Code TimeCode Time

[§/legal]

Privacy Policy

Last updated:

The English text below is the authoritative version of this policy. Localized translations are not yet available.

Code Time (codetime.dev) is an independent project run by an individual developer. This page describes, plainly, what data the Service collects, what we do with it, and how you can control or remove it. We process personal data in accordance with Japan's Act on the Protection of Personal Information (APPI), and — where they apply — the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the CPRA (CCPA). If anything below is unclear, email [email protected] and we will explain.

1. What we collect

Account. When you sign in with GitHub, Google, or Apple OAuth, we receive a provider account ID, your public username (where the provider supplies one), display name, avatar URL, and the email address linked to that provider. If you use Sign in with Apple and choose Hide My Email, we receive Apple's anonymised relay address instead of your real one and treat it the same as any other email on file. We never receive your password.

Coding activity (from the editor plugins). The VS Code and JetBrains plugins send: per-minute timestamps, the language of the active file, the file path (relative and absolute), the workspace name, the git origin URL, the git branch, the editor, and the platform. Source code is never sent. Note that file paths and git origin URLs may themselves contain identifying strings (your username, client names, private-repo names). If that's a concern, configure path redaction in the plugin before connecting.

AI-agent activity (from the agent CLI, optional). If you install the agent CLI, it sends session-level metadata: model name, token counts (input / output / cache), cache-hit rate, per-tool call and failure counts, estimated cost, session start / duration / turn count, project path, and the list of file paths touched. Prompt text, tool inputs/outputs, and file contents are not sent.

iOS app. The iOS app is a thin client over the same dashboards described above. When you open it, it sends the same kind of request metadata any HTTP client would (app version, iOS version, device model family, preferred language, and your sign-in token if you're signed in). The auth token is stored in the iOS Keychain on your device. The app does not request the App Tracking Transparency (ATT) prompt because we do not track you across other apps or websites and do not collect the IDFA. The app does not use push notifications, and so does not register a push token. The app does not access your contacts, photos, microphone, camera, calendar, health data, or precise location. Apple may share anonymous, aggregated App Analytics and crash reports with us if (and only if) you have opted in under iOS Settings → Privacy & Security → Analytics & Improvements; that data is not linked to your account.

Server logs. Like any web server, ours records request metadata for each request — timestamp, method, URL, your IP, user-agent, response status, request duration — to operate the service and detect abuse. Kept up to 90 days, then rotated out.

Cookies. First-party: auth_token and user_id (sign-in session) and locale (your language preference). Third-party: we use Google Analytics 4 (ID G-36N091FBKT), loaded lazily after your first interaction with the page, to measure aggregate site traffic. Google may set its own cookies (_ga, _ga_*). No advertising features are enabled and we do not run any cross-site tracking, retargeting, or fingerprinting. You can block Google Analytics in your browser without losing any Service feature.

2. How we use it

  • Render your dashboards, badges, widgets, and exports.
  • Compute leaderboards and public profile pages (see §3).
  • Bill Pro subscriptions through our payment processor.
  • Respond to support requests.
  • Keep the Service running, debugged, and reasonably secure.

We do not sell your data. We do not share it with advertisers. We do not use your coding activity, prompts, or source code to train machine-learning models.

3. What is public

Some of your data is visible without signing in. Please read this section:

  • Leaderboard. If your total coding minutes put you in the top ranks, your username, avatar, and total minutes appear on /dashboard/leaderboard. This is opt-out, not opt-in.
  • Profile page. Your profile at /user/<your-id> shows your username, avatar, coding totals, language breakdown, bio, and (if enabled) your GitHub link. Search engines may index it.

From Dashboard → Settings you can hide the current workspace name and language from your live status, hide your GitHub link, and edit your display name and bio. To remove yourself from the leaderboard and the public profile entirely, delete your account (§5) or email [email protected].

4. Who else processes the data

The data passes through these third parties as needed:

  • GitHub, Google, and Apple — OAuth sign-in. Apple is also the distribution channel for the iOS app (App Store and TestFlight) and may collect its own diagnostics under your iOS privacy settings (see §1 iOS app).
  • LemonSqueezy — payment processing for Pro subscriptions, sold on the website only (the iOS app does not offer in-app purchases). Card details go to LemonSqueezy directly; we receive only subscription status, customer ID, and transaction metadata.
  • Google Analytics 4 — aggregate traffic measurement on the website only; not loaded inside the iOS app (see §1 Cookies).
  • Our hosting provider — runs the servers and the database.

The Service runs on servers outside mainland China. Data may be processed in countries outside your country of residence. For EU/EEA/UK users, transfers to third countries are covered by an adequacy decision where one exists (e.g. the EU-Japan adequacy decision) or otherwise by Standard Contractual Clauses. Email us for the relevant documentation.

5. Your controls

  • Export. Dashboard → Settings → Export downloads your full raw coding-time history as a CSV file. For an export of other data we hold about you (account record, agent telemetry), email us.
  • Delete data or close your account. Available from Dashboard → Settings → Danger Zone on the web, and from Settings → Account → Delete Account inside the iOS app (per Apple's account-deletion requirement). Account closure cascades the deletion to your coding minutes, event logs, and workspace metadata, and removes you from the leaderboard. Encrypted backups may still contain the data for up to 30 days before rotation. Uninstalling the iOS app does not delete your account or your data on our servers — use the in-app or in-dashboard delete flow for that.
  • Access, correction, restriction, objection. Email us. EU/EEA/UK users have these rights under the GDPR; California residents have equivalent rights under the CCPA / CPRA. We aim to respond within 30 days.
  • Complaint to a regulator. EU/EEA/UK users may lodge a complaint with their local data protection authority.

Active coding-time records are kept for as long as your account exists, so you can review history. They are deleted when you delete them or close your account. Financial records (subscription invoices) are kept as long as required by tax and accounting law.

6. Legal bases for processing

If you are in the EU/EEA, UK, or Switzerland, we process your data on the following bases: performance of a contract (Art. 6(1)(b)) to deliver the Service you signed up for; legitimate interests (Art. 6(1)(f)) to keep the Service secure and to measure aggregate usage; consent (Art. 6(1)(a)) for non-essential analytics where required; and legal obligation (Art. 6(1)(c)) for tax and accounting records.

If you are in mainland China, the Service operates outside the mainland and using it requires your personal information to be transferred and processed overseas. By signing in you provide separate consent to that cross-border transfer for the purposes above. You can withdraw it by closing your account.

7. We don't sell your data

We do not "sell" or "share" personal information as those terms are defined under the CCPA / CPRA. We do not target ads, build profiles for ad networks, or use the data for any purpose other than the ones described above.

8. Children

Code Time is not directed at children. You may use the Service only if you are at least 13 years old, or 16 if your country applies that as the digital-consent age under the GDPR. If you think a child has provided us with personal information, email us and we will delete it.

9. Contact and operator

Code Time is operated as an independent personal project by an individual sole proprietor based in Tokyo, Japan. For any privacy question, request, or complaint:

  • Email: [email protected]
  • Operator: an individual sole proprietor in Tokyo, Japan (full legal name and registered contact address are provided on lawful request to satisfy statutory disclosure obligations under Japan's APPI, the GDPR, or equivalent regimes — email the address above).

We may update this policy as the Service evolves. Material changes will be flagged on the site; the "Last updated" date at the top always reflects the current version.