Clio account.
• Token Storage. Your Clio OAuth tokens are encrypted at rest using AES-256-GCM encryption and are automatically refreshed as needed. Tokens are deleted when you disconnect the integration.
• Disconnection. You may disconnect the Clio integration at any time from your account settings. Disconnecting revokes TimeDetail's access and deletes stored tokens. You may also revoke access directly from your Clio account.
• Regional Support. The Clio integration supports Clio's US, Canada, EU, and Australia regions. Your Clio data is processed through the API endpoint corresponding to your Clio account's region.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.