Privacy Policy

Last updated: 17 May 2026

yearview.app is a visual yearly planner operated by SelfCare, Lda. (Portugal). This policy describes, in plain language, what data we collect, why, where we store it, and how you can have it deleted.

Data controller

SelfCare, Lda., a Portuguese limited company with registered office at Av. Duque D'Ávila, Nº 46, 3º A, 1050-086 Lisboa, Portugal, tax number 510 803 890.

Contact for privacy matters: rui.alves@rupeal.com.

We do not have a formal Data Protection Officer (DPO) — the email above is the direct channel for any request related to your data.

What we collect

When you sign in with Google, we receive from Google:

  • Your Google account ID, name, email address, and profile picture URL.
  • An access token and refresh token that let us call the Google Calendar API on your behalf, with the scopes you approved.

When you use the app, we store on our server:

  • The blocks you create (events, locations, contexts): title, dates, times (if applicable), color, busy flag.
  • The categories you define (keyword, color, description).
  • Your preferences (theme, view mode, etc.).
  • The ID of the Google Calendar you chose as the sync target.
  • For each synced block, the IDs of the corresponding events in your Google Calendar (so we can update/delete them later).

We do not use analytics, we do not use tracking cookies, and there are no third-party trackers in this application. The only cookie is the NextAuth.js session cookie (HttpOnly, Secure, SameSite=Lax) used to keep you authenticated.

What we use it for

  • Authenticating you (knowing who you are when you return).
  • Showing you your calendar across sessions and devices.
  • Syncing (one-way push) blocks to your Google Calendar, if you enable that feature.

We do not sell or share your data with third parties for marketing. The subprocessors listed below are purely technical infrastructure.

Where we store it

  • Database (all blocks, categories, tokens, sessions): Neon, Inc. — Postgres hosted in eu-central-1 (Frankfurt, Germany).
  • Application server: Hetzner Online GmbH — datacenter in Falkenstein, Germany.
  • DNS: Cloudflare, Inc. (DNS resolution only, no proxy/caching active).
  • TLS certificates: Let's Encrypt (ISRG).

Your application data never leaves the European Union except when we explicitly send it to the Google Calendar API (Google, US) during sync — which only happens if you turn the feature on.

Subprocessors

  • Google LLC — Identity (OAuth) + Google Calendar API. Policy: https://policies.google.com/privacy
  • Neon, Inc. — Postgres hosting. Policy: https://neon.com/privacy-policy
  • Hetzner Online GmbH — compute. Policy: https://www.hetzner.com/legal/privacy-policy
  • Cloudflare, Inc. — DNS. Policy: https://www.cloudflare.com/privacypolicy/

Retention

We keep your application data for as long as your account is active. NextAuth sessions expire after 30 days of inactivity. Container logs (Coolify) are kept for about 7 days for troubleshooting.

When you delete your account (request by email to rui.alves@rupeal.com), all your application data and OAuth tokens are removed from our server within 30 days. Events previously pushed to your Google Calendar are not removed automatically — you can remove them manually from GCal.

Your rights (GDPR)

As an EU resident, you have the right to:

  • Access — request a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and data.
  • Portability — receive your data in JSON format.
  • Object — object to any processing.
  • Withdraw consent — for Google Calendar sync, you can revoke access at https://myaccount.google.com/permissions at any time.

To exercise any of these rights, write to rui.alves@rupeal.com. We respond within 30 days.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD): https://www.cnpd.pt/

Security

All traffic is encrypted in transit (TLS 1.3, HTTPS enforced). OAuth tokens are stored in the database under restricted access. Your Google account password never passes through us — all authentication is delegated to Google via OAuth 2.0 with PKCE.

Despite our care, no system is 100% secure. In the event of a security incident affecting your data, we commit to notifying you by email within 72 hours.

Changes to this policy

If we change this policy materially, we update the date at the top and (if you have an active account) we notify you by email before the change takes effect.