Privacy Policy

Last updated: April 2026

1. Data Controller

Sebastian Vates
Spitzauer Wiese 19
83416 Saaldorf-Surheim, Germany
Email: [email protected]

A data protection officer has not been appointed as the legal requirements for such an appointment are not met.

2. Overview

Family Calendar is designed with data minimization in mind. We only collect data that is strictly necessary for the app to function. There is no tracking, no advertising, and no sharing of data with third parties for marketing or analytics purposes.

3. What Data We Process

3.1 Calendar Data

The content you create in Family Calendar (events, persons, birthdays, general entries such as public holidays, school holidays, or waste collection dates) is stored on our servers and synchronized across your devices. We also store calendar settings (e.g., state/region for public holidays, default view, time format). Event titles are used for suggestions and search functionality.

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Until the calendar is deleted by the user

3.2 Device Data

When registering a device, we store:

• A self-chosen device name (e.g., "Mom's iPhone")
• The platform (iOS, macOS, or Web)
• A hashed authentication token
• Timestamp of last use

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Until the device is removed from the calendar or the calendar is deleted. Removed devices are deleted immediately.

When joining a calendar, a temporary join request is created (device name, platform, status). It automatically expires after 10 minutes.

3.3 Payment Data (Subscription)

Payment processing is handled by Polar (Polar SH Inc.). Polar acts as an independent data controller for payment processing. We store:

• Polar customer ID
• Email address (collected by Polar during the payment process)
• Subscription status and period

Note: No email address is required to create a calendar. However, an email address is required by Polar when purchasing a subscription.

We do not have access to your credit card or bank details. These are processed exclusively by Polar. See Polar's privacy policy at polar.sh/legal/privacy.

• Legal basis: Performance of contract (Art. 6(1)(b) GDPR)
• Retention: Subscription data is retained for the duration of the contractual relationship and beyond in accordance with statutory retention obligations (up to 10 years per § 147 AO, § 257 HGB).

3.5 Server Logs and Connection Data

We do not maintain any application logs containing IP addresses or user agents. Our backend only records:

• HTTP method (e.g., GET, POST)
• Requested API endpoint
• HTTP status code
• Response time

These logs contain no personal data and are written to standard output (stdout).

IP addresses are processed transiently in memory only for rate limiting and abuse protection, and are discarded after at most one hour without being persisted.

Our infrastructure providers (Cloudflare for the landing page, Fly.io for the app and backend) necessarily collect connection data (IP address, user agent) at the edge or load balancer for content delivery and security purposes. Retention and scope are governed by their respective privacy policies (see §4.1 and §4.2).

• Legal basis: Legitimate interest in the security and operation of the service (Art. 6(1)(f) GDPR)

3.6 Local Browser Storage

The web app stores the following data locally in your browser (localStorage):

• Authentication token (to maintain your login state)
• Calendar ID

This data does not leave your browser and is not transmitted to us. We do not use cookies.

4. Data Processors and Third Parties

We use the following service providers:

4.1 Fly.io (App and Backend Hosting)

Fly.io, Inc. operates the web app (app.family-calendar.de) and our backend in the Frankfurt, Germany region. Fly.io acts as a data processor pursuant to Art. 28 GDPR. A data processing agreement (DPA) is in place.

More information: fly.io/legal/privacy-policy

4.2 Cloudflare Pages (Landing Page Hosting)

The landing page (family-calendar.de) is served via Cloudflare Pages, a service of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare necessarily processes the IP address and user agent of visitors to deliver content, handle TLS encryption, and protect against attacks (DDoS, bots).

Cloudflare acts as a data processor pursuant to Art. 28 GDPR; a data processing addendum is in place. Cloudflare is also certified under the EU-US Data Privacy Framework.

Note: The landing page contains no forms, no logins, and does not process any calendar data. The app itself does not run through Cloudflare (see 4.1).

More information: cloudflare.com/privacypolicy · cloudflare-customer-dpa

4.3 Polar (Payment Processing)

Polar SH Inc. processes payments as an independent data controller. Polar processes email addresses, payment details, and transaction data under its own responsibility.

More information: polar.sh/legal/privacy

4.4 Public Holidays API

To display public holidays, our server retrieves data from feiertage-api.de. No personal user data is transmitted. Only the selected state/region and year are queried. Results are cached on our server.

5. No Tracking, Analytics, or Profiling

We do not use any analytics or tracking tools. No cookies are set, no user profiles are created, and no data is shared with advertising services. No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

6. Data Transfers to Third Countries

Calendar and device data is stored exclusively on servers in Germany (Frankfurt). Transfers to third countries (USA) occur in the following cases:

• Cloudflare: Delivery of the landing page (Cloudflare, Inc., USA) — affects IP address and user agent when visiting family-calendar.de
• Polar: Payment processing (Polar SH Inc., USA) — only when you subscribe

All transfers are safeguarded by appropriate guarantees (EU-US Data Privacy Framework or Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR).

7. Your Rights

You have the right to:

• Access the data we store about you (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing based on legitimate interests (Art. 21 GDPR)

To exercise your rights, contact us at: [email protected]. We will respond to your request within one month.

8. Data Deletion

To delete your entire calendar including all associated data (events, persons, birthdays, devices, subscription data), contact us at [email protected]. Deletion is irreversible and complete. Statutory retention obligations (e.g., for payment data) remain unaffected.

9. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de

10. Changes

We reserve the right to update this privacy policy as needed, e.g., due to changes in the app or legal requirements. The current version is always available on this page.