This is a pre-publication draft written during the Tempus GDPR remediation programme. Final copy is pending legal review; the substance will not change materially, but contact details and the operating entity may be adjusted before launch.
1. Who we are
Tempus is a habit-tracking mobile application operated by the Tempus team (we, us, our). We are the data controller for the personal data described in this notice. You can reach us at privacy@tempusapp.info.
2. What we collect
| Category | Source | Purpose |
|---|---|---|
| Phone number | You, at signup | Authenticate your account |
| Email address | You, optional | Authenticate; send verification codes |
| Username and emoji avatar | You | Display your profile in-app |
| Habit and task content you create | You | Provide the core service |
| Task completion history | You | Show streaks and progress |
| Linked calendar URLs (ICS) | You | Fetch and display your calendar events |
| Custom mood content | You | Generate personalised motivational phrases |
| Authentication metadata | Firebase | Sign-in IP and device fingerprint for abuse prevention |
| Subscription metadata | Apple / Google IAP via RevenueCat | Deliver and manage your Tempus Pro subscription |
| Product-analytics events & device metadata | PostHog SDK in the app | Understand which features are used and improve the product |
We do not collect precise location data, contacts, advertising IDs, or analytics beyond what Firebase requires for authentication.
3. Why we process this data
Our lawful bases under the GDPR are:
- Contractual necessity (Art. 6(1)(b)) — to operate the account you signed up for. This is also our basis for processing subscription data when you purchase Tempus Pro: the data is necessary to deliver the service you have paid for.
- Consent (Art. 6(1)(a)) — for optional processing such as AI-generated phrase personalisation and calendar integration. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) — to detect abuse, keep the service running securely, and operate product analytics that help us improve Tempus. You can opt out of analytics at any time in Settings → Privacy.
4. Who else processes your data
We use the processors below. Each has a signed data-processing agreement with us.
| Processor | Role | Location |
|---|---|---|
| Google Firebase Authentication | Verifies phone / email / Google / Apple sign-in. | Global, Standard Contractual Clauses |
| Supabase | Hosts the Postgres database where your account data lives. | European Union region |
| Resend | Delivers transactional email such as your one-time verification codes. We send your email address and the message body. | United States, Standard Contractual Clauses |
| Anthropic | Generates personalised motivational phrases from the free-text examples you provide when creating a custom mood. Model used: Claude Haiku 4.5. We do not send your name, phone number, email, tasks, or calendar data to Anthropic. Anthropic does not use this content to train their models under their commercial terms. See anthropic.com/privacy. | United States, Standard Contractual Clauses |
| Canny | Hosts the in-app feature requests board where you can suggest features and vote on others' suggestions. We send your Firebase UID, username, and email address via a signed SSO token so you are automatically logged in. We never send your task content, calendar data, or custom mood phrases to Canny. See canny.io/privacy. | United States, Standard Contractual Clauses |
| RevenueCat | Validates Tempus Pro in-app purchases, tracks subscription status, and notifies our backend of billing events via webhook. Used only if you subscribe. We send your Firebase UID and the purchase events forwarded by Apple or Google; we never send your name, phone number, email, tasks, or calendar data to RevenueCat. See revenuecat.com/privacy. | United States, Standard Contractual Clauses |
| Apple App Store / Google Play | Process the actual purchase if you subscribe to Tempus Pro. Apple and Google are independent controllers for the payment data they collect from you. We never see your card details. | Per their respective privacy policies |
| PostHog | Collects product-analytics events so we can understand how Tempus is used and which features need work. Hosted at us.i.posthog.com; IP addresses are anonymised at the edge before storage. Before you sign in: a random anonymous device id, screen views, app lifecycle events, and device metadata (model, OS, app version, locale, timezone, network type, screen size). After you sign in: your Firebase UID, email, username, authentication method, and Tempus Pro status — used only to segment dashboards. We never send your task content, calendar event titles, custom mood phrases, IP address, GPS location, or advertising identifiers to PostHog. See posthog.com/privacy. | United States, Standard Contractual Clauses |
If we add a processor, we update this page and bump the version before the change takes effect.
5. International transfers
Firebase, Resend, Anthropic, RevenueCat, Canny, and PostHog process data outside the European Economic Area. We rely on the European Commission's adequacy decisions where available and Standard Contractual Clauses (SCCs) otherwise. Copies of the SCCs are available on request.
6. How long we keep your data
- Active accounts: for as long as your account exists.
- Inactive accounts: we delete or anonymise accounts that have not signed in for 24 consecutive months.
- Subscription data: retained for the lifetime of the account. On account deletion we also call RevenueCat to delete your subscriber record.
- Analytics events (PostHog): retained according to the PostHog plan we run on (currently up to 12 months for raw events). When you delete your account we call
posthog.reset()to disassociate your device from your user record; you can also email us to request deletion of historical analytics data tied to your Firebase UID. - One-time codes: stored as a salted hash and cleared immediately after use, or after 10 minutes if unused.
- Encrypted backups: retained for up to 30 days.
- Server logs: retained for up to 30 days. We do not log phone numbers or email addresses.
7. Your rights
Under the GDPR you have the right to:
- Access a copy of the data we hold about you (Art. 15). Use Download my data in Settings, or email us.
- Correct inaccurate data (Art. 16). Most fields are editable in the app.
- Delete your account and all associated data (Art. 17). Use Delete account in Settings, or email us.
- Port your data to another provider (Art. 20). The export format is machine-readable JSON.
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent for consent-based processing (Art. 7).
- Lodge a complaint with the supervisory authority in the EU member state where you live or work. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
To exercise any right, email privacy@tempusapp.info. We reply within one month (Art. 12(3)).
8. Security
We encrypt all network traffic with HTTPS, hash one-time codes with BCrypt, and restrict database access to a single backend service credential. Detailed technical measures are available on request.
9. Children
Tempus is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child has signed up, email us and we will delete the account.
10. Changes to this policy
When we change this notice materially, we bump the version (shown at the top of this page) and ask you to re-consent inside the app on your next sign-in.