Policy
Client Privacy Policy
Last updated: 11 Apr 2026
This Client Privacy Policy explains how TimenBill processes personal information in customer workspaces when delivering the TimenBill service. It applies to customer account data, workspace content, and operational data processed on behalf of customers. For public website data practices, see our Website Privacy Policy.
Roles and responsibilities
- The customer organization is the controller/business for workspace content and account administration decisions.
- TimenBill acts as a processor/service provider for customer workspace data, subject to customer instructions and our Data Processing Addendum.
- For certain independent activities (for example account management, billing operations, and legal compliance), TimenBill may act as controller.
Data covered by this policy
- User profile and role data in workspaces.
- Time entries, projects, tasks, invoices, expenses, receipts, notes, note recordings/transcripts, attachments, and client records.
- Integration metadata and customer-authorized content (for example email/calendar sync metadata and connected mailbox/calendar content).
- AI prompt inputs, support-assistant conversations, uploaded documents/images, OCR submissions/results, generated drafts, summaries, and other outputs from enabled AI-assisted features.
- Security telemetry, moderation signals, and audit events tied to workspace activity.
- Billing status, client-facing payment link activity, payer email/receipt details, and operational account metadata needed to run the service.
How customer workspace data is used
- Provide and maintain the core TimenBill platform and customer features.
- Authenticate users, manage access controls, and enforce permissions.
- Support customer-initiated operations such as exports, reports, and integrations.
- Provide enabled AI-assisted features such as prompt assistance, transcription, OCR, drafting, summarization, and support workflows.
- Provide client-facing bill payment, receipts, and reconciliation workflows where customers enable online payment collection.
- Protect service integrity through fraud prevention, malware screening, and abuse detection.
- Troubleshoot incidents, provide support, and improve reliability.
- Comply with legal obligations and enforce our terms and policies.
Automated processing and enforcement
- TimenBill may use automated systems for risk analysis, malware scanning, and abuse detection.
- When customers enable AI-assisted features, prompts, audio, documents, messages, or related metadata may be processed to generate drafts, summaries, extracted fields, or classifications.
- Automated flags may trigger warning workflows, temporary restrictions, or escalation to human review.
- For severe policy violations or high-risk events, immediate restrictions may apply.
- Customers and affected users may request review through support channels where permitted by law.
Subprocessors and service providers
- We engage vetted providers for hosting, identity, communications, payment processing, analytics, and security operations.
- Current provider categories and subprocessors are described in our Data Processing Addendum.
- We remain responsible for subprocessor performance under applicable law and contract.
International transfers
Customer workspace data may be processed in regional customer environments and in the United States for TimenBill Global directory and analytics operations. Where required, transfer safeguards such as SCCs/IDTA-style contractual mechanisms are applied.
Security measures
- Role-based access control and least-privilege operational access.
- Encryption in transit and secure secrets management.
- Segregation controls for customer data, regional tenancy boundaries, and the USA-hosted global directory/analytics environment.
- Monitoring, logging, incident response, and vulnerability management procedures.
- Backup and recovery controls proportionate to risk and service commitments.
Retention and deletion
- Retention periods are driven by customer configuration, plan settings, legal obligations, and security needs.
- When services terminate, return/deletion controls follow customer instructions and applicable law.
- AI prompts, transcripts, OCR outputs, and similar feature artifacts follow workspace retention settings unless separate legal or security retention applies.
- Certain logs, audit records, and legal/compliance artifacts may be retained for legitimate business or legal reasons.
Data subject requests
- If TimenBill receives a data subject request related to workspace content, we generally direct the requester to the responsible customer organization.
- We provide reasonable assistance to customers responding to verified requests under applicable privacy laws.
- Where TimenBill acts as controller for specific processing, requests may be sent to support@timenbill.com.
Children and restricted data
- The service is not intended for child-directed use.
- Customers should not submit restricted categories of data unless explicitly authorized by contract and law.
- Use of highly regulated data types remains subject to our Acceptable Use Policy and contractual terms.
Policy changes
We may update this policy to reflect legal, operational, or product changes. Material updates will be posted with an updated effective date.
Contact
Privacy contact: support@timenbill.com.
Related documents: Data Processing Addendum, Client Cookie Policy, US State and California Privacy Notice.