Last updated: July 2026 (PostHog Analytics)
The following information provides an overview of what happens to your personal data when you visit this website or use the app. Personal data is any information that can be used to identify you personally.
Max Anton Schneider
c/o MDC Management#1582
Welserstraße 3
87463 Dietmannsried
Email: info@maxantonschneider.com
This website and the app are provided through the hosting platform Vercel (provider: Vercel Inc., USA). When you access the service, technical data such as your IP address, browser type, operating system, referrer URL and time of access is automatically processed in server log files where necessary to operate and secure the infrastructure. The legal basis is Article 6(1)(f) GDPR (legitimate interest in technically reliable provision of the website and app).
A data processing agreement under Article 28 GDPR is in place with Vercel where required. For transfers to the USA, Vercel relies among other things on EU Standard Contractual Clauses. More information: vercel.com/legal/privacy-policy
The user database is operated by Supabase, Inc. (970 Toa Payoh North, Singapore). Data is stored exclusively in the EU region Frankfurt (AWS eu-central-1). Supabase processes personal data only on our behalf. A data processing agreement under Article 28 GDPR is in place with Supabase. More information: supabase.com/privacy
We use Better Auth, an open-source authentication system, for signing in and operating the app. It sets cookies that are technically necessary for secure login and to maintain your session. The app cannot be used without these cookies.
| Cookie | Purpose / duration |
|---|---|
better-auth.session_token | Session management after login — session |
better-auth.csrf_token | Protection against CSRF attacks — session |
meinsystem_cookie_consent | Stores your cookie-banner selection — up to 182 days |
The legal basis is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in application security).
We also use a cookie consent banner to store your choice concerning external media and usage statistics. This choice is stored only in your browser and is not linked to your user account. For signed-in users, we additionally synchronise analytics consent with the account so that server-side statistics events are processed only after consent has been given. You can change your selection at any time through “Cookie settings” in the footer.
The legal basis for storing the cookie choice is Article 6(1)(f) GDPR (legitimate interest in privacy-compliant documentation of your choice) and Section 25(2) TTDSG where storage is technically necessary.
A YouTube video may be embedded on the landing page. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The video is loaded only if you actively accept the “External media” category or the “YouTube” service in the cookie consent banner. Before consent, only a local placeholder is shown and no connection to YouTube or Google is established.
After consent, the video is embedded through youtube-nocookie.com. In particular, your IP address, device and browser information, referrer, time of access and playback interactions may be transmitted to Google/YouTube. YouTube may also use cookies or comparable technologies such as local storage. Transfers to third countries, especially the USA, cannot be ruled out.
The legal basis for loading the YouTube video is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG. You may withdraw consent at any time with future effect through “Cookie settings” in the footer. More information is available in Google’s privacy policy: policies.google.com/privacy
If you enable the “Statistics & product improvement” category in the cookie banner, PostHog sets cookies or stores comparable identifiers in local storage. They are set only after consent.
| Cookie | Purpose / duration |
|---|---|
ph_phc_* | PostHog session and user identifier — up to 30 days |
ph_posthog | PostHog client configuration — up to 30 days |
The legal basis is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG. See Section 5 for details.
PostHog: We use PostHog (provider: PostHog Inc., EU Cloud with servers in Frankfurt, EU) to measure reach, compile usage statistics, analyse errors and improve the product. Processing occurs only if you actively accept the “Statistics & product improvement” category in the cookie banner.
Data processed may include page views and navigation paths, device and browser information, referrer, timestamps, technical error reports and, after login, your internal user ID for assigning sessions. We also record custom usage events such as registration, onboarding completion, checkout steps, use of features (routines, appointments, goals, todos) and subscription-status changes. These events contain no content from your routines, notes, goals or mood entries.
Without your consent, no PostHog cookies are set; at most, an aggregated, privacy-friendly count without a personal identifier is performed (cookieless mode). More information: posthog.com/privacy. A data processing agreement under Article 28 GDPR is in place with PostHog.
The legal basis is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG for cookies/local storage. You may withdraw consent at any time with future effect through “Cookie settings” in the footer.
You can sign in with your Google account (OAuth 2.0). If you use this option, you are redirected to Google. After you consent, Google sends us the following data:
This data is used solely to create and manage your user account. The legal basis is Article 6(1)(a) GDPR (your consent during login) and Article 6(1)(b) GDPR (performance of a contract).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google privacy policy: policies.google.com/privacy
Pro-plan users can connect Google Calendar to meinsystem.app. After your express consent, the following data is retrieved from Google and stored in our database:
These tokens are transmitted securely using TLS and serve solely to write meinsystem.app appointments to your Google Calendar or retrieve appointments from it. They are not used for other purposes or disclosed to third parties.
You can revoke the connection at any time in app settings. All stored tokens are then deleted immediately. The legal basis is Article 6(1)(a) GDPR (consent). Retention: until the connection is revoked or the account is deleted.
If you enable push notifications, the app stores technical access data from your browser on our servers that is required to deliver notifications:
This data is used solely to deliver notifications you configure in the app, such as appointment reminders. It is not used for advertising or disclosed to third parties.
You can disable push notifications at any time in browser or app settings. Stored access data is then deleted. The legal basis is Article 6(1)(a) GDPR (consent). Retention: until deactivation or account deletion.
Content you create in meinsystem.app—routines, calendar appointments, tasks, goals, notes and similar data—is stored in a PostgreSQL database at Supabase (Frankfurt data centre, EU) so you can access it from different devices. Content data, especially routines, notes, todo and goal titles, appointment names and daily progress, is encrypted at application level with AES-256-GCM before storage. Transmission between your device and the app is additionally encrypted with TLS.
The application processes and decrypts content on the server where required to provide features you use. This is therefore not end-to-end encryption. During normal operation, we do not manually access your personal entries. Their content is not analysed for advertising. After consent in the cookie banner, we may analyse usage behaviour, such as which features are used, in pseudonymised form for statistics and product improvement—without accessing entry content. Information you voluntarily send in a support request is used only to handle it.
This data is not sold, used for advertising or profiling, or shared with other users. The legal basis is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(a) GDPR (consent; see Section 10).
You can delete your account and all stored data at any time through Settings. After deletion, your data is removed immediately and completely from our database.
meinsystem.app allows you to record daily energy and mood values and optional free-text notes. This data may permit conclusions about health and is therefore a special category of personal data under Article 9 GDPR.
The following data is stored:
Processing is based exclusively on your express consent under Article 9(2)(a) GDPR. This consent is actively requested when the dashboard is first opened and stored with a timestamp in our database. You can withdraw consent at any time by completely deleting your account through Settings → Delete account. All entries are then removed immediately.
The data is used solely for personal reflection within the app. It is not analysed, disclosed to third parties or used for other purposes. Retention: until account deletion.
During onboarding and after Privacy Policy updates, we obtain two separate consents: (1) general data processing and (2) express consent for energy and mood data under Article 9 GDPR. The accepted Privacy Policy version, for example “2026-04”, is stored with a timestamp in your account.
Consent is logged with date and time. The dashboard cannot be used without consent, because otherwise core data storage would have no legal basis.
Withdrawal: You may withdraw consent at any time without giving a reason by completely deleting your account under Settings → Delete account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).
Legal bases: Article 6(1)(a) GDPR (general consent) and Article 9(2)(a) GDPR (consent for health data).
We store personal data only for as long as necessary for the relevant purpose or as required by statutory retention obligations:
| Data category | Retention period |
|---|---|
| User account & app data | Until account deletion |
| Energy & mood data (Article 9 GDPR) | Until account deletion / withdrawal of consent |
| Session tokens | Automatically deleted after expiry |
| Email confirmation & reset tokens | Automatically deleted after expiry |
| Google Calendar OAuth tokens | Until revocation or account deletion (stored encrypted) |
| OAuth login tokens (Better Auth) | Until logout or account deletion (stored encrypted) |
| Daily-progress history | Automatically deleted after 365 days |
| Push-notification data | Until deactivation or account deletion |
| Server logs (Vercel) | Under Vercel's policy (typically for a limited period) |
| PostHog Analytics | 30 days (PostHog project setting); no new events after withdrawal |
| Payment data (Lemon Squeezy) | 10 years (Section 147 AO / Section 257 HGB); then anonymised |
| Database backups (Supabase) | No more than 30 days after creation |
We use Lemon Squeezy (Lemon Squeezy LLC, 222 South Main Street Suite 500, Salt Lake City, UT 84101, USA) to process Pro-plan payments. The following data is transmitted to Lemon Squeezy:
The legal basis is Article 6(1)(b) GDPR. Lemon Squeezy uses EU Standard Contractual Clauses for transfers to the USA. The statutory retention period for payment data is 10 years (Section 147 AO / Section 257 HGB).
Lemon Squeezy privacy policy: lemonsqueezy.com/privacy
This website uses SSL or TLS encryption for security. You can recognise an encrypted connection by https:// in the address bar and the lock symbol in your browser.
You have the following rights concerning your personal data:
You can download your stored data at any time as a JSON file under “Export my data” in app settings (Article 20 GDPR).
You also have the right to lodge a complaint with the competent data protection supervisory authority.
For questions about data protection, please contact: info@maxantonschneider.com