Privacy Policy (Align)

2.1 Account and identity data

• Name / display name (required; can be a nickname and does not need to be your legal name)
• Email address (optional, if you upgrade your account)

2.2 Event and availability data (core service)

• Event title
• Expected date range / timeframe
• Event length in days
• Optional expected number of participants
• Participant lists and invitation/participation status
• Availability timeframes submitted by participants (including your timezone, and if used: preference levels and notes)

2.3 Calendar data (optional, Mobile App only)

If you opt in to calendar access on iOS/Android, the Mobile App reads calendar data locally on your device to identify busy days. Only a per-day blocked/free status is uploaded to our backend — no event titles, times, calendar names, or other details are ever sent to our servers. All detailed calendar information stays stored exclusively on your device.

We do not write to, modify, or delete your device calendar events. Calendar access is optional; you can use Align without granting calendar permissions.

2.4 Notifications and device data

• Push notification tokens for mobile and web (only collected when you grant notification permission; used only to send Service notifications)
• Basic technical/log data needed for security and operation (e.g., IP address and timestamps in server logs)

2.5 Email verification and magic link authentication

We use Brevo (transactional email) to send one-time magic link tokens to your email address. These tokens are used for email verification and for passwordless login (e.g., signing in on a different browser or device). Tokens are temporary and expire after use.

3.1 Necessary cookies

The Web App uses necessary cookies only, such as:

• Session/authentication (e.g., JWT in an httpOnly cookie)
• Security protections (e.g., CSRF protection if applicable)

These cookies are required to provide the Service. We do not use analytics or marketing cookies and do not use tracking pixels.

Cookie preferences can be adjusted at /cookie-preferences.

4.1 Providing the Service (Art. 6(1)(b) - contract)

• Creating and managing accounts
• Creating/joining events, invitations, participant management
• Processing availability inputs and calculating suggested dates/time ranges
• Syncing and storing data needed for the Service

4.2 Security and service integrity (Art. 6(1)(f) - legitimate interests)

• Preventing abuse (e.g., rate limiting)
• Maintaining reliability, debugging, and protecting the Service

4.3 Consent for optional features (Art. 6(1)(a) - consent)

• Calendar access (device permission; Mobile App)
• Push notifications (device permission; Mobile App/Web where applicable)

You can withdraw consent at any time by disabling permissions in your device/browser settings.

5.1 Sharing with other users (your choice)

Your name (display name) and the availability you submit for an event are shared only with participants of that specific event.

5.2 Service providers (processors)

We use the following processors to operate Align:

• Hosting (server infrastructure): STRATO GmbH (Berlin, Germany) for server hosting where Coolify runs.
• Database and file storage: Self-hosted Supabase (PostgreSQL) operated by us, hosted on STRATO infrastructure.
• Transactional email: Brevo (for email verification, magic link authentication, and invitations).
• Push notifications (Mobile App): Expo push services (which relay to Apple Push Notification service (APNs) and/or Firebase Cloud Messaging (FCM) depending on platform).
• Public holiday lookup: Nager.at API - receives only a country code.

We do not use analytics providers, ad networks, marketing pixels, or error monitoring tools.

7.1 Accounts and personal data: 2-year auto-delete after inactivity

We automatically delete certain account-related personal data after 2 years of inactivity.

• Inactivity means: no requests from your account to our backend API (“last API request”). Any engagement that results in an authenticated API request counts as activity.
• Before deletion, we may notify you (if we have a verified email and you can receive emails) with a dual-warning schedule: 30 days before deletion and 7 days before deletion.

7.2 What is deleted vs. retained

Deleted (hard deletion): Account identifiers and associated personal data needed to identify you as a user, such as:

• account record (email)
• profile data (display name)
• push tokens associated with the account
• calendar busy snapshots associated with the account
• availability submissions that are only attributable to the account

Retained: Event data is kept for up to 5 years after the last activity on that event to preserve group scheduling context and event history. Where feasible, retained event records are de-linked from your account after deletion (e.g., removal of direct account identifiers), while keeping the event itself and non-identifying context.

7.3 Operational logs

We maintain structured operational logs to protect and operate the Service (e.g., security, debugging). We use structured logging (e.g., winston/pino) with log rotation.

Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority for our registered address is:

Hessischer Beauftragter für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden
https://www.datenschutz.hessen.de

How to exercise your rights

Email privacy@elch.cc with the subject “Privacy Request - Align”. We may need to verify your identity. We aim to respond within 30 days (or as required by law).

Deletion requests

We perform hard deletion (permanent removal from the database) for data that is eligible for deletion, in line with the right to erasure, unless retention is required by law or necessary to establish, exercise, or defend legal claims.