OAuth Scope Justification

Purpose

Read-only access to the user's Google Calendar events to generate timesheet exports.

Why This Scope Is Needed

FillTheTimesheet pulls calendar events to auto-populate timesheet spreadsheets. Without this scope, the core functionality of the app — converting calendar events into timesheet rows — would not work. We request read-only access because we never need to create, modify, or delete events.

Data Accessed

• Event titles (summary)
• Start and end date/time
• Event descriptions
• Organizer name and email
• Attendee names and emails
• Event location
• All-day event status
• Event recurrence information

Does NOT Access

• Calendar settings or preferences
• Other users' calendars (only the authenticated user's calendars)
• We never create, modify, or delete any events

Data Retention

Calendar data is processed in the user's browser by default. Data exists in browser memory only during the active session. If you enable automated email reports, encrypted tokens are stored server-side to fetch events on your behalf. If you use AI features, event metadata is sent to Google Gemini for real-time processing (not stored).

Purpose

Read-only access to Microsoft 365 / Outlook calendar events for timesheet generation.

Why This Scope Is Needed

Same as Google Calendar — we pull calendar events to generate timesheet rows. Read-only access is sufficient; we never create or modify events.

Data Accessed

• Event titles, start/end times, descriptions
• Organizer and attendee information
• Event location and recurrence

Does NOT Access

• Calendar settings, other users' calendars, or shared mailboxes
• We never create, modify, or delete events

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Retrieve the user's email and display name to show which Microsoft account is connected.

Why This Scope Is Needed

Displays the connected Microsoft account in the UI for user confirmation.

Data Accessed

• Email address
• Display name

Does NOT Access

• Directory data, organizational info, or other users' profiles
• Mail, files, or any other Microsoft 365 data

Data Retention

Stored locally in the browser. Cleared on disconnect.

Purpose

Read-only access to past and upcoming Zoom meetings to include meeting time in timesheets.

Why This Scope Is Needed

Zoom meetings are a significant part of many workers' schedules. We pull meeting data to include meeting time in timesheet exports alongside calendar events.

Data Accessed

• Meeting titles, start/end times, duration
• Meeting type and status
• User email address

Does NOT Access

• Meeting recordings, chat messages, or transcripts
• We never create, modify, or delete meetings
• Other participants' personal information

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Read-only access to Jira issues and worklogs to include task time in timesheets.

Why This Scope Is Needed

Many users track work in Jira. We pull issues with worklogs to auto-populate timesheet rows with task names and time spent. offline_access allows token refresh without requiring the user to re-authenticate every hour.

Data Accessed

• Issue titles, descriptions, and status
• Worklog entries (time spent)
• User display name and email

Does NOT Access

• Jira admin settings, permissions, or project configurations
• We never create, modify, or delete issues or worklogs
• Attachments or comments content

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Read-only access to ClickUp tasks and time entries for timesheet generation.

Why This Scope Is Needed

ClickUp users can include their tracked tasks and time entries in exported timesheets.

Data Accessed

• Task names, descriptions, and status
• Time tracking entries
• Workspace and space names

Does NOT Access

• We never create, modify, or delete tasks or time entries
• Workspace settings, members, or billing information

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Read-only access to Asana tasks, projects, and time tracking for timesheet generation.

Why This Scope Is Needed

Asana users can include their tasks and tracked time in exported timesheets.

Data Accessed

• Task names and descriptions
• Project names
• Time tracking entries
• Workspace information

Does NOT Access

• We never create, modify, or delete tasks, projects, or time entries
• Workspace admin settings, billing, or member management

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Read-only access to Monday.com boards and items for timesheet generation.

Why This Scope Is Needed

Monday.com users can include their board items and time data in exported timesheets.

Data Accessed

• Board and item names
• Column values (status, dates, time tracking)
• User information

Does NOT Access

• We never create, modify, or delete boards or items
• Account settings, billing, or admin configurations

Data Retention

Processed client-side by default. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.

Purpose

Access to Toggl Track time entries for timesheet generation.

Why This Scope Is Needed

Toggl Track is a popular time tracking tool. We pull time entries to include tracked work in exported timesheets.

Data Accessed

• Time entry descriptions and durations
• Project and workspace names
• Start/end timestamps

Does NOT Access

• We never create, modify, or delete time entries
• Billing, invoicing, or team management data
• Other team members' time entries

Data Retention

Processed client-side by default. The API token is stored encrypted in the user's browser. If you enable automated email reports, encrypted tokens are stored server-side to fetch data on your behalf.