Privacy Policy

Last updated: February 2026

1. Overview

We take the protection of your personal data seriously. This privacy policy explains what data we process, why we process it, and which rights you have.

2. Data we process

We process account data (for example name and email), profile data (for example country, region, vacation days), calendar events, and trip-planning entries where you use these features in the app.

3. Processors and providers

We use Supabase (EU region) for database and authentication, Google OAuth for sign-in, and Vercel for hosting and analytics after consent. For AI features, we use OpenAI and Google Gemini through our server-side routes.

4. Cookies

We use strictly necessary cookies for sign-in and session management. Analytics cookies are set only after consent and can be changed at any time in cookie settings.

Cookies set by this application (overview):

  • Session / Auth (Supabase): Session and sign-in state, HttpOnly, secure.
  • td_anon: Anonymous ID for pre-login onboarding (e.g. /takedays), HttpOnly.
  • NEXT_LOCALE: Selected language (e.g. en, de).
  • cookie-consent: Your cookie consent (necessary / all).
  • calendar_state: OAuth state during calendar connect (Google/Outlook), short-lived, HttpOnly.

5. Legal basis

Processing is based in particular on contract performance (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and your consent (Art. 6(1)(a) GDPR), where applicable.

6. Retention

We retain data only as long as necessary for each purpose or as required by law. You can request account deletion, after which personal data is removed within technical and legal constraints.

7. Your rights

You have rights of access, rectification, erasure, restriction, portability, and objection. To exercise your rights, contact us via the email address listed in the legal notice.

8. Data security

We implement technical and organizational security measures, including TLS encryption, role-based access controls, and regular security checks.

9. International transfers

Where data is processed outside the EU, transfers rely on appropriate safeguards, such as EU standard contractual clauses.

10. Changes to this policy

We may update this privacy policy when legal or technical conditions change. The current version is always available on this page.