TrackMate – Jira Time Tracker privacy policy
TrackMate – Jira Time Tracker, developed by: Mustafa Önder
TrackMate Time Tracker — Privacy Policy
This policy explains what data the TrackMate Time Tracker Chrome extension processes, why, where it is stored, and how it is protected.
Last updated: 09.06.2026
Version: 1.1.2
Contact: mustafa@onderyazilim.com
The short version. TrackMate runs entirely in your browser. It does not have its own server. It does not collect or sell your data. It does not store API tokens or passwords. All time tracking happens locally and is written directly to your own Jira instance using your existing browser session.
1) Single Purpose
The sole purpose of TrackMate Time Tracker is to track time spent on Jira issues and save that time as a Jira worklog. All additional features (weekly calendar view, daily reports, work-day configuration, public-holiday display, daily summary notification) exist to support this single purpose.
2) Data We Process
User-provided data: Worklog comments (optional), JQL preset queries you save, calendar settings (work days, daily goal, autosave interval, max-timer limit, country for public holidays), export column choices, language preference.
Jira issue context: Issue key, issue summary, parent issue summary, status, issue type, project name, transitions — fetched live from Jira's REST API as needed. Only your own user's worklogs are retrieved (filtered by worklogAuthor = currentUser()).
Timer state: Issue key, domain, running/paused flag, start timestamp, accumulated seconds, optional comment, optional live-worklog ID, session-only device ID (UUID) used to prevent double auto-save across devices.
Account identifier: Your Atlassian accountId and display name, retrieved from /rest/api/3/myself. Used only to scope worklog queries to you and to read/write your own Jira user properties. Cached in memory for up to 5 minutes.
Avatar URL: Returned by Jira; rendered only if its hostname matches *.atlassian.net, *.atlassian.com or *.gravatar.com.
Local diagnostics: Up to 500 log entries (timer events, sync results, errors). Because they are sensitive, Bearer-style tokens, Atlassian PATs (ATATT…) and e-mail addresses are automatically redacted before being written. HTTP request/response bodies are not logged unless you explicitly enable Verbose mode in an unpacked-developer build.
What we do not collect: No passwords, no API tokens, no OAuth tokens, no analytics events, no telemetry, no tracking pixels, no third-party cookies, no advertising identifiers, no browsing history.
3) How We Use Data
To start, pause, finish, and track time on a per-issue basis.
To create or update Jira worklogs through your existing browser session.
To list your worklogs for a chosen date or date range, on your request.
To generate weekly calendar views and CSV / JSON / HTML reports — entirely client-side.
To synchronise your own TrackMate preferences across your devices via Jira User Properties (described below).
To show a daily summary notification at 17:00 (if your browser permits notifications).
To diagnose extension issues by writing local log entries (capped at 500).
Data is not used for advertising, profiling, machine-learning training, or any analytics beyond the stated purpose.
4) Where Your Data Lives
TrackMate stores data in three places, all controlled by you:
| Location | What is stored | Notes |
| --- | --- | --- |
| chrome.storage.local | Timer state, settings, JQL presets, status configuration, work-day choices, daily goal, language, local logs. | Stored on this device only. Cleared when the extension is uninstalled. Not synced via Google account. |
| chrome.storage.session | Short-lived cache: Jira status list, issue type list, current-report payload. | Automatically cleared when the browser closes. |
| Jira User Property (cloud) | Two properties on your own Jira account: trackmate_settings (your preferences) and trackmate_timer (the latest timer state for cross-device continuity). | Lives inside your Atlassian account, governed by your organisation's Atlassian retention. Deletable in-app via "Delete Jira Configuration". |
Migration note: earlier versions used chrome.storage.sync (Google account sync). Since v1.1.1 this has been removed entirely so project-related data does not transit through Google's sync infrastructure. The broad tabs permission was additionally dropped in v1.1.2.
5) Data Sharing
This extension shares data only with the parties strictly required to perform its function:
Atlassian (your Jira instance): All worklog reads / writes, status transitions, and user-property reads / writes go to https://.atlassian.net using your existing browser session cookie.
Public Holidays (bundled): Holiday data is loaded from a bundled data/holidays.json file shipped with the extension — no external network request is made. The toggle is off by default. Data covers 230+ countries and is updated at build time using publicly available sources.
Chrome / Google: Only via Chrome Extension APIs (storage, alarms, notifications, i18n) running on your device. Google does not receive TrackMate-specific data.
No data is sold, transferred to data brokers, used for personalised advertising, or used for credit assessment. There is no TrackMate server. Note: The broad tabs permission was removed in v1.1.2 — TrackMate now relies only on the narrower host_permissions for .atlassian.net, so the extension can no longer see the URLs or titles of non-Jira tabs.
6) Permissions & Justifications
storage alarms notifications Host permissions
7) Authentication
TrackMate does not implement OAuth, password storage, or API-token storage.
All Jira API calls run inside a content script on a tab where you are already signed in to Jira, and they use that tab's session cookie via standard fetch(..., { credentials: 'include' }).
When you sign out of Jira in the browser, the extension immediately loses access until you sign back in.
8) Data Retention
Local storage entries persist on your device until you uninstall the extension, clear extension data via chrome://extensions, or use the in-app "Delete Jira Configuration" / clear-logs actions.
Local logs are capped at 500 entries; older entries are automatically discarded.
The chrome.storage.session cache is cleared when the browser closes.
Jira-side worklog data and user properties are retained according to Atlassian's policies and your organisation's configuration. TrackMate does not control retention on the Jira side.
9) Remote Code Policy
The extension does not load or execute remote code (no remote JavaScript, no remote WebAssembly, no remote stylesheets injected as code). All executable code is packaged inside the extension and is reviewed by the Chrome Web Store. The Content Security Policy is restricted to script-src 'self', object-src 'none', and connect-src limited to the two host patterns listed above.
10) Security Measures
Input validation: Issue keys, Jira domains, worklog IDs, JQL queries, and imported settings files are all checked against strict regex / schema validators before any API call.
Prototype-pollution defence: Settings imported from JSON files are filtered through a key-whitelist into a null-prototype object; dangerous keys (__proto__, constructor, prototype) are rejected outright.
JQL injection defence: Length-limited and blacklist-checked before any search call.
API allow-list: Only paths starting with /rest/api/2/ or /rest/api/3/ are allowed to reach Jira.
Log sanitisation: Bearer tokens, Atlassian PATs (ATATT…), and e-mail addresses are stripped from log entries before they are written. Request and response bodies are not logged in published builds. Before exporting logs, you are warned about content-sensitivity.
Origin checks: The content script accepts messages only from this extension; the background service worker accepts messages only from the same extension ID.
Avatar URL whitelist: Only HTTPS avatar URLs on *.atlassian.net, *.atlassian.com, or *.gravatar.com are rendered.
Independent audit: A full static-analysis security audit was performed; the report is available alongside the source code as docs/SECURITY_AUDIT_REPORT.md.
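The prototype-pollution defence listed above, sketched as an added example (this is not TrackMate's own code). The function name, the allowed-key list and both sample files are assumptions constructed for illustration.

```javascript
// Added example: import filter for a settings JSON file.
// ALLOWED_KEYS is a hypothetical list based on settings this policy mentions.
const ALLOWED_KEYS = new Set(['workDays', 'dailyGoal', 'autosaveInterval', 'language']);
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPrimitive = (v) =>
  v === null || ['string', 'number', 'boolean'].includes(typeof v);

function sanitizeImportedSettings(jsonText) {
  const parsed = JSON.parse(jsonText);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('settings file must contain a JSON object');
  }
  // Null-prototype target: no inherited keys, no __proto__ setter to trigger.
  const clean = Object.create(null);
  // JSON.parse stores "__proto__" as an own property, so Object.keys sees it
  // and it can be rejected before any assignment happens.
  for (const key of Object.keys(parsed)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected dangerous key: ${key}`);
    }
    if (!ALLOWED_KEYS.has(key)) continue; // unknown keys are silently dropped
    const value = parsed[key];
    // Only flat values are copied, so a nested object cannot smuggle keys in.
    const flat = isPrimitive(value) ||
      (Array.isArray(value) && value.every(isPrimitive));
    if (!flat) {
      throw new TypeError(`unexpected nested value for key: ${key}`);
    }
    clean[key] = Array.isArray(value) ? [...value] : value;
  }
  return Object.freeze(clean);
}

// Constructed sample files (not real exports).
const SAMPLE_OK =
  '{"workDays":[1,2,3,4,5],"dailyGoal":8,"language":"en","theme":"dark"}';
const SAMPLE_BAD = '{"dailyGoal":8,"__proto__":{"isAdmin":true}}';

// Returns the error message for a rejected file, or null if it was accepted.
function importError(jsonText) {
  try { sanitizeImportedSettings(jsonText); return null; }
  catch (e) { return e.message; }
}
```

A naive merge such as a recursive `Object.assign`-style copy of `SAMPLE_BAD` is the case this filter exists to stop; here the file is rejected as a whole rather than partially applied.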
11) User Rights & Choices
You may at any time:
Uninstall the extension; this removes chrome.storage.local data.
Use the in-app Delete Jira Configuration button to wipe the Jira user-property side.
Clear the local diagnostic log from the Logs page.
Disable the "Public Holidays" toggle to hide holiday highlights (all data is bundled locally — no external request).
Revoke browser-level notification permission at any time.
For questions or concerns, contact: mustafa@onderyazilim.com.
12) Policy Changes
This policy may be updated as the extension evolves. The current version is shown above as "Last updated" and "Version".
13) Chrome Web Store User Data Policy
TrackMate Time Tracker complies with the Chrome Web Store Limited Use of User Data requirements. All data processed by the extension is used exclusively to fulfil the single purpose stated in section 1, is handled within the user's own browser, and is never transferred to any third party other than the Atlassian instance the user is signed in to. The extension is offered on the Chrome Web Store at this page.
This document is provided for informational purposes and does not constitute legal advice. Where local regulations apply (e.g. GDPR, KVKK), consult a qualified legal professional.