Privacy Policy
Version 2026.05.2 · Last updated · Effective
Introduction
This Privacy Policy explains how LW Agency Limited ("ChronoLedger", "we", "us", "our") — a company incorporated in Hong Kong Special Administrative Region of the People's Republic of China and trading as ChronoLedger — collects, uses, shares, and protects personal information when you visit our marketing website, sign up for an account, or use the ChronoLedger time-tracking and profitability service (together, the "Service").
We act as a data controller for: (a) visitors to our marketing website, (b) prospects who interact with us, (c) the workspace owner who registers an account with us, and (d) recipients of our service communications. We act as a data processor for the data that workspace owners upload while using the Service ("Customer Data") — the workspace owner is the controller of that data and is responsible for the lawful basis on which it is collected from their employees, contractors, and clients. Our processor obligations are set out in our Data Processing Agreement.
We aim to keep this policy concise, specific, and aligned with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Hong Kong Personal Data (Privacy) Ordinance Cap. 486 ("PDPO"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other privacy laws of general application. Where local law gives you stronger rights, those rights apply.
This Privacy Policy is part of, and incorporated by reference into, our Terms of Use. Capitalised terms not defined here take the meaning given there.
EU and UK representatives
LW Agency Limited has no establishment in the European Union, the European Economic Area, or the United Kingdom. We have appointed representatives under Article 27 of the EU GDPR and Article 27 of the UK GDPR through whom data subjects in those territories may exercise their rights and through whom supervisory authorities may correspond with us:
European Union representative: appointment in progress; details will be published here as soon as the contract is activated. In the interim, EU/EEA data subjects may contact us directly at privacy@chrono-ledger.com.
United Kingdom representative: appointment in progress; details will be published here as soon as the contract is activated. In the interim, UK data subjects may contact us directly at privacy@chrono-ledger.com.
Designation of a representative does not affect our liability as controller or processor and is not in itself a determination that GDPR or UK GDPR applies to a particular processing activity.
What we collect
We collect three categories of personal information:
- Account data — name, work email address, organisation, job title or role, country of residence, authentication metadata, and any information you provide while corresponding with our team. Provided by you at sign-up, when invited to a workspace, or during support exchanges.
- Usage data — application logs, audit events, feature interactions, IP address, user-agent string, device fingerprint metadata (limited to fraud-prevention attributes), referrer, and locale. Collected automatically when you use the Service. We do not associate usage data with non-essential identifiers without your consent where consent is required.
- Customer Data — entries you record in the Service: time logs, project metadata, internal cost rates, external client rates, invoices, attachments, and any other data the workspace owner chooses to upload. We process Customer Data on instructions from the workspace owner, who is the controller of that data.
The marketing site additionally records aggregate, cookieless audience-measurement data on our self-hosted analytics — no persistent identifier is set in your browser and no data is transferred to a third party. See our Cookie Policy for full detail.
How we use your data
We process personal data only for the purposes described below. We do not sell personal data; we do not share it with advertisers; we do not use Customer Data to train general-purpose AI models; and we do not use Customer Data for any purpose other than providing the Service to you, securing it, billing for it, complying with our legal obligations, and exercising or defending legal claims.
Legal bases (per processing activity)
The table below maps each processing activity to its lawful basis under GDPR Article 6, the recipients of the personal data, and the retention period. The table is illustrative and may be supplemented by specific product-level disclosures.
| Activity | Lawful basis | Recipients | Retention |
|---|---|---|---|
| Account creation, authentication, and access management | GDPR Art. 6(1)(b) — contract performance | Cloud hosting, transactional email subprocessor | Life of account + 30 days |
| Service provision, including processing of Customer Data on the workspace owner's instructions | GDPR Art. 28 — processor on documented instructions; the workspace owner determines the lawful basis | Cloud hosting, error monitoring, transactional email subprocessor | Per the workspace owner's configuration; default 30-day grace after termination |
| Billing, invoicing, and tax compliance | GDPR Art. 6(1)(c) — legal obligation; Art. 6(1)(b) for the contract itself | Merchant of record (Paddle); Stripe Connect for marketplace settlements; tax authorities as required | Up to 7 years from the end of the relevant accounting period, as required by Hong Kong tax law and merchant-of-record obligations |
| Service security, abuse prevention, fraud screening, and audit logging | GDPR Art. 6(1)(f) — legitimate interests in the integrity of the Service and in protecting our customers, our company, and third parties | CDN / WAF (Cloudflare); error monitoring (Sentry) | Up to 12 months for general access logs; up to 7 years for administrative audit logs |
| Customer support and service communications (transactional email) | GDPR Art. 6(1)(b) — contract performance | Transactional email subprocessor | Life of account + 30 days; subprocessor archives per Subprocessors page |
| Service analytics and product improvement (server-side, aggregated) | GDPR Art. 6(1)(f) — legitimate interests in maintaining and improving the Service | Internal only; aggregated | Up to 12 months at user-level granularity, then aggregated |
| Marketing-website audience measurement (self-hosted Plausible — cookieless, aggregate, no persistent identifier) | GDPR Art. 6(1)(f) — legitimate interests in operating and improving the marketing site; consent-exempt under EDPB / CNIL audience-measurement guidance | Internal only (self-hosted on the same EU data centre as the rest of the Service) | Aggregated only; no individual identifier persists |
| Establishing, exercising, or defending legal claims; complying with regulatory or law-enforcement requests | GDPR Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests in the protection of our rights and property | Counsel, courts, regulators, law-enforcement agencies as required | Until the limitation period for the relevant claim expires; up to 7 years for tax-related disputes |
Where we rely on legitimate interests, we have considered the impact on you and concluded that our interests are not overridden by your fundamental rights and freedoms in the relevant context. You may object to processing based on legitimate interests as set out under Your rights.
Data sharing & subprocessors
We share personal data only with vetted service providers under written data-processing terms. The current list of subprocessors — including each provider's role, processing location, and the transfer mechanism we rely on — is maintained at /legal/subprocessors and is incorporated into this policy by reference.
We do not sell personal data within the meaning of CCPA/CPRA. We do not share personal data with advertisers, with data brokers, or for cross-context behavioural advertising. We may disclose personal data when required by law, when reasonably necessary to enforce our Terms of Use or Acceptable Use Policy, or to protect our rights, property, safety, or those of our customers or third parties — and only to the extent strictly necessary.
Where the workspace owner has connected a third-party AI or automated processing system to the Service via our agent API, the workspace owner is solely responsible for the lawful basis, transparency, and any data protection impact assessment relating to that integration. See Automated decision-making below.
International transfers
ChronoLedger is operated from Hong Kong Special Administrative Region of the People's Republic of China. Customer Data is stored in our primary production data centre in the EU (the same data centre that hosts our self-hosted analytics, see the table above). Where personal data is transferred outside its origin region, for example to a subprocessor in the United States or in another country, we rely on Standard Contractual Clauses (the EU SCCs in their current form, with the UK International Data Transfer Addendum where the data subject is in the United Kingdom), adequacy decisions where one applies, or other legally recognised transfer mechanisms.
Standard Contractual Clauses are model contract clauses approved by the European Commission and the UK Information Commissioner's Office that allow personal data to be transferred lawfully to countries that do not have an EU adequacy decision. We have considered the legal environment of each destination country (a Transfer Impact Assessment) and applied supplementary measures, including encryption in transit, strict access controls, and contractual restrictions on government-access requests, where appropriate.
Retention
We retain personal data only for as long as is necessary for the purposes described in this policy or as required by law. As a guide:
- Account data — for the life of the account, plus 30 days after deletion.
- Usage logs — up to 12 months from collection, then aggregated or deleted.
- Audit logs — up to 7 years for administrative actions; up to 12 months for general access logs.
- Billing and tax records — up to 7 years from the end of the accounting period in which the record arose, as required by Hong Kong tax law and by the merchant of record's regulatory obligations.
- Customer Data — controlled by the workspace owner; 30-day grace period after account termination, after which it is deleted or anonymised, subject to the legal-obligation exceptions below.
- Encrypted backups — retained for up to 14 days after the source data is deleted; if a backup is restored, data covered by an outstanding deletion request is anonymised within 24 hours of restoration.
- Analytics data — marketing-site audience measurement runs on our self-hosted Plausible instance; aggregated only, no persistent identifier, no individual record retained. Cloudflare access logs are retained for up to 30 days. Subprocessor archives are subject to the schedules in each subprocessor's DPA, summarised on the Subprocessors page.
Honest-deletion notice. When you exercise your right to erasure, we anonymise your personal data in our production systems within 30 days. Pseudonymised remnants may persist for limited periods in encrypted backups and in subprocessor archives until those archives cycle out under their own retention schedules. Records that we are required to retain for tax, accounting, anti-money-laundering, or other legal-obligation purposes (in particular, billing records held by our merchant of record and our connected-account payouts processor) survive erasure for up to seven years under GDPR Article 17(3)(b). Records relevant to the establishment, exercise, or defence of legal claims are retained for the duration of the relevant limitation period under GDPR Article 17(3)(e).
Security
We protect personal data with administrative, technical, and physical safeguards proportionate to risk: encryption in transit (TLS 1.3), role-based access control with least-privilege defaults, multi-factor authentication on administrative accounts, hash-chained audit logging, secrets stored as Docker secrets (never in environment variables), regular dependency scanning, segregated production access, and documented incident-response procedures. At-rest encryption for high-PII tables is being rolled out per our security roadmap.
No system is perfectly secure. Where required by applicable law, we will notify you, your workspace owner, or the relevant supervisory authority of a personal-data breach in accordance with the timelines and criteria set out in GDPR Articles 33 and 34, the UK GDPR equivalent, and other applicable laws. We do not undertake to notify you in any case where the law does not require it.
Your rights
The Privacy panel in your account is the only routine channel
If you have a ChronoLedger account, you must exercise your rights through the Privacy panel in your workspace settings. From the Privacy panel you can: download a copy of your personal data (GDPR Article 15 access and Article 20 portability); delete your account and the personal data we hold about you in our controller capacity (Article 17 erasure); correct your account details (Article 16 rectification); and view our retention schedule and the audit log of access to your data. We do not accept routine rights-requests by any other channel from data subjects who could have used the Privacy panel — login is our identity-verification mechanism for account holders, and Article 12(6) GDPR permits us to require it.
Customer Data — Workspace Owner is the controller
If your personal data is in a ChronoLedger workspace because the Workspace Owner uploaded it (for example, time logs about you, an internal cost rate, or a project assignment), the Workspace Owner is the data controller for that data and we are merely the processor. We will not act on rights-requests about Customer Data submitted directly by the data subject — we are contractually prohibited from disclosing Customer Data to anyone other than the Workspace Owner, including its own data subjects. Direct your request to the Workspace Owner; they are obliged to fulfil it under Articles 12 to 22.
Edge cases — non-account, non-Customer-Data subjects
The Privacy panel is the only routine channel; the Workspace Owner is the only Customer Data channel. The narrow remaining categories — for example, a former account holder whose data we retain only under Article 6(1)(c) legal-obligation grounds, or a marketing-website visitor whose IP we logged before anonymisation — may submit a request through the channels below, accompanied by notarised proof of identity and proof of any relationship asserted with us, in order for us to verify the request under Article 12(6):
- EU/EEA and UK data subjects — submit through the EU or UK Article 27 representative's portal once the representative has been appointed (see EU and UK representatives above); until then, email privacy@chrono-ledger.com with the notarised identity proof attached;
- All other jurisdictions — email privacy@chrono-ledger.com with the notarised identity proof attached.
Requests that do not include the required identity proof will not be processed; we will request the missing information once and close the file if it is not received within 30 days.
Rights summary
Subject to applicable law and to identity verification, you may have the right to:
- Access the personal data we hold about you (GDPR Art. 15).
- Rectify inaccurate or incomplete personal data (Art. 16).
- Erase personal data we are no longer required to keep (Art. 17), subject to the legal-obligation exceptions in Retention.
- Restrict certain processing (Art. 18).
- Port your personal data in a structured, commonly used, and machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Lodge a complaint with a supervisory authority (GDPR Art. 77) — for EU/EEA data subjects, the authority of the member state in which you habitually reside, work, or in which the alleged infringement occurred; for UK data subjects, the Information Commissioner's Office.
We respond within the statutory timeframe applicable to the request — under GDPR Article 12(3), within one month of receipt, extendable by up to two further months where necessary given the complexity and number of requests, in which case we will tell you within the first month. We may charge a reasonable fee, or refuse to act on a request, where it is manifestly unfounded or excessive — in particular if it is repetitive — as permitted by GDPR Article 12(5). We are not required to retain personal data we would otherwise have deleted in order to comply with a future request.
Information for workspace members (employees and invited users)
If you have been invited to a ChronoLedger workspace by an employer, a contractor, or a service provider — for example, to log billable time — your data was uploaded by the Workspace Owner. The Workspace Owner is the data controller for your time logs, project assignments, internal cost rate, and any related Customer Data; ChronoLedger is the data processor, acting only on the Workspace Owner's documented instructions.
This means we cannot fulfil rights-requests about Customer Data on your behalf. The Workspace Owner — not ChronoLedger — is responsible for providing you with the GDPR Article 13 / 14 notice, for fulfilling your access, rectification, erasure, restriction, portability, and objection rights, and for handling any complaint or query about how your data is used in the workspace. Contact the Workspace Owner directly. We are contractually prohibited from disclosing Customer Data to anyone other than the Workspace Owner, and we will route any direct request from a workspace member to the Workspace Owner without action.
The narrow exception is where you have your own ChronoLedger account in addition to being a workspace member: in that case, the Privacy panel in your account covers your account data (which we control), and the Workspace Owner remains the controller for any workspace-uploaded Customer Data that concerns you.
The basic facts the Workspace Owner is required to communicate to you under Article 14, summarised so that you can verify what they have told you:
- Source of your data — the Workspace Owner you work for or with.
- Categories of your data — name, work email, role, time entries, project assignments, internal cost rate, billable rate, attachments uploaded by you or on your behalf.
- Recipients — ChronoLedger and the subprocessors listed at /legal/subprocessors.
- Retention — set by the Workspace Owner; we retain Customer Data for the life of the workspace plus a 30-day grace period after termination.
- Right to complain — to your local supervisory authority, in addition to (not in lieu of) contacting the Workspace Owner.
Automated decision-making and the agent API
ChronoLedger does not deploy in-product automated decision-making with legal or similarly significant effects on you within the meaning of GDPR Article 22. ChronoLedger does not generate time entries, work classifications, or pay-rate decisions algorithmically.
The Service offers an agent API through which a workspace owner may connect a third-party automated system — including a large language model or a workflow agent — to act on tasks, time entries, or storage on the workspace owner's behalf. Where a workspace owner enables the agent API:
- the workspace owner is the deployer of that automated system within the meaning of the EU AI Act and is responsible for any disclosure to data subjects, any human-in-the-loop requirement, any GDPR Article 22 safeguards, any Colorado AI Act notice, any NYC Local Law 144 bias audit, and any Illinois AI Video Interview Act notice that applies;
- the workspace owner agrees to indemnify and hold ChronoLedger harmless against any claim by an employee, client, or other data subject arising from the operation of the connected automated system, as set out more fully in our Terms of Use and our Acceptable Use Policy;
- ChronoLedger logs each call placed via an agent token and tags Service entries created through the agent API as agent-sourced, so that downstream review and reporting can distinguish human-entered from machine-entered records.
We do not use Customer Data to train general-purpose AI models. We do not provide third-party AI training data feeds. We do not share Customer Data with any AI subprocessor for purposes other than the operational provision of the Service.
Children's data
ChronoLedger is a business-to-business service intended for use by organisations and by individuals in their professional capacity. The Service is not directed at children, and we do not knowingly collect personal data from children under the age of 16 (or, in jurisdictions with a higher age of digital consent, the age stipulated by local law).
Where a workspace owner invites a person under the age of 16 to the Service in an employment or apprenticeship capacity, the workspace owner is responsible for obtaining any parental or legal-guardian consent required under applicable law. We may suspend any workspace that we learn is processing children's personal data without a lawful basis.
If you believe a child has provided us with personal data, contact privacy@chrono-ledger.com so we can investigate and, where appropriate, delete the data.
Changes to this policy
We may update this Privacy Policy from time to time. Updates take effect on publication. The version number and effective date in the header above reflect the current revision. Your continued use of the Service after publication constitutes acceptance of the updated policy.
Contact
For privacy questions and to exercise any of the rights described above, the fastest path is the Privacy panel in your workspace settings. For questions that cannot be resolved that way, contact our privacy team at privacy@chrono-ledger.com. Suspected security vulnerabilities should be sent to security@chrono-ledger.com and may also be reported via the file at /.well-known/security.txt.
Postal address: LW Agency Limited, Unit 2A, 17/F, Glenealy Tower, No. 1 Glenealy, Central, Hong Kong S.A.R.