Privacy Policy

Account and manager data. We store manager email addresses, names if provided, family membership, sign-in sessions, password hashes if you set a password, two-factor authentication state, and backup-code hashes. We use this to identify manager accounts, allow multiple managers for one family, and protect sensitive actions.

Device data. When you enroll a Mac, the device registers a name (e.g. "Alex's MacBook"), a timezone, agent version/build metadata, last-seen timestamps, and an Ed25519 public key. The corresponding private key never leaves the device.

Usage data. The TempoMinder Mac app records which apps were in the foreground on the managed Mac, for how long, and under which local user account. Each upload is signed by the device's private key and sent over HTTPS to our server.

Policy and overrides. Daily limits, warning durations, temporary extra-time grants, and emergency-code wallet records are stored so the Mac app can enforce them. Plaintext emergency codes are shown only in the parent dashboard; enrolled Macs receive code hashes in signed policy data.

Billing data. If you subscribe, Lemon Squeezy processes checkout and payments. We store the Lemon Squeezy customer ID, subscription ID, subscription status, renewal/access dates, and related webhook metadata so we can manage access and cancellation.

Support and waitlist data. If you contact us or join the waitlist, we store the email address and message you provide. Contact messages may include attachment metadata and uploaded attachment files.

Operational logs and metrics. We collect limited request logs, error logs, and API metrics such as route name, method, status code, duration, request ID, and deployment environment. We do not log request bodies, cookies, authorization headers, raw query strings, signatures, or other secret values.

We do not use third-party analytics, advertising trackers, or social-media pixels. We do not record keystrokes, screenshots, window titles, document contents, website visits, full URL paths, search queries, DNS lookups, or any HTTPS request payloads. We do not sell or rent any data to third parties.

Account and device data is used to identify you, authenticate uploads from enrolled Macs, and route policy updates to the right device. Usage data is used to render the dashboard for the parent managers in your family and to enforce the limits those managers set. Confirmation flows use TOTP or backup codes when enabled, password re-authentication when a password is set, or email confirmation otherwise. Logs and metrics are used to operate, secure, debug, and improve the service.

TempoMinder runs on Cloudflare Workers with a Cloudflare D1 (SQLite) database for storage and Cloudflare R2 for contact attachments. Traffic between the Mac app, your browser, and our servers is encrypted in transit (HTTPS). Activity uploads from the Mac app are additionally signed with the device's private key so the server can verify the device identity for each upload.

Pending activity uploads on the Mac itself are discarded after 24 hours so a long offline period doesn't snowball into a stale backlog. Activity events stored server-side are retained while your device is enrolled so the dashboard can render history, and older operational rows may be pruned on a schedule. Account data is retained while your account exists. Unenrolling a device removes its policy, usage, emergency-code records, and enrollment state from our servers.

You can delete a family account from Settings. Deletion removes the family for all managers, cancels an active Lemon Squeezy subscription first when applicable, deletes manager accounts and sessions, enrolled devices, limits, usage data, emergency codes, support/waitlist records tied to those managers, and contact attachments. For fraud prevention, billing proof, and abuse prevention, we retain a limited deleted-family audit record with the deleted family's billing/subscription identifiers, family metadata, manager email addresses, and deletion timestamp.

TempoMinder is intended to be operated by a parent or legal guardian managing their own family's Macs. Usage data is recorded at the parent's direction so the parent can review and enforce time limits. We do not market the service to children and we do not knowingly create separate accounts for minors.

We use Cloudflare to host the service and store the database. We use an SMTP provider to deliver magic-link sign-in emails and confirmation emails. We use Lemon Squeezy for checkout, subscriptions, and billing webhooks. We use Grafana Cloud and Cloudflare Workers observability features for logs, traces, and metrics. These providers process limited data on our behalf and do not use it for their own marketing.

You can unenroll any device from the parent dashboard (Settings → Devices), which removes that device's policy, usage, and enrollment state from our servers. You can cancel a subscription and delete the family account from Settings. You can also contact us at the address below with questions or requests about your data.

If we make material changes to how we handle data we'll update this page and adjust the "Last updated" date at the top. If the change is significant, we'll also notify account holders by email.

Questions about this policy or your data: email us at privacy@tempominder.com.