Privacy Policy

Effective date: April 21, 2026

TimeHarbor (“we”, “our”, or “the app”) is an open-source, offline-first time tracking application developed by MIEWeb. This policy describes exactly what data the app stores, where it is stored, and how it is used. We only describe what the app actually does — nothing more.

1. No Account Required

TimeHarbor does not require you to create an account, provide an email address, or set a password. Your identity is a randomly generated UUID created on your device the first time you open the app. This UUID is stored only in your browser’s local storage and is never linked to your real name or contact information by the server.

2. Data You Create — Stored Locally

All time entries, work sessions, tickets, projects, and notes you create are stored locally on your device using IndexedDB (via Dexie.js). This data never leaves your device unless you explicitly enable sync (see Section 3). You can clear all local data at any time from Settings → Clear Local Data.

The following preferences are stored in your browser’s local storage:

  • Theme preference (light / dark / system)
  • Walkthrough completion flag
  • App lock preference and hashed PIN (if set)
  • Biometric credential identifier (if biometric lock is enabled)
  • Your encryption passphrase (used to derive your sync key on this device)

None of this data is transmitted to our servers.

3. Encrypted Sync (Optional)

If you choose to enable sync, your data is serialised, encrypted on-device using AES-256-GCM, and then transmitted to our relay server. The server stores only opaque encrypted blobs. It cannot read, search, or modify the content of your data.

The server stores the following metadata alongside each encrypted batch:

  • Your identity UUID (not linked to your name or email)
  • A device identifier (randomly generated per device)
  • A logical clock value (used for ordering batches)
  • A count of entries in the batch
  • The date the batch was uploaded

Your encryption key is derived from your passphrase and never leaves your device. Losing your passphrase and recovery key means permanent, unrecoverable data loss — we have no ability to decrypt or restore your data.

4. Profile Information (Optional)

If you choose to set up a public profile, the following information is stored on our server and may be visible to others you share your profile link with:

  • Display name (chosen by you)
  • Profile photo / avatar (uploaded by you)
  • Optional public URLs you provide: GitHub, LinkedIn, Redmine
  • Online/offline status and last-seen timestamp

All profile fields are optional and can be left blank or removed at any time.

5. Push Notifications (Optional, Native App Only)

On the iOS and Android apps, if you grant notification permission, the app registers a device push token (FCM on Android, APNs on iOS) with our server. This token is stored in your profile record and used solely to deliver notifications triggered by your own app activity. You can revoke permission at any time in your device’s system settings.

Push notifications are not available on the web version of the app.

6. Session Metadata

When your device communicates with our server, standard HTTP metadata is recorded in server sessions: your IP address and user-agent string. This information is used solely to maintain your session and is not shared with third parties or used for tracking.

7. No Analytics or Advertising

We do not use any third-party analytics, crash-reporting, advertising, or tracking SDKs. No behavioral data, advertising identifiers, or fingerprinting is collected or shared.

8. Data Retention & Deletion

You can purge all encrypted sync data from our server at any time from Settings → Encryption → Regenerate Key, which wipes all server-side batches. Local data can be cleared from Settings → Clear Local Data.

We do not currently apply an automatic expiry to encrypted batches on the server. No data is sold or transferred to third parties under any circumstances.

9. Open Source

TimeHarbor is fully open source. You can inspect the exact code that runs in this app, including all data handling, on our GitHub repository. You can also self-host the backend server so that no data ever leaves your own infrastructure.

10. Children’s Privacy

TimeHarbor is not directed at children under 13. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this policy from time to time. The effective date at the top of this page will reflect the most recent revision. Continued use of the app after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this policy, please open an issue on our GitHub repository or contact us at support@mieweb.com or dharamkarpoonam9@gmail.com.