Privacy Policy
Last updated: April 2026
1. Data Controller
Nataliia Skliar
Teichmummelring 16
12527 Berlin
Germany
Email: contact@heimdel.com
Because the controller is based in the European Union, all personal data processing described below is governed by the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), regardless of where you use Heimdel.
2. Scope of this Policy
This policy applies to:
- The Heimdel website at heimdel.com (marketing pages and waitlist).
- The Heimdel mobile applications for iOS and Android (the “App”).
- The Heimdel backend service at api.heimdel.com that the App connects to.
3. Data Collected by the App
a) Account information (authentication)
You sign in to Heimdel using one of the following providers:
- Sign in with Apple — we receive a stable user identifier, your email address (or Apple’s private relay address if you choose to hide it) and, on first sign-in only, your first and last name if you choose to share them.
- Sign in with Google — we receive a stable user identifier, your email address, and your name and profile picture URL.
- Demo account — an anonymous temporary account created with a single tap. No personal information is collected. The account is automatically deleted 30 days after creation.
Purpose: identify you across sessions, link you to your family space, contact you about service issues.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
b) Family space content
When you use the App, the following content is stored on our backend so it can sync across devices and family members:
- Calendar events you create (title, time, description).
- Sticky notes (text, color, position).
- To-do lists and items.
- Family member entries you add (name, optional avatar).
- Photos you upload to your family space (image file plus optional caption).
- A city or location name you type in to receive weather information. Heimdel does not request access to your device’s GPS location.
Purpose: provide the core sync functionality of the App.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Sharing: this content is visible to other members of your family space (people who have signed in to the same shared space). It is not shared with third parties.
c) Technical data
When the App connects to our backend we automatically process:
- An access token issued at sign-in.
- The IP address of the device making the request.
- The HTTP method, path, status code, response time, and a per-request identifier (logged for up to 30 days for diagnostics and abuse prevention).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure, reliable service).
d) Weather data
To display weather, the App sends the city name or coordinates you have entered to Open-Meteo. Open-Meteo is a free non-commercial weather API and does not require authentication. The request includes only the location and standard HTTP headers.
4. Tracking and Analytics in the App
The App does not use any third-party analytics, advertising, attribution, or tracking SDKs. The App does not display the App Tracking Transparency prompt because it does not track you across other companies’ apps or websites.
5. Account Deletion
You can delete your Heimdel account at any time directly inside the App: open the account screen and tap Delete Account, then type DELETE to confirm. Deletion is permanent and cannot be undone.
What happens when you delete your account:
- If you are the only member of your family space, the entire family space is deleted, including all calendar events, sticky notes, to-do lists, family member entries, and uploaded photo files.
- If your family space has other members, ownership of the space is transferred to another linked member. Your personal user record is removed; family content remains for the rest of your family.
- If you signed in with Apple, the App also asks you to re-authenticate with Apple at the moment of deletion so we can call Apple’s /auth/revoke endpoint and detach Heimdel from your Apple ID. This is required by Apple’s Sign in with Apple terms.
- Demo accounts are automatically deleted 30 days after creation by an internal cleanup job, with the same scope as a manual deletion.
If you cannot reach the in-app option, you can also email contact@heimdel.com from the address linked to your account and we will delete it for you.
6. Data Collected on the Website (heimdel.com)
a) Server log files
Our hosting provider (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany) automatically records the following information that your browser submits:
- IP address of the requesting device
- Date and time of the request
- Name and URL of the page accessed
- Volume of data transferred
- HTTP status code
- Browser type and version
- Operating system
- Referrer URL
These logs are used solely to ensure the website operates reliably and to improve our service. They are not combined with other data sources and are deleted automatically after 30 days at the latest.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a secure and stable website).
b) Waitlist email collection
If you sign up for the waitlist on our website we collect:
- Your email address
- The source from which you arrived (e.g. campaign or referral link)
- The landing-page variant shown to you
- The time of your sign-up
Purpose: measure interest in our product, notify you when the product launches, and share occasional product news.
Legal basis: Art. 6(1)(a) GDPR (consent). By submitting the form you consent to the processing of your email address for the purposes above.
Withdrawal: you can withdraw your consent at any time by emailing contact@heimdel.com. Processing carried out before the withdrawal remains lawful.
Retention: your email address is stored until you request its deletion or until the purpose for storage no longer applies.
c) Google Analytics
The website uses Google Analytics 4, a web-analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Analytics is loaded only after you give consent through our consent management platform (Cookiebot, Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark). IP addresses are anonymised by default.
Legal basis: Art. 6(1)(a) GDPR (consent).
International transfers: data may be transferred to Google servers in the United States. Google adheres to the EU-US Data Privacy Framework, and Standard Contractual Clauses (Art. 46(2)(c) GDPR) are used as an additional safeguard.
For more information see Google’s Privacy Policy and the Google Analytics Terms of Service.
d) Cookies
The website uses a small number of cookies. The Cookiebot consent cookie and admin session cookies are technically necessary (Art. 6(1)(f) GDPR). Analytics cookies are set only after you opt in (Art. 6(1)(a) GDPR). You can change or revoke your choices at any time via the “Cookie settings” link in the website footer. The App itself does not use cookies.
7. Hosting and Sub-processors
The Heimdel backend, database and uploaded photos are hosted on a server provided by Hetzner Online GmbH (Gunzenhausen, Germany), within the European Union.
Sub-processors used to deliver the service:
- Hetzner Online GmbH — server, persistent storage, network infrastructure (EU).
- Apple Inc. — Sign in with Apple identity verification (US, EU-US DPF).
- Google LLC / Google Ireland Limited — Sign in with Google identity verification (Ireland / US, EU-US DPF).
- Open-Meteo GmbH — weather forecast data (Switzerland; receives only the location you enter).
- Let’s Encrypt (ISRG) — TLS certificate issuance.
8. Encryption in Transit
All connections between the App or your browser and our backend use TLS encryption (HTTPS/WSS). Photos and other family content are stored on disk on our server and are accessible only via authenticated requests.
9. Retention
Personal data is retained only for as long as necessary for the relevant processing purpose:
- Account and family content: until you delete your account (see Section 5) or after an extended period of inactivity.
- Demo accounts: automatically deleted 30 days after creation.
- Server log files: automatically deleted by our hosting provider after at most 30 days.
- Waitlist email addresses: until you request deletion.
- Google Analytics data: per Google’s default settings (typically 14 months).
10. Your Rights
Under the GDPR you have the following rights with respect to your personal data:
- Access (Art. 15 GDPR) — obtain confirmation of, and access to, the personal data we hold about you.
- Rectification (Art. 16 GDPR) — correct inaccurate data.
- Erasure (Art. 17 GDPR) — have your data deleted, subject to any statutory retention obligations.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR) — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent (Art. 7(3) GDPR) at any time, with effect for the future.
- Object (Art. 21 GDPR) to processing carried out under legitimate interest.
- Lodge a complaint with a data protection supervisory authority. The competent authority for our establishment is the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI).
11. Children
Heimdel is intended for adults managing their household. We do not knowingly collect personal data from children under 13 (or under 16 in jurisdictions that apply that threshold). If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Changes to this Policy
We may update this policy to reflect changes to the service or to legal requirements. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated in-app or by email where appropriate.
13. Contact
For questions about privacy, to exercise your rights, or to withdraw consent:
Email: contact@heimdel.com