Privacy Policy

1. Introduction

Context AI Technologies Pte. Ltd. ("Context AI", "we", "us", or "our") provides HourSense, an AI-powered time tracking and billing solution specifically designed for legal professional services firms ("Service" or "HourSense").

This Privacy Policy explains how we collect, use, disclose, and protect information when you use HourSense. We understand the sensitive and confidential nature of data in legal environments and are committed to maintaining the highest standards of data protection and security.

IMPORTANT: HourSense is a B2B enterprise solution available only through direct engagement with your organization. We do not offer consumer sign-ups or downloads. All deployments are personally onboarded by Context AI.

2. Key Terms and Definitions

• Customer: The law firm, legal department, or professional services organization that engages Context AI to deploy HourSense.

• End User / Attorney / Lawyer: An individual employee (typically an attorney, paralegal, or legal professional) of the Customer who uses HourSense.

• Service Data: Data collected through HourSense including activity monitoring data, timesheet entries, and system usage information.

• Client Data: Information about the Customer's clients, matters, and legal work, which may include attorney-client privileged information.

• F&O System: Finance and Operations system (such as Intapp, Elite 3E, or similar legal billing platforms) containing client matter information.

• Personal Data: Information that directly or indirectly identifies an individual End User.

3. Data Controller and Processor Relationship

For Service Data collected through HourSense:

• Customer is the Data Controller: Your organization determines what data is collected, how it is used, and the legal basis for processing.

• Context AI is the Data Processor: We process data solely on Customer's behalf and in accordance with Customer's documented instructions and our Data Processing Agreement (DPA).

This Privacy Policy describes Context AI's practices as a Data Processor. Customers are responsible for providing privacy notices to their End Users and ensuring lawful processing of Personal Data under applicable laws.

4. Information We Collect

4.1 Desktop Activity Monitoring Data

HourSense desktop agent collects the following activity data from End User workstations (only when authorized by Customer):

• Application Usage: Names and window titles of applications used, duration of use, focus time, and application switching patterns.

• Document and File Information: Names and paths of files accessed, document titles, time spent editing or reviewing documents.

• Email Activity: Email subjects, sender/recipient information, email thread titles, time spent reading or composing emails.

• Calendar Information: Meeting titles, attendees, duration, calendar event descriptions.

• Browser Activity: URLs visited, page titles, time spent on web pages, browser tab information.

• System Activity: Time since last keyboard/mouse activity, idle time, lock/unlock events, application foreground/background status.

• Timestamps: Precise timestamps for all activities to enable time tracking and billable hour calculation.

IMPORTANT: We do NOT capture screenshots, record keystrokes, or access the actual content of documents or emails unless explicitly configured by the Customer. All monitoring is activity-based (metadata) rather than content-based.

4.2 Finance & Operations (F&O) System Integration

When Customer grants HourSense access to their F&O system (such as Intapp, Elite 3E, Aderant, or similar platforms), we collect:

• Client and Matter Information: Client names, matter codes, matter descriptions, responsible attorneys, billing arrangements, hourly rates.

• Historical Timesheet Data: Past time entries, billing codes, work descriptions, dates, durations, and approval status.

• Attorney Information: Attorney names, billing rates, practice areas, office locations, administrative permissions.

• Organizational Structure: Department hierarchies, practice groups, reporting relationships, approval workflows.

This data enables HourSense to automatically match activities to the correct client matters and generate accurate timesheet entries.

4.3 Corporate Infrastructure Access

Based on Customer's deployment configuration, HourSense may have access to:

• Microsoft 365 / Email Systems: Email metadata, calendar events, contact information, shared documents via SharePoint/OneDrive.

• Document Management Systems: Document metadata from systems like iManage, NetDocuments, or SharePoint (file names, authors, dates, version history).

• Active Directory / LDAP: User identities, organizational units, group memberships for authentication and authorization.

• Calendar Systems: Meeting schedules, attendees, locations, event descriptions from Outlook or Google Calendar.

Access to these systems is granted by Customer through OAuth, API keys, or service accounts with read-only permissions where possible. We collect only metadata necessary for time tracking purposes.

4.4 Account and Usage Information

• Account Information: Names, email addresses, usernames, roles (attorney, EA, partner, admin), department, office location.

• System Logs: Login/logout events, IP addresses, device identifiers, operating system versions, HourSense version numbers.

• Usage Analytics: Feature usage, timesheet approval patterns, correction frequencies, AI suggestion acceptance rates.

• Support Data: Support tickets, error reports, diagnostic logs, feedback submissions.

5. How We Use Collected Information

5.1 Primary Service Delivery

• Automated Timesheet Generation: Analyze activity patterns to automatically generate time entries with matter codes, task descriptions, and durations.

• AI-Powered Classification: Use machine learning models to match activities to correct client matters, billing codes, and task types.

• Work Pattern Analysis: Identify patterns to improve time capture accuracy and reduce missing billable time.

• F&O System Integration: Sync time entries to Customer's billing system, update matter information, retrieve client data.

• Approval Workflows: Route time entries through attorney, EA, partner, and admin approval chains.

5.2 Service Improvement and Analytics

• AI Model Training: Train and improve machine learning models for better activity classification and time entry suggestions.

• Performance Analytics: Provide Customer with insights into time utilization, billing efficiency, and productivity patterns (aggregated at Customer level).

• System Optimization: Monitor system performance, identify bugs, improve accuracy and reliability.

• Feature Development: Understand usage patterns to prioritize new features and improvements.

5.3 Security and Compliance

• Security Monitoring: Detect unauthorized access, suspicious activity, or security threats.

• Audit Logging: Maintain audit trails for data access, modifications, and system changes.

• Compliance Reporting: Support Customer's SOC 2, ISO 27001, or other compliance requirements.

• Incident Response: Investigate and respond to security incidents or data breaches.

6. How We Share Information

We do NOT sell Personal Data or Service Data to third parties. We share data only in the following limited circumstances:

6.1 Within Customer Organization

Service Data is shared with authorized personnel within Customer's organization based on Customer-defined roles and permissions (attorneys, EAs, partners, admins, billing staff).

6.2 Subprocessors and Service Providers

We engage trusted third-party service providers who assist in delivering HourSense:

• Anthropic (Claude AI): AI model provider for natural language processing and timesheet generation. Data sent: activity descriptions, work patterns, client matter context. Anthropic does not use Customer data for training their models.

• Google Cloud Platform: Cloud infrastructure hosting (compute, storage, databases). Data is encrypted at rest and in transit.

• Authentication Providers: Microsoft Azure AD, Google Workspace, or Customer's SSO provider for identity verification.

• Monitoring and Analytics: Error tracking, performance monitoring, and infrastructure management tools.

A complete list of subprocessors is available at https://hoursense.com/subprocessors. We notify Customer at least 30 days before adding new subprocessors. All subprocessors are bound by data processing agreements with security and confidentiality obligations.

6.3 Legal Requirements

We may disclose data if required by law, court order, or government request; to protect Context AI's legal rights; to prevent fraud or security threats; or in connection with a merger, acquisition, or sale of assets (with notice to Customer).

7. Data Security

We implement industry-leading security measures to protect Service Data:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest, encrypted backups.

• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege.

• Infrastructure Security: Google Cloud Platform with SOC 2 Type II and ISO 27001 certified data centers, network segregation, intrusion detection.

• Application Security: Regular security testing, vulnerability scanning, penetration testing, secure development practices.

• Monitoring: 24/7 security monitoring, audit logging, anomaly detection, incident response procedures.

• Compliance: SOC 2 Type II and ISO 27001 certification (in progress), GDPR and Singapore PDPA compliance.

• Employee Training: Annual security awareness training, background checks, confidentiality agreements.

Despite these measures, no system is completely secure. Customer is responsible for maintaining security of their own networks, devices, and credentials.

8. Data Retention

• Active Service Data: Retained for the duration of Customer's subscription plus 60 days for transition purposes.

• Historical Timesheet Data: Retained as specified in Customer agreement (typically aligned with legal billing record retention requirements).

• Activity Monitoring Data: Typically retained for 90 days unless Customer requests longer retention for analytics purposes.

• Backups: Encrypted backups retained for 90 days for disaster recovery purposes.

• Audit Logs: Security and access logs retained for 1 year for compliance and security incident investigation.

• Aggregated Analytics: De-identified, aggregated usage data may be retained indefinitely for product improvement.

Upon subscription termination or at Customer's request, we will delete or return all Service Data within 60 days unless longer retention is required by law.

9. Data Subject Rights

As a Data Processor, we support Customer in fulfilling End User rights under GDPR, PDPA, and other privacy laws:

• Right to Access: End Users can request copies of their Personal Data through Customer's admin portal.

• Right to Rectification: End Users can correct inaccurate Personal Data through their HourSense profile settings.

• Right to Erasure: Customer can request deletion of End User data subject to legal retention requirements.

• Right to Restrict Processing: Customer can temporarily disable monitoring for specific End Users.

• Right to Data Portability: Export functionality available for timesheet data and activity logs in CSV/JSON format.

• Right to Object: End Users can opt out of certain data processing activities where legally permissible.

End Users should submit data subject requests to their organization (Customer). We will assist Customer in fulfilling these requests within legally required timeframes (typically 30 days).

10. International Data Transfers

Context AI Technologies is headquartered in Singapore. Service Data may be stored and processed in Singapore, United States (via Google Cloud Platform), or other locations where our service providers operate.

For transfers from the European Economic Area (EEA), UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms included in our Data Processing Agreement.

• Adequacy Decisions: Where applicable (Singapore has received adequacy recognition from EU for certain transfers).

• Additional Safeguards: Encryption, access controls, contractual protections with subprocessors.

11. Contact Information

For privacy questions, data subject requests, or security concerns:

Context AI Technologies Pte. Ltd.

Data Protection Officer: Shrivardhan Goenka

59 Ubi Avenue 1, #03-11

Singapore 408938

Email: privacy@hoursense.com

Phone: +65 8656 9413

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Customer with at least 30 days' notice via email to the primary account contact. Continued use of HourSense after changes become effective constitutes acceptance of the updated policy.

13. Complaints and Regulatory Authority

If you have concerns about our data practices that we have not addressed to your satisfaction, you have the right to lodge a complaint with your local data protection authority:

• Singapore: Personal Data Protection Commission (www.pdpc.gov.sg)

• European Union: Your national data protection authority or the European Data Protection Supervisor

• United Kingdom: Information Commissioner's Office (ICO) (www.ico.org.uk)