Privacy Policy
This privacy policy explains how personal data is processed on the website weekado.com and in the Weekado app (app.weekado.com and the iOS, iPadOS and macOS apps). In short: no ads, no tracking, no sharing of your data for commercial purposes. Your content is stored in the EU and processed solely to provide the service.
1. Controller
Martin Breitsprecher
c/o Neues Amt Altona
Große Bergstraße 264-266
22767 Hamburg, Germany
E-mail: martin@breitsprecher.de
2. The weekado.com website
The website is hosted on a server operated by Hetzner Online GmbH in Germany. When you visit it, the web server processes technically necessary access data (IP address, date and time, requested file, browser type) to deliver the site and keep it secure. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure, reliable operation). Server logs are not combined with other data and are deleted automatically on a rolling basis.
The website does not use cookies for analytics or marketing and embeds no third-party services; fonts are served locally. A single setting stored locally in your browser remembers your choice of light or dark appearance (technically necessary).
3. Account and sign-in (app)
Using the app requires an account (e-mail address and password). Authentication and the database are run by our processor Supabase; the data is stored in the EU (AWS region Frankfurt). Passwords are stored only as cryptographic hashes. Transactional e-mails (e.g. sign-up confirmation, password reset) are sent only when triggered by you; there is no newsletter. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
4. Your content: tasks, appointments, notes (app)
The content you create (tasks, appointments, notes, areas, settings) is stored in the EU database (Supabase, Frankfurt) and synced between your devices via the synchronization service PowerSync (data held in the EU). Each device additionally keeps a local copy so the app works offline. Automatic backups (snapshots) of your content are kept server-side to protect against data loss and are deleted on a rolling basis. Legal basis: Art. 6(1)(b) GDPR.
5. AI assistant (optional)
If you use the built-in assistant, your input (text, optionally photos and voice recordings) and the planning data needed to answer are processed. Depending on your configuration:
- Weekado AI (default): requests go through our server (Hetzner, Germany) to the AI providers Anthropic and OpenAI (USA). Transfers to the USA are based on the EU-US Data Privacy Framework or standard contractual clauses. Under the providers' API terms, your content is not used to train their models. Voice recordings are sent to OpenAI for transcription and are not stored permanently by us.
- Your own API key (optional): if you add your own Anthropic or OpenAI key, your device sends requests directly to that provider; they do not pass through our servers. Your own agreement with the provider applies. The key never leaves your device.
The assistant's chat history is kept only locally on your device and is not synced between devices. Legal basis: Art. 6(1)(b) GDPR; optional features are processed only when you actively use them.
6. Connecting external AI tools / MCP (optional)
You can give external AI applications (e.g. Claude or ChatGPT) access to your planning via the Model Context Protocol. Authorization is handled by Stytch (USA, EU-US Data Privacy Framework) using OAuth; access exists only after your explicit approval and can be revoked at any time. What data the external AI application processes itself is governed by its own privacy policy.
7. Public and school holidays (optional)
If you enable holiday or school-vacation display, the app fetches the dates for your chosen region from the OpenHolidays API. Only the region code is transmitted (together with your IP address for technical reasons), never account or content data. Responses are cached locally.
8. Payments
On the web: subscriptions are handled by the payment provider Stripe. Stripe processes the data required for payment (name, e-mail address, payment details); full payment details never reach our servers. On iOS: purchases go through the Apple App Store; we manage the subscription status via RevenueCat using a pseudonymous user ID. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR for statutory commercial and tax retention duties.
9. Recipients and processors
We use the following service providers:
- Hetzner Online GmbH (Germany) – hosting of website, app and API
- Supabase (EU data residency, AWS Frankfurt) – database and authentication
- PowerSync / JourneyApps (EU data residency) – device synchronization
- Anthropic PBC and OpenAI (USA) – AI assistant and transcription (only when used)
- Stytch (USA) – authorization of external AI connections (only when used)
- Stripe (web payments), Apple and RevenueCat (iOS purchases)
- OpenHolidays API – holiday and school-vacation dates (only when used)
Data processing agreements under Art. 28 GDPR are in place with our processors; transfers to third countries rely on adequacy decisions (in particular the EU-US Data Privacy Framework) or standard contractual clauses.
10. Retention and deletion
We store account and content data for as long as your account exists. You can delete your account at any time in the app settings; this removes your account and content from the database (backups expire on a rolling basis). Data subject to statutory retention duties (e.g. invoice data) is deleted once those periods end. You remove local copies on your devices by signing out or uninstalling.
11. Your rights
Regarding your personal data, you have the following rights against the controller:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You can also export your content yourself at any time from the app as a JSON or CSV file.
12. Status
This privacy policy is dated June 2026 and will be updated when the data processing changes.