Privacy Policy

Last updated: March 2026

1. Data Controller

Sebastian Vates
Spitzauer Wiese 19
83416 Saaldorf-Surheim, Germany
Email: hey@family-calendar.de

A data protection officer has not been appointed as the legal requirements for such an appointment are not met.

2. Overview

Family Calendar is designed with data minimization in mind. We only collect data that is strictly necessary for the app to function. There is no tracking, no advertising, and no sharing of data with third parties for marketing or analytics purposes.

3. What Data We Process

3.1 Calendar Data

The content you create in Family Calendar (events, persons, birthdays, general entries such as public holidays, school holidays, or waste collection dates) is stored on our servers and synchronized across your devices. We also store calendar settings (e.g., state/region for public holidays, default view, time format). Event titles are used for suggestions and search functionality.

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Until the calendar is deleted by the user

3.2 Device Data

When registering a device, we store:

• A self-chosen device name (e.g., "Mom's iPhone")
• The platform (iOS, macOS, or Web)
• A hashed authentication token
• Timestamp of last use

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Until the device is removed from the calendar or the calendar is deleted. Removed devices are fully deleted within 30 days.

When joining a calendar, a temporary join request is created (device name, platform, status). It automatically expires after 10 minutes.

3.3 Push Notifications

If you enable push notifications, we store a push token for your device. This token is used exclusively for sending notifications.

For push notifications, messages are delivered via the push service of your browser (e.g., Google FCM for Chrome, Mozilla Push Service for Firefox) or via the Apple Push Notification Service (APNs) for iOS and macOS. Your IP address is transmitted to the respective service provider in this process.

• Legal basis: Consent (Art. 6(1)(a) GDPR)
• Revocation: You can disable push notifications at any time in your device settings. The push token is then deleted.

3.4 Payment Data (Subscription)

Payment processing is handled by Polar (Polar SH Inc.). Polar acts as an independent data controller for payment processing. We store:

• Polar customer ID
• Email address (collected by Polar during the payment process)
• Subscription status and period

Note: No email address is required to create a calendar. However, an email address is required by Polar when purchasing a subscription.

We do not have access to your credit card or bank details. These are processed exclusively by Polar. See Polar's privacy policy at polar.sh/legal/privacy.

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Subscription data is retained for the duration of the contractual relationship and beyond in accordance with statutory retention obligations (up to 10 years per § 147 AO, § 257 HGB).

3.5 Server Log Data

Each time our servers are accessed, the following data is automatically collected:

• IP address
• Date and time of access
• Requested URL / API endpoint
• HTTP status code
• User agent (browser/app identifier)

This data is technically necessary to provide the service and detect abuse. It is not combined with other data sources.

• Legal basis: Legitimate interest in the security and operation of the service (Art. 6(1)(f) GDPR)
• Retention: Server logs are automatically deleted after 14 days.

3.6 Local Browser Storage

The web app stores the following data locally in your browser (localStorage):

• Authentication token (to maintain your login state)
• Calendar ID
• Offline data in IndexedDB (a local copy of your calendar data)

This data does not leave your browser and is not transmitted to us. We do not use cookies.

4. Data Processors and Third Parties

We use the following service providers:

4.1 Fly.io (Hosting)

Fly.io, Inc. operates our servers in the Frankfurt, Germany region. Fly.io acts as a data processor pursuant to Art. 28 GDPR. A data processing agreement (DPA) is in place.

More information: fly.io/legal/privacy-policy

4.2 Polar (Payment Processing)

Polar SH Inc. processes payments as an independent data controller. Polar processes email addresses, payment details, and transaction data under its own responsibility.

More information: polar.sh/legal/privacy

4.3 Push Services

For the delivery of push notifications, we use the following platform-specific services:

• Google Firebase Cloud Messaging (FCM) for Chrome-based browsers (Google LLC, USA)
• Mozilla Push Service for Firefox (Mozilla Corporation, USA)
• Apple Push Notification Service (APNs) for iOS and macOS (Apple Inc., USA)

The IP address of the receiving device is transmitted to the respective service. Message contents are transmitted with end-to-end encryption.

4.4 Public Holidays API

To display public holidays, our server retrieves data from feiertage-api.de. No personal user data is transmitted. Only the selected state/region and year are queried. Results are cached on our server.

5. No Tracking, Analytics, or Profiling

We do not use any analytics or tracking tools. No cookies are set, no user profiles are created, and no data is shared with advertising services. No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

6. Data Transfers to Third Countries

Calendar and device data is stored exclusively on servers in Germany (Frankfurt). Transfers to third countries (USA) occur in the following cases:

• Polar: Payment processing (Polar SH Inc., USA) — only when you subscribe
• Push services: Google FCM, Mozilla Push Service, or Apple APNs (USA) — only when you enable push notifications

All transfers are safeguarded by appropriate guarantees (EU-US Data Privacy Framework or Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR).

7. Your Rights

You have the right to:

• Access the data we store about you (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing based on legitimate interests (Art. 21 GDPR)

To exercise your rights, contact us at: hey@family-calendar.de. We will respond to your request within one month.

8. Data Deletion

You can delete your entire calendar including all associated data (events, persons, birthdays, devices, subscription data) at any time through the app. Deletion is irreversible and complete. Statutory retention obligations (e.g., for payment data) remain unaffected.

9. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de

10. Changes

We reserve the right to update this privacy policy as needed, e.g., due to changes in the app or legal requirements. The current version is always available on this page.