Privacy Policy
How we handle your personal data.
Last updated May 25, 2026
1. Who we are
PickASunnyDay (the "App", "we", "us", "our") is a weather-planning app and this website. The data controller under Article 4(7) GDPR is:
Nils Schiwora, trading as Nils Schiwora Trading Services, Ahornstr. 37, 14547 Beelitz, Germany
If you have questions about this policy or want to exercise your rights, write to privacy@pickasunnyday.app.
For our business address in Brandenburg, the competent supervisory authority is Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg). You can always file a complaint with the authority of your habitual residence (Art. 77 GDPR).
2. What data we process
We separate three flows: the website (this domain), the iOS App, and on-device only processing.
2.1 Website
| Data | When | Source |
|---|---|---|
| Standard request data (IP address, user agent, referrer) | Every page request | Sent by your browser to our hosting provider |
| Consent state ("accepted" / "declined") | After you click on the cookie banner | Stored locally in your browser under psd:cookie-consent |
| UTM parameters | When you visit with utm_* query parameters | Stored locally in your browser under psd:utm (session storage) |
This website loads PostHog product analytics, hosted at eu.i.posthog.com (EU region), behind cookie consent. Nothing is loaded or sent until you accept the cookie banner. If you decline, no PostHog cookie is set and no events are sent. We do not load session recording, autocapture, advertising, or any other third-party tracking, and the PostHog project is configured to discard client IP addresses. The same PostHog project is used for product analytics inside the iOS App (see Section 2.2), so we can understand the funnel from this site to the app without sharing data with a second analytics vendor. Captured events are limited to: page views, App Store CTA clicks, language switches, and FAQ expansions.
2.2 iOS App
| Data | Purpose |
|---|---|
| Account identifier (via Supabase Auth — anonymous by default, optionally tied to an email) | To keep your saved locations, plans, and entitlement consistent across reinstalls |
| Approximate location (foreground only, via Apple's location permission) | To compute the sunshine forecast for a place you select |
| Locations you save or search | To show forecasts for places you care about |
| Your planning preferences (preferred time of day, required sunny hours, rain tolerance) | To rank days against your needs |
| Subscription entitlement state (plus) mirrored from RevenueCat | To unlock paid features after a successful App Store purchase |
| Expo push notification token | Only if you allow notifications, so we can send alerts about upcoming sunny days you asked to watch |
| Product analytics events (e.g. paywall_viewed, day_detail_viewed) and crash reports | Sent to PostHog and Sentry respectively — see Section 4 |
Location, saved places, and planning preferences are sent to our backend so it can return a forecast — they are not processed exclusively on your device.
2.3 What stays on your device
Your device identifier, in-app activity that we do not capture as an analytics event, and any draft inputs before you submit them do not leave your device.
3. Why we process it (legal bases)
| Purpose | Legal basis (Art. 6(1) GDPR) |
|---|---|
| Delivering the forecast service in the App | Performance of a contract — Art. 6(1)(b) |
| Processing your App Store subscription | Performance of a contract — Art. 6(1)(b) |
| Sending notifications you opted into | Consent — Art. 6(1)(a) |
| Product analytics (if enabled) to understand which features work | Legitimate interest — Art. 6(1)(f). You can object at any time (Section 7). |
| Detecting abuse and securing the service | Legitimate interest — Art. 6(1)(f) |
| Meeting legal retention duties (tax, accounting) | Legal obligation — Art. 6(1)(c) |
4. Service providers and recipients
We use a small number of processors.
| Provider | Role | Region | Notes |
|---|---|---|---|
| Vercel Inc. | Hosting for this website and the mobile API | Vercel Edge Network globally; functions in USA (iad1) and API also EU (fra1) | Standard request data (IP address, user agent) flows through Vercel logs for abuse prevention. |
| Supabase | Database, authentication, and server-side storage for your account, saved locations, planning preferences, push tokens, and entitlement mirror | EU — Central (Frankfurt, eu-central-1) | Operates as a data processor under a Data Processing Agreement. |
| Trigger.dev | Scheduled background jobs (alerting, watched-plan rescoring) | EU — Central (Frankfurt, eu-central-1) | Runs server-side; has no direct access to your device. |
| Open-Meteo | Source of the underlying weather forecast data the App ranks | EU (Open-Meteo is operated from Germany) | Our backend queries Open-Meteo server-side, never your device — so Open-Meteo does not receive your IP address or device identifier from us. Open-Meteo requires attribution under CC BY 4.0; the iOS App shows this in Settings → Help & About → About & legal and in Acknowledgments. |
| Apple Inc. | App distribution, App Store subscription processing, push delivery via APNs | USA (with EU sub-processors) | Apple receives purchase and refund metadata directly from you under Apple's own privacy policy. |
| Expo (Expo Application Services) | Building the mobile app, routing push notifications via APNs | USA | The Expo push token identifies your device installation, not you personally. |
| RevenueCat | Managing the plus subscription entitlement and exposing it back to the App and our backend | USA | We use RevenueCat as the subscription source of truth. It processes App Store transaction metadata and your RevenueCat-issued user identifier. |
| PostHog | Product analytics for the landing site and the iOS App | EU — eu.i.posthog.com | Single project used by both surfaces so we can read the landing → app funnel. Events are limited to product and conversion usage (e.g. $pageview, cta_click, language_switch, faq_expand on the site; paywall_viewed, day_detail_viewed in the App). Session replay and autocapture are disabled, client IP addresses are discarded in PostHog, and landing analytics fires only after the cookie banner is accepted. |
| Sentry | Crash and error reporting for the iOS App | EU | Receives stack traces and limited device metadata. |
We do not sell your data and we do not use it for personalised advertising.
5. International transfers
The following processors are based in or operate from the United States: Vercel (where applicable), Apple, Expo, and RevenueCat. PostHog has been moved to its EU region (eu.i.posthog.com) for both the landing site and the iOS App, so PostHog event data does not leave the EU. Trigger.dev runs the project in Frankfurt (eu-central-1). Sentry stores this project's crash-report data in its EU region. The processor terms for the non-EU processors have been confirmed for launch. Transfers to non-EU recipients rely on Standard Contractual Clauses adopted by the European Commission, plus supplementary measures where required by Schrems II. Where a provider participates in the EU-US Data Privacy Framework, we also rely on its current certification as an additional safeguard.
6. How long we keep your data
| Category | Retention |
|---|---|
| Saved locations and planning preferences | Until you delete them in the App or delete your account |
| Push notification token | Until you revoke notification permission or uninstall the App |
| Product analytics events | Up to 12 months under the current PostHog Cloud Free plan |
| Crash reports | Up to 90 days in Sentry under the current self-serve plan/trial |
| Subscription and invoicing records | Up to 10 years where required by German tax and commercial law (§ 147 AO, § 257 HGB) |
| Server access logs | Vercel runtime logs: 1 day on the current Pro plan; Supabase API/database logs: 1 day on the current Free project, 7 days after the planned Pro upgrade |
7. Your rights
Under the GDPR you can:
- Ask for confirmation of what we process about you and a copy of it (Art. 15)
- Have inaccurate data corrected (Art. 16)
- Have your data deleted (Art. 17), subject to legal retention duties
- Restrict processing while a dispute is open (Art. 18)
- Receive your data in a portable, machine-readable format (Art. 20)
- Object to processing based on legitimate interest, including analytics (Art. 21)
- Withdraw any consent you gave us at any time, with effect for the future (Art. 7(3))
- Lodge a complaint with a supervisory authority (Art. 77)
To exercise any of these rights, email privacy@pickasunnyday.app. We aim to respond within 30 days (Art. 12(3)).
To delete your account and the data tied to it: see the Support page.
8. Children
The App is not directed at children under 16. We do not knowingly process data of users under 16 without verifiable parental consent (Art. 8 GDPR). If you believe a child has signed up, write to privacy@pickasunnyday.app and we will delete the account.
9. Security
We use HTTPS for all traffic, store credentials and tokens encrypted at rest, and limit internal access on a need-to-know basis. No system is perfectly secure. If you become aware of a vulnerability, please report it to security@pickasunnyday.app.
10. Changes to this policy
We will post material changes here and, where the change affects you (for example, a new processor handling your data), notify you by email or in the App at least 14 days before the change takes effect. The date at the top of this page shows when it was last revised.
11. Contact
For all privacy questions and rights requests:
Nils Schiwora, trading as Nils Schiwora Trading Services, Ahornstr. 37, 14547 Beelitz, Germany. Email: privacy@pickasunnyday.app
