1. Controller Information

This data privacy policy informs you about how your personal data is processed when using the Pomodoro Timer application.

2. Data Collection and Processing

When you use our Pomodoro Timer application, we collect and process the following minimal data:

2.1 Session Data

We generate a random user ID for your session, which is stored in your browser's cookies. This anonymous ID helps us maintain your timer settings between visits. This ID is generated using cryptographically secure methods and cannot be used to identify you personally.

2.2 Timer Data

We temporarily store the state of your timer (running/stopped, time remaining, mode) in server memory. This data is linked to your session ID but contains no personally identifiable information. This data is not persisted in a database and is lost when the server restarts.

2.3 Anonymous Usage Analytics

We collect fully anonymized usage statistics to monitor server load and improve our application's performance. This includes:

• Anonymous session identifiers (cannot be linked to individuals)
• Timer actions (start, stop, or complete a focus/break session)
• Timer mode (focus or break)
• Timer duration settings
• Timestamps of actions

This data is used solely for technical purposes to understand usage patterns and ensure adequate server capacity. No personal information is collected or stored through these analytics.

2.4 Technical Data

The application may automatically collect technical information such as:

• IP address (for security purposes only)
• Browser type and version
• Date and time of access

This information helps us ensure the security and functionality of our application.

2.5 Session Statistics (Heatmap and Streaks)

Session statistics (date and count of completed focus sessions per day) are stored in our database, linked to your anonymous session ID. This data is used to display the heatmap and streak features. Your browser may cache it locally for quick display.

2.6 Optional Sign-In (Google / GitHub)

If you sign in with Google or GitHub in Settings:

• We link your provider identity (email, name, provider user ID) to your anonymous session ID to enable optional cross-device sync.
• We store only the provider, provider user ID, and optional email/name. We do not store OAuth tokens long-term.
• Your session statistics remain associated with your session; signing in links your account for future sync features.

Legal basis: Art. 6(1)(b) GDPR (performance of the service). The respective provider's privacy policy applies to the sign-in flow.

3. Legal Basis for Processing

We process your data based on the following legal grounds:

• Art. 6(1)(b) GDPR: Processing necessary for the performance of a contract (providing the timer service)
• Art. 6(1)(f) GDPR: Processing based on our legitimate interests (ensuring security and functionality, monitoring server performance)

4. Cookies and Local Storage

We use essential cookies and browser local storage to enable the core functionality of our application:

• Session cookie: Stores your anonymous user ID to maintain your timer state
• CSRF token cookie: Protects against cross-site request forgery attacks
• Local storage: May cache session statistics for quick display. The database is the source of truth.

These cookies and local storage are necessary for the application to function properly and do not require explicit consent under German law when used solely for this purpose.

5. Data Retention

Your session data is stored in browser cookies and will persist until:

• You delete your browser cookies
• Your cookies expire naturally (typically after browser sessions or a predefined period)

Session statistics are stored in our database and retained until you request deletion. You can request deletion at any time using the Delete my data option in Settings. Local storage cache persists until you clear site data.

Timer state data stored on our servers is only kept in volatile memory and is deleted when the server restarts or when you close your session.

Anonymous usage statistics are stored in our database and retained for up to 12 months to analyze usage patterns and ensure adequate server capacity.

6. Data Sharing

We do not share your data with third parties. Your timer data, session information, and anonymous usage statistics remain exclusively on our servers and in your browser's cookies and local storage.

When you sign in with Google or GitHub, the sign-in flow is handled by the respective provider; we do not share your session statistics with third parties.

7. Analytics and Third-Party Services

This application uses only internal, anonymized analytics to monitor server performance and usage patterns. We do not use any third-party analytics services, tracking tools, or advertising networks.

Optional sign-in uses Google or GitHub OAuth. The sign-in flow is handled by the respective provider; their privacy policies apply.

8. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. The current version will always be available on this page.

Last updated: 2026-02-26

9. Your Rights

Under the GDPR you have the right to:

• Access (Art. 15): Obtain confirmation as to whether we process your data and a copy of that data
• Rectification (Art. 16): Have inaccurate personal data corrected
• Erasure (Art. 17): Request deletion of your data, including via the "Delete my data" option in Settings
• Restriction (Art. 18): Request that we limit how we use your data in certain circumstances
• Data portability (Art. 20): Receive your data in a structured, commonly used format where applicable
• Object (Art. 21): Object to processing based on legitimate interests
• Withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time
• Lodge a complaint (Art. 77): Complain to a supervisory authority in your country

To exercise these rights or for any privacy-related questions, please use the "Delete my data" option in Settings for erasure, or contact us via the repository linked from the application (e.g. GitHub).