Privacy Policy

Last updated:

Your privacy matters to us. Work Timer is built on an offline-first, privacy-first philosophy — your time entries live on your own device by default and are never shared without your explicit action. This policy explains exactly what data we collect (and what we don't), where it goes, and how you can delete it at any time.

1. Introduction

Work Timer (“Work Timer”, “we”, “our”, or “us”) is a time-tracking tool that consists of two parts: a Chrome extension and a companion web app at w-timer.com. This Privacy Policy applies to both and describes how we handle your information when you use either part of the service.

You can use the Chrome extension entirely on its own, with no account and no internet connection required — all your data stays on your device in that case. Optionally, you can create a free account to unlock cloud sync, which lets your data follow you across multiple devices and browsers. This policy covers both usage modes.

By installing the extension or using the website you agree to the practices described below. If you do not agree, please uninstall the extension and stop using the website.

2. Data we collect

We collect only the minimum data needed to operate the service. The exact data collected depends on how you use Work Timer:

a) Local-only storage (no account required)

When you use the Chrome extension without signing in, all data is stored locally on your device using Chrome's chrome.storage.local API. This allows the extension to work fully offline and keeps every piece of your data on your own machine — nothing is transmitted to our servers. The data stored locally includes:

  • Time entries (start time, end time, duration, description)
  • Projects and tags you create
  • Timer state (running/paused, elapsed time)
  • App settings (theme, Pomodoro configuration, idle timeout, notifications)
  • Sync queue (a temporary list of pending changes, only used locally unless sync is enabled)

chrome.storage.local is sandboxed to the Work Timer extension and cannot be read by websites you visit or by other browser extensions.

b) Account & cloud sync (optional)

If you create an account and enable cloud sync, the data listed above is uploaded to our servers so it can be accessed across devices. We additionally store:

  • Your email address (used for authentication and account communications)
  • Display name (optional; populated from OAuth providers like Google if you sign in that way)
  • Subscription status and plan tier
  • Sync cursor timestamps (to enable incremental sync and detect conflicts)

c) Usage analytics (premium)

We do not use any third-party analytics tools inside the Chrome extension. The extension itself generates no telemetry or usage statistics beyond the time entries you deliberately create. Premium subscribers can access aggregated personal analytics (weekly totals, daily averages, project breakdowns) on the web app — these are computed entirely from your own time entries and displayed only to you.

d) Payment information

If you subscribe to a paid plan, your payment is processed by a third-party payment provider (see “Third-party services” below). We receive only a subscription status token and a customer reference — we never see or store your full card number, CVV, or bank details.

e) Technical server logs

When you use the web app or the extension's cloud sync feature, our hosting infrastructure automatically records standard server logs. These may include your IP address, browser type and version, operating system, the pages or API endpoints requested, and error traces. We use this information solely to keep the service secure, diagnose technical problems, and measure overall availability. Logs are retained for up to 30 days and are not used for advertising or profiling.

We do not use third-party behavioral analytics services (such as Mixpanel, Amplitude, or Segment) on the web app. Where possible, log data is handled in an aggregated or pseudonymous form.

f) Content script behavior

The Work Timer Chrome extension injects a small content script into the pages you visit in order to display a floating timer widget. This script is limited in what it does:

  • It does not read page content. The script never reads, copies, or transmits the text, form inputs, passwords, cookies, or any other content from the pages you visit.
  • It only renders the timer UI. Its sole purpose is to inject and manage the floating timer overlay so you can start, pause, and stop timers without leaving the tab.
  • It handles authentication messages securely. When you are on w-timer.com, the script relays sign-in status between the website and the extension. This communication is restricted to https://w-timer.com/* only and uses no third-party code.
  • It does not inject third-party tracking scripts into the pages you visit. The extension enforces a strict Content Security Policy (script-src 'self'; object-src 'none') that prevents any external JavaScript from running inside extension contexts.

The extension declares content_scripts on <all_urls> but has no host_permissions, which means it cannot make privileged cross-origin requests on behalf of those pages.

3. Where your data is stored

Work Timer uses two distinct storage tiers:

  • chrome.storage.local (local) — All time entries, projects, tags, settings, and timer state are stored inside Chrome on your own machine. This storage is sandboxed to the extension and inaccessible to websites or other extensions. No network request is made to store or retrieve this data.
  • Supabase (cloud, optional) — When you sign in and cloud sync is enabled, your data is replicated to a PostgreSQL database hosted on Supabase (supabase.com). Supabase stores data in data centers operated by AWS or Google Cloud. All data is encrypted in transit (TLS) and at rest (AES-256). Supabase enforces row-level security so each user can only read their own records.

Premium users can selectively disable cloud sync for individual data categories (time entries, statistics, projects, and tags) from the extension's Settings > Account > Data Sync Controls. When a category is disabled, that data remains exclusively on your local device and is never transmitted to our servers.

Cloud data is logically associated with your account via your user ID. If you are in the European Economic Area (EEA), please note that our cloud infrastructure may process data outside the EEA; Supabase operates under Standard Contractual Clauses for such transfers.

4. How we use your data

We use the data we collect solely to deliver and improve Work Timer:

  • Core time-tracking features — Recording, displaying, and exporting your time entries, projects, and tags.
  • Cloud sync — Replicating your local data to the server (and vice versa) so you can use Work Timer on multiple devices. You can control exactly which categories of data are synced via the Data Sync Controls in Settings.
  • Notifications & reminders — Using the Chrome notifications API and alarms API to deliver Pomodoro transition alerts, idle-time prompts, and optional weekly timesheet reminders. You can disable all notifications in Settings.
  • Idle detection — Using Chrome's idle API to detect when you step away from your computer. If idle time is detected while a timer is running, Work Timer will ask whether to keep or discard the idle portion. No data about your idle activity is transmitted to our servers.
  • Personal analytics (premium) — Computing your usage statistics (daily averages, project breakdowns, earnings estimates) from your own time entries. Results are displayed only to you.
  • Account management — Sending transactional emails (password reset, email verification) when you request them.
  • Subscription management — Tracking your plan tier and feature entitlements.

5. What we do NOT do

We believe in being explicit about what we will never do with your data:

  • We do not sell your data. Your time entries, projects, tags, and usage patterns are never sold or rented to any third party.
  • We do not read or modify web page content. The floating timer widget is injected as a content script so it can appear while you browse, but it renders only its own UI. It does not read page text, form inputs, passwords, cookies, or any other page data (see section 2f for full details).
  • We do not inject advertising or tracking scripts. The extension enforces a strict Content Security Policy (script-src 'self'; object-src 'none') that prevents any third-party JavaScript from running inside extension pages.
  • We do not track your browsing history. The extension does not record which URLs you visit.
  • We do not share your data with advertisers or ad-tech platforms.
  • We do not use your data to train AI or machine learning models.

6. Third-party services

Work Timer integrates with a small number of carefully chosen third-party services. Each of these has its own privacy policy that governs the data it receives:

  • Supabase — Our database, authentication, and real-time sync provider. When you create an account or enable cloud sync, your account information and time tracking data are stored in Supabase. Supabase acts as a data processor on our behalf.
  • Stripe — Our payment processor for premium subscriptions. When you enter payment details, they go directly to Stripe. We receive only a subscription status token from Stripe. Stripe is PCI DSS compliant.
  • Vercel — Our web hosting provider for the companion website. Vercel may log request metadata (IP address, user-agent) for up to 30 days for security and reliability purposes.
  • Google OAuth (optional) — If you choose to sign in with Google, Google will share your name and email address with us to create your account. We do not request any additional Google permissions.

We do not use any advertising networks, behavioral analytics platforms, or social media tracking pixels on our website or in our extension.

7. Data retention & deletion

Local data (extension)

Data stored in chrome.storage.local is retained until you uninstall the extension, clear the extension's storage via Chrome settings, or use the “Clear all data” option inside Work Timer's Settings view.

Cloud data (account)

If you have an account, your cloud data is retained for as long as your account is active. You can delete your account at any time from the Account Settings page. Upon deletion:

  • All your time entries, projects, tags, and settings are permanently deleted from our database.
  • Your authentication record is removed.
  • Any active subscription is cancelled immediately (you retain access until the end of the current billing period).
  • Deletion is irreversible. We do not retain soft-deleted copies of your data beyond the backup window described below.

Backups

Supabase takes automated database backups. Deleted data may remain in encrypted backups for up to 30 days before being permanently overwritten. We will not restore your data from backup after you request deletion.

Data portability

You can export all your time entries at any time as CSV, Excel (.xlsx), or PDF from within the extension or website. You own your data and can take it with you at any time.

8. Security

We take reasonable technical and organisational measures to protect your data:

  • All data is transmitted over HTTPS/TLS.
  • Cloud data is encrypted at rest using AES-256.
  • Row-level security in the database ensures each user can only access their own records.
  • The extension enforces a strict Content Security Policy that blocks third-party script injection.
  • Extension-to-website messaging is restricted via externally_connectable to https://w-timer.com/*, preventing spoofing from other origins.
  • All API routes validate inputs using strict Zod schemas.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to support@w-timer.com.

9. Children's privacy

Work Timer is not directed at children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information without parental consent, please contact us at support@w-timer.com and we will delete the information promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes — those that significantly affect how we process your data — we will notify you by email (if you have an account) or by displaying a notice in the extension or on the website at least 14 days before the change takes effect.

Continuing to use Work Timer after a policy update constitutes your acceptance of the revised policy. If you do not agree with the changes, you may delete your account and uninstall the extension before the effective date.

11. Your rights

Depending on where you live, you may have certain rights over your personal data under applicable privacy law (including, where relevant, the GDPR and similar regulations). These rights may include:

  • Right of access — You can request a copy of the personal data we hold about you.
  • Right to rectification — You can ask us to correct inaccurate or incomplete data.
  • Right to erasure — You can request deletion of your personal data, subject to any legal obligations we may have to retain it.
  • Right to restriction — You can ask us to limit how we process your data in certain circumstances.
  • Right to data portability — You can request your data in a structured, machine-readable format. Work Timer supports this directly via the CSV and Excel export features.
  • Right to object — You can object to certain types of processing, such as direct marketing (we do not send marketing emails).

Most of these rights can be exercised directly within the app: you can export your data at any time, and you can delete your account (and all associated data) from the Account Settings page. To exercise any right that is not handled in-app, or if you have questions, please contact us using the details in the “Contact us” section below. We will respond within 30 days.

If you are in the EEA or UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.

12. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please get in touch:

Work Timer

Operated by Mustafa Mbari / Work Timer, Germany

Email: support@w-timer.com

Website: https://w-timer.com

We aim to respond to all privacy-related enquiries within 5 business days.