Privacy Policy

1. Introduction

RealHourly ("we", "us", "our") operates the real-hourly.com website and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.

We comply with the South Korean Personal Information Protection Act (PIPA) and the European Union General Data Protection Regulation (GDPR), and are committed to protecting your personal information.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Email address, password, display name
• Profile Information: Default currency, hourly rate goal, timezone, language preferences
• Project Data: Project names, client information, expected hours and fees, platform fee rates, tax rates
• Time Log Data: Task descriptions, dates, time (minutes), categories, natural language input text
• Cost Data: Cost amounts, types, notes
• Payment Information: Processed via Polar (Stripe-based); we do not directly store payment card information

2.2 Automatically Collected Information

• Usage Data: IP address, browser type, device information, operating system, page views, click data
• Cookies and Tracking Technologies: Session cookies (authentication), analytics cookies (Google Analytics), local storage (user preferences)
• Log Data: Access times, referral URLs, error logs

2.3 Information from Third Parties

• Social Login: When you log in via Google OAuth, we receive your email, profile picture, and name from Google

3. How We Use Your Information

We use the collected information for the following purposes:

• Provide and operate the Service (time tracking, profitability analysis, real hourly rate calculation)
• Provide AI-powered features (natural language time log parsing, chatbot assistance, insight generation)
• Authenticate accounts and maintain security
• Provide customer support and respond to inquiries
• Improve the Service and develop new features
• Analyze usage patterns and generate statistics
• Comply with legal obligations and prevent fraud
• Marketing and promotions (with user consent)

4. Third-Party Service Providers

We use the following third-party services:

4.1 Supabase (Database and Authentication)

• Purpose: PostgreSQL database hosting, user authentication, session management
• Data Location: AWS (US or selected region)
• Security: Row-level security (RLS) policies enforced, encrypted connections

4.2 OpenAI (AI Processing)

• Purpose: Natural language time log parsing, AI chatbot, weekly insight generation, invoice item generation
• Data Processed: Time log text, project context, user questions
• Important: OpenAI uses data for processing only and does not use it for model training. Data is deleted within 30 days after processing (per OpenAI's data usage policies)

4.3 Google Analytics

• Purpose: Website usage statistics and analysis
• Tracking ID: G-YQ6MKBLBKY
• Data Collected: Page views, session duration, user demographics (anonymized)
• Opt-out: Google Analytics Opt-out Browser Add-on

4.4 Polar (Payment Processing)

• Purpose: Subscription payment processing
• Based On: Stripe (PCI-DSS compliant)
• Data Processed: Payment card information, billing address, transaction history
• Important: We do not directly store payment card numbers

4.5 Vercel (Hosting)

• Purpose: Web application hosting and deployment
• Data Location: Global CDN (US default)
• Data Processed: Logs, performance metrics

5. Data Retention

• Account Data: Until account deletion request or automatic deletion after 2 years of inactivity
• Time Log and Project Data: Retained until user deletion (soft delete, permanent deletion within 30 days)
• Log Data: Retained for 90 days
• Payment History: Retained for minimum 7 years per legal requirements
• Marketing Data: Deleted immediately upon consent withdrawal

6. Data Security

We implement the following security measures:

• TLS/SSL encryption for all data transmission
• Data-at-rest encryption (AES-256)
• Row-level security (RLS) policies for data isolation
• Regular security audits and vulnerability scans
• Employee access restrictions and role-based permission management
• API request rate limiting and DDoS protection

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

7. Your Rights (GDPR/PIPA)

You have the following rights:

• Right of Access: Request a copy of your personal information we hold
• Right to Rectification: Request correction of inaccurate or incomplete information
• Right to Erasure (Right to be Forgotten): Request deletion of your personal information
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Restriction of Processing: Request restriction of processing in certain circumstances
• Right to Object: Object to certain processing, such as direct marketing
• Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of processing before withdrawal)

To exercise these rights, please contact us at support@real-hourly.com. We will respond within 30 days.

You also have the right to lodge a complaint with your supervisory data protection authority.

8. Children's Privacy

Our Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@real-hourly.com.

9. International Data Transfers

Your information may be transferred to and processed on servers outside your country of residence. Specifically:

• Supabase (AWS): US or selected region
• OpenAI: US
• Vercel: Global CDN

We ensure your data is protected in accordance with this Privacy Policy and applicable law through EU Standard Contractual Clauses (SCCs) and appropriate safeguards.

10. Cookie Policy

10.1 Cookies We Use

Essential Cookies

• Supabase Session Cookies: Maintain login state (expires: 7 days)
• CSRF Token: Prevent security attacks

Analytics Cookies

• Google Analytics (_ga, _gid): Collect usage statistics (expires: 2 years / 24 hours)

Functional Cookies

• Local Storage: Language settings, theme preferences, dashboard layout

10.2 Managing Cookies

You can manage cookies through:

• Browser settings to block or delete cookies
• Google Analytics opt-out add-on
• Note: Blocking essential cookies may prevent the Service from functioning properly

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will post the new Privacy Policy on this page and update the "Last Updated" date.

For significant changes, we will notify you via email or by posting a prominent notice on our Service. We encourage you to review this Privacy Policy periodically before the changes take effect.

12. Contact Us

If you have questions, concerns, or wish to exercise your rights regarding this Privacy Policy, please contact us at: