Privacy Policy
Last updated: 21 March 2026
ChronoKit (“we”, “us”, “our”) operates the website at chronokit.io. This policy explains what personal data we collect, why, and your rights under the General Data Protection Regulation (GDPR).
1. Data We Collect
Account data (authenticated users only)
When you sign in with GitHub or Google we receive your email address, display name, and profile picture URL from the OAuth provider. We store your email address to identify your account and link it to any subscription or API keys you create.
Payment data
If you subscribe to ChronoKit Pro, your email address is passed to Stripe for payment processing. We do not store card numbers or full payment details — Stripe handles all payment data directly. See Stripe’s Privacy Policy.
API usage data
For accounts with developer API keys, we record per-day request counts to enforce rate limits and display usage statistics in your account dashboard. This data is stored in our database and Redis cache for up to 90 days.
User preferences
Preferences you set (home timezone, temperature unit, time format) are stored in your browser’s localStorage and, if you are signed in, synced to our database so they persist across devices.
Analytics data
We use Vercel Analytics to count page views and measure site performance. Vercel Analytics does not use cookies, does not track individual users across sessions, and does not collect personally identifiable information. Data is aggregated and used only to understand which features are popular and how the site performs. See Vercel’s Analytics privacy documentation.
Error data
We may use Sentry for application error monitoring when configured. If active, Sentry captures JavaScript error stack traces, browser version, and the URL where the error occurred. No personally identifiable information is intentionally included in error reports.
2. Cookies
ChronoKit uses only strictly necessary cookies. No advertising or tracking cookies are set. Our page-view analytics (Vercel Analytics) are cookie-free.
| Cookie | Purpose | Duration |
|---|---|---|
| ck_st | Security token that authenticates browser requests to our API | 1 hour (auto-renewed) |
| next-auth.session-token | Encrypted authentication session (signed-in users only) | Session / 30 days |
| next-auth.csrf-token | Cross-site request forgery protection during sign-in | Session |
Because these cookies are strictly necessary for the service to function, they do not require your consent under the ePrivacy Directive.
3. Legal Bases for Processing (GDPR)
- Contractual necessity (Art. 6(1)(b)) — Processing your email to manage your account, subscription, and API keys.
- Legitimate interest (Art. 6(1)(f)) — Security tokens and CSRF cookies to protect users and the service from abuse.
- Legal obligation (Art. 6(1)(c)) — Retaining payment records as required by applicable law.
4. Data Processors
We share data with the following sub-processors to operate the service:
- Vercel — Frontend hosting (EU Frankfurt region) and cookie-free page view analytics
- Railway — Backend hosting and database (EU Frankfurt region)
- Stripe — Payment processing
- GitHub / Google — OAuth authentication providers
- Sentry — Error monitoring (if enabled)
- Anthropic — AI chat feature (messages sent to the ChronoKit AI assistant are processed by Anthropic)
5. Data Retention
- Account data — Retained while your account is active and for 30 days after deletion.
- API usage stats — Rolling 90-day window.
- Payment records — Retained for 7 years as required by EU accounting regulations.
6. Your Rights (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Access — Request a copy of the data we hold about you.
- Rectification — Ask us to correct inaccurate data.
- Erasure — Request deletion of your account and personal data.
- Portability — Receive your data in a machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Restriction — Ask us to restrict processing in certain circumstances.
To exercise any of these rights, email us at privacy@chronokit.io. We will respond within 30 days.
7. Security
All data is transmitted over HTTPS. Session cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes. Our API uses signed tokens to prevent unauthorized access.
8. Children
ChronoKit is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by updating the “Last updated” date at the top. Continued use of ChronoKit after changes constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions or to exercise your rights, contact us at privacy@chronokit.io.