Privacy Policy

1.Who publishes iTimeSheet (data controller)

The iTimeSheet mobile application (the "App") and the website itimesheet.app (the "Site") are published by:

Publisher

Kiss My Apps, a French société par actions simplifiée (SAS) with share capital of €912,673

Registered office

17, chemin des Loriots, 93230 Romainville, France

Company registration

Registered with the Registre du Commerce et des Sociétés of Bobigny under no. 890 140 494 — French SIREN 890 140 494 — French SIRET (head office) 890 140 494 00018

President & publication director

Jean-François Grang

Contact

contact@itimesheet.app

Site host

OVH SAS — 2 rue Kellermann, 59100 Roubaix, France — share capital €50,000,000 — Lille Métropole commercial register no. 424 761 419 — APE 2620Z — VAT FR 22 424 761 419 — Phone: +33 (0)8 99 70 17 61

For any question relating to this policy or to your data, please write to contact@itimesheet.app.

2.Scope

This Privacy Policy describes how Kiss My Apps processes — or rather does not process — personal data of users of the App and visitors of the Site.

It does not apply to third-party services that you may use through your iPhone (notably Apple iCloud, the Apple App Store, Apple Calendar and iOS notifications), which are governed by their own privacy policies.

3.Data processed locally on your device

When you use iTimeSheet, you yourself enter a number of professional items: clients, projects, tasks, hourly rates, hours worked, expenses, receipt photos, currencies, notes. These items:

• are stored only in a local database encrypted by iOS (Apple's Data Protection API) inside the App sandbox on your iPhone;
• are never transmitted to Kiss My Apps, to any iTimeSheet server or to any third party;
• are accessible only to you, behind your iPhone passcode, Face ID or Touch ID.

From a GDPR standpoint, these items are your data, processed by you, on your own hardware. Kiss My Apps acts neither as data controller nor as data processor with respect to them.

4.Data that can leave your device

4.1 iCloud Drive backup (optional, at your initiative)

You may, at any time and entirely optionally, trigger a backup of your database to your own iCloud Drive. This operation:

• copies a single database file to the iCloud Drive folder tied to your Apple ID;
• uses Apple Inc.'s iCloud infrastructure — Kiss My Apps has no access, no visibility, no copy;
• is governed by Apple's iCloud privacy policy.

You can disable iCloud backup at any time in the App's Settings, and delete the backup file directly from the iOS Files app.

4.2 Apple Calendar sync (optional, at your initiative)

If you enable it, iTimeSheet exports your time entries as events to the Apple Calendar of your choice, via Apple's EventKit API. The events created stay within the Apple Calendar scope of your iCloud account. No information is transmitted to Kiss My Apps.

4.3 In-App Purchases & subscriptions (Apple-processed)

The App offers premium features unlocked through Apple In-App Purchases or auto-renewing subscriptions. All transactions are handled exclusively by Apple Inc. When a purchase is validated, the App receives from Apple, via StoreKit:

• a transaction identifier (opaque string);
• the identifier of the product purchased (e.g. com.grang.itimesheet.pro.monthly);
• purchase, renewal and expiry dates;
• an Apple-signed receipt allowing the purchase to be verified.

This information is stored locally and is used only to unlock paid features inside the App. Kiss My Apps does not receive your name, address, email address, Apple ID or payment details. Your card, billing address and identity are managed entirely under Apple's terms and privacy policy.

Apple may share with Kiss My Apps, in aggregated and anonymised form, commercial metrics (sales volumes, churn rate, country of purchase) via App Store Connect. Those metrics do not allow any user to be identified.

4.4 Subscription management and paywall personalisation (Purchasely SAS)

iTimeSheet uses the services of Purchasely SAS, a French company based in Paris, as a processor to:

• validate the purchase receipts issued by Apple and restore your subscriptions when you switch devices;
• present the paywall appropriate to your current state (first launch, active subscription, trial period, expired subscription, upgrade prompt) — this is the personalisation of offers;
• internally measure the effectiveness of different paywall variants to improve them (A/B testing).

The data transmitted to the Purchasely SDK is strictly limited to:

• an anonymous device identifier (UUID generated locally by the SDK at first launch): never linked to your Apple ID, email address, name or any personal profile;
• the purchase events (transaction identifier, product identifier, dates) as received from Apple;
• the paywall interaction events (display, tap, conversion).

This data is not used for:

• cross-app or cross-site tracking;
• advertising, ours or any third party's;
• external advertising attribution (Adjust, AppsFlyer, Branch, Meta Ads, Google Ads, etc.);
• sharing with any data broker.

Legal basis (GDPR Article 6): performance of the subscription contract (Article 6.1.b) when a subscription is taken out; legitimate interest (Article 6.1.f) in offering and improving the service for users on the free tier.

Processor: Purchasely SAS, a French company registered with the Paris commercial register. An Article 28 GDPR data processing agreement governs this relationship. Data is processed and hosted within the European Economic Area.

Retention: while your subscription is active, plus the statutory retention period for commercial receipts (10 years in France).

iOS consequence: no additional authorisation is requested from you. No "App Tracking Transparency" (ATT) prompt appears, because none of the data collected is used for tracking in Apple's sense.

For more information about Purchasely, see their privacy policy.

4.5 iOS notifications and reminders (optional, at your initiative)

If you allow notifications, iTimeSheet uses Apple's local notification API (UNUserNotificationCenter) to schedule reminders on your device. No remote push notification is used and no information is sent to a server — Kiss My Apps has no push notification service.

4.6 Apple diagnostics (optional, at your initiative, anonymised)

If you have enabled "Share iPhone Analytics" in iOS Settings, Apple may send anonymised crash reports to Kiss My Apps through Xcode Organizer. These reports contain neither your data, your Apple ID, nor any advertising identifier — only the stack trace at the moment of the crash. You can disable this sharing at any time in iOS Settings > Privacy & Security > Analytics & Improvements.

5.Cookies, general-purpose analytics, advertising trackers: none

The App includes no third-party general-purpose analytics SDK (no Firebase, no Google Analytics, no Meta SDK, no Mixpanel) and no advertising attribution SDK (no AppsFlyer, no Branch, no Adjust, no Singular, no Kochava). The App uses no advertising identifier (IDFA) and performs no device fingerprinting.

The only third-party SDK present in the App is Purchasely, used as a subscription management and paywall personalisation provider (see section 4.4). Purchasely does not perform tracking in Apple's sense, participates in no advertising campaign and receives no personally identifiable data.

The Site itimesheet.app is served as static HTML/CSS, with no cookie, no pixel, no audience measurement script. No consent banner is therefore required, given that there is nothing to consent to.

If audience measurement is ever added, it will be limited to a tool that is cookieless and does not transfer data outside the EU (e.g. self-hosted Plausible), and this policy will be updated accordingly.

6.Legal bases (GDPR Article 6)

Whenever a processing operation does fall within the scope of the GDPR (for example, processing an inbound email you send us at contact@itimesheet.app), it relies on one of the following legal bases:

• Performance of a contract (Article 6.1.b) — to respond to your support request, process a refund, or perform your subscription order via Apple;
• Legal obligation (Article 6.1.c) — to keep the invoices issued by Apple on your behalf for the statutory period (10 years under French law);
• Legitimate interest (Article 6.1.f) — to ensure the technical security of the App and the Site, and to defend our rights in case of dispute.

7.Retention periods

• Data entered in the App: retained on your device as long as you do not delete it. You can delete all data by uninstalling the App.
• iCloud backup: retained in your iCloud until you manually delete it.
• Support emails: retained for three (3) years from the last exchange, then deleted.
• Invoices and receipts related to Apple In-App Purchases: retained for ten (10) years, in accordance with French accounting and tax obligations.

8.Recipients and processors

No personal data is transmitted to any commercial third party, data broker or advertising partner. The only third parties that may process data in connection with the App or the Site are:

• Apple Inc. and its affiliates — for App distribution, In-App Purchases, iCloud hosting, local notifications and the calendar. Apple acts as an independent controller for those services. See apple.com/legal/privacy.
• Purchasely SAS (Paris, France) — processor under Article 28 GDPR, for validating subscription receipts, cross-device restore, presenting personalised paywalls and internally measuring conversions. Data processed: anonymous device identifier, purchase events, paywall interaction events. Data hosted within the European Economic Area. See section 4.4 for details.
• OVH SAS — for the hosting of the Site itimesheet.app. OVH is bound by an Article 28 GDPR data processing agreement; the data processed is limited to the technical logs (IP addresses, HTTP requests) needed to run the Site.

9.International transfers outside the EEA

The Site is hosted in France by OVH; no data leaves the EEA as part of the Site. The App, by default (with iCloud backup turned off), produces no transfer.

If you enable iCloud backup, Apple may process your backup in data centres located outside the EEA (notably in the United States). That transfer takes place under your direct relationship with Apple Inc., under the EU-US Data Privacy Framework and the standard contractual clauses adopted by Apple Inc. See Apple's iCloud policy.

10.Your GDPR rights

Under Regulation (EU) 2016/679 (GDPR) and French Act No. 78-17 of 6 January 1978 ("French Data Protection Act"), you have the following rights at any time:

• Right of access — confirm whether we process data relating to you and obtain a copy;
• Right to rectification — have inaccurate data corrected;
• Right to erasure ("right to be forgotten") — request the deletion of your data;
• Right to restriction of processing;
• Right to data portability — receive your data in a structured, commonly used and machine-readable format;
• Right to object to a processing based on legitimate interest;
• Right to give instructions regarding the fate of your data after your death (Article 85 of the French Data Protection Act).

To exercise a right, write to contact@itimesheet.app. We respond within one (1) month at the latest, extendable by two (2) months for complex requests (GDPR Article 12).

11.California residents (CCPA / CPRA)

If you reside in California, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you rights comparable to those under the GDPR: right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to opt out of sale or sharing.

Kiss My Apps expressly confirms: we do not sell and do not share any personal information, within the meaning of California law, in connection with the App or the Site. We have not sold or shared any such information in the past twelve (12) months and have no intention to do so.

To exercise your CCPA rights, write to contact@itimesheet.app with "CCPA request" in the subject line.

12.Children

iTimeSheet is intended for an adult professional audience. The App is neither designed nor intended for children under the age of sixteen (16) and does not knowingly solicit any child data. If you believe a minor has sent us data by mistake (for instance a support email from a parent's account), write to contact@itimesheet.app and we will delete it promptly.

13.Security

Data stored in the App benefits from iOS native protections:

• Hardware encryption of the iPhone (AES-256) at rest;
• Application sandbox isolation;
• NSFileProtectionComplete data protection, which renders the database unreadable while the device is locked;
• Passcode, Face ID or Touch ID required to unlock the iPhone.

The Site is served exclusively over HTTPS (TLS 1.3 or higher). Inbound emails are relayed by Kiss My Apps' mail servers; we apply SPF, DKIM and DMARC.

14.Changes to this policy

This policy may be amended to reflect a change to the App, a new legal requirement or user feedback. In the event of a material change, the publisher will:

• publish the new version at the same URL (itimesheet.app/en/privacy);
• update the effective date at the top of the document;
• indicate the nature of the changes in the App's release notes.

No future change will have retroactive effect on data collected under an earlier version.

15.Contact, complaint, supervisory authority

For any question, exercise of rights or complaint, write to: contact@itimesheet.app.

If, after contacting Kiss My Apps, you consider that your rights have not been respected, you may lodge a complaint with the French data protection authority (CNIL) or with the supervisory authority of your country of residence:

CNIL — French DPA

3 place de Fontenoy — TSA 80715 — 75334 PARIS CEDEX 07, France

Phone

+33 1 53 73 22 22

Online complaint form

www.cnil.fr/en/plaintes

You may also bring the matter before any court of competent jurisdiction.