Security & Privacy
Privacy is the architecture, not a feature.
Time-Pop was built from the ground up as a local-first application. Your data sovereignty is guaranteed by how the software works — not by a privacy policy you have to trust us to follow.
Six privacy principles
Local-first storage
Time entries are written to a SQLite database on your device. Cloud sync is opt-in, not the default. If you never enable sync, nothing leaves your machine.
No telemetry, ever
We do not collect crash reports, usage analytics, or behavioural data. The app makes no network requests in Personal Mode unless you explicitly connect to cloud sync.
GDPR data residency
When cloud sync is enabled, data is stored on Supabase infrastructure in the EU. You retain full ownership. Export or delete your data at any time — no restrictions.
Transparent record keeping
Employees can see exactly what is recorded about them. There are no hidden fields, no background captures, no screenshot or keystroke monitoring of any kind.
Minimal data surface
We record: project, activity category, and duration. We do not record: URLs, applications used, screenshots, keystrokes, location, or any background process data.
Append-only audit log
The v1 data schema uses a CRDT append-only log. Records are immutable once written — no silent edits, no data loss, full history preserved.
Technical architecture
For security reviewers and technical evaluators
Local database (Personal Mode)
All time entries are stored in a local SQLite database managed by the Drift ORM. The database file is written to the application's standard data directory on your device (Windows: %APPDATA%\TimePop). No network connection is required to create, read, or export records. The app makes zero outbound requests in this mode.
Cloud sync (Pro & Enterprise — opt-in)
When sync is enabled, time entry records are replicated to Supabase Postgres hosted in the EU (Frankfurt). Authentication uses passwordless email OTP — no passwords stored. All data in transit uses TLS 1.3. Row-level security policies ensure users can only access their own data, and org admins can only access records within their organisation.
What we never capture
Time-Pop has no access to and makes no attempt to record: keystrokes, clipboard content, screenshots, window titles, application focus events, file system activity, network traffic, location data, biometrics, or any other form of behavioural monitoring. Architecture documentation and a codebase audit session are available to enterprise evaluators under NDA — contact us for a security review package.
Exactly what we store
Full inventory of every data field Time-Pop touches
| Data field | Stored locally | Synced to cloud | Purpose |
|---|---|---|---|
| Project name | Yes — local | Yes — if sync enabled | Time entry attribution |
| Activity category | Yes — local | Yes — if sync enabled | Utilisation reporting |
| Time duration | Yes — local | Yes — if sync enabled | Billing and payroll |
| Device hostname | Identifier only | Yes — for multi-device sync | Sync deduplication |
| User email | Yes — if signed in | Yes — auth token only | Account authentication |
| Keystrokes / typing | Never | Never | N/A |
| Screenshots | Never | Never | N/A |
| Location data | Never | Never | N/A |
| Application usage | Never | Never | N/A |
| Crash / error reports | Never | Never | N/A |
Security review requests
Enterprise customers can request a full security review package including architecture documentation, data processing agreements, and a codebase audit session.