Privacy Policy

Effective Date: May 23, 2026 Last Updated: May 23, 2026

This Privacy Policy describes how Tricon Infotech LLC ("Tricon," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the MTT timesheet management platform (the "Service"), available at https://www.getmtt.com and at tenant-specific subdomains.

This Policy is incorporated by reference into the MTT Terms of Service. Terms not defined here have the meaning given in the Terms of Service.

If you have questions about this Policy or about our handling of your information, please contact us at privacy@getmtt.com.

---

1. Scope of this Policy

This Policy applies to personal information that we collect:

  • When a Customer or its users access or use the Service
  • When prospective customers visit our website at https://www.getmtt.com
  • When individuals communicate with us by email or other means

This Policy does not apply to:

  • Information you provide to or that is collected by third-party services you choose to use, even if you reach them through links from the Service
  • Information you share with other users within your Tenant (which is governed by your relationship with your employer or Customer, not by us)

If you are an employee, contractor, or consultant of a Customer using the Service, your employer or contracting entity (not Tricon) is generally the controller of your personal information under applicable privacy laws. We process your information on their behalf as a service provider or processor. Please direct privacy requests about your personal information to your Customer in the first instance; we will assist your Customer in responding.

---

2. Information We Collect

We collect the following categories of personal information:

2.1 Account and Profile Information

When a user registers for or is added to the Service, we collect:

  • Full name (first and last)
  • Work email address
  • Password (stored in cryptographically hashed form only — we never store passwords in plaintext)
  • Role (administrator, approver, consultant)
  • Tenant affiliation (which company's workspace the user belongs to)
  • Phone number (optional or required by export format)
  • Legal name (for signature on attestations)
  • Signature (typed name in script font, or uploaded image, at the user's choice)
  • Work state (used for overtime calculation)
  • Worker classification (e.g., exempt or non-exempt, used for overtime calculation)

2.2 Timesheet and Work Data

When users use the Service to record and submit timesheets, we collect:

  • Daily hours worked (regular, overtime, sick, paid time off)
  • Day-type classifications (worked, off, PTO, sick, federal holiday)
  • Notes or comments associated with timesheet entries
  • Client assignments, project assignments, and start/end dates
  • Approval history (who approved or attested, and when)
  • Attestation timestamps and the IP address from which an attestation was submitted
  • Generated export documents (e.g., PDFs, Excel files)

2.3 Tenant and Customer Configuration Data

For each Tenant (Customer organization), we collect:

  • Company name and chosen subdomain
  • Notification email and CC list
  • Logo (if uploaded)
  • Client and project configurations
  • Export format preferences
  • Trial and subscription status

2.4 Technical and Usage Information

When users interact with the Service, our infrastructure automatically collects:

  • IP address
  • Browser type and version
  • Operating system
  • Device type (e.g., mobile, desktop)
  • Time, date, and duration of access
  • Pages and features used
  • Error logs and diagnostic information
  • Referring URLs

2.5 Communications

When users contact us by email or other means, we collect the content of those communications and any attached information.

2.6 Payment Information

For Customers on paid plans, our payment processor collects billing contact information, payment method details, and transaction history. Tricon does not store full payment card numbers; this information is held by our payment processor under their security standards.

---

3. How We Use Information

We use personal information for the following purposes:

3.1 Providing and Operating the Service

  • Authenticating users and managing access
  • Storing, processing, and exporting timesheet and work data
  • Generating PDFs, Excel exports, and other documents
  • Sending operational notifications (timesheet submissions, approvals, reminders)
  • Maintaining and improving the security, reliability, and performance of the Service

3.2 Customer Support

  • Responding to inquiries, troubleshooting issues, and assisting with account management

3.3 Billing and Payment Processing

  • Calculating monthly active-consultant counts and issuing invoices
  • Processing payments

3.4 Communications

  • Sending transactional emails (verification, password reset, timesheet notifications)
  • Sending Service-related announcements (e.g., upcoming maintenance, material policy changes)

We do not send marketing emails from within the Service application itself except as opted into. Communications about new features or general MTT news, if any, will only be sent with the recipient's consent or as permitted under applicable law.

3.5 Compliance and Legal Obligations

  • Complying with legal obligations, including tax, accounting, and labor-data retention obligations of our Customers
  • Responding to lawful requests from law enforcement or government authorities
  • Enforcing our Terms of Service and protecting our and others' legal rights

3.6 Aggregated and De-Identified Data

We may create aggregated, anonymized, or de-identified data from personal information (data that cannot reasonably be linked back to an individual) and use it for any lawful purpose, including improving the Service.

3.7 What We Do NOT Use Information For

  • AI / ML training: Tricon does not use Customer Data (including timesheet data, consultant records, or any other content submitted to the Service) to train artificial intelligence or machine learning models.
  • Selling personal information: Tricon does not sell personal information to third parties.
  • Cross-context behavioral advertising: Tricon does not share personal information with advertisers or use it for behavioral advertising.

---

4. How We Share Information

We do not sell personal information. We share information only as described below.

4.1 With Your Tenant

Information you enter or generate in the Service is shared with other authorized users of the same Tenant according to their roles. For example, a tenant administrator can see all consultants' timesheets within the Tenant; an approver can see timesheets assigned to them for review.

4.2 With Service Providers (Sub-Processors)

We engage trusted third-party service providers to help us operate the Service. These sub-processors process personal information on our behalf and are contractually obligated to protect it. As of the effective date, our sub-processors include:

| Sub-Processor | Purpose | Location | |---|---|---| | Render Services, Inc. | Cloud hosting (application servers and PostgreSQL database) | United States | | Resend, Inc. | Transactional email delivery | United States | | Google LLC (Google Workspace) | Internal email and document collaboration | United States | | Anthropic, PBC | AI-assisted internal engineering tools (does not access Customer Data) | United States |

The current list of sub-processors is available on request and may be updated from time to time. We will notify Customers of material changes to sub-processors with at least thirty (30) days' notice where reasonably practicable.

4.3 With Authorities and in Legal Matters

We may disclose personal information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or governmental request
  • Enforce our Terms of Service, including investigation of potential violations
  • Detect, prevent, or otherwise address fraud, security, or technical issues
  • Protect the rights, property, or safety of Tricon, our users, or the public

4.4 In Connection with a Business Transfer

If Tricon is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, personal information may be transferred as part of that transaction. We will notify affected Customers of any such transfer and any material changes to the handling of personal information.

4.5 With Your Consent

We may share personal information with third parties when you direct us to do so or otherwise consent.

---

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption in transit: All connections to the Service use TLS encryption.
  • Encryption at rest: Database storage and backups are encrypted at rest.
  • Per-tenant data isolation: Customer Data is logically scoped by Tenant identifier; the Service is designed to prevent cross-tenant data access.
  • Access controls: Internal access to Customer Data is limited to personnel who need it to operate the Service and is subject to authentication and audit logging.
  • Password protection: User passwords are stored only as cryptographic hashes; we cannot retrieve a forgotten password (only reset it).
  • Audit trail: Submission, approval, and attestation events are logged with timestamps and (for attestations) IP address to support audit and dispute resolution.

No security system is impenetrable, and we cannot guarantee absolute security. You are responsible for safeguarding your own credentials and for promptly notifying us of any suspected unauthorized access.

---

6. Data Retention

6.1 Active Customers

We retain Customer Data for as long as the Tenant maintains an active account.

6.2 After Termination

Following termination of a Tenant's account:

  • We retain Customer Data for thirty (30) days to allow you to export your data.
  • After this 30-day period, we may delete Customer Data from our active systems.
  • We may retain certain information for longer periods if required by applicable law (such as tax, accounting, or labor-data retention regulations) or in aggregated/de-identified form.
  • Backups may persist for a limited period beyond active-system deletion in accordance with our backup retention practices, after which they are overwritten or deleted.

6.3 Operational Logs and Diagnostics

Technical logs (such as access logs and error logs) are typically retained for ninety (90) days for operational and security purposes and are then deleted or anonymized.

6.4 Communications

Email communications with our support team may be retained indefinitely for service quality and dispute resolution, unless the user requests deletion.

---

7. Your Privacy Rights

The rights available to you depend on the jurisdiction in which you reside. We honor applicable rights as set forth below.

7.1 Universal Rights (Available to All Users)

Regardless of jurisdiction, you may:

  • Access your account information by logging in to the Service
  • Update your account information through your profile settings
  • Export your timesheet data using the Service's export features
  • Delete your account by contacting your Tenant Administrator (for users within a Tenant) or by contacting us at privacy@getmtt.com (for Tenant Administrators or solo Customers)

7.2 California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we have collected about you and how we have used and disclosed it (see Sections 2, 3, and 4 of this Policy)
  • Access the specific pieces of personal information we have collected about you
  • Delete personal information we have collected about you, subject to certain exceptions (such as information needed to complete a transaction, comply with a legal obligation, or detect security incidents)
  • Correct inaccurate personal information we maintain about you
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising — note that we do not sell or share personal information for these purposes
  • Limit the use and disclosure of "sensitive personal information" — note that we do not use sensitive personal information for purposes that would trigger this right
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@getmtt.com. We will verify your identity before responding to a request. We will respond within forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary, with notice to you.

You may authorize an agent to make a request on your behalf. We will require verification of the agent's authorization.

7.3 Other U.S. State Privacy Rights

Residents of certain other U.S. states may have similar rights under their state's privacy laws. As of the effective date of this Policy, these states include (but are not limited to) Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware. Rights generally include the right to access, correct, delete, and obtain a portable copy of personal information, and to opt out of certain processing activities.

To exercise these rights, please contact us at privacy@getmtt.com. We will verify your identity and respond within the timeframes required by your state's law.

7.4 International Users

The Service is operated from the United States, and personal information is processed and stored in the United States. If you access the Service from outside the United States, your personal information may be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

The Service is not specifically targeted at users in the European Economic Area, United Kingdom, or other jurisdictions outside the United States. If you are a user in such a jurisdiction, please contact us at privacy@getmtt.com to discuss the applicability of local data protection laws to our processing of your information.

---

8. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without verifiable parental consent, we will delete that information. If you believe a child under 16 has provided personal information to us, please contact us at privacy@getmtt.com.

---

9. Cookies and Similar Technologies

9.1 What We Use

We use cookies and similar technologies (such as web beacons and local storage) to:

  • Keep users logged in across pages of the Service
  • Remember user preferences and settings
  • Understand how the Service is being used (analytics)
  • Maintain security and prevent fraud

9.2 Types of Cookies

  • Strictly necessary cookies: Required for the Service to function (e.g., session cookies for authentication). These cannot be disabled.
  • Functional cookies: Used to remember preferences and settings.
  • Analytics cookies: Used to understand aggregated usage of the Service. We may use first-party analytics or limited third-party analytics that do not engage in cross-site tracking.

9.3 Your Choices

Most browsers allow you to manage cookies through browser settings. You may also use browser-level "Do Not Track" signals or Global Privacy Control (GPC) signals; where applicable law requires us to honor these signals as opt-out requests, we will do so.

Note that disabling strictly necessary cookies will prevent the Service from functioning.

---

10. Third-Party Links

The Service or our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services before providing them with personal information.

---

11. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify Customers by email (to the Tenant Administrator's address) and/or by posting a notice within the Service at least thirty (30) days before the changes take effect. The "Last Updated" date at the top of this Policy reflects the date of the most recent revision.

Non-material changes (such as clarifications or typo corrections) may be made without advance notice.

Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the revised Policy.

---

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information:

Tricon Infotech LLC Privacy inquiries: privacy@getmtt.com General support: support@getmtt.com Legal inquiries: legal@getmtt.com Website: https://www.getmtt.com

For California residents, you may also designate an authorized agent to make privacy requests on your behalf by following the instructions in our response to your request.

---

13. Data Controller / Operator

Tricon Infotech LLC, a New Jersey limited liability company, is the operator of the Service.

For personal information of Customer end users (consultants, approvers, and other Tenant users), the Customer is generally the controller (or business, in CCPA terms) of that information, and Tricon acts as a service provider or processor on behalf of the Customer. Privacy requests from end users about their information are best directed to their Customer in the first instance; Tricon will assist Customers in responding to such requests as required by applicable law.

---