Dieses Dokument ist nur auf Englisch verfügbar. Die englische Version ist die rechtlich bindende Version.

1. Who we are

elapso ("the Service") is operated by Lukasz Magdziarz, a private individual based in Belgium.

Esplanade Paul-Henri Spaak 3
1150 Woluwe-Saint-Pierre, Belgium
hello@elapso.com

As data controller under the General Data Protection Regulation (EU) 2016/679 (GDPR), I am responsible for the personal data processed through this Service.

This Privacy Policy covers the elapso website (elapso.com) and the elapso mobile applications for Android and iOS. Sections that apply only to the mobile apps are marked as such.

2. What data we collect

We collect only the data necessary to provide the Service:

  • Account data: username, email address, optional first/last name and bio, optional profile avatar image, date of account creation. Each account is assigned a unique referral code; if you create an account via another user's referral link, we record which user referred you (the relationship is stored as an internal link between your account and the referrer's account and is not publicly displayed). If you sign up or log in with a third-party sign-in provider (Google, Apple, Facebook, X, Microsoft, or GitHub), we receive your name (where the provider shares it), your email address, and a provider account identifier from that provider; we store only your name, email address, and the provider account identifier used to link the sign-in method to your elapso account, and we never receive your password for that provider. If you use Apple's "Hide My Email" option, the relay address Apple generates is treated as your email address. You can link and unlink sign-in providers at any time from your account settings.
  • Content you create: events, descriptions, optional event cover images, tags, optional location data (place name, city, country, and geographic coordinates — entered voluntarily when creating or editing an event), comments, emoji reactions on events, time capsule messages you write on event pages, folders, challenges you create, and the user accounts you choose to follow. Time capsule messages are private — they are stored securely and only revealed to you once the associated event's countdown has ended. Messages are screened by an automated AI service at the time of submission to detect content that violates the acceptable use policy; they are not published to other users. Once submitted, a time capsule message cannot be edited (it remains sealed), but you can delete it at any time from the event page or the mobile app.
  • Challenge participation data: when you join a challenge — including challenges concerning health-related habits such as quitting smoking or drinking — we store which challenge you joined, the date and time you started each attempt, whether your participation is currently active, and the date you ended each attempt. This history is preserved across restarts so you can review your previous streaks. This data is used solely to display your progress, compute your elapsed days, and send you milestone notification emails if you have enabled that preference. Participation in a public challenge makes your username and elapsed day count visible to other participants on the challenge page, except on challenges elapso designates as identity-hidden (typically covering sensitive topics such as addiction recovery), where participant identities are never displayed publicly — only aggregate counts are shown. The quit-tracker landing pages (elapso.com/quit/) let you calculate your progress and savings without an account: your inputs (quit date, consumption, cost) are stored solely in your browser's local storage and are never transmitted to our servers unless you explicitly choose to join a challenge, at which point only your chosen start date is sent and stored as above.
  • Subscription preferences: notification frequency settings for events you choose to follow, and your per-type notification preferences (whether to receive notifications when someone comments on your event, replies to your comment, shares a folder with you, adds a time capsule to your event, creates a new event while you follow them, you reach a milestone on a countup event, or you reach a milestone in a challenge). These preferences are stored in your account and can be changed at any time from your account Settings page.
  • Engagement data: experience points (XP), activity streaks, and badges/achievements earned by using the Service. This data is derived from your activity and used solely to provide the gamification features of the Service.
  • Feedback submissions: if you submit feedback via the feedback form, we store the category, description, and the page URL at the time of submission. If you provide an email address, that is also stored. Providing an email address is optional and the form is available to both registered and anonymous visitors.
  • Analytics data: when you browse the Service, we record the page URL visited, the referring URL (the page you came from), a session identifier derived from your browser session cookie, the device category (mobile, tablet, or desktop, derived from your browser's user-agent string), any search queries you submit, and your approximate geographic location (country, region, and city where available). Location is derived from your IP address at the time of the request using the MaxMind GeoLite2-City database, which runs locally on our servers — your IP address is never sent to MaxMind or any other third party, and is not stored. This data is used solely to understand aggregate traffic, geographic distribution, search patterns, and device usage, and to improve the Service. It contains no name or email address, and is retained for 12 months before being automatically deleted.
  • Technical data: IP addresses and request timestamps, stored in server logs for security purposes. Logs are retained for a maximum of 30 days.
  • Push notification token (mobile app only): if you install the elapso mobile app and grant notification permission, a push notification token generated by the Expo push service is stored in your account. It is used solely to deliver the notifications you have enabled and is deleted when you delete your account. You can revoke notification permission at any time in your device settings, which renders the token inactive.
  • Device location (mobile app only): if you use the location picker when creating an event in the mobile app and grant location permission, your device's GPS coordinates are read once to centre the map. The coordinates are only stored if you choose to attach the selected location to an event. The app does not track your location in the background. You can deny or revoke location permission at any time in your device settings.

Anonymous "try it" countdowns: the try-it page lets you create a countdown without an account. The countdown you enter there is processed entirely in your browser and is not stored on our servers. It is only saved if you subsequently create an account and choose to save it.

Email reminder sign-up ("Remind me"): if you enter your email address in a "Remind me" form, we send a single confirmation email containing a signed link (double opt-in). No account is created and no reminder is activated unless you click that link; the link expires after 48 hours and unconfirmed requests leave no stored data. Clicking the link creates a password-free account holding only your email address and an auto-generated username, verifies your email address, and activates the reminder subscription — which you can cancel at any time from the Subscriptions page, and you can delete the account itself at any time. The legal basis is your consent (Art. 6(1)(a) GDPR), given by clicking the confirmation link.

We do not use analytics trackers, advertising networks, or social media pixels. Apart from your voluntary participation in health-related challenges (described above), we do not collect sensitive personal data (religion, political views, etc.).

3. Legal basis for processing

  • Performance of a contract (Art. 6(1)(b) GDPR): processing your account data and content to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): retaining server logs for security, fraud prevention, and service integrity.
  • Consent (Art. 6(1)(a) GDPR): sending you email reminders for events, activity notification emails (e.g. comments, folder shares), and milestone notification emails for countup events and challenges — you may withdraw consent at any time by disabling individual notification types in your account Settings page.

4. How we use your data

  • To create and maintain your account.
  • To display your public events and profile to other users. If another user follows you, your recently created public events and public comments may appear in their activity feed.
  • To send email notifications and digests you have explicitly requested, including activity notifications (e.g. when someone comments on your event or shares a folder with you) and milestone notifications for countup events and challenges, based on your per-type notification preferences. You can disable any or all of these at any time from your account Settings page.
  • To analyse aggregate traffic patterns (pages visited, referral sources) and improve the Service. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR). No individual browsing profiles are built and the data is never shared with third parties.
  • To display a map and location name on the event detail page, and to enable location-based search (by country or city), when you voluntarily attach a location to an event. Location data you add to an event is visible to anyone who can view that event according to its visibility setting.
  • To serve embeddable countdown widgets for public events. Any website can embed a public event's countdown; the embed shows only the event title, its date, and the running counter — no account data. When a visitor views a page containing an elapso embed, their browser requests the widget from our servers and the standard technical data described in section 2 applies. Private events cannot be embedded.
  • To moderate user-submitted content — text and images you submit (event titles, descriptions, comments, time capsule messages, cover images) are screened by an automated AI service to detect content that violates the acceptable use policy. See section 5 for details of the third-party processor used.
  • To protect the feedback and sign-up forms against automated spam — when you open the feedback form or the sign-up page, a Cloudflare Turnstile bot-detection challenge runs in the background. Your IP address and browser characteristics are processed by Cloudflare to confirm the submission comes from a human visitor. This processing is based on our legitimate interest in protecting the Service from automated abuse (Art. 6(1)(f) GDPR). See section 5 for details.
  • To ensure the security and proper operation of the Service.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-party service providers

The following third-party services are used to operate the Service. Each processes data according to their own privacy policies and GDPR commitments:

  • Render (render.com) — cloud hosting and infrastructure, servers located in the United States. Data transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
  • Cloudflare R2 — file storage for event cover images, EU region where possible.
  • Cloudflare Turnstile (Cloudflare, Inc.) — bot-detection service used on the feedback form and the sign-up page to distinguish human visitors from automated submissions. When you open the feedback form or the sign-up page, your browser executes a challenge script served by Cloudflare. Cloudflare may process your IP address and browser characteristics to generate a challenge token; no visible puzzle is shown to users. Data is processed by Cloudflare, Inc. (United States); transfers are covered by Standard Contractual Clauses under Art. 46 GDPR. See Cloudflare's Privacy Policy for details.
  • Social sign-in providers — optional authentication services: Google Sign-In (Google LLC, United States — privacy policy), Sign in with Apple (Apple Inc., United States — privacy policy), Facebook Login (Meta Platforms Ireland Ltd. — privacy policy), X (X Corp., United States — privacy policy), Microsoft (Microsoft Corporation, United States — privacy policy), and GitHub (GitHub, Inc., United States — privacy policy). Only if you choose "Continue with …" on the sign-up, log-in, or connected-accounts page, you are redirected to that provider, which authenticates you and processes your IP address and device information under its own privacy policy. The provider then shares your name, email address, and an account identifier with elapso to create or access your account. If you sign up with email and password instead, no data is exchanged with any of these providers. Transfers to providers outside the EEA are covered by Standard Contractual Clauses under Art. 46 GDPR.
  • Mailgun — transactional email provider used solely to deliver the notification emails you have subscribed to.
  • Anthropic (anthropic.com) — AI content moderation. Text and images you submit are sent to Anthropic's API to screen for content that violates the acceptable use policy. Anthropic processes this data as a data processor acting on our instructions. Anthropic does not use API data to train its models. Data is processed in the United States; transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR. See Anthropic's Data Processing Addendum for details.
  • Bunny Fonts (fonts.bunny.net) — EU-hosted web font service, used to load typefaces. Bunny Fonts does not collect personal data or set cookies.
  • Nominatim / OpenStreetMap Foundation (nominatim.openstreetmap.org) — geocoding service used when you type a location in the event form. As you type, the location search text (e.g. "Brussels") is sent to Nominatim's public API to retrieve address suggestions and geographic coordinates. Only the search text is transmitted — no account data, username, or email is included in these requests. The OpenStreetMap Foundation (OSMF) is a UK-based non-profit; see their privacy policy for details. You can leave the location field blank if you prefer not to use this service.
  • OpenStreetMap tile servers (tile.openstreetmap.org) — when you view an event page that has a location set, your browser loads map tile images directly from OpenStreetMap's servers. In doing so, your browser's IP address is transmitted to OpenStreetMap's infrastructure. No elapso account data is sent. If you do not wish your IP address to be sent to OpenStreetMap, you can use a VPN or browser extension to prevent it; this does not affect any other feature of elapso.
  • Expo push notification service (Expo, Inc.) — mobile app only — push notifications in the elapso mobile app are delivered through Expo's push service. When you grant notification permission, Expo generates a push token on your device; notifications we send to you are routed through Expo's servers (United States) and the platform services of Apple (APNs) or Google (Firebase Cloud Messaging), depending on your device. The notification content (e.g. "someone commented on your event") transits these services. Transfers are covered by Standard Contractual Clauses under Art. 46 GDPR. See Expo's Privacy Policy for details.
  • Google Maps (Google LLC) — Android app only — maps shown in the elapso Android app are rendered by the Google Maps component built into Android. When a map is displayed, your device communicates with Google's servers, which process your IP address and device identifiers under Google's Privacy Policy. This applies only to screens in the Android app that display a map (event detail pages with a location, the event map, and the location picker). The iOS app uses Apple Maps, and the website uses OpenStreetMap.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking service.

6. Cookies

elapso uses only strictly necessary and functional cookies:

  • sessionid — keeps you logged in during your visit. Expires at the end of your browser session.
  • csrftoken — protects forms against cross-site request forgery attacks. Expires at the end of your browser session.
  • django_language — stores your language preference so the correct language is shown on your next visit. Persistent for 1 year. Contains no personal identifiers.
  • Cloudflare Turnstile challenge state — set by Cloudflare Turnstile when you use the feedback form or the sign-up page, to verify the submission originates from a human visitor. This is a functional security cookie set by Cloudflare, not by elapso. It does not track you across websites and contains no personal identifiers.

These cookies do not track you across websites and are exempt from consent requirements under the ePrivacy Directive. We do not use advertising, analytics, or third-party tracking cookies.

7. Data retention

  • Account and content data is retained for as long as your account is active.
  • Accounts whose email address is never verified and that contain no content (no events or comments) may be deleted after 7 days, as they are presumed to be automated signups.
  • When you delete your account, all personal data associated with it (profile, events, comments, emoji reactions, time capsule messages, subscriptions, folders) is immediately and permanently deleted.
  • Analytics data (page views, referrers, session identifiers) is retained for 12 months and then automatically deleted.
  • Server logs are retained for a maximum of 30 days.

8. Automated decision-making

The Service uses automated moderation to screen content. When the automated system detects repeated policy violations within a 24-hour window, your account may be automatically suspended for 48 hours without human review. This constitutes automated individual decision-making that may significantly affect you within the meaning of Art. 22 GDPR.

You have the right to:

  • Request human review of the automated suspension decision.
  • Express your point of view regarding the decision.
  • Contest the decision if you believe it was applied in error.

To exercise these rights, contact hello@elapso.com. We will respond within a reasonable timeframe.

9. Your rights under GDPR

As a data subject in the EU, you have the following rights:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate data via your profile settings.
  • Right to erasure (Art. 17): delete your account and all associated data at any time from your account settings.
  • Right to restriction of processing (Art. 18): request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): download your personal data in a machine-readable format. You can export your account data (profile, events, comments, emoji reactions, and time capsule messages) directly from your account settings page.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent: for email notifications, withdraw at any time via your subscription settings.

To exercise any of these rights, email hello@elapso.com. I will respond within 30 days as required by GDPR.

10. Right to lodge a complaint

You have the right to lodge a complaint with the Belgian supervisory authority:

Gegevensbeschermingsautoriteit / Autorité de Protection des Données
Rue de la Presse 35, 1000 Brussels
www.dataprotectionauthority.be
contact@apd-gba.be

11. Changes to this policy

This Privacy Policy may be updated from time to time. The current version is always available at this URL. For significant changes, I will make reasonable efforts to inform registered users, but you are encouraged to review this page periodically.

12. Contact

Questions or requests regarding your personal data can be sent to: hello@elapso.com