Privacy policy

TimeFillo Privacy Policy

Last updated: June 2026

What TimeFillo is

TimeFillo is a time-tracking platform for accountancy practices and other professional-services firms. It helps your staff build accurate daily timesheets by observing which client they are working on across the browser and desktop, then files the reviewed time into your practice-management system (such as FYI Docs).

TimeFillo is offered as a SaaS product. Each customer firm has its own workspace; staff members ("Co-Pilots") of that firm sign in with their own credentials. This policy covers the web app at timefillo.com, the TimeFillo Tracker Chrome extension, and the TimeFillo Desktop app for macOS and Windows.

What we collect

To build a draft timesheet we collect a minimal set of work context signals from the staff member's browser and computer:

  • Web history — the URL and page title of the currently focused browser tab.
  • Active window metadata — the name of the currently focused desktop application and its window title.
  • Focused file metadata — when a tracked folder is being watched, the file path of the document currently in focus and its file type (e.g. .docx, .pdf).
  • Match decisions — which of your firm's clients our local matcher believes a piece of work belongs to, plus a confidence score.
  • Throttled activity signals — click, scroll, and keystroke counters (never the keys themselves), used only to detect when the user is idle.
  • Account info — the email address, first name, and last name of each staff member, supplied by the firm administrator when they invite the user.

What we do NOT collect

TimeFillo is designed to minimise what leaves your device. We do not collect:

  • Page contents, DOM text, form field values, or anything you type into a web page.
  • The contents of files on your computer (we read file names and a small amount of text only for local client matching — the text never leaves your device).
  • Passwords, security tokens, or authentication credentials from any third-party site.
  • Screenshots, screen recordings, or any media.
  • The contents of emails, chat messages, or other personal communications.
  • Precise location, IP geolocation, or device tracking identifiers.
  • Financial transaction details, credit ratings, or payment information.
  • Health information.
  • Browsing activity for the purpose of advertising, profiling, or model training.

Query strings are stripped by default. Before any URL is sent to your workspace, the query string and URL fragment are removed unless the domain is on a small allow-list (e.g. Google Search). This prevents OAuth codes, password-reset links, session tokens, and other secrets from being transmitted.

The Chrome extension specifically

The TimeFillo Tracker Chrome extension:

  • Runs a content script on pages so it can read the URL, title, and visible text of the focused tab in order to match against your firm's client aliases. This matching runs entirely in your browser. Only the resulting match decision (client name + confidence) plus the URL and title leave the browser.
  • Requires the <all_urls> host permission because clients can appear on any web property your staff visits (Gmail, Outlook, Xero, FYI, client portals, banking, CRMs, document storage, etc.) and the extension cannot know in advance which subset will be relevant.
  • Uses the storage permission to persist your session, the firm's client catalog cache, and the upload queue. Uses tabs to read the focused tab's URL/title. Uses alarms to schedule background uploads and catalog refreshes. Uses webNavigation to notice single-page-app URL changes. Uses idle to pause tracking when the user is away from their computer.
  • Does not contain any remote code. All JavaScript is bundled inside the extension package.
  • Provides a pause toggle, per-page hide, per-tab manual override, and an excluded-domain list so users can stop tracking instantly at any time.

The desktop app specifically

The TimeFillo Desktop app:

  • Reads the title and owning application of the currently focused window on macOS (requires the Accessibility permission) and Windows.
  • Watches the folders the user has explicitly added to "Tracked directories" and notes when files in those folders are opened or modified.
  • For supported file types (.docx, .xlsx, .pptx, .pdf), runs a Python worker locally that reads a small amount of text from the file purely to match against your firm's client aliases. The extracted text never leaves the device — only the match decision and the file path are sent to your workspace.
  • Does not use Screen Recording, capture screenshots, or transmit file contents.
  • Provides a pause toggle that stops capture instantly.

How we use your data

The data described above is used solely to:

  • Build your draft daily timesheet so you can review and edit it.
  • Attribute time entries to the correct client.
  • File approved time into your firm's practice-management system (e.g. FYI Docs) when you press "File".
  • Operate the product: authenticate, send transactional emails (verification, password reset, invites), and maintain audit logs of administrative actions.

We do not use your data for advertising, analytics resale, behavioural profiling, credit decisions, model training, or any other purpose unrelated to building and filing your timesheet.

Sharing & third parties

Your captured work-context data is sent only to your firm's TimeFillo workspace. Within that workspace your firm's administrators can see your timesheet data as required to run the firm. Beyond that, we share data only with:

  • Your firm's nominated practice-management integration (for example FYI Docs, and onward to Xero Practice Manager) — when you press "File" we send the time entry to that system using credentials the firm has supplied. This step is initiated by your action, never automatically.
  • Subprocessors that we use to operate the service, limited to: a cloud hosting provider for the backend (currently Render), a database provider (PostgreSQL on Render), and a transactional email provider (Resend). Subprocessors process data on our behalf only and are contractually prohibited from using it for any other purpose.

We do not sell user data, do not transfer it to advertisers or data brokers, and do not use or transfer user data to determine creditworthiness or for lending purposes.

Retention & deletion

Captured segments and timesheet rows are retained for as long as your firm chooses to keep them. When the firm administrator deactivates a user, that user's outstanding session tokens are revoked immediately. When the firm cancels their TimeFillo subscription, all firm data is deleted from production systems within 30 days.

You can request deletion of your personal account data at any time by emailing the address in the Contact section. Where local law gives you a right of erasure (GDPR Article 17, etc.) we will action it within 30 days.

Your controls

  • Pause tracking on the Chrome extension or desktop app at any time with one click. No segments are captured while paused.
  • Hide on this page stops tracking on the current site for 30 minutes.
  • Manual client pick lets you override the matcher's decision for the current tab.
  • Excluded-domain list (configured by your Pilot / firm admin) skips tracking on entire domains.
  • Sign out from any device immediately invalidates every outstanding session token via a server-side revocation.

Security

  • All data in transit is encrypted using TLS.
  • Passwords are stored hashed with Argon2.
  • Third-party integration credentials (e.g. FYI access secrets) are encrypted at rest using a per-deployment Fernet key.
  • Session tokens are short-lived and revocable; refresh tokens are rotated on use.
  • Rate limiting protects login, password-reset, and other sensitive endpoints from automated abuse.

Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated to firm administrators by email and surfaced in-app. The "Last updated" date at the top of this page indicates the version currently in force.

Contact

Privacy and data-protection questions: privacy@timefillo.com

General support: timefillo.com/support


© TimeFillo · This policy applies to the TimeFillo web app, TimeFillo Tracker Chrome extension, and TimeFillo Desktop for macOS and Windows.