Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

Summary: We collect only what we need to run Hourglass. We never sell your data. Your organisation's data is isolated from all others. You can export or delete your data at any time.

1. Who We Are

Syncrasoft Ltd ("we", "us", "our") is the data controller responsible for personal data processed in connection with Hourglass. We are incorporated in England and Wales.

For any privacy-related enquiries, contact our privacy team at: privacy@syncrasoft.com.

This Privacy Policy applies to all users of Hourglass and explains how we collect, use, store, share, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

2.1 Account and Profile Data

  • Name and email address (required for authentication and account management)
  • Organisation name and details
  • Role within your organisation
  • Profile billing rate (used for internal cost calculations)

2.2 Usage Data

  • Time entries, project assignments, tasks, and notes you create within the Service
  • Scheduled work items and planned hours
  • Time-off records
  • Actions logged in the audit trail (e.g. project created, entry approved)

2.3 Technical Data

  • IP address, browser type, and device information collected automatically when you access the Service
  • Authentication tokens and session identifiers
  • Error logs and performance data used to maintain and improve the Service

2.4 Communications Data

  • Emails you send to us (e.g. support requests)
  • Notification preferences and in-app notification history

We do not collect sensitive personal data (such as health data, racial or ethnic origin, political opinions, or biometric data) through the Service.

3. How We Use Your Data

| Purpose | Legal Basis (UK GDPR) |
| --- | --- |
| Providing and operating the Service | Performance of a contract (Art. 6(1)(b)) |
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (e.g. password reset, approval notifications) | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments | Performance of a contract (Art. 6(1)(b)) |
| Improving, securing, and debugging the Service | Legitimate interests (Art. 6(1)(f)) |
| Maintaining audit logs for security purposes | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and marketing (where you have opted in) | Consent (Art. 6(1)(a)) |

4. Data Sharing

We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

  • Service Providers: We use Supabase (database and authentication), Vercel (hosting), and payment processors to operate the Service. These sub-processors are contractually bound to process data only on our instructions and in accordance with UK GDPR.
  • Legal Requirements: We may disclose data if required to do so by law, court order, or competent authority.
  • Business Transfer: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction. We will notify you in advance of any such transfer.
  • Within Your Organisation: Administrators within your organisation can access data submitted by team members in accordance with the role-based permissions model described in the Service.

5. International Transfers

Your data may be stored and processed in data centres outside the UK. Where data is transferred to countries not deemed adequate by the UK Information Commissioner's Office (ICO), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA), in accordance with UK GDPR Article 46.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account and profile data is retained until you delete your account or request deletion.
  • On account deletion, we retain data for 30 days to allow recovery, after which it is permanently deleted.
  • Financial records (e.g. invoices) are retained for 7 years to comply with UK accounting and tax obligations.
  • Server logs and audit data are retained for up to 12 months.

7. Security

We implement and maintain technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

  • Encryption of data in transit (TLS) and at rest
  • Row-level security policies enforcing per-organisation data isolation at the database level
  • Role-based access control within the Service
  • Regular security reviews of our infrastructure and code

No method of transmission over the internet is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our obligations under UK GDPR.

8. Cookies

We use essential cookies and browser storage strictly necessary to operate the Service, including session management and authentication tokens. We do not use tracking cookies or third-party advertising cookies.

You may disable cookies in your browser settings, but this may prevent you from logging in or using the Service.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data in certain circumstances.
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@syncrasoft.com. We will respond within one month. We may need to verify your identity before fulfilling a request.

If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

10. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly.

11. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 14 days before changes take effect. The updated policy will indicate the revised effective date at the top of this page.

13. Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact:

Syncrasoft Ltd

Privacy enquiries: privacy@syncrasoft.com

Legal enquiries: legal@syncrasoft.com