Privacy Policy
Overview
HeadQrtr is a time-tracking and client relationship management (CRM) tool built by HeadQrtr LLC. This policy explains what data we collect, why, and how you can control it. We are committed to protecting your privacy and only collect data necessary to provide the service.
This policy covers both the application at app.headqrtr.com and the marketing site at headqrtr.com. The two run on separate infrastructure and collect different categories of data, noted where relevant below.
Data we collect
We collect and process the following categories of personal data:
- Account data — email address and hashed password for authentication
- Contact/client data — names, email addresses, phone numbers, company names, addresses, and notes you enter about your clients
- Financial data — invoices, expenses, billing rates, and payment records you create
- Time tracking data — time entries, task descriptions, and project details
- Content — pages, boards, proposals, and email templates you create
- Lead form submissions — responses submitted through your published forms, including respondent IP address, browser info, and referral source
- Social media data — posts, profiles, and publishing data from connected social accounts (LinkedIn, Meta, TikTok, YouTube) that you explicitly authorize
- Usage data — audit logs of security-relevant actions (login, logout, password changes) including IP address and timestamp
- Pilot signup data — email address, browser info, referrer, and timestamp collected when you submit the pilot signup form on headqrtr.com
How we use your data
- Service delivery — to provide time tracking, invoicing, CRM, and project management features
- Authentication and security — to verify your identity, manage sessions, and protect against unauthorized access
- Payment processing — to create checkout sessions and verify payments via Stripe (we never store card numbers)
- Client portals — to share deliverables, documents, and reports with your clients when you choose to
- Pilot communications — to contact you about the pilot program and product updates (marketing site)
Lawful basis for processing
We process your data under the following legal bases (GDPR Article 6):
- Contract performance — processing necessary to provide the service you signed up for
- Legitimate interest — security logging, fraud prevention, and service improvement
- Consent — optional integrations (Google Calendar, Gmail, YouTube, LinkedIn, Meta, TikTok) that you explicitly authorize via OAuth; analytics cookies that require opt-in
Third-party services
We use the following third-party services that may process your data:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database and authentication | All app data (encrypted in transit and at rest) |
| Stripe | Payment processing | Invoice amount, client email (card data handled entirely by Stripe) |
| Netlify | Hosting and serverless functions | Server logs, IP addresses |
| Google APIs | Calendar, Gmail, and YouTube (optional, user-authorized) | Only what you authorize via OAuth consent, accessed on your behalf |
| LinkedIn API | Social publishing (optional, user-authorized) | Profile info and posts you create, accessed on your behalf via OAuth |
| Meta (Facebook/Instagram) API | Social publishing (optional, user-authorized) | Pages, profiles, and posts you create, accessed on your behalf via OAuth |
| TikTok API | Social publishing (optional, user-authorized) | Profile and posts you create, accessed on your behalf via OAuth |
| Google reCAPTCHA v3 | Spam prevention on public forms and bookings | Browser interaction signals (no personal data sent) |
| Cloudflare Turnstile | Spam prevention on pilot signup (marketing site) | Browser interaction signals (no personal data sent) |
| Dropbox | File uploads (optional, for client portals) | Files you choose to upload |
| Anthropic | AI command assistant (optional) | Command text and context you provide |
| Sentry | Error monitoring | Error details, browser info, and stack traces (no personal content) |
| PostHog | Product analytics on app.headqrtr.com (consent-based) | Anonymous usage events and feature interactions |
| Google Analytics 4 | Marketing site traffic on headqrtr.com only (consent-based) | Anonymized page views, referrer, browser info; anonymize_ip enabled; not loaded until consent |
| Resend | Transactional email delivery | Recipient email address, message content, and delivery metadata needed to send app emails |
| MailerSend | Fallback transactional email delivery when configured | Recipient email address, message content, and delivery metadata needed to send app emails |
| MailerLite | Limited mailing-list or admin notification workflows | Subscriber/contact details and message content when those workflows are used |
Social media integrations (LinkedIn, Meta, TikTok, YouTube) are entirely optional. We only access these accounts when you explicitly connect them via OAuth, and we only act on your behalf — publishing content you create, reading profile data you authorize, and managing posts you initiate. We don't access your social accounts without your authorization, and you can disconnect any integration at any time from Settings.
We don't sell your data to any third party. We don't use advertising trackers inside the app.
Google API Services and Limited Use disclosure
HeadQrtr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to that policy.
When you connect your Google account, HeadQrtr requests access only to the data needed for features you initiate — for example, Google Calendar events and free/busy information to show your calendar inside the app, create and update events for your bookings and time blocks, and check availability for scheduling. In line with the Limited Use requirements:
- We do not transfer Google user data to third parties except as necessary to provide these features, to comply with applicable law, or as part of a merger or acquisition with notice to you
- We do not use Google user data for advertising, and we do not sell it
- We do not use Google user data to train generalized AI or machine-learning models
- No humans read this data unless you give explicit permission, it is required for security or legal reasons, or it has been aggregated and anonymized
- You can disconnect your Google account at any time from Settings, which revokes HeadQrtr's access
Data storage and security
- Data is stored in Supabase (PostgreSQL) with row-level security policies
- Passwords are hashed using scrypt with random salts
- Session tokens are stored as SHA-256 hashes
- All data in transit is encrypted via HTTPS/TLS
- Optional AES-256-GCM encryption is available for local data
- Multi-factor authentication (TOTP) is available
- All security-relevant actions are logged with IP address and timestamp
Data retention
- Account data — retained while your account is active
- Business records — retained while your account is active unless a verified deletion request, legal hold, or security requirement changes that schedule
- Deletion requests — submitted through Settings or support are manually reviewed before irreversible deletion. Once approved, records may be soft-deleted for a recovery and safety window before final purge according to our retention schedule
- Audit logs — retained for 90 days for security investigation purposes
- Session data — expires after 72 hours of inactivity and is purged on a scheduled cleanup cycle
- Pilot signup data — retained while the pilot program is active. You can request deletion at any time by emailing us
Your rights
You have the following rights under CCPA, GDPR, and other applicable privacy laws:
- Right to access — export all your data as a JSON file from Settings in the app
- Right to deletion — submit a verified deletion request from Settings or by contacting support (CCPA Section 1798.105). Requests are manually reviewed before irreversible deletion
- Right to portability — your data export is in machine-readable JSON format
- Right to rectification — edit any of your data directly in the app
- Right to restrict processing — contact us to request processing restrictions
- Right to opt out — we do not sell data; client portal activity tracking can be disabled in portal settings
To exercise these rights, use the Data Privacy controls in your account Settings, or contact us at the address below.
Cookies and local storage
On app.headqrtr.com (the application) we use the following cookies and browser storage:
- tt_session (cookie) — authentication session token (strictly necessary, HttpOnly)
- tt_device (cookie) — companion session verification token (strictly necessary, HttpOnly)
- tt_csrf (cookie) — CSRF protection token (strictly necessary)
- localStorage — app preferences, offline data cache, and theme settings (functional)
- PostHog cookies — product analytics, only set when you consent via the cookie banner (analytics)
On headqrtr.com (the marketing site) we use:
- headqrtr_cookie_consent (localStorage) — records your analytics consent choice (strictly necessary)
- Google Analytics cookies (
_ga,_ga_*) — only set when you accept analytics in the cookie banner. The Google Analytics script is not loaded at all until you consent.anonymize_ipis enabled. No advertising or remarketing features are used.
We do not use advertising cookies on either property. Analytics cookies (PostHog on the app, Google Analytics on the marketing site) are only set with your explicit consent and can be revoked at any time using the cookie settings link in the relevant footer.
Children's privacy
HeadQrtr is not directed at children under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance.
Contact
For privacy inquiries or to exercise your data rights, contact:
HeadQrtr LLC
support@headqrtr.com