Privacy Policy
Last updated: March 29, 2026
1. Who we are
Clocked is operated by Yarn Cloud, a company registered in the Kingdom of Saudi Arabia. In this policy, "we", "us", and "our" refer to Yarn Cloud. "Service" refers to the Clocked platform, including the website, web application, desktop application, and API.
For questions about this policy or your data, contact us at privacy@clocked.run.
2. Our role: data processor vs. data controller
When you create an account or organization, we act as the data controller for your account information (email, name, billing details).
When an organization tracks time, captures screenshots, or records activity data, we act as a data processor on behalf of the organization (the data controller). The organization determines what data is collected and who can access it through project settings.
If you are a worker whose employer uses Clocked, your employer is the data controller for your work data. Direct data access, correction, or deletion requests related to your work data to your employer first. We will assist as needed in our role as processor.
3. What we collect
| Data | Purpose | Retention |
|---|---|---|
| Account information (email, name, password hash) | Authentication, communication | Until account deletion + 30 days |
| Organization details (name, address, tax ID) | Invoicing, billing, legal compliance | Until org deletion + 30 days |
| Time entries (project, duration, timestamps, notes) | Core service functionality | Until org deletion + 30 days |
| Screenshots (captured at configurable intervals) | Work verification, as configured by org | Until entry or org deletion + 30 days |
| Activity metrics (mouse clicks, keyboard hits -- counts only, not content) | Productivity reporting, as configured by org | Until entry or org deletion + 30 days |
| Billing information (plan, payment status) | Subscription management | Active subscription + 7 years (tax law) |
| Audit logs (who changed what, when) | Security, accountability | 3 years from creation |
| Device and browser information (user agent, IP address) | Security, abuse prevention | 90 days |
4. What we do NOT collect
- Keystroke content (we count keyboard hits, we do not record what you type)
- Screen recordings or video (only periodic still screenshots, if enabled)
- GPS location or precise geolocation
- Contacts, files, or data from your device beyond screenshots
- Data from other applications on your device
5. How we use your data
- Provide the service -- time tracking, screenshots, invoicing, reporting
- Process payments -- via our payment processor (currently Stripe)
- Send transactional emails -- account verification, invitations, password resets, invoice notifications
- Maintain security -- fraud prevention, abuse detection, audit logging
- Improve the service -- aggregated, anonymized usage analytics (never individual work data)
We do not sell, rent, or trade your personal data. We do not use your work data (time entries, screenshots, activity) for advertising, profiling, or any purpose beyond providing the service to your organization.
6. Who can see your data
| Viewer | What they see |
|---|---|
| Organization Owner/Admin | All projects, all members' time entries, screenshots, activity, invoices within their organization |
| Project Supervisor | Time entries, screenshots, and activity for members of their assigned projects |
| Worker (you) | Your own time entries, screenshots, and activity only |
| Yarn Cloud staff | Access only for technical support, debugging, or legal compliance -- never browsed casually |
| Other organizations | Nothing. Data is strictly isolated between organizations. |
7. Third-party processors
We use the following sub-processors to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting and data storage | EU (Germany/Finland) |
| Stripe, Inc. | Payment processing | USA (PCI-DSS compliant) |
| Email delivery provider | Transactional emails | Varies (see current provider) |
We may update sub-processors as our infrastructure evolves. Material changes will be reflected in this policy. Third-party integrations (ClickUp, Linear, Asana, Jira) are optional and only activated by the organization. When enabled, task metadata (task IDs and titles) is synced -- no time or screenshot data is sent to these providers.
8. International data transfers
Your data is primarily stored on servers in the European Union (Hetzner, Germany/Finland). Some sub-processors (e.g., Stripe) operate in the United States. Where data is transferred outside the EU, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable law.
9. Data retention
| Event | Retention | Then |
|---|---|---|
| Active account | Indefinite | Data retained while account is active |
| Account deletion by user | 30 days recovery window | Permanently deleted |
| Organization deleted by owner | 30 days recovery window | All org data permanently deleted |
| Inactive free account (no login for 12 months) | Email warning + 30 days | Archived then deleted |
| Payment and billing records | 7 years from transaction | Required by tax law |
| Audit logs | 3 years from creation | Permanently deleted |
| Security logs (IP, user agent) | 90 days | Permanently deleted |
"Permanently deleted" means removed from active systems and backups within 30 days of the retention period ending. We may retain anonymized, aggregated statistics indefinitely.
10. Your rights
Depending on your jurisdiction, you may have the right to:
- Access -- request a copy of your personal data
- Correction -- update inaccurate data
- Deletion -- request deletion of your account and associated data
- Portability -- receive your data in a structured, machine-readable format
- Restriction -- limit how we process your data
- Objection -- object to processing based on legitimate interests
- Withdraw consent -- where processing is based on consent
To exercise any right, email privacy@clocked.run. We will respond within 30 days. We may ask you to verify your identity before processing your request.
For workers: if your employer uses Clocked, contact your employer first for work-related data requests. They are the data controller and can manage your data through their admin panel. We will support them in fulfilling your request.
11. Cookies and tracking
We use essential cookies for authentication (session token) and preferences (language, theme). These are strictly necessary and do not require consent.
We may use analytics cookies in the future to understand how the service is used. If we do, we will update this policy and provide a cookie consent mechanism before deploying them. We will never use advertising cookies or share cookie data with advertisers.
12. Security
We protect your data through:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for stored data
- Password hashing (bcrypt)
- Role-based access controls with organization-level data isolation
- Audit logging for sensitive operations
- Regular security reviews
No system is 100% secure. If we discover a breach that affects your personal data, we will notify affected users and relevant authorities as required by law.
13. Children
Clocked is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
14. Changes to this policy
We may update this policy to reflect changes in our practices, legal requirements, or the service itself. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect. Continued use of the service after changes take effect constitutes acceptance.
15. Contact
Yarn Cloud
Kingdom of Saudi Arabia
privacy@clocked.run