Privacy Policy

Last updated: July 2026 (PostHog Analytics)

1. General information

The following information provides an overview of what happens to your personal data when you visit this website or use the app. Personal data is any information that can be used to identify you personally.

2. Controller

Max Anton Schneider

c/o MDC Management#1582

Welserstraße 3

87463 Dietmannsried

Email: info@maxantonschneider.com

3. Hosting

This website and the app are provided through the hosting platform Vercel (provider: Vercel Inc., USA). When you access the service, technical data such as your IP address, browser type, operating system, referrer URL and time of access is automatically processed in server log files where necessary to operate and secure the infrastructure. The legal basis is Article 6(1)(f) GDPR (legitimate interest in technically reliable provision of the website and app).

A data processing agreement under Article 28 GDPR is in place with Vercel where required. For transfers to the USA, Vercel relies among other things on EU Standard Contractual Clauses. More information: vercel.com/legal/privacy-policy

The user database is operated by Supabase, Inc. (970 Toa Payoh North, Singapore). Data is stored exclusively in the EU region Frankfurt (AWS eu-central-1). Supabase processes personal data only on our behalf. A data processing agreement under Article 28 GDPR is in place with Supabase. More information: supabase.com/privacy

4. Cookies, consent banner and authentication

We use Better Auth, an open-source authentication system, for signing in and operating the app. It sets cookies that are technically necessary for secure login and to maintain your session. The app cannot be used without these cookies.

CookiePurpose / duration
better-auth.session_tokenSession management after login — session
better-auth.csrf_tokenProtection against CSRF attacks — session
meinsystem_cookie_consentStores your cookie-banner selection — up to 182 days

The legal basis is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in application security).

We also use a cookie consent banner to store your choice concerning external media and usage statistics. This choice is stored only in your browser and is not linked to your user account. For signed-in users, we additionally synchronise analytics consent with the account so that server-side statistics events are processed only after consent has been given. You can change your selection at any time through “Cookie settings” in the footer.

The legal basis for storing the cookie choice is Article 6(1)(f) GDPR (legitimate interest in privacy-compliant documentation of your choice) and Section 25(2) TTDSG where storage is technically necessary.

YouTube videos / external media

A YouTube video may be embedded on the landing page. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The video is loaded only if you actively accept the “External media” category or the “YouTube” service in the cookie consent banner. Before consent, only a local placeholder is shown and no connection to YouTube or Google is established.

After consent, the video is embedded through youtube-nocookie.com. In particular, your IP address, device and browser information, referrer, time of access and playback interactions may be transmitted to Google/YouTube. YouTube may also use cookies or comparable technologies such as local storage. Transfers to third countries, especially the USA, cannot be ruled out.

The legal basis for loading the YouTube video is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG. You may withdraw consent at any time with future effect through “Cookie settings” in the footer. More information is available in Google’s privacy policy: policies.google.com/privacy

Statistics cookies (PostHog)

If you enable the “Statistics & product improvement” category in the cookie banner, PostHog sets cookies or stores comparable identifiers in local storage. They are set only after consent.

CookiePurpose / duration
ph_phc_*PostHog session and user identifier — up to 30 days
ph_posthogPostHog client configuration — up to 30 days

The legal basis is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG. See Section 5 for details.

5. Web analytics (PostHog)

PostHog: We use PostHog (provider: PostHog Inc., EU Cloud with servers in Frankfurt, EU) to measure reach, compile usage statistics, analyse errors and improve the product. Processing occurs only if you actively accept the “Statistics & product improvement” category in the cookie banner.

Data processed may include page views and navigation paths, device and browser information, referrer, timestamps, technical error reports and, after login, your internal user ID for assigning sessions. We also record custom usage events such as registration, onboarding completion, checkout steps, use of features (routines, appointments, goals, todos) and subscription-status changes. These events contain no content from your routines, notes, goals or mood entries.

Without your consent, no PostHog cookies are set; at most, an aggregated, privacy-friendly count without a personal identifier is performed (cookieless mode). More information: posthog.com/privacy. A data processing agreement under Article 28 GDPR is in place with PostHog.

The legal basis is your consent under Article 6(1)(a) GDPR and Section 25(1) TTDSG for cookies/local storage. You may withdraw consent at any time with future effect through “Cookie settings” in the footer.

6. Sign in with Google

You can sign in with your Google account (OAuth 2.0). If you use this option, you are redirected to Google. After you consent, Google sends us the following data:

  • Name
  • Email address
  • Profile image (optional)
  • Google account ID (for unique assignment)

This data is used solely to create and manage your user account. The legal basis is Article 6(1)(a) GDPR (your consent during login) and Article 6(1)(b) GDPR (performance of a contract).

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google privacy policy: policies.google.com/privacy

7. Google Calendar integration (Pro plan)

Pro-plan users can connect Google Calendar to meinsystem.app. After your express consent, the following data is retrieved from Google and stored in our database:

  • OAuth 2.0 access token (short-lived, for API access)
  • OAuth 2.0 refresh token (to renew the access token)
  • Granted permissions (scope)
  • Access-token expiry time
  • ID of the connected Google Calendar

These tokens are transmitted securely using TLS and serve solely to write meinsystem.app appointments to your Google Calendar or retrieve appointments from it. They are not used for other purposes or disclosed to third parties.

You can revoke the connection at any time in app settings. All stored tokens are then deleted immediately. The legal basis is Article 6(1)(a) GDPR (consent). Retention: until the connection is revoked or the account is deleted.

8. Push notifications

If you enable push notifications, the app stores technical access data from your browser on our servers that is required to deliver notifications:

  • Push endpoint URL (specific to browser and device)
  • Cryptographic key (p256dh) for encrypted transmission
  • Authentication token (auth)

This data is used solely to deliver notifications you configure in the app, such as appointment reminders. It is not used for advertising or disclosed to third parties.

You can disable push notifications at any time in browser or app settings. Stored access data is then deleted. The legal basis is Article 6(1)(a) GDPR (consent). Retention: until deactivation or account deletion.

9. User data in the app

Content you create in meinsystem.app—routines, calendar appointments, tasks, goals, notes and similar data—is stored in a PostgreSQL database at Supabase (Frankfurt data centre, EU) so you can access it from different devices. Content data, especially routines, notes, todo and goal titles, appointment names and daily progress, is encrypted at application level with AES-256-GCM before storage. Transmission between your device and the app is additionally encrypted with TLS.

The application processes and decrypts content on the server where required to provide features you use. This is therefore not end-to-end encryption. During normal operation, we do not manually access your personal entries. Their content is not analysed for advertising. After consent in the cookie banner, we may analyse usage behaviour, such as which features are used, in pseudonymised form for statistics and product improvement—without accessing entry content. Information you voluntarily send in a support request is used only to handle it.

This data is not sold, used for advertising or profiling, or shared with other users. The legal basis is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(a) GDPR (consent; see Section 10).

You can delete your account and all stored data at any time through Settings. After deletion, your data is removed immediately and completely from our database.

10. Energy and mood data (special categories under Article 9 GDPR)

meinsystem.app allows you to record daily energy and mood values and optional free-text notes. This data may permit conclusions about health and is therefore a special category of personal data under Article 9 GDPR.

The following data is stored:

  • Energy value (scale 1–5)
  • Mood value (scale 1–5)
  • Date and optional time of the entry
  • Optional free-text note

Processing is based exclusively on your express consent under Article 9(2)(a) GDPR. This consent is actively requested when the dashboard is first opened and stored with a timestamp in our database. You can withdraw consent at any time by completely deleting your account through Settings → Delete account. All entries are then removed immediately.

The data is used solely for personal reflection within the app. It is not analysed, disclosed to third parties or used for other purposes. Retention: until account deletion.

11. Consent management

During onboarding and after Privacy Policy updates, we obtain two separate consents: (1) general data processing and (2) express consent for energy and mood data under Article 9 GDPR. The accepted Privacy Policy version, for example “2026-04”, is stored with a timestamp in your account.

  • Storage of all app content (routines, todos, calendar, goals)
  • Storage of energy and mood data as a special category under Article 9 GDPR
  • Storage of optional free-text notes throughout the app

Consent is logged with date and time. The dashboard cannot be used without consent, because otherwise core data storage would have no legal basis.

Withdrawal: You may withdraw consent at any time without giving a reason by completely deleting your account under Settings → Delete account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).

Legal bases: Article 6(1)(a) GDPR (general consent) and Article 9(2)(a) GDPR (consent for health data).

12. Retention periods

We store personal data only for as long as necessary for the relevant purpose or as required by statutory retention obligations:

Data categoryRetention period
User account & app dataUntil account deletion
Energy & mood data (Article 9 GDPR)Until account deletion / withdrawal of consent
Session tokensAutomatically deleted after expiry
Email confirmation & reset tokensAutomatically deleted after expiry
Google Calendar OAuth tokensUntil revocation or account deletion (stored encrypted)
OAuth login tokens (Better Auth)Until logout or account deletion (stored encrypted)
Daily-progress historyAutomatically deleted after 365 days
Push-notification dataUntil deactivation or account deletion
Server logs (Vercel)Under Vercel's policy (typically for a limited period)
PostHog Analytics30 days (PostHog project setting); no new events after withdrawal
Payment data (Lemon Squeezy)10 years (Section 147 AO / Section 257 HGB); then anonymised
Database backups (Supabase)No more than 30 days after creation

13. Payment processing (Pro plan)

We use Lemon Squeezy (Lemon Squeezy LLC, 222 South Main Street Suite 500, Salt Lake City, UT 84101, USA) to process Pro-plan payments. The following data is transmitted to Lemon Squeezy:

  • Name
  • Email address
  • Payment method and transaction data
  • Billing address

The legal basis is Article 6(1)(b) GDPR. Lemon Squeezy uses EU Standard Contractual Clauses for transfers to the USA. The statutory retention period for payment data is 10 years (Section 147 AO / Section 257 HGB).

Lemon Squeezy privacy policy: lemonsqueezy.com/privacy

14. SSL encryption

This website uses SSL or TLS encryption for security. You can recognise an encrypted connection by https:// in the address bar and the lock symbol in your browser.

15. Your rights

You have the following rights concerning your personal data:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • Right to withdraw consent (Article 7(3) GDPR)

You can download your stored data at any time as a JSON file under “Export my data” in app settings (Article 20 GDPR).

You also have the right to lodge a complaint with the competent data protection supervisory authority.

16. Contact for privacy questions

For questions about data protection, please contact: info@maxantonschneider.com