We track invoices, not people. Here's exactly what we collect, why, and what you can do about it.
Hourtab is a time-tracking and invoicing service provided by Typesoft Technology Inc. ("Typesoft", "Hourtab", "we", "us", "our"), a corporation based in Montréal, Québec, Canada (the "Service"). This policy explains how we handle personal information for visitors to our website, account holders, and the recipients of invoices sent through the Service.
The person responsible for the protection of personal information (our Privacy Officer, as required by Québec's Law 25) can be reached at hi@typesoft.ca. We comply with Canada's PIPEDA and Québec's Law 25; if you're in the EU/EEA or UK, the GDPR/UK GDPR rights described below apply to you too.
For your account and your use of our website, we are the controller of your personal information and this policy governs it.
For the data you put into the Service about your own clients (contacts, billing details, time entries, invoices), you are the controller and we act as your processor / service provider — we handle it only on your instructions, under our Terms of use. You are responsible for having a lawful basis to enter that data and to email your clients.
Account data — your name, email, the third-party account you sign in with (e.g. Google), business name, language and currency preferences, and plan details.
Billing data — subscription status and billing history. Your full payment-card number is collected and processed by Stripe and never touches our servers; we store only limited details (e.g. card brand, last four digits, billing country) returned by Stripe.
Content you create — clients, contacts, billing addresses, projects, rates, time entries, descriptions, and invoices. This often contains personal information about your clients (see §02).
Invoice activity — when an invoice link is opened, viewed again, or downloaded, we record the event with a timestamp so we can show it in your (or the sender's) activity timeline.
Usage & technical data — IP address, browser/device type, pages visited, and basic analytics events, used for security and to improve the product.
Communications — messages you send us (e.g. support email) and your email/notification preferences.
If you received a Hourtab invoice link from someone who bills you: the sender controls the invoice content and is its controller. When you open the link we log the view/download event and show it to the sender — that's the product working as described on the page you opened. We don't build profiles of invoice recipients, we don't sell their data, and we don't contact them except to render that invoice. Privacy requests about an invoice's contents should go to the sender; we'll help where we can.
We use a session cookie to keep you signed in and a small number of preference cookies (for things like your theme and billing-period toggle). Our analytics are cookieless and aggregate. We do not use third-party advertising cookies or cross-site trackers, and we honour Global Privacy Control / "Do Not Track" signals where applicable. Because we don't run ad tech, there's no cookie wall to click through.
We only send marketing or product-update emails if you opt in, and every one has a one-click unsubscribe — consistent with Canada's Anti-Spam Legislation (CASL). Unsubscribing from marketing doesn't stop essential transactional messages (receipts, security alerts, important account notices), which we must send to operate your account.
We share personal information only with service providers necessary to run Hourtab, each bound by data-processing terms and acting only on our instructions. Our significant subprocessors today are:
This list may change as the Service evolves. We may also disclose information if required by law or valid legal process, and we'll tell you when we're legally allowed to. If Hourtab is ever sold or merged, your data remains protected by this policy or one at least as protective, and we'll notify you. We never sell your personal information.
Data is hosted in Canadian and U.S. data centres, with encryption in transit (TLS) and at rest. Because some providers (e.g. Stripe, and depending on region, Supabase and Resend) operate in the United States, your personal information may be processed outside Québec and Canada, where different laws apply and where it may be accessible to local authorities. Before relying on such providers we assess that the information receives adequate protection, and we use contractual safeguards (such as standard contractual clauses) where appropriate. By using the Service you understand your information may be transferred and stored in these locations.
We do not use your personal information to make decisions about you based solely on automated processing that produce legal or similarly significant effects. Invoice tax and total calculations are deterministic arithmetic based on the settings you choose — not profiling.
We keep your data while your account is active. After you delete your account, content is removed from production systems within 30 days and purged from backups within 90 days, except limited records we are required to retain for tax, accounting, and legal purposes. De-identified, aggregate data that can no longer be linked to you may be retained to understand product usage.
We protect personal information with encryption in transit and at rest, authentication handled by our provider, row-level access controls so each account only sees its own data, least-privilege access, and regular dependency updates. No system is perfectly secure; if a confidentiality incident affects your personal information, we will keep a record of it and notify you and the relevant authorities (such as Québec's Commission d'accès à l'information) where the law requires, without undue delay.
Depending on where you live, you have some or all of these rights over your personal information:
To exercise any of these, email hi@typesoft.ca. We may need to verify your identity before acting, and we respond within 30 days (or the period your law requires). These rights are free to exercise, within reason.
Hourtab is a business tool, not directed at children, and may not be used by anyone under 18. We do not knowingly collect personal information from children; if you believe a child has given us information, contact us and we'll delete it.
We'll post any changes here and update the date at the top. For material changes we'll notify you by email or in-app at least 30 days before they take effect. Continuing to use the Service after changes take effect means you accept the updated policy.
Privacy questions, requests, or complaints: hi@typesoft.ca — attn. Privacy Officer · Typesoft Technology Inc. (Hourtab), Montréal, QC, Canada. We respond to every message — see also our Terms of use.