Data Processing Addendum
Last updated: April 6, 2026
1. Definitions
| Term | Definition |
|---|---|
| Controller | CommonTime, operator of https://commontime.cc |
| Data Subject | Any individual whose personal data is processed through the Service (organizers, participants) |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) |
| Processing | Any operation performed on Personal Data, as defined in GDPR Art. 4(2) |
| Processor | A third-party service provider processing Personal Data on behalf of the Controller |
| Sub-processor | A Processor engaged by another Processor to carry out specific processing activities |
| Service | The CommonTime decision-first group scheduling platform at https://commontime.cc |
| SCCs | EU Standard Contractual Clauses for international data transfers, as adopted by EU Commission Implementing Decision (EU) 2021/914 |
2. Scope and Purpose
2.1 Scope
This Data Processing Addendum governs the processing of Personal Data by the Service and its Sub-processors in connection with the operation of the CommonTime scheduling platform. It applies to all Personal Data processed through the Service, including data from authenticated organizers and unauthenticated participants.
2.2 Purpose of Processing
Personal Data is processed solely for the purpose of:
- Facilitating group scheduling and availability coordination
- Computing decision hints (algorithm-backed scheduling recommendations)
- Computing fairness metrics (Gini coefficient, coverage, exclusion rate)
- Finalizing and publishing calendar events
- Supporting the MCP agent gateway for programmatic scheduling
- Maintaining service reliability, security monitoring, and error tracking
2.3 Legal Basis
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Availability collection from participants | Art. 6(1)(b) — Performance of a contract |
| Organizer authentication (Google OAuth) | Art. 6(1)(b) — Contract performance |
| Calendar event finalization | Art. 6(1)(b) — Contract performance |
| Analytics (PostHog, self-hosted) | Art. 6(1)(a) — Consent (via cookie preferences) |
| Error monitoring (Sentry) | Art. 6(1)(f) — Legitimate interests (service reliability) |
| Security logging and rate limiting | Art. 6(1)(f) — Legitimate interests (security) |
3. Categories of Personal Data Processed
3.1 Organizer Data (Authenticated)
- Name and email (from Google OAuth) — retained until account deletion or 24 months of inactivity
- Google Calendar OAuth tokens (encrypted with AES-256-GCM) — retained until connection revoked
- Calendar event metadata — retained until poll finalization + 90 days
3.2 Participant Data (Unauthenticated)
- Participant name (user-provided) — retained until poll expiration or 12 months
- Availability selections (binary matrix) — retained until poll expiration or 12 months
- Timezone — retained until poll expiration or 12 months
3.3 Automatically Collected Data
- IP address — 90 days (analytics), 30 days (security logs)
- Browser/device metadata — 90 days (analytics)
- Cookies (session, preferences) — session duration or 365 days
- Error context (stack traces) — 90 days (Sentry)
4. Sub-processor List
Supabase Inc.
Database (PostgreSQL + RLS) and authentication. Data location: eu-central-1 (AWS Frankfurt). Data remains in the EU.
Google Cloud Platform
Application hosting (Cloud Run) and container registry. Data location: europe-west1 (Belgium). Data remains in the EU.
PostHog (self-hosted)
Product analytics. Self-hosted on GCP europe-west1-b (Belgium). No data leaves our infrastructure to a third-party analytics processor.
Sentry (Functional Software Inc.)
Error monitoring and performance tracking. Data may be processed in the US. Transfer mechanism: EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor). IP addresses are anonymized. No participant data is sent to Sentry.
Google (OAuth)
Organizer authentication and calendar API access. Google's data processing terms include SCCs for any data that transits non-EU infrastructure.
5. International Data Transfers
All primary data storage is within the European Economic Area (EEA):
- Supabase: eu-central-1 (Frankfurt) — no international transfer
- Google Cloud Run: europe-west1 (Belgium) — no international transfer
- PostHog: self-hosted on GCP europe-west1-b — no international transfer
For Sub-processors outside the EEA (Sentry, Google OAuth), transfer mechanisms include EU Standard Contractual Clauses (SCCs). Supplementary measures: encryption in transit (TLS 1.2+), data minimization in error reports, IP anonymization.
6. Technical and Organizational Measures
6.1 Encryption
- At rest: AES-256-GCM with scrypt-derived keys. OAuth tokens encrypted before database storage.
- In transit: TLS 1.2+ enforced on all endpoints. HTTPS-only.
- Token hashing: Edit tokens hashed with SHA-256; agent tokens hashed with HMAC-SHA256.
6.2 Access Controls
- Row-Level Security (RLS) enforced on all Supabase tables
- Service role separation (server-only vs client-side keys)
- Distributed rate limiting on all API endpoints
- CSRF protection on state-changing operations
- Input validation with Zod schemas and SQL wildcard blocking
6.3 Availability
- Google Cloud Run with auto-scaling in europe-west1
- Supabase managed PostgreSQL with automated backups
- Sentry for error tracking; PostHog for usage analytics
7. Data Subject Rights
CommonTime supports Data Subject rights as required by GDPR Chapter III:
- Right of Access (Art. 15) — Self-service data export for organizers. Participant data available via GDPR endpoint. Response within 30 days.
- Right to Erasure (Art. 17) — Self-service account deletion for organizers. Participant data deleted with poll expiration or upon request. Response within 30 days.
- Right to Data Portability (Art. 20) — JSON export of all user data.
- Right to Object (Art. 21) — Opt-out of analytics via granular cookie preferences (immediate effect).
7.1 Participant-Specific Considerations
Participants do not create accounts. Their data is linked to specific polls, not to a persistent identity. Participants can request deletion by contacting the poll organizer or CommonTime directly. Participant data is automatically deleted when the poll expires or reaches the 12-month retention limit.
8. Data Breach Notification
- Sub-processor to Controller: notification within 48 hours of becoming aware of a breach
- Controller to Supervisory Authority: notification within 72 hours (GDPR Art. 33)
- Controller to Data Subjects: without undue delay where the breach poses high risk (GDPR Art. 34)
9. Data Deletion and Return
Upon termination or at the Controller's request:
- All Personal Data deleted or returned within 30 days
- Backup copies deleted within 90 days of termination
Automated Data Lifecycle
| Data Type | Auto-deletion Trigger |
|---|---|
| Poll data | Poll expiration or 12 months of inactivity |
| Organizer account data | Account deletion or 24 months of inactivity |
| Analytics (PostHog) | 90-day rolling retention |
| Error logs (Sentry) | 90-day rolling retention |
| Security/access logs | 30-day rolling retention |
10. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the European Union and the applicable member state of the Controller's establishment. Disputes arising from this DPA shall be resolved in accordance with the dispute resolution mechanisms of the underlying service agreement.
11. Contact
For data protection inquiries:
12. Sub-processor Change Notification
CommonTime shall notify users of any changes to the Sub-processor list with at least 30 days' prior notice. Users may object to the change within 15 days of notification. If the objection is not resolved, the user may terminate the Service.