Privacy policy
Draft — pending legal review. The text below is the operator's best-effort first draft. Section §15 (governing law) in the companion Terms of Service has bracketed placeholders that must be filled in before this is relied on as a paying-customer compliance document.
Effective 2026-04-26. Last updated 2026-05-28. OtiumWork is a service brand operated by Mashpee Advisors LLC (Massachusetts, USA), DBA "OtiumWork" ("we", "us"). Contact: info@otiumwork.com.
This policy explains what data we collect, why, and your rights over it. Plain English; if anything is unclear, email us.
Data we collect
Account data (from admins / managers on signup)
- Company name, your name, email address, password (stored as a salted hash — we never see the plaintext).
- Optional UTM tags + referrer captured from your signup link, used to understand where customers come from.
Workforce data (entered by you and your team)
- Project, task, client, employee, hourly rate, time entry, expense, contract, and similar records you create.
- Department, role, manager assignments, and any module-access flags an admin grants.
Activity data (from the desktop client, opt-in)
- Active application name (e.g. "outlook.exe"), window title bar text, event timestamp, duration in minutes, idle state.
- Nothing else. No screenshots. No keystrokes. No file contents. No clipboard. No camera. No microphone. No network traffic.
- Employees can review and correct any captured event before timesheets are submitted.
Site analytics (from your browser)
- Page URL, referrer, user agent, timestamp, anonymised IP (SHA-256 hashed before storage), session cookie ID, scroll depth, time on page.
- UTM parameters (source, medium, campaign, content, term) on incoming links.
- If Google Analytics is enabled by us as the operator, GA4 also runs with IP anonymisation enabled.
Cookies
- session: signed, HttpOnly, SameSite=Lax. Used for login state.
- csrf_token: protects form submissions.
- _pv_sid: anonymous session ID for first-party analytics (random hash, not tied to identity).
- otiumwork_theme: your light/dark/auto preference.
How we use it
Only to operate OtiumWork's features for you and your company. Specifically:
- Provide the product (timesheets, planning, finance reports, HR docs, etc.) to your team.
- Send transactional email (invites, password resets, weekly digests, billing notifications, module-access change notices).
- Operate billing via Stripe.
- Diagnose bugs and security issues, with access strictly limited to support cases you raise.
- Aggregate (de-identified) product analytics so we can improve OtiumWork.
We do not sell, rent, or trade your data. We do not use your data to train AI models. We do not use your data for behavioural advertising.
Sub-processors
Other companies that process data on our behalf so OtiumWork can function:
- IONOS SE (Germany) — VPS hosting. Stores the database file and application files. EU-located.
- Stripe, Inc. (USA) — billing. Receives company name, billing email, payment instrument; never sees workforce data.
- Anthropic PBC (USA) — AI features (timesheet draft, R&D classification, finance inbox extraction, weekly digest, ask-anything). Sends event metadata + prompts when you use these features. Anthropic does not train on API data per their commercial terms.
- Google LLC (USA) — Google Analytics 4 (page-level visitor analytics, IP-anonymised); Google Search Console (organic search performance). Only when enabled by the OtiumWork operator.
- Microsoft Corporation (USA) — when your admin connects Microsoft 365, OtiumWork uses Microsoft Graph to read calendar events and (optionally) shared mailboxes. Tokens are stored encrypted at rest.
- Intuit Inc. (USA) — when your admin connects QuickBooks Online, OtiumWork uses the QBO API to read invoices, bills, and payments and to push closed sales as invoices.
- Your configured SMTP provider — receives the emails OtiumWork sends on your behalf. By default this is IONOS Mail.
Adding a new sub-processor is announced to active admins by email at least 14 days before it goes live.
Data location + transfers
Primary storage is in the EU (IONOS, Germany). Some sub-processors (Stripe, Anthropic, Google, Microsoft, Intuit) operate in the USA. Transfers to the USA rely on the EU-US Data Privacy Framework or equivalent Standard Contractual Clauses where applicable.
How long we keep it
- Account data + workforce data: retained for the lifetime of your subscription, plus 30 days after cancellation (so you can re-activate without data loss). After 30 days, deleted.
- Activity events from the desktop client: retained for 18 months, then auto-purged unless your admin extends the retention.
- Audit log: retained for 24 months for security + compliance evidence.
- Pageview analytics: retained for 13 months (matching GA4 default).
- Backups: off-site backups retained for 30 days then rotated.
You can request earlier deletion at any time via the channels under "Your rights" below.
Your rights (GDPR / UK GDPR / CCPA / CPRA)
You have the right to:
- Access — see what data we hold about you.
- Portability — get a machine-readable export. Use /api/me/export while logged in.
- Correction — fix inaccurate data. Most fields you can edit yourself; for the rest, email us.
- Deletion ("right to be forgotten") — request erasure. Email info@otiumwork.com; we respond within 30 days.
- Object to processing for legitimate-interests purposes (e.g. analytics).
- Restrict processing while a dispute is resolved.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with your local data protection authority.
Data subject requests (GDPR DSRs)
For DSRs from your end users (e.g. an employee in your company asking what's stored about them), the legal responder is your company as the data controller. OtiumWork acts as data processor and will support your response within 7 business days. The Legal module includes a DSR tracker — see Legal docs.
Security
- TLS in transit (HTTPS only).
- Per-tenant data isolation enforced at the database query layer.
- Passwords stored as salted, computationally-hard hashes (Werkzeug PBKDF2).
- Session cookies signed + HttpOnly + SameSite=Lax.
- OAuth tokens (Microsoft, QuickBooks) stored encrypted at rest.
- API keys and secrets accessible only to the OtiumWork operator.
- Audit log captures every privileged action (employee changes, integration connects, billing events).
Children
OtiumWork is not intended for children under 16 and we do not knowingly collect data from them.
Changes
If this policy materially changes, active admins receive an email 14 days before the change takes effect. Non-material changes (typos, clarifications) take effect immediately and are visible at this URL with the "Last updated" date above.
Contact
Mashpee Advisors LLC, DBA OtiumWork · info@otiumwork.com
For data-protection requests, write "DSAR" in the subject line so it's routed to the privacy queue.
Disclaimer: This policy is launch-grade boilerplate prepared by the OtiumWork team based on common GDPR + CCPA practice. It is not legal advice. Before relying on it as your sole compliance document — particularly if you process data for EU residents at scale or for vulnerable groups — have a qualified privacy lawyer review the specific risks for your operation.