Privacy Policy

1. Who we are

elapso ("the Service") is operated by Lukasz Magdziarz, a private individual based in Belgium. You can contact me at hello@elapso.com.

As data controller under the General Data Protection Regulation (EU) 2016/679 (GDPR), I am responsible for the personal data processed through this Service.

2. What data we collect

We collect only the data necessary to provide the Service:

Account data: username, email address, optional first/last name and bio, optional profile avatar image, date of account creation. Each account is assigned a unique referral code; if you create an account via another user's referral link, we record which user referred you (the relationship is stored as an internal link between your account and the referrer's account and is not publicly displayed).
Content you create: events, descriptions, optional event cover images, tags, optional location data (place name, city, country, and geographic coordinates — entered voluntarily when creating or editing an event), comments, emoji reactions on events, time capsule messages you write on event pages, folders, challenges you create, and the user accounts you choose to follow. Time capsule messages are private — they are stored securely and only revealed to you once the associated event's countdown has ended. Messages are screened by an automated AI service at the time of submission to detect content that violates the acceptable use policy; they are not published to other users. Once submitted, a time capsule message cannot be edited or deleted.
Challenge participation data: when you join a challenge, we store which challenge you joined, the date and time you started each attempt, whether your participation is currently active, and the date you ended each attempt. This history is preserved across restarts so you can review your previous streaks. This data is used solely to display your progress, compute your elapsed days, and send you milestone notification emails if you have enabled that preference. Participation in a public challenge makes your username and elapsed day count visible to other participants on the challenge page.
Subscription preferences: notification frequency settings for events you choose to follow, and your per-type notification preferences (whether to receive notifications when someone comments on your event, replies to your comment, shares a folder with you, adds a time capsule to your event, creates a new event while you follow them, you reach a milestone on a countup event, or you reach a milestone in a challenge). These preferences are stored in your account and can be changed at any time from your account Settings page.
Engagement data: experience points (XP), activity streaks, and badges/achievements earned by using the Service. This data is derived from your activity and used solely to provide the gamification features of the Service.
Feedback submissions: if you submit feedback via the feedback form, we store the category, description, and the page URL at the time of submission. If you provide an email address, that is also stored. Providing an email address is optional and the form is available to both registered and anonymous visitors.
Analytics data: when you browse the Service, we record the page URL visited, the referring URL (the page you came from), a session identifier derived from your browser session cookie, the device category (mobile, tablet, or desktop, derived from your browser's user-agent string), any search queries you submit, and your approximate geographic location (country, region, and city where available). Location is derived from your IP address at the time of the request using the MaxMind GeoLite2-City database, which runs locally on our servers — your IP address is never sent to MaxMind or any other third party, and is not stored. This data is used solely to understand aggregate traffic, geographic distribution, search patterns, and device usage, and to improve the Service. It contains no name or email address, and is retained for 12 months before being automatically deleted.
Technical data: IP addresses and request timestamps, stored in server logs for security purposes. Logs are retained for a maximum of 30 days.

We do not use analytics trackers, advertising networks, or social media pixels. We do not collect sensitive personal data (health, religion, political views, etc.).

3. Legal basis for processing

Performance of a contract (Art. 6(1)(b) GDPR): processing your account data and content to provide the Service you signed up for.
Legitimate interest (Art. 6(1)(f) GDPR): retaining server logs for security, fraud prevention, and service integrity.
Consent (Art. 6(1)(a) GDPR): sending you email reminders for events, activity notification emails (e.g. comments, folder shares), and milestone notification emails for countup events and challenges — you may withdraw consent at any time by disabling individual notification types in your account Settings page.

4. How we use your data

To create and maintain your account.
To display your public events and profile to other users. If another user follows you, your recently created public events and public comments may appear in their activity feed.
To send email notifications and digests you have explicitly requested, including activity notifications (e.g. when someone comments on your event or shares a folder with you) and milestone notifications for countup events and challenges, based on your per-type notification preferences. You can disable any or all of these at any time from your account Settings page.
To analyse aggregate traffic patterns (pages visited, referral sources) and improve the Service. This processing is based on our legitimate interest (Art. 6(1)(f) GDPR). No individual browsing profiles are built and the data is never shared with third parties.
To display a map and location name on the event detail page, and to enable location-based search (by country or city), when you voluntarily attach a location to an event. Location data you add to an event is visible to anyone who can view that event according to its visibility setting.
To moderate user-submitted content — text and images you submit (event titles, descriptions, comments, time capsule messages, cover images) are screened by an automated AI service to detect content that violates the acceptable use policy. See section 5 for details of the third-party processor used.
To ensure the security and proper operation of the Service.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-party service providers

The following third-party services are used to operate the Service. Each processes data according to their own privacy policies and GDPR commitments:

Render (render.com) — cloud hosting and infrastructure, servers located in the United States. Data transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.
Cloudflare R2 — file storage for event cover images, EU region where possible.
Mailgun — transactional email provider used solely to deliver the notification emails you have subscribed to.
Anthropic (anthropic.com) — AI content moderation. Text and images you submit are sent to Anthropic's API to screen for content that violates the acceptable use policy. Anthropic processes this data as a data processor acting on our instructions. Anthropic does not use API data to train its models. Data is processed in the United States; transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR. See Anthropic's Data Processing Addendum for details.
Bunny Fonts (fonts.bunny.net) — EU-hosted web font service, used to load typefaces. Bunny Fonts does not collect personal data or set cookies.
Nominatim / OpenStreetMap Foundation (nominatim.openstreetmap.org) — geocoding service used when you type a location in the event form. As you type, the location search text (e.g. "Brussels") is sent to Nominatim's public API to retrieve address suggestions and geographic coordinates. Only the search text is transmitted — no account data, username, or email is included in these requests. The OpenStreetMap Foundation (OSMF) is a UK-based non-profit; see their privacy policy for details. You can leave the location field blank if you prefer not to use this service.
OpenStreetMap tile servers (tile.openstreetmap.org) — when you view an event page that has a location set, your browser loads map tile images directly from OpenStreetMap's servers. In doing so, your browser's IP address is transmitted to OpenStreetMap's infrastructure. No elapso account data is sent. If you do not wish your IP address to be sent to OpenStreetMap, you can use a VPN or browser extension to prevent it; this does not affect any other feature of elapso.

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking service.

6. Cookies

elapso uses only strictly necessary and functional cookies:

sessionid — keeps you logged in during your visit. Expires at the end of your browser session.
csrftoken — protects forms against cross-site request forgery attacks. Expires at the end of your browser session.
django_language — stores your language preference so the correct language is shown on your next visit. Persistent for 1 year. Contains no personal identifiers.

These cookies do not track you across websites and are exempt from consent requirements under the ePrivacy Directive. We do not use advertising, analytics, or tracking cookies.

7. Data retention

Account and content data is retained for as long as your account is active.
When you delete your account, all personal data associated with it (profile, events, comments, emoji reactions, time capsule messages, subscriptions, folders) is immediately and permanently deleted.
Analytics data (page views, referrers, session identifiers) is retained for 12 months and then automatically deleted.
Server logs are retained for a maximum of 30 days.

8. Automated decision-making

The Service uses automated moderation to screen content. When the automated system detects repeated policy violations within a 24-hour window, your account may be automatically suspended for 48 hours without human review. This constitutes automated individual decision-making that may significantly affect you within the meaning of Art. 22 GDPR.

You have the right to:

Request human review of the automated suspension decision.
Express your point of view regarding the decision.
Contest the decision if you believe it was applied in error.

To exercise these rights, contact hello@elapso.com. We will respond within a reasonable timeframe.

9. Your rights under GDPR

As a data subject in the EU, you have the following rights:

Right of access (Art. 15): request a copy of the personal data we hold about you.
Right to rectification (Art. 16): correct inaccurate data via your profile settings.
Right to erasure (Art. 17): delete your account and all associated data at any time from your account settings.
Right to restriction of processing (Art. 18): request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20): download your personal data in a machine-readable format. You can export your account data (profile, events, comments, emoji reactions, and time capsule messages) directly from your account settings page.
Right to object (Art. 21): object to processing based on legitimate interest.
Right to withdraw consent: for email notifications, withdraw at any time via your subscription settings.

To exercise any of these rights, email hello@elapso.com. I will respond within 30 days as required by GDPR.

10. Right to lodge a complaint

You have the right to lodge a complaint with the Belgian supervisory authority:

Gegevensbeschermingsautoriteit / Autorité de Protection des Données
Rue de la Presse 35, 1000 Brussels
www.dataprotectionauthority.be
contact@apd-gba.be

11. Changes to this policy

This Privacy Policy may be updated from time to time. The current version is always available at this URL. For significant changes, I will make reasonable efforts to inform registered users, but you are encouraged to review this page periodically.

12. Contact

Questions or requests regarding your personal data can be sent to: hello@elapso.com