Privacy Policy
Last updated: TODO(thomas): date
This policy explains how CronLoom processes personal data. TODO(thomas): final text must be reviewed by a lawyer. The authoritative German version is the Datenschutzerklärung.
1. Controller
TODO(thomas): name, address, email — see Impressum.
2. Data & legal bases
- Account data, time entries, clients, projects, rates — to perform the contract (Art. 6(1)(b)).
- Social login (Google/GitHub) — Art. 6(1)(b); each is an independent controller.
- Transactional email (Resend) — Art. 6(1)(b).
- Product analytics (PostHog, EU/Frankfurt) — cookieless or consent-based. TODO(thomas): confirm basis with lawyer.
- Payment data — handled by the Merchant of Record (Lemon Squeezy/Paddle) as its own controller.
3. Processors / recipients
- Hetzner (hosting, EU/Germany) — DPA in place.
- Resend (email, US) — EU Standard Contractual Clauses.
- PostHog (analytics) — EU Cloud (Frankfurt) / self-hosted.
- Merchant of Record — independent controller for payments.
TODO(thomas): maintain and link a current sub-processor list.
4. Your rights
Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. You can export and delete your data yourself under Settings → Privacy & data.
5. Cookies & tracking
A strictly necessary session cookie is used for login (no consent required). Analytics, where active, run cookieless or with consent. TODO(thomas): confirm with lawyer (§ 25 TDDDG).
This page is a scaffold. Final legal text must be reviewed by a lawyer before launch (see TODO(thomas) markers).