Privacy Policy

1. Introduction

PermitZip (“we”, “us”, or “our”) operates the PermitZIP Hours application (“App”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

Note: This App is for internal use by PermitZip employees only. It is not a public service.

2. Information We Collect

2.1 Information from Google OAuth

• Email address
• Full name
• Google profile ID
• Profile picture

2.2 Information from Hubstaff

• Time tracking data (hours worked, projects, tasks, descriptions)
• User ID and organization membership
• Project information and client names
• Billing and pay rates

2.3 Information from QuickBooks

• Customer names and contact information
• Service items and pricing
• Invoice data (numbers, amounts, dates)
• Company information

2.4 Information You Provide

• Billable status selections
• Notes and descriptions
• Notification preferences
• Project-to-customer mappings

3. How We Use Your Information

We use the collected information to:

• Provide the Service: Sync time entries, manage billing, generate invoices
• Authentication: Verify your identity via Google OAuth
• Authorization: Determine your role and permissions (Team Member, Manager, Admin)
• Analytics: Track billable hours, costs, revenue, and profit margins
• Reporting: Generate invoices and export data to QuickBooks
• Communications: Send monthly reminder emails (if opted in)
• Compliance: Maintain audit logs for security and compliance purposes

4. How We Share Your Information

4.1 Within PermitZip

Your information is shared within PermitZip as follows:

• Team Members: Can view their own time entries and associated data
• Managers: Can view all team members' time entries for approval and billing purposes
• Admins: Have full access to all data for system administration

4.2 Third-Party Services

• Supabase: Database hosting and authentication (encrypted at rest)
• Vercel: Application hosting
• Upstash Redis: Caching service (temporary data only, with TTL)
• Resend: Email delivery service

Important: We do NOT share your data with any parties outside of PermitZip except the service providers listed above, who are bound by data processing agreements.

4.3 QuickBooks Data

When you connect QuickBooks, we access your QuickBooks company data to:

• Retrieve customer information for invoice generation
• Create invoices in your QuickBooks company
• Link time entries to QuickBooks projects

This data is only accessible to PermitZip managers and admins and is never shared externally.

5. Data Security

We protect your information using:

• Encryption: All sensitive credentials encrypted with AES-256-GCM
• HTTPS: All data transmitted over encrypted connections
• Authentication: Google OAuth 2.0 for secure login
• Authorization: Role-based access control with Row Level Security (RLS)
• Audit Logging: All sensitive operations logged for security review
• Secure Tokens: OAuth tokens encrypted at rest, auto-refresh, proper revocation

6. Data Retention

We retain your information as follows:

• Time Entries: Retained indefinitely for billing and tax purposes
• Invoices: Retained for 7 years per accounting standards
• Audit Logs: Retained for 2 years
• OAuth Tokens: Deleted immediately upon disconnection
• Cache Data: Automatically expires per TTL (5 minutes to 24 hours)

7. Your Rights

As a PermitZip employee, you have the right to:

• Access: View your personal time entry data at any time
• Correction: Request corrections to your time entries
• Notification Preferences: Opt out of email reminders via Settings
• Disconnect: Disconnect Hubstaff and QuickBooks integrations at any time

To exercise these rights, contact your manager or email info@permitzip.com.

8. QuickBooks-Specific Data Practices

When you authorize our App to access your QuickBooks company:

• We request minimal scopes: accounting and payment
• OAuth tokens are encrypted using AES-256 and stored securely
• Tokens are automatically refreshed before expiry
• You can revoke access anytime by disconnecting in Settings
• When disconnected, tokens are revoked with QuickBooks and deleted from our database
• QuickBooks data synced to our app (customers, items) is deleted upon disconnection

9. Cookies and Tracking

We use cookies for:

• Authentication: Supabase session cookies (httpOnly, secure)
• OAuth State: Temporary cookies for CSRF protection (deleted after use)
• Theme Preference: Dark/light mode selection

We do NOT use tracking cookies, analytics cookies, or advertising cookies.

10. Data Processing Location

Your data is processed and stored in the United States using:

• Supabase (US region)
• Vercel (US region)
• Upstash Redis (US region)

11. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of discovering the breach. We will also notify relevant authorities as required by law.

12. Children's Privacy

The App is intended for use by PermitZip employees who are 18 years or older. We do not knowingly collect information from individuals under 18.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the “Last Updated” date
• Sending an email notification to all users

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

15. Consent

By using the App, you consent to this Privacy Policy and agree to its terms.