Privacy Policy
This is a non-binding English translation provided for convenience. The legally binding version is the German original.
Last updated: May 2026
1. Controller
Joel Schneider & Paul Yurian Kreft
Heym GbR (civil-law partnership)
Maybachstraße 22
50670 Köln, Germany
Email: privacy@heym.app
2. Data protection officer
We are not legally required to appoint a data protection officer (§ 38 BDSG). For privacy-related questions, please use the contact details above.
3. Overview of processing
As part of our service we process the following categories of personal data:
- Account data — name, email address, profile image, time zone
- Content data — tasks, goals, habits, life areas, labels, pomodoro sessions, favorites, settings
- Payment data — billing information, payment history (via Stripe)
- Usage data — access timestamps, device and browser information
- Technical data — IP addresses, error messages, request metadata
4. Applicable legal bases
We process personal data on the following GDPR legal bases:
- Consent (Art. 6 (1) (a) GDPR) — the data subject has consented to processing for a specific purpose (e.g. web analytics).
- Performance of a contract (Art. 6 (1) (b) GDPR) — processing is necessary to perform the user agreement.
- Legitimate interests (Art. 6 (1) (f) GDPR) — processing is necessary to safeguard our legitimate interests, provided the data subject's interests do not prevail.
5. Registration and user account
During registration we collect the following data:
- Email address
- Name (where transmitted by the identity provider)
- Profile image (where transmitted by the identity provider)
- Time zone
Depending on the chosen sign-in method, some of these fields may be unavailable. When signing in with Apple Sign-In, the user may hide their name and use an Apple-generated relay address instead of their actual email. In that case we process only the pseudonyms supplied to us.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). Registration is a prerequisite for using our service.
6. Authentication
We offer several sign-in methods: external identity providers (Google, Apple) and email-based sign-in (magic link). Data is only transmitted once you actively select the relevant method.
6.1 Email authentication (magic link)
When signing in via magic link you enter your email address and receive a one-time sign-in link by email. Your email address is transmitted to our authentication provider Supabase (see section 9.1) for this purpose. The email is delivered via the service Resend (see section 9.4).
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
6.2 Google OAuth
When signing in via Google, your name, email address and profile image are transmitted from your Google account.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Transfer to third countries: Google is certified under the EU-U.S. Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023).
Google's privacy policy: https://policies.google.com/privacy
6.3 Apple Sign-In
When signing in via Apple, your name and email address are transmitted from your Apple account. Apple lets you hide your email address (Private Relay); in that case an Apple-generated forwarding address is transmitted.
Provider: Apple Distribution International Ltd., Hollyhill Industrial Estate, Cork, Ireland
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Transfer to third countries: Apple is certified under the EU-U.S. Data Privacy Framework.
Apple's privacy policy: https://www.apple.com/legal/privacy/
7. Usage data (your content)
As part of using our service we process and store the content you create:
- Tasks (title, description, due dates, priorities, completion status)
- Goals (title, description, measurements, progress values)
- Habits (title, frequency, target values, daily completions, notes)
- Life areas (name, vision text)
- Labels and categorizations
- Pomodoro sessions (duration, type, status)
- Personal settings and preferences
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). Storing this data is the core purpose of our service.
8. Payment processing (Stripe)
We use the payment provider Stripe for paid subscriptions. Credit card data is processed directly by Stripe and is never stored on our servers.
Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland
Data processed: name, email address, billing address, payment information, transaction history
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Transfer to third countries: Stripe is certified under the EU-U.S. Data Privacy Framework and additionally relies on EU standard contractual clauses (SCCs).
Stripe's privacy policy: https://stripe.com/privacy
9. Hosting and infrastructure
9.1 Database and authentication (Supabase)
Our database and authentication are hosted by Supabase. All user data is stored in a PostgreSQL database in the EU.
Provider: Supabase, Inc., 970 Toa Payoh North, San Francisco, CA 94133, USA (contracting entity; Supabase Pte Ltd in Singapore is an affiliated company)
Server location: EU (Ireland, AWS eu-west-1)
Data processed: all data listed in sections 5–7
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Transfer to third countries: Data is stored in the EU. Because Supabase is headquartered outside the EEA, we rely on EU standard contractual clauses (SCCs) pursuant to Art. 46 GDPR.
9.2 Application hosting (Vercel)
Our web application is hosted on the Vercel platform. All HTTP requests to our service are processed by Vercel infrastructure.
Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA
Data processed: IP addresses, HTTP request metadata (URL, headers, method), server logs
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in reliable, performant hosting).
Transfer to third countries: Vercel is certified under the EU-U.S. Data Privacy Framework and additionally relies on EU standard contractual clauses (SCCs).
9.3 DNS and network protection (Cloudflare)
We use Cloudflare for DNS resolution, DDoS protection and edge routing. All traffic to our service is routed through Cloudflare infrastructure.
Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA
Data processed: IP addresses, HTTP request metadata, TLS connection information
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in security, availability and performant delivery of our service).
Transfer to third countries: Cloudflare is certified under the EU-U.S. Data Privacy Framework and additionally relies on EU standard contractual clauses (SCCs).
9.4 Email delivery (Resend)
For authentication emails (magic links, email confirmations) we use Resend as our SMTP provider.
Provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA
Data processed: recipient email address, send timestamp, delivery status
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
Transfer to third countries: Resend is based in the United States. We rely on EU standard contractual clauses (SCCs).
10. Error monitoring (Sentry)
To ensure stability and to fix bugs we use the service Sentry. Technical information is collected automatically when an error occurs.
We additionally use Sentry Session Replay to help us reproduce errors. User interactions (clicks, navigation, input fields) are captured as technical recordings. Session replays are collected for 10 % of all sessions and for 100 % of sessions in which an error occurs. Input fields flagged as sensitive (in particular password fields) are automatically masked before transmission to Sentry.
Objection: You can object to session-replay recording at any time by emailing privacy@heym.app. After we confirm your objection, no further session replays will be recorded for your account.
Provider: Functional Software, Inc. (Sentry), 1501 Mariposa St #408, San Francisco, CA 94107, USA
Data processed: error messages, device information, browser type, timestamps, IP addresses, session recordings (clicks, navigation, DOM interactions)
Server location: EU (Germany)
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the stability and debuggability of our service).
Transfer to third countries: Sentry is certified under the EU-U.S. Data Privacy Framework. Data is stored in the EU region (Germany).
11. Rate limiting and security (Upstash)
To protect against abuse and to ensure service availability we use rate limiting.
Provider: Upstash, Inc., San Francisco, CA, USA
Data processed: IP addresses, request metadata (timestamp, frequency)
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in security and abuse prevention).
Retention: data is retained only briefly (a few hours) and is then automatically deleted.
12. Web analytics (PostHog)
We use the analytics service PostHog to understand and improve usage of our website. PostHog is only activated after your explicit consent. As long as you have not granted consent, no data is collected.
Provider: PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
Server location: EU (Frankfurt, Germany; PostHog Cloud EU instance)
Data processed: page views, interactions, device information, IP address (anonymized where applicable)
Legal basis: Art. 6 (1) (a) GDPR (consent). Cookies and comparable storage mechanisms are set only after your active consent in accordance with § 25 (1) TDDDG.
Withdrawal of consent: You can withdraw your consent at any time with effect for the future by changing your consent settings or by contacting us at privacy@heym.app.
13. Content management (marketing website)
Our marketing website uses Sanity CMS to deliver editorial content (blog, glossary, releases).
Provider: Sanity AS, Oslo, Norway (EEA)
Data processed: when content is retrieved via the Sanity CDN, your IP address may be processed.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in delivering our website content).
Transfer to third countries: Sanity is based in Norway (EEA). No transfer to third countries takes place.
14. Fonts
We use fonts that are hosted locally on our servers (self-hosted via next/font). No data is transmitted to external providers (e.g. Google) when fonts are loaded.
15. Content delivery network (jsDelivr)
For our API documentation we load a JavaScript library via the public CDN jsDelivr. When the API documentation page is loaded, your browser connects to jsDelivr's servers.
Provider: Prospect One Sp. z o.o., Kraków, Poland (EEA)
Data processed: IP address, browser information, timestamp
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing functional API documentation).
Transfer to third countries: jsDelivr is operated by a Polish company (EEA). The CDN uses globally distributed servers; as a result your IP address may be transferred to servers outside the EEA when content is delivered.
16. Cookies and local storage
Strictly necessary cookies
We set an authentication cookie to manage your session. This cookie is strictly necessary and is set once you sign in.
| Cookie | Purpose | Retention | Legal basis |
|---|---|---|---|
sb-*-auth-token | Authentication and session management | Session-lifetime or until you sign out | § 25 (2) TDDDG (strictly necessary), Art. 6 (1) (b) GDPR |
Local storage
We use the browser's local storage for your appearance settings (e.g. light or dark theme). This data does not leave your browser and is not transmitted to our servers.
Analytics cookies
Where PostHog is enabled, analytics cookies may be used. These are set only after your explicit consent in accordance with § 25 (1) TDDDG. Without your consent, no tracking takes place.
17. API access for third-party applications
As part of paid subscriptions we offer an API. When the API is used, we additionally process:
- API keys (name, permission scope, creation date)
- Usage logs (HTTP method, path, status code, response time)
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).
18. Data processing agreements
We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with every processor named in this privacy policy who processes personal data on our behalf. These agreements ensure that our processors only process personal data on our instructions and that they implement appropriate technical and organizational measures to protect your data.
19. International data transfers
Some of our processors are based outside the EEA. We safeguard your data through the following measures:
| Service | Headquarters | Data location | Safeguard |
|---|---|---|---|
| Google (OAuth) | Ireland / USA | EU | EU-U.S. Data Privacy Framework |
| Apple (Sign-In) | Ireland / USA | EU | EU-U.S. Data Privacy Framework |
| Supabase | USA / Singapore | EU (Ireland) | EU standard contractual clauses (SCCs) |
| Stripe | Ireland / USA | EU | EU-U.S. Data Privacy Framework + SCCs |
| Sentry | USA | EU (Germany) | EU-U.S. Data Privacy Framework |
| Upstash | USA | EU | EU standard contractual clauses (SCCs) |
| PostHog | USA | EU (Germany) | EU standard contractual clauses (SCCs); consent-gated only |
| Vercel | USA | Global (edge) | EU-U.S. Data Privacy Framework + SCCs |
| Cloudflare | USA | Global (edge) | EU-U.S. Data Privacy Framework + SCCs |
| Resend | USA | USA | EU standard contractual clauses (SCCs) |
| jsDelivr | Poland (EEA) | Global (CDN) | EEA headquarters; CDN servers may be distributed worldwide |
| Sanity | Norway (EEA) | EEA | No transfer to third countries |
20. Retention periods and deletion
- Account data: until you delete your account
- Content data (tasks, goals, etc.): until deleted by you or upon account closure
- Deleted content (trash): 30 days after deletion, then permanently removed
- Payment data: 10 years pursuant to German commercial and tax retention obligations (§ 147 AO, § 257 HGB)
- Error logs (Sentry): 90 days
- Rate-limit data (Upstash): a few hours
- Analytics data (PostHog): anonymized after 24 months
21. Your rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR): you may request information about the personal data we process.
- Rectification (Art. 16 GDPR): you may request correction of inaccurate data.
- Erasure (Art. 17 GDPR): you may request deletion of your data, subject to statutory retention obligations.
- Restriction (Art. 18 GDPR): you may request restriction of processing.
- Data portability (Art. 20 GDPR): you may receive your data in a structured, commonly used and machine-readable format.
- Objection (Art. 21 GDPR): you may object at any time to processing based on Art. 6 (1) (f) GDPR.
- Withdrawal of consent (Art. 7 (3) GDPR): any consent granted may be withdrawn at any time with effect for the future.
To exercise your rights, please contact: privacy@heym.app
22. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Competent is the supervisory authority of the German federal state in which we are based, or the authority at your place of residence or the place of the alleged infringement.
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf
Kavalleriestraße 2–4, 40213 Düsseldorf
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de
23. Automated decision-making
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR takes place.
24. Changes to this privacy policy
We reserve the right to adapt this privacy policy to reflect changes in applicable law or in our service or data processing. The current version is always available on this page. For material changes we will notify you separately.