Legal

Privacy Policy

How we collect, use, and protect your information.

Last updated: March 1, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (hashed). If you sign in with Google or GitHub, we receive your name, email, and profile picture from the OAuth provider.

Usage Data

We collect data about how you use TRCR, including time entries, projects, tasks, invoices, and chat messages you create. This data is necessary to provide the service and is stored securely.

Technical Data

We automatically collect IP addresses, browser type, operating system, and device information when you access TRCR. This is used for security (audit logs), analytics, and troubleshooting.

2. How We Use Your Information

  • To provide and maintain the TRCR service
  • To authenticate your identity and secure your account
  • To send transactional emails (password resets, invoice notifications, etc.)
  • To maintain an audit trail of actions for security purposes
  • To improve the service based on usage patterns
  • To respond to support requests

3. Data Storage & Security

Your data is stored in PostgreSQL databases with encryption at rest. All connections are encrypted in transit via TLS. File attachments are stored in AWS S3 with server-side encryption.

We maintain an immutable audit log of all significant actions in your organization, including the acting user and their IP address.

4. Data Sharing

We do not sell your data. We do not share your data with third parties for advertising purposes. We may share data with:

  • Infrastructure providers (AWS, database hosting) that process data on our behalf under strict data processing agreements
  • Email delivery services to send transactional notifications
  • Law enforcement when required by law or to protect our legal rights

5. Your Rights

You have the right to:

  • Access all data we hold about you
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data in standard formats via our API
  • Object to processing of your data

6. Cookies

TRCR uses essential cookies for authentication (JWT tokens stored in httpOnly cookies) and session management. We do not use third-party tracking cookies or advertising cookies.

7. Data Retention

Your data is retained as long as your account is active. When you delete your account, we soft-delete your user record and permanently remove all associated data within 30 days. Audit logs are retained for 12 months after account deletion for security purposes.

8. Children's Privacy

TRCR is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or an in-app notification.

10. Contact Us

For privacy-related questions or data requests, contact us at privacy@trcr.pro.