Privacy Policy
Last updated: March 12, 2026
This Privacy Policy explains how Zeitclaim ("we", "us", "our") collects, uses, and protects your personal data when you use our web application at zeitclaim.com (the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable data protection laws of the European Union and Germany.
1. Data Controller
Stefan Joschko - van Ackern
Schloßstraße 348
45359 Essen, Deutschland
Email: info@zeitclaim.com
Phone: +49 151 25272788
We are not required to appoint a Data Protection Officer (fewer than 20 employees regularly processing personal data).
2. What Data We Collect and Why
2.1 Account Data
Data: Email address, display name, profile picture
Source: Provided by you at registration, or obtained from GitHub when you use social sign-in
Purpose: Account creation, authentication, personalization
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
2.2 Activity Entries
Data: Time log entries including description, duration, date, category, and project
Source: Your input via AI chat or manual entry
Purpose: Core service — recording and organizing your tracked working time
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
2.3 Daily Journal
Data: A running log of all your input and changes for the day — capturing the complete context of what you recorded, including edits and revisions over time (one record per day)
Source: Your input and edits via the daily log interface
Purpose: Maintaining the source of truth for each day's data; enables the AI to accurately classify and reclassify your activity entries based on the full context of the day
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
Note: This data may be sent to Google Gemini as context when reclassifying activities for a given day. According to Google's API terms, this data is not stored or used for training.
2.4 Configuration Data (Projects, Categories, User Rules)
Data: Project names, category labels, and custom AI instructions you define
Source: Your settings in the app
Purpose: Providing context to the AI assistant so it can correctly classify your activity entries
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
Note: This data is sent to Google Gemini as prompt context with each AI request. According to Google's API terms, this data is not stored or used for training.
2.5 AI Chat History
Data: Your messages and AI responses, stored per calendar day
Source: Your interaction with the AI assistant
Purpose: Maintaining conversation context and displaying chat history
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
Note: Messages are sent to Google Gemini only during an active request. According to Google's API terms, Gemini does not store or train on API data.
2.6 Voice / Audio Data
Data: Audio recording of your voice input
Source: You activate the microphone in the chat interface
Purpose: Speech-to-text transcription
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Not stored. Audio is sent to OpenAI Whisper for transcription and immediately discarded. The resulting text becomes a chat message (see section 2.5).
2.7 Analytics Data (Consent-Based)
Data: Page views, feature usage events, anonymized session data
Source: Automatic collection via PostHog — only after your explicit consent
Purpose: Understanding usage patterns and improving the product
Legal basis: Art. 6(1)(a) GDPR — your consent
Retention: 1 year (PostHog event data, default retention setting); session replays: 30 days
Consent withdrawal: You can decline or withdraw consent at any time via cookie preferences. See our Cookie Policy.
Fallback without consent: We use a server-side anonymous hash (irreversible, daily salt discarded) that does not constitute personal data.
2.8 Server Logs
Data: IP address, user agent, HTTP request metadata, error logs
Source: Automatically generated by Vercel hosting infrastructure
Purpose: Security, debugging, abuse prevention
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (service security and integrity)
Retention: 30 days (Vercel default)
2.9 Error & Debugging Data
Data: IP address, user agent, browser and OS info, stack trace, error message, page URL, HTTP request metadata
Source: Automatically collected by our error monitoring tool when a JavaScript or server-side error occurs
Purpose: Error monitoring, debugging, and service reliability
Legal basis: Art. 6(1)(f) GDPR — legitimate interests (service integrity and debugging). No cookie consent required — no cookies or local storage are used for this purpose.
Retention: 90 days (Sentry default)
Sub-processor: Sentry (EU Cloud, Germany — data does not leave the EU)
2.10 Payment / Subscription Data
Data we receive: Customer email, subscription status, plan tier (via Paddle webhooks)
Data we do NOT process: Payment card numbers, billing address — all handled by Paddle as Merchant of Record
Purpose: Granting or revoking access to paid features
Legal basis: Art. 6(1)(b) GDPR — contract performance
Retention: Active account lifetime + 30 days after deletion request
Note: Payment processing is handled by Paddle (Paddle Payments Limited, Dublin, Ireland), our Merchant of Record (MoR). Paddle is the legal seller to our customers and an independent data controller for all payment card data, VAT, and invoicing. We never touch or store payment card details. See section 3.
2.11 Customer Support Communications
Data: Email address, message content, correspondence history
Source: Emails you send to info@zeitclaim.com
Purpose: Answering your support and legal inquiries
Legal basis: Art. 6(1)(f) GDPR — legitimate interests; Art. 6(1)(c) for legal requests
Retention: 2 years after last interaction
3. Third-Party Services and Sub-Processors
We share data with the following services to operate Zeitclaim. Each has a Data Processing Agreement (DPA) in place.
Infrastructure
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Convex | Database and backend | All user data (accounts, activities, chat history, categories, rules) | USA | ↗ |
| Vercel | Hosting, CDN, edge functions | IP address, request metadata, logs | USA / global | ↗ |
Authentication
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| GitHub (OAuth) | Optional social sign-in — used only if you choose “Continue with GitHub” | Name, email address, profile picture, GitHub user ID (used to create or link your account) | USA | ↗ |
When you sign in with GitHub, we receive only your basic profile data via a short-lived authorization code exchange. We never receive your GitHub password or private repository data.
AI Processing
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Google Gemini | AI chat processing | Chat messages, activity context, configuration data (as prompt context only — according to Google's API terms, not stored or used for training) | USA | ↗ |
| OpenAI Whisper | Voice transcription | Audio data (according to OpenAI's API terms, not stored — transcribed and immediately discarded) | USA | ↗ |
Email
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Resend | Email delivery (transactional emails, OTP codes, service notifications) | Email address | EU (Ireland) | ↗ |
| Strato Webmail | Inbound support email hosting | Email address, message content | Germany | ↗ |
Analytics
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| PostHog | Product analytics (consent-based only) | Page views, usage events, anonymized session data | EU (Frankfurt) | ↗ |
Error Monitoring
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Sentry | Error tracking and debugging | IP address, user agent, browser/OS info, stack trace, error message, page URL | EU (Germany) | ↗ |
Payments
| Service | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Paddle | Merchant of Record — payment processing, subscriptions, tax, invoicing | Customer email, subscription status (via webhooks). Paddle independently controls all payment card data. | EU (Ireland) | ↗ |
Our payment processing is handled by Paddle (Paddle Payments Limited, Dublin, Ireland), our Merchant of Record. Paddle is the legal seller to our customers. They process all payment card data, collect VAT, issue invoices, and handle the right of withdrawal. We never touch or store payment card information. Paddle is an independent data controller for payment card data.
4. International Data Transfers
Some of our service providers are based in the United States. For these transfers, we rely on the following safeguards under GDPR Chapter V (Art. 44–50):
| Service | Transfer Mechanism |
|---|---|
| Convex | Standard Contractual Clauses (SCCs) |
| Vercel | Standard Contractual Clauses (SCCs) |
| Google (Gemini) | SCCs + EU-US Data Privacy Framework (DPF) |
| OpenAI (Whisper) | SCCs + EU-US Data Privacy Framework (DPF) |
| Paddle (Payments) | SCCs (EU entity, Ireland) |
| GitHub (OAuth sign-in) | SCCs + EU-US Data Privacy Framework (DPF) |
CLOUD Act disclosure: US-based service providers may be subject to US government data requests under the CLOUD Act or FISA Section 702. While we use contractual safeguards (SCCs) and rely on DPF certifications where available, we cannot fully exclude the possibility of US government access to data processed by these providers. We disclose this in the interest of transparency.
You may request copies of the safeguards we have in place by contacting us at info@zeitclaim.com.
5. AI Processing Transparency
Zeitclaim uses artificial intelligence to help you log activities:
- Google Gemini processes your chat messages along with your projects, categories, and custom rules as context. This data is sent via API only during an active request. According to Google's API terms, this data is not stored or used for model training.
- OpenAI Whisper transcribes your voice input. Audio is sent in real time and immediately discarded after transcription. No audio is stored on our systems. According to OpenAI's API terms, audio is not retained after processing.
- No legally significant automated decisions: The AI parses your input and saves activity entries automatically. These are time tracking records with no legal or similarly significant effect. You are responsible for reviewing your logged data for accuracy. No legally binding decisions are made automatically (Art. 22 GDPR).
6. Cookies
We use essential cookies (session, authentication) that are strictly necessary for the Service to function. These do not require consent.
For analytics (PostHog), we request your explicit consent before setting any tracking cookies. You can manage your preferences at any time.
For full details, see our Cookie Policy.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — Request information about the personal data we hold about you.
- Rectification (Art. 16) — Request correction of inaccurate or incomplete data. You can also edit some data directly in your account settings.
- Erasure (Art. 17) — Request deletion of your personal data. We will delete your data within 30 days.
- Restriction (Art. 18) — Request restriction of processing under certain circumstances.
- Data portability (Art. 20) — Request a copy of your data in a structured, machine-readable format. Send a request to info@zeitclaim.com and we will provide an export within 30 days.
- Object (Art. 21) — Object to processing based on legitimate interests. For analytics, you can withdraw consent via cookie preferences.
- Withdraw consent (Art. 7(3)) — Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.
- Automated decision-making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not make any such decisions — AI-parsed activity entries are time tracking records only, with no legal or significant effect on you.
How to exercise your rights: Send an email to info@zeitclaim.com. We will respond within one month (Art. 12(3) GDPR). For complex requests, we may extend this by up to two additional months — we will notify you of any extension within the first month.
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority. Our supervisory authority is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
https://www.ldi.nrw.de
8. Children
Zeitclaim is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a user is under 18, we will delete their account and data.
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will post the updated policy on this page and update the "Last updated" date above. For significant changes, we will notify you via email.
10. Contact
If you have questions about this Privacy Policy or your personal data, please contact us:
Stefan Joschko - van Ackern
Email: info@zeitclaim.com
Phone: +49 151 25272788