THETA Privacy Policy
Effective Date: February 26, 2026
Introduction and Scope
This Privacy Policy describes how TIME ENTRY ASSISTANT L.L.C. ("THETA," "Company," "we," or "us") collects, uses, stores, and discloses information in connection with the THETA website, onboarding flow, and web application (the "Service"). It is intended to help you understand what data we collect, how we use it, and the choices and rights you have regarding your personal information.
If you use THETA through a law firm or other organization, we process Customer Data on behalf of that organization. In those cases, the organization is the controller and we are a service provider/processor; their instructions and agreements govern our processing of Customer Data. This Privacy Policy is incorporated into our Terms of Service, and any capitalized terms not defined here have the meanings given in the Terms.
Note: THETA is based in the United States. We strive to comply with U.S. data privacy laws applicable to our operations, including the California Consumer Privacy Act (CCPA) for California residents. We do not currently market or provide services to the European Economic Area, and thus we are not presently configured for compliance with the EU General Data Protection Regulation (GDPR); however, if you are an international user, please see International Data Transfers below.
1. Information We Collect
We collect two main types of information: (A) information you provide to us directly, and (B) information collected automatically or from connected services you authorize. In this section, we outline the categories of data under each type.
A. Information You Provide Directly
When you use THETA, you may directly provide certain personal or organizational information, including:
- Account and Onboarding Data: When your organization registers or submits an onboarding request, we collect basic profile information such as your name, work email, firm name, and role. We may also store identifiers needed to associate you with your firm (for example, a tenant or user ID). THETA does not receive or store your password.
- Authorization and Integration Setup: If you authorize integrations, we store authorization tokens, permissions, and configuration details needed to access connected services on your behalf. You can revoke access at any time through the connected service or by contacting us.
- Time Entry and Matter Data: Users can create, edit, and approve time entries within the app, including dates, durations, descriptions, task codes, matter identifiers, client names, tags, and related context. This also includes any edits or notes you add to entries that THETA drafts for you.
- Firm Configuration Data: Firm administrators may provide matter lists, billing rules, and other firm-specific settings needed to run the Service.
- Billing and Subscription Details: If you complete checkout, we collect billing contact information and subscription status. Payment details are processed by our payment processor and we receive limited billing metadata (for example, payment status and invoice identifiers).
- Communications and Support: If you contact us through our website contact form, we collect the information you provide in order to respond and improve the Service.
- Other Provided Data: Any other data that you intentionally provide through the Service, such as feedback, survey responses, or beta test notes.
B. Information Collected Automatically and From Connected Services
When you interact with THETA or authorize connected services, we collect certain information about your device, usage, and authorized metadata, including:
- Usage Data: We track user interactions within the application for troubleshooting and service improvement, such as logins, entry creation or editing, and feature usage timestamps.
- Browser Storage Data: THETA uses browser storage for session management and user preferences so you remain logged in and the Service performs efficiently.
- Device and Log Information: Our servers log technical data such as IP address, browser type, access times, and error events.
- Connected Services Metadata: If you authorize connected services, we process metadata such as participants, timestamps, and activity summaries as needed for time entry generation.
- Practice Management Metadata: If you connect practice management systems, we process matter information and time entry metadata as needed to provide the Service.
- Analytics: We use internal analytics for performance monitoring and product improvement. These tools are focused on internal usage and do not involve third-party advertising.
Data Not Collected: The Service is limited to metadata needed for time tracking functionality. We do not access or store the content of your communications or documents.
We do not intentionally collect sensitive categories of personal information such as social security numbers, financial account numbers, or biometric data. The personal data we handle is mainly business contact information and professional timekeeping records. If any time entry content you provide contains sensitive personal data (for example, health information or personal identifiers about a client), it is incidental and at your discretion; you should avoid including highly sensitive personal details unless necessary.
2. How We Use Your Information
We use the collected information for various purposes related to providing and improving the Service. The primary uses include:
- Providing the Core Service: We authenticate users, ingest authorized metadata, generate and store time entries, and provide related workflows. All of these actions are necessary to perform the services you request.
- AI-Assisted Features: We use artificial intelligence and machine learning services to generate draft time entry descriptions and to assist with categorization based on patterns in your data. AI-generated content should be reviewed before use.
- Account Management and Onboarding: We process onboarding requests, provision accounts, manage firm administration, and maintain subscriptions and billing status.
- Service Improvement: We analyze usage data and feedback, debug issues, and improve reliability and performance.
- Service Personalization: Some data is used to personalize your experience, such as remembering recent selections or interface preferences.
- Security and Fraud Detection: We monitor logs and audit trails to detect and prevent unauthorized access, account sharing, or other violations.
- Communications: We send service updates, billing notices, and support responses. You can opt out of non-essential messages.
- Compliance and Legal Obligations: We comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
- Aggregate Analytics: We generate aggregated, de-identified metrics to understand service usage. We do not sell personal data.
- Future Processing (with notice): If we introduce new features that involve using your data in additional ways, we will update this Privacy Policy and seek additional consent where required.
We base these processing activities on various legal grounds: primarily, the necessity to perform the contract (Terms of Service) we have with you, our legitimate interests in running and improving a safe and effective service, and, where applicable, your consent (for example, where required for sending marketing communications or for using certain cookies). For California residents, these purposes correspond to the "business purposes" under CCPA for which personal information may be used, such as providing services, internal research, maintaining quality and safety of the service, etc. We do not use your personal information for any purposes incompatible with those described above without obtaining your permission.
3. How We Share and Disclose Information
THETA is used within a professional context, and we understand the importance of keeping your data confidential. We are not in the business of selling your personal information to third parties. We only share information in the following circumstances:
- With Service Providers ("Processors"): We share information with third-party service providers that perform services on our behalf to operate THETA. These providers are contractually bound to protect your data and use it only for the purposes of providing their services to us. Key service providers include:
- Cloud Hosting: We host the Service and databases on secure cloud infrastructure. These providers process data only to host and operate the Service.
- Authentication and Connected Services: We use established identity providers and authorized APIs to authenticate users and retrieve authorized metadata.
- Practice Management Integrations: When authorized, we connect to practice management systems to provide related functionality.
- Payment Processing: Subscription payments are processed by a third-party payment processor. We receive payment status and invoice metadata but not full payment card details.
In all cases, our service providers are given only the information necessary to perform their specific function, and we require them to keep your information secure and confidential. We do not permit them to use it for their own marketing or other purposes.
Data Protection: For subscribed organizations, the Service provides additional layers of data protection and access control.
- Legal Compliance and Protection: We may disclose your information if required to do so by law or in a good-faith belief that such action is necessary to: (i) comply with a legal obligation (such as a subpoena or court order); (ii) protect and defend the rights or property of THETA; (iii) act in urgent circumstances to protect the personal safety of users or the public; or (iv) protect THETA against legal liability. For example, if we receive a legitimate request from law enforcement related to a user's use of the Service, we may be compelled to provide the relevant data. We will notify you (e.g., via the email on file) of any such legal requests before disclosing your data, unless legally prohibited from doing so.
- Business Transfers: If THETA is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction. We would ensure the acquiring entity is bound by terms similar to this Privacy Policy regarding your personal information. In the event of an acquisition or merger, we will notify users of the change in ownership and any new significant uses of personal data, as well as any choices you may have.
- With Your Consent: Apart from the cases above, we will share personal information with companies, organizations or individuals outside of THETA only when we have your explicit consent to do so. For example, if in the future we offer an integration that sends your data to another app (beyond what's listed), we would do so only if you opt-in to that connection. Also, if you ask us to share data with a third party (for instance, if you were to request we collaborate with another software vendor to import/export data), we would do so at your direction.
- Anonymized or Aggregated Data: We may share aggregated information that does not identify you personally with third parties, such as general usage statistics or industry trends. This data will contain no personally identifiable information and no client-sensitive information.
No Selling of Personal Data: We want to reiterate that we do not sell your personal information to data brokers or third parties for monetary or other valuable consideration. Under the CCPA's broad definitions, "sell" could include some kinds of sharing; however, our practice is that we do not share personal info except as described above (which are primarily "service provider" disclosures and legal exceptions, not sales). If this ever changes, we will update this policy and provide required opt-outs.
No Third-Party Advertising Sharing: We do not share your data with third-party advertisers or ad networks. We also do not currently use any third-party tracking for advertising purposes on our site. You will not see third-party ads on THETA, and we're not giving your info to advertisers.
4. Cookies and Browser Storage
THETA uses standard web technologies to store information in your browser. Here's how we use these technologies:
- Authentication and Session Management: When you log in, we use your browser's local storage to save your authentication information. This allows you to stay logged in without having to re-authenticate for a certain period. It also helps us maintain your session securely as you navigate through the app. We may also set a session identifier so that our server knows you have an active session. These are strictly necessary for the Service to function; without them, you would be asked to log in for every action, which is impractical.
- User Preferences: We may use browser storage to remember user interface preferences and cached data. For example, your preference for light mode or dark mode could be saved. Or recently accessed time entries might be cached so that if you refresh the page or go offline briefly, you still see your recent data (read-only) without needing to fetch from the server. This improves speed and user experience.
- Data Caching: Some of your data (like a list of matters or entries for the current week) might be stored temporarily in your browser. This is to reduce server calls and provide quicker access. All such data stays on your device unless you are online and choose to sync it.
- No Third-Party Marketing Cookies: THETA does not use third-party advertising or tracking cookies. We do not load any cookies for analytic platforms that track you across different sites. The only cookies in use are for our own service functioning (session cookies) and possibly some from the authentication system.
- Browser Storage Controls: You can control browser storage through your browser settings. Most browsers allow you to clear stored data. However, please note: if you clear your browser's storage, it will log you out of THETA (since the auth token is stored there) and you will have to log in again. Similarly, if you block storage entirely, some parts of the Service (like login) may not function properly. We do not currently have a separate cookie consent banner because we only use essential storage features and do not do cross-site tracking. If this changes, we will implement appropriate consent mechanisms.
- Do Not Track: "Do Not Track" is a browser setting that requests that a web application disable its tracking of an individual user. Given that THETA does not engage in cross-site tracking or advertising, and only uses necessary tracking for internal usage analytics, we do not respond differently to Do Not Track signals at this time (there is no third-party tracking to disable). We treat all users' data with the same high level of privacy. If in the future we integrate analytics that could be considered tracking, we will revisit honoring DNT signals or provide a manual opt-out.
In summary, our use of browser storage is minimal and primarily geared towards making sure you have a seamless and secure experience using THETA. You have the ability to clear these at any time via your browser, though doing so might affect Service functionality (requiring you to log in again, etc.).
5. Data Security
We understand that the confidentiality and security of your data (which may include sensitive client-related information) is paramount. We take several measures to protect personal information from loss, misuse, unauthorized access or disclosure, alteration, and destruction:
- Secure Infrastructure: We operate the Service on secure cloud infrastructure with appropriate controls and monitoring.
- Encryption: Data in transit between your device and our servers is encrypted using HTTPS/TLS. We encrypt data at rest using industry-standard methods.
- Access Controls: We restrict access to personal data to authorized personnel who need it to operate or support the Service.
- Secure Authentication: We rely on established identity providers for login and do not store your password.
- Monitoring and Incident Response: We monitor for suspicious activity and maintain procedures to respond to incidents and notify users as required by law.
- Security Reviews: We regularly review and patch systems and may perform third-party assessments to evaluate our defenses.
Confidentiality: We consider the data you store in THETA to be confidential. We do not access or disclose it except as outlined in this Policy. All staff and any contractors with potential access to data are under strict confidentiality agreements.
6. Data Retention
We retain personal data for only as long as necessary to fulfill the purposes for which it was collected (as described in this Policy), or as required by law or legitimate business needs. Below are our specific retention schedules for different categories of data:
Retention Practices:
- Account Data: Retained while your account is active. If you delete your account or your subscription ends, personal data is purged from production systems after a short grace period, except for minimal information required for compliance or billing records.
- Time Entry and Operational Data: Retained for a limited period with automatic lifecycle management. You may export your data before deletion. Once deleted, data cannot be recovered.
- Logs and Audit Trails: Retained for operational and compliance purposes as required.
- Billing Records: Transactional records may be retained as required by financial and tax laws.
- Anonymized Data: We may retain aggregated, de-identified data for service analysis. This data is not traceable back to an individual.
If you are a user and wish to request deletion of your personal data sooner than our standard retention, you have the right to do so (see User Rights below). We will honor such requests unless it conflicts with legal obligations. Deletion will be done in a reasonably prompt timeframe, and we will confirm once your request is completed.
In summary, we do not keep your personal information longer than necessary. We aim to give you control (exporting or deleting data) and to implement retention schedules that balance user convenience (like reactivating an account quickly) with privacy (not holding data indefinitely).
7. Your Rights and Choices
We believe in user rights when it comes to personal data. Depending on your jurisdiction, you may have certain legal rights regarding your information. Regardless, we extend many of these rights to all our users. These rights include:
- Access and Portability: You have the right to request a copy of the personal information we hold about you and to obtain information about how we process it. This is sometimes called a "data subject access request." Through the THETA app, you can view and export your data. If you need a more comprehensive export, you can contact us and we will provide you with the requested information to the extent required by law.
- Correction (Rectification): If any of your personal information is inaccurate or outdated, you have the right to request a correction. In many cases, you can correct your data yourself: for instance, you can edit your profile (if we have a profile page) to change your display name, or edit any time entry if it's recorded incorrectly. If you need assistance (like changing the email address associated with your account or correcting organization info), contact us and we will help update our records.
- Deletion (Erasure): You have the right to request deletion of your personal data. This is sometimes called the "right to be forgotten." You can delete your account through our website contact form (or through the app if that option is available), which will queue your data for deletion in our systems. We will delete your personal data (and confirm to you once done) except for information we are required or permitted to retain by law. Deletion is irreversible – once done, you will lose access to the Service unless you register again and data cannot be recovered. If you only want to delete certain data (like a specific time entry or a certain category of info), you can often do that directly in the app or by asking us.
- Opt-Out of Communications: If we send any non-essential email communications (like newsletters or feature updates), you will be able to opt-out by following the unsubscribe instructions in those emails. However, note that we will still send important administrative or transactional emails (e.g., password resets, billing issues, Terms or Privacy Policy updates, security alerts) as those are pertinent to your use of THETA.
- California Privacy Rights: If you are a resident of California, you have specific rights under the CCPA (and its amendment CPRA) regarding your personal information. These include the right to know what personal information we collect, use, disclose, and sell (we've outlined this throughout the Policy), the right to request deletion of your personal information, the right to correct inaccurate personal information, the right to opt-out of the sale or sharing of your personal information (again, we do not sell data, but you have the right to direct us not to should that ever change), and the right not to receive discriminatory treatment for exercising your privacy rights. We affirm that we will not discriminate against you (e.g., denying service or charging different prices) for exercising any of these rights. California residents can exercise their rights through the same methods described (using our website contact form for requests). We may need to verify your identity (for example, by confirming information we have on file) when processing large-scale data requests to ensure we are providing data to the correct person. You may also designate an authorized agent to make requests on your behalf; we will require proof of the agent's authority and your verification of the request. Additionally, under California's "Shine the Light" law (Civil Code § 1798.83), California users may request once a year, free of charge, information about our sharing of certain categories of personal information (if any) with third parties for their direct marketing purposes in the previous calendar year. However, THETA does not share personal information with third parties for direct marketing purposes without consent, so there is nothing to disclose in that regard.
- Other U.S. State Laws: If you are in a state with new privacy laws (such as Virginia, Colorado, Connecticut, or Utah starting in 2023), you may have similar rights (access, correction, deletion, opt-out of certain processing). We intend to honor those rights similarly. For example, if you're a Virginia resident, you can request confirmation if we are processing your data, get a copy of it, correct it, delete it, or opt out of any targeted advertising or sale (neither of which we do). If we ever engage in profiling that produces legal effects, we would provide an opt-out for that as well. You also have the right to appeal if we decline to fulfill a request; we would inform you of how to appeal in such case (by contacting us again indicating it's an appeal).
- International Users: While we do not actively serve EU/EEA users now, if you nonetheless use our Service and believe the GDPR applies, you would have rights such as the right to object to processing, and the right to lodge a complaint with a supervisory authority, among others, in addition to the core rights we listed (access, rectification, deletion, etc.). Please contact us with any such requests and we will do our best to honor them in spirit, even though we may not be legally required to under GDPR if we have no established presence or targeting in the EU. We repeat that our Service is not intended for EU use at this time, but we respect user privacy universally.
To exercise any of your rights or make any requests regarding your data, please reach out to us through our website contact form. We will respond to your request within a reasonable timeframe, typically within 30 days as required by many laws. For complex requests or multiple requests, we may extend this period and will inform you of the extension and reason. There is no fee for making a request, though if a request is excessive or unfounded, applicable law might allow us to charge a reasonable fee or refuse, but we presently have no intention to charge for verifiable requests.
We may need to verify your identity to process certain requests (to ensure that, for example, someone else isn't trying to delete your data). Verification might involve confirming a code sent to your email, or asking for information that matches our records. Any information gathered in verification will be used only for that purpose.
Finally, if you have any privacy-related questions or concerns that are not addressed here, feel free to contact us. We're here to help and take privacy seriously.
8. International Data Transfers
THETA is based in the United States and our Service is hosted in the U.S. If you are using the Service from outside the United States, be aware that your information will be transferred to, stored, and processed in the United States or other locations where our service providers are located. The data protection laws of the U.S. (or other countries where we operate) may differ from those in your country.
By using THETA, you acknowledge this transfer and processing of your personal information in the United States.
If we eventually cater to users in the European Economic Area (EEA) or other regions with cross-border data transfer restrictions, we will implement appropriate safeguards in accordance with applicable law. Such measures might include entering into Standard Contractual Clauses (SCCs) as approved by the European Commission, relying on an adequacy decision (if one applies), or obtaining your explicit consent for certain transfers.
If you are outside the U.S. and provide us with personal information, you do so on your own initiative and consent to the processing and transfer of your personal information in the U.S. as explained. We will treat your information no differently than we treat U.S. users' information, as described in this Policy. However, if you are in a jurisdiction (like the EU) where certain privacy laws apply, we will abide by those as far as they apply to us. As mentioned, currently we do not knowingly have customers in the EU, and we might restrict access if needed to avoid violating laws we cannot comply with.
For international offices of U.S. law firms (like if a U.S. firm's London office uses THETA), the same transfer to U.S. servers applies. Those users should ensure this is acceptable under their local rules (for instance, attorney-client data being stored in U.S. cloud – many firms do this with suitable client consent or internal policy).
In summary, by using THETA, you understand your data will be processed in the U.S. under U.S. law. If you are from a region with data localization or transfer requirements that we don't meet, you should not use the Service until we announce compliance with those regimes. We will update this section if we expand internationally or change our data hosting approach.
9. Children's Privacy
THETA is not directed to children under the age of 18, and we do not knowingly collect personal information from individuals under 18 years old. Our Service is intended for use by adult professionals (or at minimum, those who are of legal working age and engaged in a professional capacity). If you are under 18, you should not use or attempt to register for THETA. We do not use the Service to knowingly solicit data from or market to children under 18.
In particular, for children under 13 years of age, we adhere to the U.S. Children's Online Privacy Protection Act (COPPA) which prohibits the collection of personal data online from children without parental consent. We do not knowingly collect any personal information from children under 13. Our registration process (using work accounts) inherently means users are employees or professionals, not young children. We also do not design any portion of our site to attract minors.
If we become aware that we have inadvertently collected personal information from someone under 18 (for instance, if a user lied about their age or an account was created for a minor intern without our knowledge), we will take steps to delete such information promptly. If you believe that a child under 18 may have provided us personal information, please contact us immediately so we can investigate and remove the data.
Parents or legal guardians: if for some reason a minor (say, a teenager intern at a law office) is using this Service against our policy, please inform us. We will disable the account and ensure data is deleted. By using THETA, you affirm that you are at least 18 (or the age of majority in your jurisdiction, if higher). We rely on this representation, and we do not verify age but will act if we discover evidence of underage use.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we update the Policy, we will change the "Effective Date" at the top of the policy to the date of the latest revision.
Notification of Changes: If we make any material changes to how we handle your personal information, we will take reasonable steps to notify you in advance. We may notify you by email (sent to the address associated with your account) or by prominent notice on our website or within the application. For example, if we were to start using data in a significantly new way not disclosed here, or if we were to start collecting additional categories of personal information, we would inform you and, if required, obtain your consent. Minor updates that do not substantially affect your rights (such as clarifications or typographical corrections) may be posted without specific notice, but they will still be indicated by the updated effective date.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of THETA after any changes to this Policy constitutes acceptance of the updated terms, to the extent permitted by law. If you do not agree with a change, you should discontinue use of the Service and can request the deletion of your data. For significant changes, we may re-request consent or provide an opt-out if required (for example, if in the future a change required consent under CCPA or other law, we'd handle that accordingly).
If you have questions about any changes or need more clarification, feel free to reach out to us. We will also maintain an archive or log of past privacy policies if needed for reference.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at privacy@timeentryassistant.com or through the contact form on our website.
We will do our best to respond promptly to any inquiry. If you are contacting us to exercise a privacy right, please indicate the specific right you wish to exercise and any details that will help us fulfill your request. For example, "I am a California resident requesting a copy of my personal information" or "I would like to delete my account and all data associated with it." We may need to verify your identity for such requests as described in Section 7.
If you feel we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with a supervisory authority (if applicable in your jurisdiction, e.g., a Data Protection Authority in the EU, or a state Attorney General's office in the U.S.). We would, however, appreciate the chance to address your concerns directly first. Your trust is extremely important to us, and we are always looking for ways to improve our practices and communication.
Summary: We are committed to safeguarding your data and privacy. This Policy outlined in detail what we collect and how we use and protect it. Please use the contact above for any clarifications. Thank you for entrusting THETA with your time tracking needs – we will continue to prioritize your privacy and security as we develop and grow.