GDPR & Data Protection
Last Updated: December 25, 2025
Overview
Chronos AI ("Chronos", "we", "us", or "our") is committed to protecting your privacy and complying with data protection laws, including the EU General Data Protection Regulation (GDPR). This page supplements our Privacy Policy and provides specific information for users in the EEA, UK, and Switzerland.
Data Controller
The data controller responsible for your personal data is:
- Entity: Chronos AI (Individual developer project)
- Location: United Arab Emirates
- Contact: chronosai.feedback@gmail.com
What Data We Process
Good news: Chronos does not store your personal data on our servers.
Website (chronosai.org):
- No email collection: We removed the waitlist feature after product launch
- Server logs: Anonymous analytics (page views, referrers) - no personal data stored
Chrome Extension:
- Calendar data: Stored locally on your device only, never sent to our servers
- Text/voice input: Sent to OpenAI API for real-time processing (not stored by us)
- OAuth tokens: Stored securely in Chrome's encrypted storage on your device
- Preferences: Stored locally in your browser using Chrome's storage API
Legal Basis for Processing
Under GDPR Article 6, we process your data based on the following legal grounds:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Calendar access | Consent (Article 6(1)(a)) | You explicitly authorize Chronos to access your Google/Outlook calendar |
| AI processing (text/voice) | Contract Performance (Article 6(1)(b)) | Necessary to provide the calendar assistant service you requested |
| Website analytics (anonymous) | Legitimate Interest (Article 6(1)(f)) | Understanding traffic patterns, preventing abuse, improving service |
| Local storage (on your device) | Not applicable | Data stays on your device - we don't process it |
Your Rights Under GDPR
As a data subject in the EEA, UK, or Switzerland, you have the following rights:
1. Right to Access (Article 15)
Status: We don't store your personal data on our servers, so there's nothing to access.
Your data is on your device: All your calendar events and preferences are stored locally in your browser. You can view them anytime using Chrome DevTools (chrome://extensions → Chronos → Inspect views).
2. Right to Rectification (Article 16)
Status: Not applicable - we don't store your data, so there's nothing for us to correct.
How to correct data: Simply edit your calendar events directly in Google Calendar or Outlook Calendar.
3. Right to Erasure / "Right to be Forgotten" (Article 17)
How to exercise: Uninstall the Chronos extension. All locally stored data (preferences, draft events) is automatically deleted when you uninstall.
Steps:
- Go to chrome://extensions
- Find "Chronos - Natural Calendar Assistant"
- Click "Remove"
- All local data is immediately deleted
4. Right to Data Portability (Article 20)
Status: Not applicable - we don't hold your data.
Your calendar data: Managed by Google or Microsoft. You can export it using their tools:
- Google Calendar: Settings → Import & Export
- Outlook Calendar: File → Save Calendar
5. Right to Object (Article 21)
How to exercise: You can revoke Chronos's access to your calendar at any time:
- Google: myaccount.google.com → Security → Third-party apps → Remove Chronos
- Microsoft: account.microsoft.com → Privacy → Apps & services → Remove Chronos
6. Right to Restrict Processing (Article 18)
How to exercise: You control all processing by using or not using the extension. There's no background processing when you're not actively using Chronos.
7. Right to Withdraw Consent (Article 7)
How to exercise: Revoke calendar access (see "Right to Object" above) or uninstall the extension. You can withdraw consent at any time without affecting prior lawful processing.
Data Retention
Simple answer: We don't store your data on our servers, so there's nothing to retain.
- Calendar events: Stored locally on your device. Deleted automatically when you uninstall the extension.
- OAuth tokens: Stored locally in Chrome's encrypted storage. Deleted when you uninstall or revoke access.
- Preferences: Stored locally in your browser. Deleted when you uninstall the extension.
- Website analytics: Anonymous server logs (no personal data) retained for 12 months for abuse prevention, then deleted.
Important: Your calendar data is managed by Google or Microsoft, not us. Their retention policies apply to your calendar events.
International Data Transfers
When you use Chronos, your calendar event text is sent to third-party APIs located in the United States:
Data Transfers to the US:
- OpenAI API (US): Your text/voice input is sent to OpenAI's GPT-4o-mini API for natural language processing
- Google Calendar API (US): Your calendar events are sent to Google's servers to create/manage events
- Microsoft Graph API (US): Your calendar events are sent to Microsoft's servers for Outlook integration
Legal Basis for Transfers:
These data transfers are necessary to provide the service you requested (GDPR Article 49(1)(b)). Without sending your calendar event data to these APIs, Chronos cannot function.
Safeguards:
- Standard Contractual Clauses (SCCs): OpenAI, Google, and Microsoft use EU-approved SCCs for data transfers
- GDPR Compliance: All three providers have comprehensive GDPR compliance programs
- Your Control: You explicitly authorize these transfers when you connect your calendar
- Transparency: We clearly disclose where your data goes in our Privacy Policy
Important: We do not transfer your data to our own servers. All transfers are directly to the third-party services that provide the functionality you're using.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data transmissions use HTTPS/TLS encryption
- Access controls: Administrative access to servers is password-protected and limited
- Minimal collection: We only collect data that is necessary for providing the service
- Regular review: We regularly review our data practices and security measures
Automated Decision-Making
Chronos uses AI (OpenAI GPT-4o-mini) to parse natural language input and create calendar events. However:
- You always review and confirm events before they're created
- No automated decisions with legal or significant effects are made
- You maintain full control over your calendar events
Children's Data
Chronos is not directed to children under 13 (or 16 in some EU countries). We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately.
Changes to This Policy
We will notify you of material changes to this GDPR policy by updating the "Last Updated" date. For significant changes affecting your rights, we may provide additional notice via email (if we have your email address).
DPO (Data Protection Officer)
As a small operation, we are not required to appoint a formal Data Protection Officer under GDPR Article 37. However, for all data protection inquiries, please contact:
Email: chronosai.feedback@gmail.com
Subject line: "GDPR Request" or "Data Protection Inquiry"