Privacy Policy

Last updated: April 15, 2026 · Effective date: Upon app launch

Wendigo ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Wendigo mobile application (the "App").

Our core principle: your data belongs to you. Wendigo is designed local-first. All your work data stays on your device unless you explicitly choose to share it.

Multi-Region Notice: This policy is designed to comply with applicable privacy laws worldwide, including the GDPR (European Union), UK GDPR and Data Protection Act 2018 (United Kingdom), CCPA/CPRA (California, USA), PIPEDA (Canada), the Privacy Act 1988 (Australia), and the APPI (Japan). If you are located outside Canada, please see the "Your Regional Rights" section below.

1. Information We Collect

1.1 Information You Provide Directly

  • Client Information: Names, email addresses, rates, and tax jurisdictions you enter for the clients you work with. This data is stored locally on your device only.
  • Time Sessions: Records of work sessions you track, including duration, notes, and billing status. Stored locally on your device only.
  • Invoices & Estimates: Invoice records, amounts, and statuses you create. Stored locally on your device only.
  • Support Communications: If you contact us for support, we retain the content of your message and your contact details solely to respond to your inquiry.

1.2 Information Accessed via Device Permissions

  • Calendar Data: With your permission, Wendigo reads your device calendar to detect work sessions and suggest time entries. Calendar data is processed on-device only and is never transmitted to our servers or any third party.

1.3 Information We Do NOT Collect

  • We do not collect personal data about you on our servers.
  • We do not require account creation, login, or registration.
  • We do not use tracking cookies or analytics that identify you personally.
  • We do not sell, rent, or trade your personal information to any third party.
  • We do not use your data for advertising or profiling purposes.

2. How We Use Your Information

Your information is used exclusively on your device to provide the App's core functionality:

  • Track and manage your work time sessions
  • Generate invoices from tracked time
  • Manage client profiles, rates, and tax settings
  • Provide calendar-based auto-detection of work sessions
  • Support Siri voice commands for timer and invoice operations
  • Display widgets and Live Activities with your timer and income data

3. How We Share Your Information

We do not share your personal information with third parties. The only data that leaves your device is data you explicitly choose to share through the App's features:

  • Invoices you send: When you share an invoice as a PDF, the invoice data (client name, amount, line items) is shared with the recipient you designate through the iOS share sheet.
  • Client Portal: If you generate a client portal link, invoice data is accessible only to the specific client via the unique link you share. You control when and if to generate such links.
  • Exports: If you choose to export your data (e.g., CSV, JSON), the exported file is under your sole control.

4. Third-Party Services

The App interacts with the following third-party services, all governed by their respective privacy policies:

  • Apple iOS / Calendar: Calendar data is accessed on-device through Apple's EventKit framework. Apple's privacy policy applies: https://www.apple.com/privacy/
  • Apple Siri / App Intents: Siri integrations are processed on-device through Apple's App Intents framework. No voice data is sent to our servers.
  • Exchange Rate API: If the App fetches currency exchange rates, this is done on-demand using a third-party API. No personal data is transmitted with these requests.
  • Google Analytics (Website only): Our landing page and help documentation use Google Analytics (GA4) to understand aggregate website usage. This is separate from the App and does not collect personally identifiable information. You can opt out via Google's opt-out page.

5. Data Retention

All your data is stored locally on your device in a SQLite database. Data persists for as long as the App is installed. Uninstalling the App permanently deletes all data, including clients, time sessions, invoices, and settings. We retain no copies.

6. Data Security

Because all data is stored locally on your device, it benefits from the security protections built into iOS, including:

  • Hardware-level encryption on iOS devices
  • App sandboxing (no other app can access Wendigo's data)
  • iOS keychain for any stored credentials or tokens

We follow secure development practices and conduct internal reviews of our code. No data is transmitted over the internet except when you explicitly share an invoice or export data.

7. Children's Privacy

The App is not directed to individuals under the age of 16 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have collected personal information from a child without verified parental consent, we will delete that information promptly.

8. Your Regional Rights

Depending on your location, you may have the following rights. Because Wendigo stores all data locally, you exercise these rights directly on your device.

Right GDPR (EU/UK) CCPA/CPRA (California) PIPEDA (Canada) Privacy Act (Australia)
Access your data Yes (Art. 15) Yes Yes Yes
Correct your data Yes (Art. 16) Yes Yes Yes
Delete your data Yes (Art. 17) Yes Yes Yes
Port your data Yes (Art. 20) Yes Yes Yes
Object to processing Yes (Art. 21) Yes (opt-out of sale) Yes Yes
Restrict processing Yes (Art. 18) Yes Yes Yes
Non-discrimination Yes
Lodge a complaint Yes (Supervisory Authority) Yes (AG) Yes (OPC) Yes (OAIC)

How to exercise these rights: Since all data is local, you can access, correct, export, and delete your data directly within the App. To delete all data, uninstall the App. For any questions or concerns, contact us.

8.1 GDPR-Specific (EU/UK)

Legal basis for processing: Because Wendigo processes all data locally on your device and we do not transmit personal data to our servers, we act as a tool provider rather than a data controller for your work data. For any data we do process (e.g., support emails), the legal basis is our legitimate interest in providing support and fulfilling our contractual obligations.

Data transfers: We do not transfer your personal data outside the European Economic Area (EEA) or the United Kingdom.

Representative: If you are in the EU or UK and have questions about this policy, you may contact us directly.

8.2 CCPA/CPRA-Specific (California)

We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use or disclose sensitive personal information except for the core functionality described in this policy.

In the preceding 12 months, we have not sold any personal information and have not shared personal information for cross-context behavioral advertising.

8.3 PIPEDA-Specific (Canada)

We adhere to the 10 fair information principles of PIPEDA, including accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. You may contact us with any questions or complaints.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. We encourage you to review this policy periodically.

10. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us.

Wendigo
Designed in Canada
All data processed locally on your device.