Privacy Policy

Last updated July 2, 2026.

Overview

HeadQrtr is a time-tracking and client relationship management (CRM) tool built by HeadQrtr LLC. This policy explains what data we collect, why, and how you can control it. We are committed to protecting your privacy and only collect data necessary to provide the service.

This policy covers both the application at app.headqrtr.com and the marketing site at headqrtr.com. The two run on separate infrastructure and collect different categories of data, noted where relevant below.

Data we collect

We collect and process the following categories of personal data:

  • Account data — email address and hashed password for authentication
  • Contact/client data — names, email addresses, phone numbers, company names, addresses, and notes you enter about your clients
  • Financial data — invoices, expenses, billing rates, and payment records you create
  • Time tracking data — time entries, task descriptions, and project details
  • Content — pages, boards, proposals, and email templates you create
  • Lead form submissions — responses submitted through your published forms, including respondent IP address, browser info, and referral source
  • Social media data — posts, profiles, and publishing data from connected social accounts (LinkedIn, Meta, TikTok, YouTube) that you explicitly authorize
  • Usage data — audit logs of security-relevant actions (login, logout, password changes) including IP address and timestamp
  • Pilot signup data — email address, browser info, referrer, and timestamp collected when you submit the pilot signup form on headqrtr.com

How we use your data

  • Service delivery — to provide time tracking, invoicing, CRM, and project management features
  • Authentication and security — to verify your identity, manage sessions, and protect against unauthorized access
  • Payment processing — to create checkout sessions and verify payments via Stripe (we never store card numbers)
  • Client portals — to share deliverables, documents, and reports with your clients when you choose to
  • Pilot communications — to contact you about the pilot program and product updates (marketing site)

Lawful basis for processing

We process your data under the following legal bases (GDPR Article 6):

  • Contract performance — processing necessary to provide the service you signed up for
  • Legitimate interest — security logging, fraud prevention, and service improvement
  • Consent — optional integrations (Google Calendar, Gmail, YouTube, LinkedIn, Meta, TikTok) that you explicitly authorize via OAuth; analytics cookies that require opt-in

Third-party services

We use the following third-party services that may process your data:

ServicePurposeData shared
SupabaseDatabase and authenticationAll app data (encrypted in transit and at rest)
StripePayment processingInvoice amount, client email (card data handled entirely by Stripe)
NetlifyHosting and serverless functionsServer logs, IP addresses
Google APIsCalendar, Gmail, and YouTube (optional, user-authorized)Only what you authorize via OAuth consent, accessed on your behalf
LinkedIn APISocial publishing (optional, user-authorized)Profile info and posts you create, accessed on your behalf via OAuth
Meta (Facebook/Instagram) APISocial publishing (optional, user-authorized)Pages, profiles, and posts you create, accessed on your behalf via OAuth
TikTok APISocial publishing (optional, user-authorized)Profile and posts you create, accessed on your behalf via OAuth
Google reCAPTCHA v3Spam prevention on public forms and bookingsBrowser interaction signals (no personal data sent)
Cloudflare TurnstileSpam prevention on pilot signup (marketing site)Browser interaction signals (no personal data sent)
DropboxFile uploads (optional, for client portals)Files you choose to upload
AnthropicAI command assistant (optional)Command text and context you provide
SentryError monitoringError details, browser info, and stack traces (no personal content)
PostHogProduct analytics on app.headqrtr.com (consent-based)Anonymous usage events and feature interactions
Google Analytics 4Marketing site traffic on headqrtr.com only (consent-based)Anonymized page views, referrer, browser info; anonymize_ip enabled; not loaded until consent
ResendTransactional email deliveryRecipient email address, message content, and delivery metadata needed to send app emails
MailerSendFallback transactional email delivery when configuredRecipient email address, message content, and delivery metadata needed to send app emails
MailerLiteLimited mailing-list or admin notification workflowsSubscriber/contact details and message content when those workflows are used

Social media integrations (LinkedIn, Meta, TikTok, YouTube) are entirely optional. We only access these accounts when you explicitly connect them via OAuth, and we only act on your behalf — publishing content you create, reading profile data you authorize, and managing posts you initiate. We don't access your social accounts without your authorization, and you can disconnect any integration at any time from Settings.

We don't sell your data to any third party. We don't use advertising trackers inside the app.

Google API Services and Limited Use disclosure

HeadQrtr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to that policy.

When you connect your Google account, HeadQrtr requests access only to the data needed for features you initiate — for example, Google Calendar events and free/busy information to show your calendar inside the app, create and update events for your bookings and time blocks, and check availability for scheduling. In line with the Limited Use requirements:

  • We do not transfer Google user data to third parties except as necessary to provide these features, to comply with applicable law, or as part of a merger or acquisition with notice to you
  • We do not use Google user data for advertising, and we do not sell it
  • We do not use Google user data to train generalized AI or machine-learning models
  • No humans read this data unless you give explicit permission, it is required for security or legal reasons, or it has been aggregated and anonymized
  • You can disconnect your Google account at any time from Settings, which revokes HeadQrtr's access

Data storage and security

  • Data is stored in Supabase (PostgreSQL) with row-level security policies
  • Passwords are hashed using scrypt with random salts
  • Session tokens are stored as SHA-256 hashes
  • All data in transit is encrypted via HTTPS/TLS
  • Optional AES-256-GCM encryption is available for local data
  • Multi-factor authentication (TOTP) is available
  • All security-relevant actions are logged with IP address and timestamp

Data retention

  • Account data — retained while your account is active
  • Business records — retained while your account is active unless a verified deletion request, legal hold, or security requirement changes that schedule
  • Deletion requests — submitted through Settings or support are manually reviewed before irreversible deletion. Once approved, records may be soft-deleted for a recovery and safety window before final purge according to our retention schedule
  • Audit logs — retained for 90 days for security investigation purposes
  • Session data — expires after 72 hours of inactivity and is purged on a scheduled cleanup cycle
  • Pilot signup data — retained while the pilot program is active. You can request deletion at any time by emailing us

Your rights

You have the following rights under CCPA, GDPR, and other applicable privacy laws:

  • Right to access — export all your data as a JSON file from Settings in the app
  • Right to deletion — submit a verified deletion request from Settings or by contacting support (CCPA Section 1798.105). Requests are manually reviewed before irreversible deletion
  • Right to portability — your data export is in machine-readable JSON format
  • Right to rectification — edit any of your data directly in the app
  • Right to restrict processing — contact us to request processing restrictions
  • Right to opt out — we do not sell data; client portal activity tracking can be disabled in portal settings

To exercise these rights, use the Data Privacy controls in your account Settings, or contact us at the address below.

Cookies and local storage

On app.headqrtr.com (the application) we use the following cookies and browser storage:

  • tt_session (cookie) — authentication session token (strictly necessary, HttpOnly)
  • tt_device (cookie) — companion session verification token (strictly necessary, HttpOnly)
  • tt_csrf (cookie) — CSRF protection token (strictly necessary)
  • localStorage — app preferences, offline data cache, and theme settings (functional)
  • PostHog cookies — product analytics, only set when you consent via the cookie banner (analytics)

On headqrtr.com (the marketing site) we use:

  • headqrtr_cookie_consent (localStorage) — records your analytics consent choice (strictly necessary)
  • Google Analytics cookies (_ga, _ga_*) — only set when you accept analytics in the cookie banner. The Google Analytics script is not loaded at all until you consent. anonymize_ip is enabled. No advertising or remarketing features are used.

We do not use advertising cookies on either property. Analytics cookies (PostHog on the app, Google Analytics on the marketing site) are only set with your explicit consent and can be revoked at any time using the cookie settings link in the relevant footer.

Children's privacy

HeadQrtr is not directed at children under 16. We do not knowingly collect data from children.

Changes to this policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

Contact

For privacy inquiries or to exercise your data rights, contact:

HeadQrtr LLC
support@headqrtr.com