Privacy Policy

Effective: February 6, 2026

Knuckle is built by Paul Mignard as a personal project. This policy explains what data the app accesses, how it's used, and where it goes. The short version: your data stays on your device and in your Harvest account. I don't collect, store, or sell any of it.

What Knuckle Accesses

Location (Always). Knuckle uses iOS's built-in geofencing to detect when you enter or leave a workplace. Your location is processed entirely on your device by Apple's CoreLocation framework. Knuckle receives a simple enter/exit event — it does not continuously track your GPS coordinates, and your location is never sent to any server, including mine.

Harvest Account. When you connect your Harvest account, Knuckle accesses your project list and active timer status via the Harvest API. This is the minimum needed to start and stop timers on your behalf. Knuckle does not read your time entries, invoices, reports, or any other Harvest data beyond what's required for timer operations.

Notifications. Knuckle sends local notifications to let you know when a timer starts or stops due to a geofence event. These notifications are generated on your device — no push notification server is involved.

What's Stored on Your Device

• OAuth tokens — stored in the iOS Keychain (Apple's encrypted credential storage). These authenticate you with Harvest. They never leave your device except when sent to Harvest's API.
• Geofence definitions — the locations, radii, and associated Harvest projects you configure. Stored locally in CoreData.
• Your name and email — from your Harvest account, stored in shared app storage so the widget can display them. Not sent anywhere else.
• Timer state — whether a timer is running, which project it's for, and daily/weekly hour totals. Shared between the app and the home screen widget.

All of this data is deleted when you uninstall the app.

What's Sent Over the Network

• Harvest API (api.harvestapp.com) — timer start/stop commands, project list requests. Authenticated with your OAuth token over HTTPS.
• Auth proxy (auth.knuckletime.com) — handles the OAuth token exchange securely so the client secret never exists on your device. This server only processes authentication requests and does not store your data.

That's it. No analytics. No crash reporting services. No advertising SDKs. No third-party trackers of any kind.

What I Don't Do

• I don't track your location. iOS monitors geofence boundaries — Knuckle just gets a yes/no signal.
• I don't store your location history anywhere.
• I don't collect analytics or usage data.
• I don't use advertising identifiers or tracking frameworks.
• I don't sell, share, or transfer your data to anyone.
• I don't have a database of users. I literally don't know who uses this app.

Third-Party Services

Knuckle connects to Harvest (getharvest.com) using their official API. When you use Knuckle, you're also subject to Harvest's privacy policy. Knuckle does not integrate with any other third-party services.

Children's Privacy

Knuckle is designed for professionals who use Harvest for time tracking. It is not directed at children under 13, and I do not knowingly collect data from children.

Data Retention

All app data lives on your device. Uninstall the app and it's gone. To disconnect your Harvest account, use the sign-out option in the app's settings — this clears all stored tokens and account data from your device.

Changes to This Policy

If this policy changes, I'll update this page with a new effective date. For anything significant, I'll note the changes in the app's update notes.

Contact

Questions about this policy or about your data? Email me at paul@knuckletime.com.