Privacy Policy

Last updated: December 29, 2024

Effective date: December 29, 2024

This Privacy Policy explains how ZeitSol ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Zeitarc mobile application ("App") and related services. This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

Zeitarc helps families create digital timelines to preserve memories of their children and pets. We understand the sensitive nature of this data and are committed to protecting your privacy and your family's personal information.

Important: By using Zeitarc, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.

1. Data Controller

The data controller responsible for your personal data is:

ZeitSol

Email: privacy@zeitarc.com

Website: zeitsol.com

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

When you create an account, we collect:

  • Email address - Required for account creation and communication
  • Username - Chosen by you for identification within the App
  • Profile photograph - Optional, uploaded by you
  • Password - Stored only in hashed form (see Section 8.1); we cannot read your password
  • Authentication tokens - Technical tokens for secure session management

2.2 Timeline Content Data

Content you voluntarily add to your timelines:

  • Photographs and media files - Images and videos you upload
  • Timeline entries - Text descriptions, dates, titles, and notes
  • Milestone data - Birth information, growth measurements, vaccination records
  • Names and biographical information - Names of children, pets, and family members

2.3 Technical Data

Automatically collected when you use the App:

  • Device information - Device type, operating system, and version
  • App version - Version of Zeitarc installed
  • IP address - Collected for security and fraud prevention
  • Crash reports - Technical data when the App encounters errors
  • Usage data - Features used, timestamps, and interaction patterns

2.4 Data from Third Parties

If you choose to sign in with Google:

  • Google account email - Your primary Google email address
  • Google profile name - Your display name from Google
  • Google profile picture - If available and permissions granted

We only receive data you authorize Google to share. We do not access your Google contacts, calendars, or other Google services.

3. Purposes and Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Purpose | Data Used | Legal Basis (GDPR Art. 6)
Account creation and authentication | Email, username, password, authentication tokens | Contract performance (Art. 6(1)(b)) - necessary to provide our service
Providing the timeline service | All timeline content, photos, milestone data | Contract performance (Art. 6(1)(b)) - core functionality you requested
Service notifications | Email address | Contract performance (Art. 6(1)(b)) - essential service communications
Customer support | Email, account data, relevant timeline data | Contract performance (Art. 6(1)(b)) - responding to your requests
Security and fraud prevention | IP address, device info, usage patterns | Legitimate interests (Art. 6(1)(f)) - protecting our service and users
App improvement and bug fixes | Crash reports, usage data (anonymized) | Legitimate interests (Art. 6(1)(f)) - improving service quality
Legal compliance | Account data, transaction records | Legal obligation (Art. 6(1)(c)) - complying with applicable laws

3.1 Legitimate Interests Assessment

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights:

  • Security: Our interest in preventing fraud and unauthorized access is balanced against the minimal privacy impact of technical data collection
  • Improvement: Our interest in fixing bugs and improving the App uses anonymized/aggregated data where possible

You have the right to object to processing based on legitimate interests. See Section 7 for how to exercise this right.

4. Special Categories of Data

Zeitarc may process data that could be considered special category data under GDPR Article 9:

4.1 Health-Related Data

If you choose to record vaccination records, growth measurements, or health milestones, this may constitute health data. We process this data based on:

  • Explicit consent (Art. 9(2)(a)) - You actively choose to enter this data
  • Data manifestly made public by you (Art. 9(2)(e)) - If you choose to share it

You are never required to enter health data. All health-related fields are optional.

4.2 Children's Biographical Data

While Zeitarc stores information about children (names, birth dates, photos), this data is provided and controlled by parents/guardians - the actual users of the App. Parents retain full control over what information is recorded.

4.3 Biometric Data

We do not process biometric data. Photographs are stored as regular image files and are not used for facial recognition or biometric identification.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category | Retention Period | Reason
Active account data | Duration of account + 30 days | Service provision; grace period for account recovery
Timeline content | Duration of account + 30 days | Core service; deleted with account
Uploaded media files | Duration of account + 30 days | Core service; deleted with account
Technical/server logs | 90 days | Security monitoring and debugging
Crash reports | 12 months | Bug fixing and stability improvements
Backup copies | 30 days after deletion | Disaster recovery; permanently deleted after
Legal hold data | As required by law | Legal proceedings or regulatory requirements

5.1 Account Deletion

When you delete your account:

  • Your personal data is marked for deletion immediately
  • Data is permanently deleted from active systems within 30 days
  • Backup copies are purged within 30 additional days
  • Some anonymized, aggregated data may be retained for analytics

To delete your account, use the "Delete Account" option in App settings or email privacy@zeitarc.com.

6. Data Recipients and International Transfers

6.1 Categories of Recipients

We may share your data with the following categories of recipients:

Recipient | Purpose | Data Shared | Safeguards
Cloud hosting provider (Hetzner) | Data storage and infrastructure | All data stored in the App | EU-based servers; GDPR compliant
Google (Sign-In only) | Authentication | OAuth tokens only | Standard Contractual Clauses
Error tracking service | Crash reporting | Technical data, no personal content | Data Processing Agreement

6.2 International Transfers

Your data is primarily stored on servers located within the European Union (Germany). Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries with EU adequacy decisions
  • Standard Contractual Clauses (SCCs): EU-approved contract terms with recipients
  • Supplementary measures: Additional technical and organizational safeguards where required

You may request a copy of the safeguards in place by contacting us.

6.3 We Do Not Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes. Your family memories are not a product.

6.4 Legal Disclosures

We may disclose your data if required by law:

  • To comply with legal process or government requests
  • To protect our rights, privacy, safety, or property
  • To enforce our Terms of Service
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. We will respond to valid requests within one month (extendable by two months for complex requests):

7.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. This includes information about:

  • The purposes of processing
  • The categories of data processed
  • Recipients of your data
  • Retention periods
  • The source of data (if not collected from you)

7.2 Right to Rectification (Article 16)

You can correct inaccurate personal data or complete incomplete data. You can update most data directly in the App, or contact us for assistance.

7.3 Right to Erasure / Right to be Forgotten (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Deletion is required by law

Note: We may retain data where we have a legal obligation or legitimate need (e.g., legal claims, security records).

7.4 Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data when:

  • You contest the accuracy of the data (while we verify)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification)

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV). This applies to data you provided to us and processed based on consent or contract.

You can export your timeline data directly from the App or request a full data export by contacting us.

7.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. For legitimate interests, we will stop processing unless we demonstrate compelling legitimate grounds that override your interests.

Note: We do not use your data for direct marketing or profiling.

7.7 Rights Related to Automated Decision-Making (Article 22)

We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you. No profiling or automated decision-making is used in Zeitarc.

7.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

7.9 How to Exercise Your Rights

To exercise any of these rights:

  • Email: privacy@zeitarc.com
  • Include your account email address for verification
  • Specify which right(s) you wish to exercise
  • We may request additional information to verify your identity

There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

8.1 Technical Measures

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: Sensitive data is encrypted on our servers
  • Password security: Passwords are hashed using industry-standard algorithms (bcrypt); we cannot read your password
  • Access controls: Strict role-based access to production systems
  • Secure authentication: JWT tokens with appropriate expiration
  • Regular updates: Security patches applied promptly

8.2 Organizational Measures

  • Limited employee access to personal data (need-to-know basis)
  • Security awareness and data protection training
  • Incident response procedures
  • Regular security assessments

8.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours (where required)
  • Notify affected users without undue delay if there is high risk
  • Document the breach and remedial actions taken

9. Children's Privacy

9.1 Age Requirement

Zeitarc is intended for use by adults (parents, guardians, and caregivers) aged 16 years or older. We do not knowingly collect personal data directly from children under 16.

9.2 Data About Children

While the App is designed to help document children's lives, we recognize that this data requires special protection:

  • Only parents/guardians control what information is entered
  • Children's data is not shared with third parties for marketing
  • Parents can delete all data about their children at any time
  • We do not use children's data for profiling or analytics

9.3 Parental Control

As a parent using Zeitarc, you are the data controller for information you choose to enter about your children. We act as a data processor for this content, storing it securely on your behalf.

9.4 Inadvertent Collection

If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete that data promptly. If you believe a child has provided us data directly, please contact us.

10. Cookies and Tracking Technologies

10.1 Mobile App

The Zeitarc mobile app does not use cookies. We use the following local storage mechanisms:

  • Secure storage: Authentication tokens (essential for login)
  • Local preferences: App settings and user preferences
  • Cache: Temporary storage for performance (images, data)

10.2 Website (zeitarc.com)

Our marketing website uses only essential cookies necessary for the website to function. We do not use:

  • Advertising or tracking cookies
  • Third-party analytics cookies
  • Social media tracking pixels

10.3 Do Not Track

We honor Do Not Track browser signals. We do not track users across third-party websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

11.1 Notification of Changes

We will notify you of material changes by:

  • Posting the updated policy with a new "Last updated" date
  • Sending an email notification for significant changes
  • Displaying a notice in the App for significant changes

11.2 Your Continued Use

Your continued use of Zeitarc after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you should stop using the App and delete your account.

12. Contact Information and Complaints

12.1 Contact Us

For any questions or requests regarding this Privacy Policy or your data:

Data Protection Contact

Email: privacy@zeitarc.com

General Support

Email: support@zeitarc.com

We aim to respond to all legitimate requests within one month.

12.2 Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. We encourage you to contact us first so we can address your concerns.

You may contact your local Data Protection Authority (DPA). A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

12.3 Response Times

  • Standard requests: Within 1 month
  • Complex requests: Up to 3 months (with notification)
  • Urgent security matters: Within 72 hours

Zeitarc is a product of ZeitSol

This Privacy Policy was last reviewed on December 29, 2024