Privacy Policy
Effective date: June 4, 2026 · Last updated: June 4, 2026
TimeFlow Legal Inc. (“TimeFlow,” “we,” “us,” or “our”) provides TimeFlow, a legal timekeeping product for law firms that passively records work activity on a user’s computer and, where connected, gathers limited metadata from a firm’s email, calendar, and document services to help attorneys capture and bill their time (the “Service”).
This Privacy Policy explains what personal information we collect, how we use and share it, how we protect it, and the choices and rights available to you. We designed the Service to be privacy-protective by default. Most importantly, we collect activity and integration metadata, not the contents of your emails, documents, or screen (see Section 3).
If you are an individual whose information is processed because your firm uses TimeFlow, please also review your firm’s own privacy notice; for much of that data, your firm, not TimeFlow, is the party that decides how it is used (see Section 2).
1. Who this policy applies to
- Law firms and other organizations that subscribe to TimeFlow (“Customers”).
- Individual users at those firms (attorneys, timekeepers, and staff) who use the desktop application or web application.
- Website visitors at https://www.timeflow.legal.
It does not apply to third-party services you choose to connect (such as Microsoft 365 or Google Workspace), which are governed by their own privacy policies.
2. Our role: controller vs. processor (service provider)
TimeFlow plays two different roles depending on the data:
- As a processor / “service provider”: When the Service captures activity, email/calendar/document metadata, matters, clients, and time entries on behalf of a Customer firm, the firm is the “controller” / “business” that determines the purposes of that processing, and TimeFlow acts on the firm’s documented instructions under our customer agreement and Data Processing Agreement (“DPA”). Individuals whose data is processed in this capacity (including the firm’s personnel and the firm’s clients/contacts) should direct privacy requests to the firm in the first instance; we will assist the firm in responding.
- As a controller / “business”: When we process information to operate our own business (for example, account administration, billing, security, support, and website analytics), TimeFlow is the controller.
Customers are responsible for providing any required notices to, and obtaining any required consents from, their personnel and clients regarding the use of TimeFlow.
3. Information we collect
3.1 Account and identity information
Name, work email address, firm name, job title, role/permission level, billing rate (if entered), and authentication credentials (managed through our authentication provider). For Customer billing, subscription and payment information is handled by our payment processor (see Section 6).
3.2 Activity metadata (desktop application)
When the desktop application is running and the user has granted the necessary operating-system permissions, we collect metadata about the active window, such as:
- the name of the active application (e.g., “Microsoft Word”);
- the window or document title (e.g., “Smith_Motion.docx - Word”);
- active vs. idle status and the associated timestamps and durations;
- limited device information (operating system and application version).
We use this to estimate how long was spent on a task and to suggest the matter it relates to.
3.3 Integration metadata (email, calendar, documents)
If a Customer connects a third-party service (such as Microsoft 365 / Outlook / Teams or Google Workspace / Gmail / Calendar / Drive), we collect metadata about relevant items, such as:
- Email: sender and recipient addresses and domains, subject lines, timestamps, and message identifiers;
- Calendar: event titles, participants, and start/end times;
- Documents: file names, last-modified timestamps, and revision metadata.
We access this through the provider’s API using OAuth authorization granted by the Customer, and only for the scopes the Customer approves.
3.4 Derived data
Suggested time entries, inferred matter/client associations, and computed billable durations generated from the metadata above.
3.5 Customer-entered data
Matters, clients, companies, contacts, categories, users, time entries, invoices, and firm settings that Customers create in the Service.
3.6 Technical and support data
Log data, app version, error and diagnostic information, and the contents of communications you send to our support team.
4. What we do NOT collect
To protect attorney-client confidentiality and privilege, the Service is designed not to collect or store:
- the body or attachments of emails or messages;
- the contents of documents or files;
- screenshots or screen recordings;
- keystrokes or keylogging data;
- passwords to your third-party accounts (we use OAuth authorization tokens, which are stored encrypted, see Section 7).
We collect only the metadata necessary to attribute and quantify billable time.
5. How and why we use information
We use personal information to:
- provide, operate, and maintain the Service (capture activity, generate suggested entries, support review, billing, and invoicing);
- attribute time to the correct matter/client;
- where directed by the Customer, synchronize time entries to a connected practice-management system;
- authenticate users and administer accounts;
- secure the Service and prevent fraud and abuse;
- provide customer support and respond to requests;
- comply with legal obligations; and
- improve and develop the Service, using aggregated or de-identified data wherever practicable.
Legal bases / consent. In Canada, we rely on consent (express or implied, as appropriate) and other bases permitted under applicable law; Customers are responsible for obtaining consent from their personnel and clients where required. In the United States, we process information to provide the Service requested and for the other purposes described above, consistent with applicable state privacy laws.
We do not use the contents of customer data to train artificial-intelligence models, and we do not sell personal information (see Section 12).
6. How we share information
We share personal information only as described here:
- Service providers / sub-processors that help us run the Service under contractual confidentiality and data-protection obligations, including:
- Supabase: application hosting, database, authentication, and storage (currently hosted in the United States, Northern California);
- Stripe: subscription billing and payment processing (when paid billing is enabled).
- Third-party services the Customer connects: to the extent a Customer authorizes an integration (Microsoft, Google) or a practice-management system, data flows to/from those services as directed by the Customer and is governed by their terms.
- Legal and safety: when required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of TimeFlow, our Customers, or others.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
A current list of sub-processors is available on request at support@timeflow.legal.
7. Security
We use technical and organizational safeguards designed to protect personal information, including:
- Encryption in transit (TLS) and encryption at rest;
- OAuth authorization tokens stored encrypted in a secrets vault, server-side, never on an end-user device;
- Row-level access controls so that one firm’s data is not accessible to another;
- Least-privilege integration scopes (we request the narrowest access that works);
- a code-signed, notarized desktop application; and
- not storing email/message bodies, document contents, or screenshots (Section 4).
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Data retention
We retain personal information for as long as needed to provide the Service and for the purposes described in this policy, and thereafter as required to comply with our legal obligations, resolve disputes, and enforce our agreements. Customers may request export or deletion of their data; upon termination of an account, we will delete or de-identify Customer personal data within 90 days of account closure, except where retention is required by law.
9. International data transfers and data residency
The Service is operated using infrastructure located in the United States (Northern California). If you are located in Canada, your information is stored and processed outside Canada, in the United States, and may be subject to the laws of the United States, including lawful access requests by U.S. courts and government authorities. Where we transfer personal information across borders, we use appropriate contractual and organizational safeguards.
10. Your privacy rights and choices
Subject to applicable law, you may have the right to:
- access the personal information we hold about you;
- correct inaccurate information;
- delete your information;
- withdraw consent or disconnect an integration at any time;
- object to or restrict certain processing; and
- request portability of your information.
In the Service, users can review, edit, and delete suggested and recorded time entries, and Customers can disconnect any integration at any time. To exercise rights, contact us at support@timeflow.legal. Because much firm data is controlled by the Customer, we may direct or forward certain requests to the relevant firm. We will not discriminate against you for exercising your rights.
11. Canada-specific disclosures (PIPEDA and provincial laws)
We handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec’s Law 25, and British Columbia’s and Alberta’s Personal Information Protection Acts).
- Accountability. We have designated a privacy officer responsible for our compliance (see Section 15).
- Consent. We collect, use, and disclose personal information with consent, except where otherwise permitted or required by law.
- Access and correction. You may request access to and correction of your personal information as described in Section 10.
- Cross-border processing. See Section 9 regarding processing outside Canada.
- Complaints. You may contact us at support@timeflow.legal, and you have the right to complain to the Office of the Privacy Commissioner of Canada (or your provincial regulator, such as the Commission d’accès à l’information in Quebec).
12. United States-specific disclosures (California and other states)
Depending on your state of residence (for example, California under the CCPA/CPRA, and Virginia, Colorado, Connecticut, and Utah under their respective laws), you may have rights to:
- know/access the categories and specific pieces of personal information we collect;
- delete and correct personal information;
- opt out of the “sale” or “sharing” of personal information and of certain targeted advertising; and
- be free from discrimination for exercising your rights.
We do not “sell” personal information, and we do not “share” it for cross-context behavioral advertising, as those terms are defined under California law. Where we process sensitive personal information, we use it only to provide the Service and for other permitted purposes. You may submit a request via support@timeflow.legal; you may use an authorized agent, and we will verify requests as required by law.
13. Children’s privacy
The Service is intended for use by businesses and their personnel and is not directed to children. We do not knowingly collect personal information from children under 16.
14. Changes to this policy
We may update this policy from time to time. We will post the updated version with a new “Last updated” date and, where required, provide additional notice. Material changes will be communicated as required by law.
15. Contact us
If you have questions or requests regarding this policy or your personal information, contact our privacy officer:
- Privacy Officer: Chief Executive Officer, TimeFlow Legal Inc.
- Email: support@timeflow.legal