We take your privacy seriously. This policy explains what data we collect, why, and your rights under GDPR.
1. Who we are
Data controller: Picky Alarm (“we”, “us”, “our”). For data protection enquiries, please use the contact form below.
2. Data we collect
We collect the following categories of personal data:
- Account data - email address, display name, and a hashed password when you register.
- Calendar data - event titles, dates, times, and locations, accessed through Google OAuth when you choose to link your calendar. This data is processed only to schedule your alarms.
- App preferences - volume levels, notification preferences, and display settings stored locally on your device and, if you are signed in, associated with your account on our servers.
- Alarm backup data (optional — opt-in required) — if you enable Auto-sync alarms to cloud in the app Settings, your alarm configurations (name, time, recurrence schedule, and ringtone preference) are stored on our servers and linked to your account. This allows your alarms to be restored if you reinstall the app. Cloud backup is disabled by default and can be turned off at any time; disabling it does not delete already-synced alarms from our servers, but deleting your account removes all alarm data permanently.
- Contact form data - name, email address, and message content you provide when you contact us through this website.
- Technical data - IP addresses and request timestamps in server logs, retained for security and operational purposes.
- Crash reports (optional — consent required) — if you enable “Share crash reports” in the app Settings, anonymised crash data (device model, OS version, app version, and a stack trace) is sent to Firebase Crashlytics. No account data or personally identifiable information is included.
- Usage data (optional — consent required) — if you enable “Share anonymous usage data” in the app Settings, basic session events (e.g. app open) are sent to Firebase Analytics. No account data or personally identifiable information is included.
3. How we use your data
- Providing the service (legal basis: contract) - account management, authentication, and delivering alarm functionality based on your calendar.
- Responding to enquiries (legal basis: legitimate interest) - replying to messages submitted via our contact form.
- Security and fraud prevention (legal basis: legitimate interest) - detecting and investigating abuse or unauthorised access.
- Legal compliance (legal basis: legal obligation) - retaining records where required by applicable law.
4. Data sharing
We do not sell your personal data. We share data only in the following circumstances:
- Google LLC - calendar data is fetched via Google’s APIs under the OAuth 2.0 authorisation you grant explicitly in the app. Governed by Google’s Privacy Policy.
- Firebase (Google LLC) - used for the following purposes, all governed by Firebase’s Privacy Policy:
  - Firebase Cloud Messaging — if you link a Google Calendar, your device token is shared to deliver push notifications about calendar changes.
  - Firebase Crashlytics (consent-based) — if you opt in, anonymised crash reports are transmitted to Google’s servers, which may be located outside the EEA. Google LLC participates in the EU–US Data Privacy Framework and provides Standard Contractual Clauses.
  - Firebase Analytics (consent-based) — if you opt in, anonymised usage events are transmitted under the same transfer safeguards as above.
  You can withdraw consent at any time in the app Settings under Privacy.
- IONOS SE - our hosting provider, based in Germany (EU), processes data on our behalf as a data processor under a Data Processing Agreement. Your data is stored and processed within the European Economic Area.
- Legal authorities - where required by law or valid legal process.
5. Third-party services on this website
- Google Fonts - this website loads the Nunito typeface from Google’s servers. Your IP address is transmitted to Google when the font is fetched. You may use a browser extension to block external font loading. See Google’s Privacy Policy.
- hCaptcha - our contact form uses hCaptcha to prevent spam. hCaptcha processes data in accordance with its Privacy Policy. The legal basis for processing is our legitimate interest in preventing automated abuse.
6. Cookies and analytics
This website uses only technically necessary cookies for session management. We do not use advertising cookies or tracking pixels.
The mobile app may collect anonymised usage and crash data via Firebase Analytics and Firebase Crashlytics only if you explicitly opt in through the app Settings. No analytics are collected by default.
Third-party services (Google Fonts, hCaptcha) may set their own cookies subject to their respective privacy policies.
7. Data retention
- Account data - retained until you delete your account. Deletion removes your profile and associated data within 30 days.
- Calendar data - fetched on demand and cached for up to 24 hours; not stored permanently.
- Alarm backup data - retained for as long as your account is active. Permanently deleted within 30 days of account deletion. You can also delete individual alarms from the app at any time, which removes them from our servers immediately.
- Contact form data - retained for up to 12 months for correspondence records, then deleted.
- Server logs - retained for 90 days, then automatically purged.
8. Your rights (GDPR)
If you are in the European Economic Area or the United Kingdom, you have the following rights:
- Right of access (Art. 15) - request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) - ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) - request deletion of your personal data where there is no overriding legal basis for retention.
- Right to restriction (Art. 18) - request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20) - receive your data in a structured, machine-readable format.
- Right to object (Art. 21) - object to processing based on legitimate interests.
- Right to withdraw consent - where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please use the contact form (indicate “Data Request” in your message). We will respond within 30 days as required by GDPR Art. 12. You also have the right to lodge a complaint with your national data protection authority.
9. Children’s privacy
Picky Alarm is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the app or by email. Continued use of the service after changes constitutes acceptance of the revised policy.
Effective date: 24 May 2026 | Version: 1.2