Legal

Privacy Policy

Last updated: June 10, 2026

This Privacy Policy explains how 0x234 Pty Ltd handles personal information when you access or use DoubleTime, including our website, application, support channels, billing systems, hosted invoice links, payment features, import tools, API functionality, OAuth authorisation features, MCP server access and related services.

By using the service, you acknowledge that we will handle personal information as described in this Privacy Policy. Where we rely on your consent for a particular activity, we will ask for that consent separately where required by law.

Table of Contents

1. Overview

This Privacy Policy describes the personal information we collect, how we use it, when we disclose it, how we protect it, how long we keep it, and how you can contact us about privacy requests or complaints.

DoubleTime is intended for freelancers, contractors and other business professionals who use the service to manage tasks, time, clients, invoices, billing workflows and related business records.

2. Who We Are and Scope of this Policy

DoubleTime is operated by 0x234 Pty Ltd, an Australian proprietary limited company.

This Privacy Policy applies to personal information handled through our website, application, account systems, support channels, billing systems, hosted invoice links, import and migration tools, API functionality, OAuth authorisation features, connected-app functionality, MCP server access, invoice communications and related services.

This Privacy Policy does not apply to third-party websites, applications or services that we do not operate, including third-party applications, MCP clients or AI tools you authorise, even if they are linked from the service or integrated with the service.

3. Key Terms

For the purposes of this Privacy Policy:

  • "We", "our" or "us" means 0x234 Pty Ltd.
  • "You" or "your" means the person accessing or using the service.
  • "Service" means DoubleTime, including our website, application, account systems, API, OAuth authorisation features, MCP server access, hosted invoice links, payment features, import tools, infrastructure, support channels and related services.
  • "Account" means a unique account created for a freelancer, contractor or business professional to access the service and manage their business profile within the service.
  • "Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable. In some jurisdictions, this may be referred to as "personal data".
  • "Client, customer, recipient or third-party information" means information you provide about another person or organisation, such as a client, customer, invoice recipient, business contact or representative of a client or customer.
  • "Usage data" means information collected automatically when the service is accessed or used, including technical, log, diagnostic, security and interaction data.
  • "Service API token" means a credential issued from your account that allows programmatic access to the service on your behalf without requiring your login credentials.
  • "OAuth application" means an application, integration or MCP-compatible client that uses DoubleTime's OAuth authorisation features to request scoped access to the service.
  • "Connected app" means an OAuth application or integration that you authorise to access your account, account data or service features.
  • "OAuth grant" means your approval for a connected app to access selected service resources and scopes.
  • "MCP client" or "AI tool" means an application, assistant, agent or other tool that connects to the DoubleTime MCP server or uses MCP-compatible access to work with DoubleTime data or actions.
  • "Scope" means a permission category that limits the account data, service resources or actions an OAuth application, connected app, MCP client or AI tool may request.
  • "Third-party API token" means a credential issued by a third-party provider that you supply to the service so that we can access an external account or service in connection with an import or migration.
  • "Hosted invoice link" means a URL-based method of invoice delivery where an invoice is made available through a web page served by the service, rather than only as a file attachment.
  • "Protected access flow" means a method of invoice delivery through a hosted invoice link that requires a recipient to verify their email address before the invoice can be viewed.
  • "Standard link-based access" means a method of invoice delivery through a hosted invoice link that does not require recipient verification, meaning anyone in possession of the link may view the invoice.
  • "Payment instructions" means details you choose to display on invoices so that your clients or customers can pay you directly, such as bank account details or PayID information.

4. Children and Minimum Age

DoubleTime is intended for freelancers, contractors and other business professionals. You must be at least 18 years old, and legally able to enter into a binding agreement, to create an account or use the service.

The service is not directed to, and must not be used by, anyone under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe that someone under 18 has provided personal information to us, please contact us so that we can take appropriate steps, which may include deactivating the account and deleting the information where required.

5. Our Role in Handling Personal Information

For account registration, subscription billing, support, security, analytics, service administration and legal compliance, we generally decide how and why personal information is handled.

For client, customer, recipient, invoice, task, project, payment instruction, attachment, import data and authorised app access that you provide, configure or approve for your own business purposes, we handle that information to provide, secure and support the service at your direction.

You are responsible for ensuring that you have the right to provide client, customer, recipient and third-party information to us, to use it through the service, to authorise connected apps, MCP clients or AI tools to access it, and to send invoices, receipts, hosted links, attachments and related communications to recipients.

6. Personal Information We Collect

The types of personal information we collect depend on how you use the service and which features you choose to use.

6.1 Account and Contact Information

When you create or use an account, we may collect and handle account and contact information, including:

  • Email address.
  • First name and/or last name.
  • Country of residence.
  • Notification and communication preferences.
  • Account activity timestamps, such as login and last-active events.
  • Social login profile information, such as name and email address, if you sign in through GitHub, GitLab, Google or LinkedIn.

6.2 Business and Invoice Information

We collect business and invoice information that you provide or create in the service. Business information may include personal information where it identifies an individual, such as a sole trader, contractor or primary contact.

This information may include:

  • Business or entity name.
  • Entity identification number, such as an ABN.
  • Primary contact name.
  • Business or primary contact email address.
  • Phone number.
  • Address.
  • Business logo, where applicable.
  • Payment instructions displayed on invoices, such as bank account details or PayID.
  • Billing preferences, including currency, tax settings, invoice schedules, due date terms and invoice grouping preferences.
  • Services provided and cost of services.
  • Invoice data, invoice status, billing periods, payment records, payment attempts and receipt details.

6.3 Client, Customer, Recipient and Third-Party Information

You may choose to provide client, customer, recipient and third-party information so that you can manage tasks, time entries, projects, invoices, billing records and related communications through the service.

This information may include:

  • Client, customer or entity name.
  • Entity identification number, such as an ABN.
  • Primary contact name.
  • Email address.
  • Phone number.
  • Address.
  • Invoice recipient names and email addresses.
  • Invoice message content.
  • Payment receipt details sent through the service.
  • Services provided and cost of services.
  • Project, task, time-entry and billing metadata associated with a client or customer.

You decide what client, customer and recipient information you provide, and you are responsible for ensuring that the information is accurate and that you are authorised to provide and use it through the service.

6.4 Usage, Security and Log Data

We may automatically collect usage, security and log data when you access or use the service. This may include:

  • Device IP address.
  • Browser type and version.
  • Pages or features visited.
  • Time and date of visit.
  • Time spent on pages.
  • Diagnostic and server-log data.
  • Account activity timestamps.
  • Feature milestone events, such as onboarding completion, viewing unbilled work, creating draft invoices, or finalising or sending invoices.
  • OAuth authorisation, connected-app, scope, resource, token-use, MCP/API request, revocation and security-audit events.

We use privacy-focused analytics and product telemetry to understand service usage and improve the service. Where practicable, analytics are aggregated or de-identified. Some operational events may be associated with an account where necessary to provide features, support users, protect the service, manage notifications, or understand feature adoption.

6.5 API, OAuth, MCP and Import Credentials

If you create a service API token, we store limited token metadata, including the token name, expiry date, last-used timestamp and IP addresses from which the token has been used. This information is used to authenticate API requests, protect accounts, maintain service integrity, and manage token expiry and inactivity. Expired tokens may be retained for a short grace period before deletion.

If you register an OAuth application, authorise a connected app, or connect through an MCP client or AI tool, we may store related metadata. This may include application names, client identifiers, redirect URIs, application type, selected scopes, access targets, grant status, revocation status, token expiry, last-used timestamps, IP addresses, security events and token verification data.

We use this information to authenticate requests, enforce scopes and access targets, show connected-app status, support revocation, protect accounts and investigate misuse or security issues.

OAuth access tokens, refresh tokens and OAuth grants may allow connected apps, MCP clients or AI tools to access account data or perform actions according to the scopes you approve. Depending on the scopes granted, this may include business-sensitive data such as client or customer names, contact details, task names, time entries, invoice contents, line items, payment records, billing summaries, report output, settings, attachments and invoice recipient details.

You can revoke connected-app access where the service provides that control. Revocation stops future access by that connected app, but it does not delete or retrieve information the app, MCP client or AI tool already received before revocation.

If you use an import or migration feature, we may process third-party API tokens or other credentials supplied by you, connected account or workspace identifiers, selected filters such as date ranges, previewed or imported data, provider mapping records, import run summaries, warnings and error details.

Unless we explicitly describe an ongoing sync, import and migration tools are intended for one-off migration only. Unless otherwise stated in-product, third-party API tokens and other import credentials are used only for the relevant import session and are not currently stored after the session, so they must be entered again for a later import.

6.6 Cookies and Browser Storage

Cookies are small files or pieces of information stored by your browser. Browser storage includes other storage mechanisms, such as local storage, that allow the service to store information on your device.

We use first-party cookies and browser storage that are necessary to operate the service, maintain sessions, authorise account access, improve performance and remember service settings. We do not use third-party analytics cookies.

The following cookie is currently used by the service:

NamePurposeDomainMax. Retention
dtidUsed for session identification and account access.DoubleTime30 days

Browser storage may store service data on your device, such as settings for your personalised experience, tasks and task-related content, tags, and associations between tags and tasks.

If you use the service on a device that you do not own or control, such as a public or employer-managed device, you should ensure you are authorised to use that device and should log out and clear browser data when finished where appropriate.

6.7 Payment and Subscription Information

We use Stripe for subscription checkout, billing management and payment processing. We may provide Stripe with information needed to create and manage a customer or subscription record, such as your email address, name, country of residence, subscription status and related billing metadata.

For payment or subscription checkout, you may be redirected to a Stripe-hosted payment page. For subscription and billing management, you may be redirected to Stripe's customer portal. Payment card details are entered directly into Stripe's systems, and we do not store full card details on our own servers.

Stripe is responsible for the personal information it processes through its payment and billing services in accordance with Stripe's own privacy policy, terms and applicable law.

If you enable invoice card payments or an invoice recipient pays through a Stripe-hosted checkout flow, Stripe and any connected Stripe account may process information needed to provide that payment flow, such as recipient email address, invoice identifiers, invoice amount, currency, checkout session details, payment status and payment transaction metadata. We may store payment attempt and reconciliation records, but sensitive payment card details are handled by Stripe.

7. How We Use Personal Information

We use personal information for the purposes described in this Privacy Policy and as otherwise permitted or required by law. These purposes include:

  • Creating, maintaining, securing and personalising your account.
  • Providing, operating, supporting and improving the service.
  • Authenticating users, authorising account access and managing service API tokens.
  • Managing OAuth applications, connected apps, MCP server access, token issuance, scope and resource enforcement, revocation and security auditing.
  • Providing account data and service actions to connected apps, MCP clients and AI tools according to the scopes and access targets you approve.
  • Generating invoices, hosted invoice links, payment receipts and related records.
  • Supporting Stripe Connect invoice card payments, payment attempts, payment status updates and payment reconciliation.
  • Supporting invoice attachments, payment instructions, dispatch history and recipient interactions.
  • Providing Billing Hub and billing recovery features, including billing summaries, unbilled or blocked work, invoice readiness checks, suggested billing periods, scheduled draft metadata, reminders and weekly billing digests.
  • Processing task, activity, client, customer, project, invoice, payment, tax, currency, schedule and notification data for service functionality.
  • Previewing, mapping, importing, deduplicating, supporting and maintaining third-party imports and migration history.
  • Sending authentication, security, account, billing, legal, support and service-critical notices.
  • Sending optional product notifications or marketing communications where permitted by law and your preferences.
  • Responding to support requests, bug reports, feature requests and privacy inquiries.
  • Understanding feature adoption, diagnosing issues and improving product workflows.
  • Complying with legal, tax, accounting and regulatory obligations.
  • Preventing fraud, abuse, misuse and security incidents, and enforcing our rights.

7.1 No Sale of Data, Public Display or Client/Customer Marketing

We do not sell, rent, trade, or otherwise monetise personal information, business information, client, customer or recipient information, Billing Hub data, invoice data, payment records, task data, activity data, import data or support data.

We do not use information supplied through the service for public display, advertising, promotional showcase, benchmark reports, public directories or similar publication by us. This does not limit user-directed functionality, such as invoices, payment receipts, hosted invoice links, attachments, business logos, or other information you choose to create, send, publish or make available through the service.

We do not use client, customer or recipient information supplied by users to market or promote DoubleTime or any third-party product or service to those clients, customers or recipients. We only contact clients, customers or recipients where needed to provide user-directed service functionality, respond to recipient-initiated support or privacy requests, comply with law, protect security, or enforce our rights.

We do not use information supplied through the service to train our own AI models. If you authorise a third-party AI tool, MCP client or other connected app, that third party's own privacy policy and terms may apply to the information it receives.

8. User-Directed Sharing, Hosted Invoice Links and Attachments

The service allows you to create, send, publish and share invoices, hosted invoice links, payment receipts, attachments, payment instructions and related business records. These disclosures are user-directed and depend on the information you choose to enter and the sharing options you choose to use.

A protected access flow requires a recipient to verify their email address before viewing the invoice. It is designed to reduce unintended access, but it is not a guarantee that every recipient device, email account or downstream copy is secure. A standard link-based access flow does not require recipient verification, meaning anyone with the link may be able to view the invoice. Where the service supports public invoice links, it is designed to omit structured client, customer and sender contact details such as contact names, street addresses, phone numbers and email addresses from unrestricted public views.

If you choose to add payment instructions to your invoices, we may store those details and display them to recipients through hosted invoice links so that payment can be made directly to you. Payment instructions are not frozen into historical invoices at the time of issue. They reflect your current account settings whenever an invoice is subsequently viewed, printed or downloaded.

If you upload files or supporting documents to an invoice, those files may be stored in our infrastructure or with third-party storage providers and made available for download to authorised recipients, or to anyone with valid invoice or download access consistent with the invoice's sharing configuration.

Users and recipients may print invoices, download attachments, forward communications, take screenshots, or otherwise capture information outside the service. Once this occurs, handling of that information may depend on the actions of the user or recipient and may be outside our control.

You are responsible for ensuring you have the right to upload, store, send, publish and share any attachment, payment instruction, client or customer data, recipient data or other information you provide through the service.

If you are a client or customer of one of our users and have concerns about how your information is used in that user's invoices, billing records or communications, you should contact the relevant user first. You may also contact us about privacy-related inquiries using the details below.

9. Notifications, Service Emails and Marketing

We may contact you by email or other electronic communication channels to provide service communications, including authentication messages, support responses, billing notices, legal notices, security alerts, invoice-related emails, payment receipts and account-critical notices.

Some communications are optional product notifications, such as reminders, milestone messages, onboarding prompts, re-engagement emails and weekly billing digests. Where the service provides settings to disable non-mandatory notifications, we will use those settings to manage optional product communications.

Weekly billing digests may include summary information about your account activity and billing state, such as total hours tracked, task count, activity count, top client or customer name where available, invoice totals, payment totals, unbilled work, ready-to-invoice work, blocked work and ageing unbilled work. Weekly billing digests do not include task titles or notes.

With your consent, or where otherwise permitted by applicable law, we may send you marketing communications about DoubleTime features or services. You may opt out of marketing communications at any time. Security, authentication, billing, legal and other account-critical notices remain mandatory while relevant to your account or use of the service.

We do not contact your clients, customers or recipients for DoubleTime marketing or promotional purposes.

10. How We Disclose Personal Information

We may disclose personal information where needed to provide, operate, secure and support the service, or where permitted or required by law. This may include disclosure to:

  • Service providers who host, store, transmit, monitor, analyse, support, bill for, or otherwise help operate the service.
  • Recipients or other third parties where you direct us to send invoices, hosted invoice links, payment receipts, attachments or related communications.
  • Connected apps, OAuth applications, MCP clients, AI tools or other external services where you authorise or direct access to account data or service actions.
  • Third-party import providers where you direct us to connect to, preview or import information from an external service.
  • Stripe and other payment-related providers for subscription checkout, billing management, invoice card payments and payment processing.
  • Support and issue-tracking providers where you submit support requests, bug reports or other inquiries.
  • Professional advisers, insurers, auditors or similar advisers where reasonably necessary for business, legal or compliance purposes.
  • Government authorities, regulators, courts or law enforcement where required or permitted by law.
  • Parties involved in preventing or investigating fraud, abuse, misuse, security incidents or possible wrongdoing in connection with the service.
  • Parties involved in protecting our rights, property, legal interests, users, recipients or the public.

11. Third-Party Services

We use third-party services to host, operate, secure, support, monitor, improve and provide parts of the service. These providers may process personal information on our behalf or, where you choose to use an integration or external service, in accordance with their own privacy policies and terms.

Third-party OAuth applications, MCP clients, AI tools and other connected apps that you authorise are not operated by us unless we expressly identify them as a DoubleTime-operated service. You should review their privacy policies and terms before granting access, because we do not control how they handle information after they receive it.

The providers we use may change from time to time as our infrastructure and service needs evolve. Where a provider is specifically named below, more information is available through the linked provider resources.

11.1 Operational Service Providers

Cloud and Storage Infrastructure

  • Purpose: We use cloud, hosting, storage, backup and infrastructure providers to host the service, store service data, serve static assets, maintain backups and support service availability.
  • Information involved: Account information, business information, client, customer and recipient information, invoice data, task data, uploaded files, attachments, logs, technical data and backup data, depending on the feature used.
  • External resources: Provider details may vary as our infrastructure evolves.

Email Delivery Providers

  • Purpose: We use email delivery providers to send authentication emails, support replies, billing notices, invoice-related emails, payment receipts, reminders, milestone notifications, weekly billing digests and other service communications.
  • Information involved: Names, email addresses, message content, delivery metadata, timestamps and related communication records.
  • External resources: Provider details may vary as our email infrastructure evolves.

11.2 Named Third-Party Services

Google Fonts

  • Purpose: We use Google Fonts in parts of our website and application, including interface typography, icons and invoice design features.
  • Information involved: When your browser requests font resources from Google, Google may receive technical data such as your IP address, browser or device information, referrer information and requested font families.
  • External resources: Website, Privacy Policy and Terms.

Jira Cloud

  • Purpose: We use Atlassian Jira Cloud and related support tools to manage customer support requests, contact form submissions, issue tracking and service-related support workflows.
  • Information involved: Names, email addresses, support request content, attachments you provide, technical context and support history.
  • External resources: Website, Privacy Policy and Terms.

Sentry

  • Purpose: We use Sentry to monitor errors, diagnose issues, improve reliability and understand technical failures in the service.
  • Information involved: IP address, browser and device information, error details, diagnostic information and application state at the time an error occurs. We use this information to debug, secure and improve the service. Where replay diagnostics are enabled, text capture is configured to be masked where supported.
  • External resources: Website, Privacy Policy and Terms.

Toggl Track

  • Purpose: If you use the Toggl Track import feature, we send import requests to Toggl Track so we can discover accessible workspaces, preview importable work and complete the migration.
  • Information involved: Toggl Track API token, selected import range, workspace identifiers, project information, client or customer information, time entries and other data returned from your Toggl Track account for preview or import.
  • External resources: Website, Privacy Policy and Terms.

Stripe

  • Purpose: We use Stripe to process payments, manage subscriptions, provide payment checkout, support billing management and support invoice card payments where enabled.
  • Information involved: Account identity, billing email address, billing country, subscription status, invoices, invoice recipient email address, checkout session details, payment attempt records, payment method details and payment transaction information. Sensitive payment card details are handled by Stripe and are not stored directly by us.
  • External resources: Website, Privacy Policy and Terms.

12. Data Storage and International Transfers

We primarily store and process service data on infrastructure located in Singapore. Encrypted backups may be stored in Australia for disaster recovery. Certain public static assets, such as brand logos, may be stored in Australia and cached or served from globally distributed edge locations to improve performance.

Uploaded files, invoice attachments, email delivery metadata, support records, payment records, error logs and import-related data may also be processed by service providers in other countries, depending on the provider and feature used.

Where we disclose personal information to overseas service providers, we take reasonable steps designed to ensure that those providers handle personal information consistently with this Privacy Policy and applicable privacy laws.

If you are located in the EEA or UK, we rely on appropriate safeguards for international transfers where required, such as standard contractual clauses, the UK International Data Transfer Addendum or Agreement, or another lawful transfer mechanism.

13. Security

We take reasonable steps appropriate to the nature of the information we hold to protect personal information against misuse, interference, loss, unauthorised access, modification and disclosure.

No method of transmission over the Internet or method of electronic storage is completely secure, so we cannot guarantee absolute security. The privacy and security of information shared through hosted invoice links, downloaded attachments, printed invoices, screenshots, forwarded communications or recipient-managed systems may also depend on the actions of users and recipients outside our control.

OAuth and MCP access is controlled through scopes, access targets, token expiry, revocation controls and security monitoring. These controls reduce risk, but they do not control the security practices of third-party applications, MCP clients or AI tools after you authorise them to receive information.

14. Retention, Account Deletion and Backups

We keep personal information for as long as reasonably necessary to provide the service, maintain your account, comply with legal, tax, accounting and regulatory obligations, resolve disputes, enforce our agreements, maintain security, prevent fraud or abuse, and support legitimate business operations.

Data categoryRetention approach
Account and profile informationKept while the account exists, unless deletion is requested or retention is required or permitted by law.
Tasks, time entries, client or customer records, invoices, attachments and business recordsKept while the account exists or until deleted through the service, subject to backups, logs and legal exceptions.
Security logs, server logs and IP logsKept for a limited operational and security period.
Service API token, OAuth application, MCP connection and connected-app metadataKept while the token, OAuth application, OAuth grant, MCP connection or connected-app record exists, with limited operational retention after expiry, revocation or deletion.
Third-party import credentialsUsed for the relevant import session unless otherwise stated in-product.
Import history, mapping records and import runsKept as needed to support repeat imports, prevent duplicates, troubleshoot issues and maintain account history.
Subscription, billing and invoice payment recordsKept as required for tax, accounting, payment, dispute, reconciliation and legal purposes.
Support recordsKept as needed to provide support, maintain business records and resolve issues.

If you request account deletion, your account will be deactivated and access to the account will be restricted. We currently provide a 7-day grace period during which you may contact us to reactivate the account.

After the 7-day grace period, we delete the account and associated user-generated data from active systems. This may include your account, profile and settings, tasks and time entries, invoices, invoice attachments, invoice dispatch history, payment records, client or customer records, tags, automation rules, notification preferences, custom tax rates, external import connections, OAuth applications, MCP connection metadata, connected-app grants, token metadata, Stripe connection records, provider mapping records and import run history.

Residual copies may remain in encrypted backups, security logs or operational records for a limited period until those backups, logs or records expire in accordance with our retention practices, unless we are required or permitted by law to retain specific information for longer.

We may retain limited information where necessary for legal, tax, accounting, fraud-prevention, security, dispute-resolution or enforcement purposes.

15. Access, Correction, Privacy Rights and Complaints

You may request access to, or correction of, personal information we hold about you by contacting us using the details below. You may also update certain account information directly through your account settings.

We may need to verify your identity before responding to certain privacy requests. We may refuse, limit or defer a request where permitted or required by applicable law.

Depending on where you are located, you may have additional rights, including the right to request deletion, restriction of processing, objection to certain processing, portability of your personal information, or withdrawal of consent where processing is based on consent.

If you have a privacy complaint, please contact us first and include enough information for us to understand and investigate your concern. We will review your complaint and respond within a reasonable period.

If you are not satisfied with our response, you may be able to contact your local privacy regulator, including the Office of the Australian Information Commissioner if Australian privacy law applies.

16. Additional Information for EEA and UK Users

If you are located in the European Economic Area or the United Kingdom, additional privacy rights and protections may apply to our handling of your personal information.

Where we determine the purposes and means of processing personal information, we process that information only where we have a lawful basis to do so. Depending on the context, we rely on the following lawful bases:

PurposeLawful basis
Creating and managing your accountPerformance of a contract
Providing, securing and supporting the servicePerformance of a contract and legitimate interests
Processing subscription, billing, tax and accounting recordsPerformance of a contract and compliance with legal obligations
Sending authentication, security, billing and service-critical noticesPerformance of a contract, legitimate interests and compliance with legal obligations
Providing user-directed invoice sharing and authorised app, MCP or AI tool accessPerformance of a contract, legitimate interests and consent where required by law
Responding to support requestsPerformance of a contract and legitimate interests
Preventing fraud, abuse, misuse and security incidentsLegitimate interests and compliance with legal obligations
Improving the service, diagnostics and product analyticsLegitimate interests
Sending marketing communications, where applicableConsent or another lawful basis permitted by applicable law

For client, customer, recipient, invoice, task, project, payment instruction, attachment and import data that you provide to the service for your own business purposes, you are responsible for ensuring that you have an appropriate basis to provide that information to us and to use it through the service. We handle that information to provide, secure and support the service at your direction.

If applicable law gives you privacy rights, you may request access to, correction of, deletion of, restriction of processing of, objection to processing of, or portability of your personal information. You may also withdraw consent where processing is based on consent. These rights may be subject to conditions and exceptions under applicable law.

You may also have the right to lodge a complaint with your local data protection authority.

17. Data Breaches

If a data breach occurs, we will assess the incident and, where required by applicable law, notify affected individuals and relevant regulators.

We may also take steps to contain, investigate and remediate the incident, and to reduce the risk of similar incidents occurring again.

18. Links to Other Websites

The service may contain links to websites, applications or services that we do not operate, including connected apps, MCP clients or AI tools you authorise. We are not responsible for the privacy practices, content, products or services of third parties. You should review the privacy policy and terms of any third-party service you access.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, providers, features or services.

If we make material changes, we will provide notice by posting a prominent notice on the service, updating the "Last updated" date, sending a notification, or using another method required by applicable law.

The updated Privacy Policy will apply from the effective date stated in the updated policy or, if no separate effective date is stated, from the date it is posted.

20. Contact Us

If you have questions about this Privacy Policy, or wish to make a privacy request or complaint, please contact us by email at [email protected].