Theta Privacy Policy

Effective Date: April 2, 2026

1. Introduction

This Privacy Policy describes how Time Entry Assistant L.L.C. ("Theta," "we," or "us") collects, uses, stores, and discloses information in connection with the Theta platform and related services (the "Service"). This Privacy Policy is incorporated into and subject to our Terms of Service. Capitalized terms not defined herein have the meanings given in the Terms of Service.

Where Customer accesses the Service through an organization, that organization is the data controller and Theta acts as a service provider and processor. The organization's instructions and agreements govern Theta's processing of Customer Data in that context.

Theta is based in the United States and primarily serves U.S.-based organizations. We comply with applicable U.S. data privacy laws, including the California Consumer Privacy Act ("CCPA") for California residents. Where Theta processes personal data on behalf of an organization subject to EEA, UK, or Swiss data protection laws, that processing will be governed by the applicable customer agreement. International users should review Section 9 below.

2. Information We Collect

2.1 Information Provided by Customer.

Account Data. Name, work email, organization name, role, and identifiers necessary to associate Customer with an organization. Theta does not receive or store passwords.
Authorization Data. Tokens, permissions, and configuration details needed to access third-party services authorized by Customer. Customer may revoke access at any time.
Customer Content. Data created, edited, or submitted within the Service, including dates, durations, descriptions, identifiers, and related information.
Organization Configuration. Settings, rules, and other organization-specific data provided by administrators.
Billing Information. Billing contact information and subscription status. Payment details are processed by our third-party payment processor; we receive only payment status and invoice metadata.
Communications. Information provided through support requests or other correspondence.
Feedback. Suggestions, survey responses, or other voluntary feedback.

2.2 Information Collected Automatically.

Service Activity Data. Interactions within the Service, including logins, feature usage, and timestamps, collected for troubleshooting and service operations. When aggregated and de-identified so that it does not identify any customer or individual, this data becomes "Usage Data" as defined in our Terms of Service.
Device and Log Data. IP address, browser type, access times, and error events recorded by our servers.
Browser Storage. Session management and preference data stored locally in Customer's browser.
Third-Party Service Data. Where Customer connects third-party services such as calendar, email, meeting, or file-storage systems, Theta collects only the metadata reasonably necessary to provide the enabled functionality. Depending on the features configured, this may include: calendar event titles, times, participants, and duration; email subject lines, sender and recipient addresses, and timestamps; file names, folder paths, and modification timestamps; and call or meeting participant names, duration, and timestamps.
Voice Input. If Customer uses voice features, audio is processed in memory to generate text. Audio is not stored; only the resulting text is retained as Customer Content.
Analytics. Internal performance and usage analytics. We do not use third-party advertising analytics.

2.3 Information Not Retained. The Service processes only the metadata categories described above. The following are not retained by the Service: email body content; document or file contents; meeting recordings, audio, or video; call audio (voice input is processed in memory and only the resulting text is stored); and attachment contents. We do not collect sensitive categories of personal information such as social security numbers, financial account numbers, or biometric data.

3. How We Use Information

We use collected information for the following purposes:

Service Delivery. Authenticating users, processing authorized data, generating and storing output, and providing related functionality.
Account Management. Provisioning accounts, managing administration, and maintaining subscriptions and billing.
Service Improvement. Analyzing usage data, debugging issues, and improving reliability and performance.
Security. Monitoring for unauthorized access, fraud, and other violations.
Communications. Sending service updates, billing notices, and support responses. Customer may opt out of non-essential communications.
Legal Compliance. Complying with applicable law, responding to lawful requests, and enforcing our Terms of Service.

AI and Product Improvement. Theta uses artificial intelligence to generate time entry records from metadata. Customer Data submitted to AI service providers is processed under contractual terms that prohibit the provider from retaining or training on that data. Theta's AI infrastructure is provided by Microsoft Azure. Theta does not use Customer Data or Customer Output to train, fine-tune, or improve any machine-learning model, whether first-party or third-party. We may use de-identified, aggregated Usage Data to operate, secure, and improve the Service. Usage Data never identifies Customer or any individual. Customer may opt out of product-improvement use of Usage Data at any time by contacting us at support@timeentryassistant.com. We do not use personal information for targeted advertising or cross-context behavioral advertising.

We base processing on the necessity to perform the contract (Terms of Service) with Customer, our legitimate interests in operating a secure and effective service, and, where applicable, Customer's consent. For California residents, these purposes constitute "business purposes" under the CCPA. We do not use personal information for purposes incompatible with those described above.

4. How We Share Information

We do not sell personal information. We share information only in the following circumstances:

Service Providers. We share information with third-party service providers that perform services on our behalf, including cloud hosting, authentication, payment processing, and AI infrastructure. These providers process Customer Data only as necessary to provide their services to Theta and are contractually bound to protect Customer Data and not to retain it beyond what is necessary for service delivery.
Legal Compliance. We may disclose information if required by law or in good-faith belief that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights or property of Theta; (c) protect the safety of users or the public; or (d) protect against legal liability. Where legally permitted, we will provide the affected Customer prompt notice before disclosure so Customer may seek protective treatment.
Business Transfers. In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, Customer information may be transferred to the acquiring entity, which will be bound by terms substantially similar to this Privacy Policy.
With Consent. We may share information with third parties when Customer provides explicit consent.

We do not share personal information with third-party advertisers or ad networks.

5. Cookies and Browser Storage

Theta uses browser storage technologies for session management, authentication, and user preferences. These are strictly necessary for the Service to function. We do not use third-party advertising or cross-site tracking cookies.

Customer may clear browser storage through browser settings. Doing so will require re-authentication. Blocking browser storage may impair Service functionality.

Do Not Track. Because we do not engage in cross-site tracking, we do not respond differently to Do Not Track browser signals.

6. Data Security

We implement security measures designed to protect personal information, including:

Data encryption in transit (HTTPS/TLS) and at rest, including per-organization encryption keys
Logical data isolation between organizations
Access controls restricting data access to authorized personnel
Secure authentication through established identity providers
Monitoring for suspicious activity and incident response procedures

All personnel and contractors with access to Customer data are bound by confidentiality obligations. Theta personnel access Customer Data only when necessary to provide requested support, investigate errors, prevent or respond to security incidents, or as required by law. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

In the event of a confirmed security incident involving unauthorized access to or acquisition of Customer Data, we will notify the affected Customer without unreasonable delay and provide information reasonably necessary to assess the impact.

7. Data Retention

We retain personal information only as long as reasonably necessary for the purposes described in this Policy, as required by law, or as needed to resolve disputes and enforce agreements.

Account Data. Retained while the account is active. Purged from production systems within thirty (30) days of account closure or subscription termination, except for information required for compliance or billing records.
Customer Data (including Customer Output). Retained during the subscription term. Following termination, Customer has a thirty (30) day post-termination window to export data, unless Theta terminates for Customer's material breach involving fraud, abuse, or security risk. After the export window, production data and backups are promptly deleted. Theta will confirm deletion upon request, unless retention is required by law, legal hold, or security.
Organization Encryption Keys. Disabled after the post-termination export window. Permanently destroyed promptly thereafter, unless retention is required to comply with a legal hold or applicable law.
Authorization Tokens. Revoked on disconnect or termination.
Logs and Diagnostic Data. Retained for up to ninety (90) days for operational and security purposes.
Billing and Tax Records. Retained as required by applicable financial and tax law.

Requests for early deletion will be honored unless prohibited by legal obligations. See Section 8 below.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access and Portability. Request a copy of the personal information we hold about you.
Correction. Request correction of inaccurate or outdated personal information.
Deletion. Request deletion of your personal data. Deletion is irreversible.
Opt-Out of Communications. Opt out of non-essential communications. Administrative and transactional communications are not subject to opt-out.

8.1 California Residents. Under the CCPA, California residents have the right to: (a) know what personal information is collected, used, and disclosed; (b) request deletion of personal information; (c) request correction of inaccurate personal information; (d) opt out of the sale or sharing of personal information (we do not sell personal information); and (e) not receive discriminatory treatment for exercising privacy rights. We will not discriminate against any user for exercising these rights. We may verify identity before processing requests. Authorized agents may submit requests with proof of authority. Under California Civil Code Section 1798.83, California residents may request information about disclosures to third parties for direct marketing purposes; we do not make such disclosures.

8.2 Other U.S. State Laws. Residents of states with applicable privacy legislation have similar rights, including access, correction, deletion, and opt-out of targeted advertising or sale of personal information. We do not engage in targeted advertising or sale of personal information.

8.3 Customer Data Processed on Behalf of Organizations. Where Theta processes Customer Data on behalf of an organization, that organization controls the data and directs Theta's processing. Individuals seeking to exercise data rights with respect to Customer Data should contact their organization directly. Theta will assist the organization in responding to such requests as required by applicable law and the terms of our agreement with the organization.

8.4 Appeals. If we decline or are unable to fulfill a rights request, we will inform you of the reason and provide instructions for appealing the decision. To appeal, contact us at support@timeentryassistant.com with the subject line "Privacy Rights Appeal." We will respond to appeals within thirty (30) days. If your appeal is denied, you may contact your state attorney general's office or applicable regulatory authority.

To exercise any right, contact us at support@timeentryassistant.com. We will respond within thirty (30) days. We may verify identity before processing requests.

9. International Data Transfers

Theta is based in the United States and the Service is hosted in the U.S. Customer information is transferred to, stored, and processed in the United States. Data protection laws in the U.S. may differ from those in Customer's country of residence.

Where Theta processes personal data subject to EEA, UK, or Swiss data protection laws, that processing will be governed by the applicable customer agreement and any required transfer mechanism. If we expand internationally, we will implement appropriate safeguards in accordance with applicable law.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe a minor has provided us personal information, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or notice within the Service at least thirty (30) days before they take effect. The updated effective date will be posted at the top of this page. No material change will apply during a then-current paid subscription term without Customer's affirmative consent, unless the change is required by law or necessary to address a security issue. Non-material changes (such as clarifications or formatting updates) may take effect upon posting. If Customer does not agree to a material change, Customer should discontinue use and may request deletion of personal data.

12. Contact

Questions, concerns, or requests regarding this Privacy Policy or personal data should be directed to support@timeentryassistant.com.