Trust Center
How we protect your data, what we build on, and what you control.
Overview
Gigtime is a time tracking and invoicing app operated by Websites Matter, LLC, a company based in Florida, USA. Freelancers keep their clients, hours, and invoices in Gigtime. This page explains how that data is protected, what infrastructure we run on, and what control you keep over your information.
One thing up front: Gigtime itself holds no security certifications. Where this page mentions certifications such as SOC 2, they belong to the providers we build on — and we name them as such.
Infrastructure & hosting
Backend
Gigtime's database, authentication, file storage, and server functions run on Supabase, hosted on Amazon Web Services (AWS). Supabase is SOC 2 Type 2 compliant and ISO 27001 certified, and encrypts data at rest with AES-256 and in transit with TLS.
These certifications apply to Supabase as our backend provider. Gigtime has not been separately audited.
Website and web app
This website (gigtime.app) and the web app (app.gigtime.app) are hosted and managed by Websites Matter, LLC. All traffic is served over HTTPS.
Mobile apps
The iOS and Android apps are distributed through the Apple App Store and Google Play and are subject to each store's review process.
Data protection
What protects your data in Gigtime, concretely:
- Account isolation: Every table in the database enforces PostgreSQL row-level security. Your account can only read and write its own rows — the restriction is applied by the database itself, not just by app code.
- Encryption in transit: All traffic between the apps and the backend uses TLS.
- Encryption at rest: Stored data is encrypted with AES-256 on Supabase's AWS infrastructure.
- Private file storage: Storage buckets are private. Uploaded files, such as invoice logos, are never publicly accessible.
- Daily encrypted backups: The database is backed up every day, and backups are encrypted.
- Two-factor authentication: TOTP-based 2FA is available to every account, on the free plan and on Pro.
- Passwords: Sign-in is handled by Supabase Auth. Passwords are hashed with bcrypt and never stored in plain text.
Payments
Card payments are processed by Stripe, a certified PCI Service Provider Level 1. Card details go directly to Stripe — they never pass through Gigtime's servers and we never store them.
Subscriptions bought in the mobile apps are billed by Apple or Google through their in-app purchase systems. We only receive confirmation of the transaction, never payment details.
Your data, your control
You can export your time entries to CSV from within the app (a Pro feature). If you're on the free plan and want a copy of your data, email us and we'll provide one.
You can delete your account from within the app. Deletion starts a 30-day grace period during which you can change your mind and cancel; after that, your data is permanently deleted.
Subprocessors
These are the third-party services that process data on our behalf:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, file storage, and server functions (runs on AWS) |
| Stripe | Card payment processing |
| Google Firebase | Push notifications, crash reporting, and analytics |
| Resend | Transactional email delivery |
| Apple | iOS app distribution and in-app billing |
| Android app distribution and in-app billing | |
| Websites Matter, LLC | Website and web app hosting |
A complete list of third parties and the data they receive is in our Privacy Policy.
Availability
We publish live uptime for Gigtime on our status page. If something is down or degraded, that's where we post updates.
Reporting a security issue
If you find a vulnerability in Gigtime, email us at support@gigtime.app. Include what you found and the steps to reproduce it — we read every report and will respond.
Please give us reasonable time to fix an issue before disclosing it publicly, and don't access data that isn't yours while testing. We don't currently offer a paid bug bounty.
Related documents
What data we collect and how we use it is covered in our Privacy Policy.
Use of Gigtime is governed by our Terms of Service.