Privacy Policy
1. Controller
The controller responsible for processing personal data under the EU General Data Protection Regulation (GDPR) is:
AnnuCal GmbH
Lerchenstraße 28
22767 Hamburg
Germany
Phone: +49 40 50719309
Email: info@annucal.com
Managing Director: Jan-Willem Wulff
2. Purpose of Processing and Legal Basis
We process personal data to provide and improve AnnuCal, ensure reliable operation, and enable user support. Processing takes place on the following legal bases:
2.1 Use of the Service (Art. 6(1)(b) GDPR – Contract performance)
To create and operate your AnnuCal account, we process:
Name
Email address
Encrypted password
Language preferences
Calendar, scheduling, and event data entered by you
App settings and configurations
2.2 Technical Operation and Security (Art. 6(1)(f) GDPR – Legitimate interest)
For system stability and security, we process:
IP address
Browser type and version
Date and time of access
Server log files
Session cookies
Error and diagnostic information
Our legitimate interest lies in maintaining the security and proper functioning of the platform.
2.3 Communication (Art. 6(1)(b), (f), and where applicable Art. 6(1)(a) GDPR)
We send essential service-related emails such as:
• account confirmation
• password reset messages
• security notifications
• operational updates
• important product or service-related changes
These communications are sent where necessary to provide the service, maintain security, or ensure the reliable operation of AnnuCal.
In addition, if you subscribe to our newsletter or otherwise give your consent, we may send occasional email updates about product news, major feature releases, and other relevant AnnuCal updates.
For newsletter and email campaign delivery, we use Mailchimp, a service provided by Intuit Mailchimp.
The legal basis for essential service-related communication is Art. 6(1)(b) GDPR where necessary for the performance of a contract, and Art. 6(1)(f) GDPR where necessary for security, operational reliability, and important service communication.
The legal basis for newsletter or marketing-related communication is your consent under Art. 6(1)(a) GDPR, where such consent is required.
2.4 Single Sign-On (SSO) – Voluntary (Art. 6(1)(a) GDPR – Consent)
If you choose to sign in using an external provider (e.g., Google), the provider may transmit your name, email address, and profile data to us.
SSO is optional and requires your explicit consent.
2.5 Payments, Subscriptions and Billing via Stripe (Art. 6(1)(b), (f) GDPR)
If you purchase a paid plan, start a trial, maintain a subscription, or make a voluntary support payment, we process personal data as necessary to provide payment, billing, and subscription-related services.
For this purpose, we use Stripe Payments Europe, Ltd. and its affiliated companies as our payment service provider.
Depending on the transaction, the following data may be processed:
• name
• email address
• billing address
• country and tax-related information, if applicable
• subscription status and billing period
• invoices, invoice history, and payment status
• payment method information and transaction metadata
• customer support information related to billing issues, if applicable
We use this processing to:
• complete payments
• manage subscriptions, renewals, and cancellations
• generate invoices and billing records
• handle refunds and payment-related support requests
• prevent abuse and protect the reliability and security of our billing processes
The legal basis is Art. 6(1)(b) GDPR where processing is necessary for the performance of a contract or to take steps prior to entering into a contract, and Art. 6(1)(f) GDPR for fraud prevention, billing security, and the reliable operation of our payment processes.
We do not receive or store full payment card numbers ourselves. Payment card data is processed directly by Stripe.
3. Categories of Recipients
We do not sell your data or use it for advertising.
To provide our service, we work with selected processors in accordance with Art. 28 GDPR:
Hosting and data center services: Frankfurt, Germany
Email delivery services: to send system-relevant messages
Monitoring and diagnostics: to ensure platform stability
SSO providers (optional): Google LLC (USA)
Payment and billing services: Stripe Payments Europe, Ltd. and affiliated Stripe entities for payment processing, subscriptions, invoicing, and related billing operations
Email delivery and newsletter services: Intuit Mailchimp for newsletter distribution, email campaigns, and related communication management
These service providers act strictly on our instructions.
4. Data Transfers to Third Countries
As a general rule, your data is not transferred outside the EU/EEA.
Exception: If you use Google Single Sign-On
In this case, data may be transferred to the United States.
Legal safeguards include:
Your explicit consent (Art. 6(1)(a) GDPR)
Standard Contractual Clauses (SCCs) under Art. 46 GDPR
You may withdraw your consent at any time by discontinuing use of SSO.
Exception: If payment, subscription, or billing services are processed through Stripe, personal data may be transferred to countries outside the EU/EEA, including the United States, where necessary for the provision of Stripe’s services.
Legal safeguards may include Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR and other applicable transfer mechanisms.
Exception: If newsletter or email communication services are provided through Mailchimp, personal data such as email address and related campaign data may be transferred to countries outside the EU/EEA, including the United States, where necessary for the provision of Mailchimp’s services.
Legal safeguards may include Standard Contractual Clauses (SCCs) and other applicable transfer mechanisms.
5. Storage Periods
We store personal data only as long as necessary for the purpose of providing the service.
Account data: until the account is deleted
Calendar and event data: until deleted by the user
Backups: automatically deleted after 14 days
Server log files: stored for up to 30 days
Billing and invoice records: retained for as long as required by applicable commercial and tax retention obligations
Once your account is deleted, all personal data is fully removed within the backup retention period.
6. Cookies
AnnuCal uses only essential cookies, primarily:
Session cookies (required for login, navigation, and security)
We do not use tracking, analytics, or advertising cookies.
7. Your Rights Under the GDPR
You have the following rights:
Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restrict processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR) to processing based on legitimate interests
Right to withdraw consent at any time (Art. 7(3) GDPR), e.g., for SSO
To exercise your rights, contact us at:
info@annucal.com
Right to lodge a complaint
You may lodge a complaint with any data protection supervisory authority.
For example:
Hamburg Commissioner for Data Protection and Freedom of Information
https://datenschutz-hamburg.de/
8. No Automated Decision-Making
We do not engage in automated decision-making or profiling under Art. 22 GDPR.
9. Data Security
We protect your data using technical and organizational measures, including:
SSL/TLS encryption
Access controls
Role-based permissions
Encrypted passwords
Daily secure backups
Certified data centers located in Germany
10. Changes to This Privacy Policy
We may update this policy to reflect legal, technical, or functional changes.
The latest version will always be available on our website.