Privacy Policy
Last updated: May 22, 2026
🇪🇺 Data in Europe✓ GDPR compliant🚫 No trackers🔒 TLS Encryption
1. Data Controller
- The data controller is the publisher of the Custody Schedule application.
- Contact — [email protected]
2. Data Collected and Purposes
- Account — Email address, OAuth identifier (Google) — authentication and session management.
- Co-parenting — Household names, children's first names and profile photos, custody configurations, co-parent messages, school-bag lists — service delivery.
- Technical — Anonymized Web Vitals (LCP, CLS, INP) — performance improvement. No personally identifiable information.
3. Legal Basis (Art. 6 GDPR)
- Art. 6.1.b — Contractual performance — Processing of co-parenting data required for service delivery.
- Art. 6.1.f — Legitimate interest — Anonymized performance metrics to improve the application.
- Art. 6.1.a — Consent — Explicit parental consent before any processing of children's data (Art. 8 GDPR).
4. Children's Data (Art. 8 GDPR)
- Adding a child requires explicit confirmation of parental authority.
- Children's first names and profile photos are stored in our secure infrastructure, hosted in Europe.
- This data is never shared with third parties for commercial purposes.
5. Processors and Transfers
- Supabase Inc. — Database hosting, authentication and file storage — servers located in Europe (European Union). Standard Contractual Clauses (SCC) governing transfers to the United States.
- Cloudflare Inc. — Content delivery network, network attack protection and DNS resolution. Processing governed by SCCs.
- No advertising networks, no behavioral profiling tools, no sale of data to third parties.
6. Retention Periods
- Account data — Retained as long as the account is active.
- Co-parenting data — Retained as long as the household exists. 30-day trash bin after deletion, then permanently purged.
- Performance metrics — Aggregated, without personal identifiers, retained for 90 days.
8. Security
- Each user can only access data belonging to their own household — access controls are enforced at the database level, independently of the application layer.
- Sessions are managed via secure authentication mechanisms. All communications between your device and our servers are encrypted.
- The application undergoes regular security reviews.
9. Cookies
- Only strictly necessary technical cookies for authentication and session management.
- No advertising or profiling cookies.
10. Breach Notification (Art. 33-34)
- In the event of a breach, notification to the CNIL within 72 hours.
- Notification of affected individuals if the breach poses a high risk.
7. Your GDPR Rights
15
Access
View all your data.
16
Rectification
Correct your data via the interface.
17
Erasure
Delete your account and all associated data.
20
Portability
Export your data as a readable PDF from your profile.
21
Objection
Object to processing based on legitimate interest.
To exercise your rights: contact form — choose “Privacy, GDPR, data export or DPO”. Response within 30 days.
11. DPO Contact
For any data protection questions: contact form — same category: “Privacy, GDPR, data export or DPO”.
You have the right to lodge a complaint with the CNIL (www.cnil.fr).