Privacy Policy
We take the protection of your personal data very seriously. This Privacy Policy explains which data we collect when you use OnlyChill, how we process it, and what rights you have under the General Data Protection Regulation (GDPR).
1. Data controller
The party responsible for processing your personal data within the meaning of the GDPR is the operator named in the Imprint. Please refer to the Imprint page for full contact details.
2. What data we collect
When you use OnlyChill, we process the following categories of personal data:
- Account data: email address, username, hashed password, avatar image (if uploaded).
- Profile data: display name and any profile information you choose to provide.
- Usage data: groups you create or join, stat collections, activity log entries, and timestamps of these actions.
- Technical data: IP address, browser type, device information, and access timestamps (processed transiently by our hosting provider).
- Subscription data: your current plan and the date you joined it.
3. Purpose of processing
We process your personal data for the following purposes:
- Providing the core OnlyChill service (creating groups, tracking stats, showing leaderboards).
- Authenticating your account and keeping it secure.
- Maintaining an audit trail of group activity for transparency between group members.
- Enforcing plan limits and, in the future, processing subscription payments.
- Improving the product and fixing bugs.
4. Legal basis
We process your data on the following legal bases under Art. 6 GDPR:
- Contract performance (Art. 6(1)(b) GDPR) — to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f) GDPR) — to keep the service secure, prevent abuse, and improve the product.
- Consent (Art. 6(1)(a) GDPR) — where we ask you explicitly, e.g. for optional analytics cookies.
5. Retention period
We retain your account data for as long as your account exists. Activity log entries are retained for the duration defined by your current plan (see the Billing page for current retention windows). When you delete your account, your personal data and associated content are permanently removed, except where retention is required by law.
6. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — to know what data we hold about you.
- Right to rectification (Art. 16 GDPR) — to correct inaccurate data.
- Right to erasure (Art. 17 GDPR) — to have your data deleted.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — to receive your data in a machine-readable format.
- Right to object (Art. 21 GDPR).
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
To exercise any of these rights, please contact us using the email address in the Imprint.
7. Cookies and tracking
OnlyChill uses strictly necessary cookies to keep you signed in and to remember your theme preference. We do not currently use analytics or advertising cookies. See the Cookie Policy for details.
8. Third-party services
To operate OnlyChill we rely on the following third-party data processors, each bound by a data processing agreement where required:
- Supabase (Supabase Inc.) — provides our PostgreSQL database, authentication, and file storage. Personal data (email, password hash, profile data, group data) is stored on Supabase infrastructure.
- Vercel (Vercel Inc.) — hosts the Next.js application and processes request metadata (IP, user agent) to deliver pages.
9. Data security
We use industry-standard technical and organizational measures to protect your personal data, including TLS encryption in transit, hashed passwords, Row Level Security at the database level, and restricted access to production systems.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated in-app. The date at the top of this page indicates when the policy was last updated.