This Privacy Policy explains how Wastime ("we", "us", "our") collects, uses, discloses, and otherwise processes personal data when you use our mobile applications (iOS and Android) and our web application (collectively, the "Application"). It is written to satisfy the transparency requirements of the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and App Store / Google Play privacy disclosure expectations.

If you do not agree with this Privacy Policy, do not use the Application.

Who We Are (Controller) and How to Contact Us

For the purposes of GDPR, the data controller is:

We have not appointed a Data Protection Officer (DPO). If you have privacy questions or want to exercise your rights, contact us using the details above.

Information We Collect

1. Information You Provide

Depending on how you use the Application, you may provide the following categories of personal data:

• Account and authentication data: email address; authentication provider (e.g., email/password, Google, Apple, Facebook); account identifiers associated with the provider.
• Profile data (optional): display name; first and last name (if you provide them); profile photo (if you choose to set or upload one); language/locale and time zone preferences.
• Life calendar inputs: date of birth and life expectancy values used to generate life calendar features (as provided by you or inferred from your inputs).
• User content: calendars (including published calendars), descriptions, milestones, stories, time tracking entries, favorites, settings, and other content you create or upload within the Application.
• Preferences: optional preferences such as newsletter opt-in status (we do not send marketing emails at this time, but we may store the preference).
• Support and communications: name, email, and the content of your messages when you contact support or submit feedback.
• User-submitted reports: report category, comment, evidence URL, and optional attachments you provide when reporting content or problems.

Registration is not required for all features. However, certain features (including synchronization, publishing, or premium functionality) may require an account.

2. Information We Collect Automatically

When you access or use the Application, we and our service providers may automatically collect:

• Device and app information: device type/model, operating system, app version, language, and time zone.
• Web technical information: browser type/version, screen resolution, and basic connection information.
• Log and security data: IP address, timestamps, diagnostic information, and security events associated with requests to our backend services.
• Identifiers: a pseudonymous visitor identifier used for functionality and security (see "Cookies and Similar Technologies" below), and account identifiers such as Firebase user ID when you are signed in.

3. Analytics and Crash Reporting

The mobile applications may use Firebase Analytics, Firebase Crashlytics, and Firebase Performance Monitoring to help us understand how the Application is used, measure performance, and diagnose stability issues. We may also use Firebase Remote Config to safely roll out changes and run configuration experiments. These services may collect information such as device identifiers, app interaction events, performance metrics, crash logs, and related diagnostic data.

We do not use analytics data to display third-party targeted advertising in the Application. If you are located in a jurisdiction where consent is required for analytics, additional user controls (such as opt-in/opt-out mechanisms) may be required. At this time, analytics and related telemetry may be enabled by default in the mobile applications.

On iOS, the Application does not access the device advertising identifier (IDFA) and does not request AppTrackingTransparency (ATT) authorization.

How We Use Your Information

We use personal data for the following purposes (depending on how you use the Application):

• Provide the Application: create and manage accounts; authenticate users; provide core functionality (including synchronization and publishing where available); provide requested content and features.
• Operate and secure services: prevent fraud, abuse, and unauthorized access; maintain the integrity and availability of our services; troubleshoot and debug.
• Support: respond to inquiries, feedback, and support requests; communicate service-related messages.
• Improve and develop: analyze performance and usage to improve functionality, reliability, and user experience.
• Subscriptions and entitlements: verify subscription status and enable premium access (payments are processed by Apple/Google; subscription status may be managed via RevenueCat).
• Legal compliance: comply with legal obligations, enforce our terms, and protect our rights and the rights of users.

Public Content and Sharing

The Application may offer features that allow you to publish or share content (for example, publishing a calendar). If you choose to publish content, the information you submit may become accessible to other users or the public. Published calendars are accessible without login to anyone who has the link (public-by-link). Public fields may include your calendar title, description, life expectancy value, publication date, engagement counters (such as likes and views), milestones you choose to include, and may include your display name (or show you as "Anonymous") depending on your publishing settings.

You are responsible for ensuring you do not include personal data or sensitive information in published content that you do not want to be public. If you remove published content or delete your account, we will remove it from active display, but copies may persist temporarily (for example, in caches). We implement technical measures intended to prevent indexing of published pages by search engines; however, we cannot guarantee how third parties process content once it has been shared.

Cookies and Similar Technologies (Web)

The web application uses first-party cookies and local storage for essential functionality and user preferences. Examples include:

• Visitor identifier (wt_vid cookie and wt_visitor_id in local storage): used to maintain basic functionality, security, and abuse prevention. The cookie is set with a maximum age of up to 2 years.
• Locale preference (wasted-time-locale cookie and userLocale in local storage): used to store language/locale preference and improve user experience.

You can control cookies through your browser settings. Disabling certain cookies or storage may affect the availability of some features.

Geolocation

The web application requests access to your device location via your browser. This request may occur automatically (for example, on initial load) in order to determine your country and time zone for localization purposes.

If you grant permission, your browser may provide precise latitude/longitude coordinates. We do not store precise coordinates in our backend as part of this process; we use them to infer your country and store the inferred country code and/or your time zone server-side for localization and consistency across sessions. If you deny permission, we use other signals (such as language, time zone, or device settings) to provide a default experience. You can withdraw permission at any time through your browser or device settings.

Third-Party Services and Disclosures

We use third parties to help us provide and operate the Application. Depending on your platform and usage, this may include:

• Google Firebase (Firebase Authentication, Firebase Storage, Firebase Analytics, Firebase Crashlytics, Firebase Remote Config, Firebase Performance Monitoring) — authentication, optional profile assets, analytics, stability monitoring, configuration rollout, and performance measurement.
• Microsoft Azure — hosting and backend infrastructure (including databases and storage used by the Application).
• RevenueCat — subscription status management and entitlement verification for in-app purchases.
• Apple App Store and Google Play Store — payment processing for subscriptions and in-app purchases; we do not receive or store your payment card details.
• External links (e.g., PayPal, Buy Me a Coffee) — if you choose to open an external website, that service’s privacy policy applies.

RevenueCat receives an app-specific internal user identifier and subscription/entitlement status to help us determine whether premium features should be enabled. We do not send subscriber attributes (such as your email address or display name) to RevenueCat.

To the extent permitted by applicable law, we share personal data with service providers (processors) that process personal data on our behalf and under our instructions (for example, for hosting, authentication, analytics, and subscription status verification). Certain third parties may act as independent controllers for their own processing (for example, Apple/Google for purchases, and social login providers for authentication).

Each third party processes personal data under its own terms and privacy policies. We encourage you to review them:

• Firebase Privacy Policy
• RevenueCat Privacy Policy
• Apple Privacy Policy
• Google Privacy Policy

We may also disclose personal data to competent authorities, regulators, or third parties if required by law, or if we believe disclosure is necessary to protect our rights, users, or the security of the Application.

Data Storage, Security, and International Transfers

Our backend infrastructure is hosted on Microsoft Azure. As of the date of this Privacy Policy, our primary backend hosting region is Poland (Azure Poland Central). Firebase services may process data in the United States and other countries where Google or its subprocessors operate, depending on the Firebase product and configuration.

When personal data is transferred internationally, we rely on appropriate safeguards as required by applicable law (such as Standard Contractual Clauses, where applicable) and implement technical and organizational measures designed to protect your personal data.

We implement reasonable administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention depends on the type of data and why we process it. For example:

• Account data: retained while your account is active and until you delete your account, subject to limited backup retention.
• User content: retained while associated with your account and until deleted by you or as part of account deletion.
• Support communications: retained for a reasonable period to resolve requests and for record-keeping.
• Logs and security records: retained for limited periods appropriate to security, abuse prevention, and troubleshooting.

If you delete your account (or otherwise request deletion), we delete your personal data from our active systems without undue delay and generally immediately. We do not restore deleted accounts. Residual copies may persist in encrypted backups for a limited period and will be overwritten in accordance with our backup lifecycle.

Your Rights

Depending on your location, you may have certain rights regarding your personal information:

Under GDPR (European Users)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data
• Portability: Receive your data in a structured format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time (without affecting lawfulness before withdrawal)
• Complaint: Lodge a complaint with a supervisory authority in your habitual residence, place of work, or the place of the alleged infringement

If you are in Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO). You can contact us first so we can address your concerns, but you are not required to do so before lodging a complaint.

Under CCPA/CPRA (California Residents)

• Right to Know: Request information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Correct: Request correction of inaccurate personal information (where applicable)
• Right to Opt-Out of Sale/Sharing: Opt-out of the sale or sharing of personal information (we do not sell personal information, and we do not share it for cross-context behavioral advertising)
• Right to Limit Use of Sensitive Personal Information: Where applicable, request limits on certain uses of sensitive personal information
• Right to Non-Discrimination: No discrimination for exercising rights

Where CCPA/CPRA applies, we generally respond to verifiable consumer requests within 45 days, and we may extend that period where permitted by law.

To exercise these rights, you can:

• Use the account deletion and data deletion features within the Application (where available)
• Contact us at [email protected]

We may need to verify your identity before responding to certain requests. If you use an authorized agent to submit a request on your behalf, we may request proof of the agent’s authorization and may still need to verify your identity directly.

Children's Privacy

The Application is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13.

If you are located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with age-based consent requirements, and you are under the age at which you can provide valid consent to data processing (for example, 16 in some jurisdictions), you should not use the Application without involvement and consent of a parent or guardian.

If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly. Parents or guardians who believe their child has provided us with personal information should contact us immediately.

Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases to process personal data, depending on the context:

• Contract (Art. 6(1)(b)): to provide the Application and requested features (including account creation, authentication, and delivering premium entitlements).
• Legitimate interests (Art. 6(1)(f)): to secure, maintain, and improve the Application; prevent abuse; and defend legal claims (balanced against your rights).
• Consent (Art. 6(1)(a)): where required for analytics, geolocation, or other optional processing, and where we offer a choice (for example, certain measurement features on mobile platforms).
• Legal obligation (Art. 6(1)(c)): to comply with applicable laws and lawful requests.

If, in the future, the Application collects and processes special categories of data (such as health-related information) within optional features, we will process such data only where a valid legal basis exists (including explicit consent under Art. 9(2)(a) where required) and will provide appropriate additional disclosures.

California Notice at Collection (Summary)

California residents have the right to receive notice at collection. In summary, we may collect the following categories of personal information (as defined by CCPA/CPRA), depending on your use of the Application:

• Identifiers (e.g., email address, Firebase user ID, pseudonymous visitor ID).
• Internet or other electronic network activity (e.g., interactions with the Application, device/app events).
• Geolocation data (if you grant device/browser location permission; precise coordinates may be processed to infer your country, and we store the inferred country/time zone for localization).
• Customer records (e.g., name and email in support requests).
• User-generated content you choose to create or upload.

Where we process geolocation data, we use it to provide localization and consistency across sessions and not for advertising. Under CPRA, precise geolocation may be considered "sensitive personal information"; we do not use or disclose it for purposes other than those necessary to provide the Application.

We collect personal information (i) directly from you (for example, when you create an account or contact support), (ii) automatically from your device or browser (for example, through logs, cookies, and similar technologies), and (iii) from third parties you choose to use (for example, social sign-in providers and app stores for purchases).

We collect and use these categories for the business and commercial purposes described in this Privacy Policy, and we retain them as described in the "Data Retention" section. We do not sell personal information, and we do not share it for cross-context behavioral advertising.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will provide notice by updating this page and the "Last updated" date, and, where reasonably feasible, by additional notice (for example, via an in-app notice).

We encourage you to review this Privacy Policy periodically. Your continued use of the Application after the effective date of any changes means you acknowledge the updated Privacy Policy.

Contact Us

If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us:

We will respond to your inquiries within a reasonable timeframe and address your concerns appropriately.