Privacy Policy
1. Controller
Zenit Week is an open-source project operated by Petr Burian, a self-employed individual based in the Czech Republic (EU).
Contact for any privacy matter: petr@petrburian.com. Postal correspondence is available on request through the same email.
No Data Protection Officer (DPO) is appointed; the scale and nature of processing do not require one under Article 37 GDPR.
2. What data we process and where it lives
Zenit Week has no servers of its own. Your planning data is never transmitted to or stored by us. The only data involved is processed in the locations listed below.
2.1 In your browser (always)
The app uses your browser's local storage (localStorage and IndexedDB) to keep:
- Planning data — your weekly mind maps, branches, activities, counters, daily logs.
- Preferences — theme (light/dark), language (en/cs), branch colors, layout settings.
- Sync state — internal flags such as a per-device reset token used to avoid overwriting newer data on other devices.
- Google OAuth refresh token (only if you sign in with Google) — a long-lived credential issued by Google that allows the app to refresh its access to your own Drive without prompting you again. It grants access only to the app-specific Drive folder described in §4. You can revoke it at any time (see §10).
This data never leaves your device unless you explicitly enable Google Drive sync.
2.2 In your own Google Drive (only if you sign in)
If you choose to sign in with Google, the app stores a copy of your planning data inside your own Google Drive, in a private app-specific folder, using the drive.appdata scope. This folder is invisible to other apps and to us. We never read, copy, or process your Drive data on any server.
2.3 Transient network data (during page loads)
When you open the website, our hosting provider Vercel processes your IP address and standard HTTP request metadata (user agent, referrer, timestamps) for the time strictly necessary to serve the page and operate the OAuth token-exchange endpoint at /api/token. Vercel does not share this with us in identifiable form. See §4 (Service providers) for details.
3. Cookies and analytics
Zenit Week sets no cookies and uses no advertising or behavioural-tracking technologies. We do not profile users, do not track you across other websites, and do not use any persistent identifier stored on your device for analytics.
To understand basic, aggregate usage of the site (number of visits, number of page views, and the country a request comes from) we use Vercel Web Analytics, a privacy-first, cookieless analytics product provided by our hosting provider Vercel. It runs on:
- the English homepage at /;
- the Czech homepage at /cs;
- the application page at /app.
Vercel Web Analytics works without cookies and without writing anything to localStorage, IndexedDB, or any other client-side storage. To approximate a "unique visitor" for the current day, Vercel derives a short, salted hash from the visitor's IP address and user agent; the salt is rotated daily, so the hash cannot be used to recognise the same visitor across days or correlate visits with any other site. The country is derived from the IP address at request time; the raw IP is discarded after this lookup and is not stored alongside the visit. No URL parameters, form contents, or page content are collected.
Because no information is stored on or read from the user's device for this purpose, this processing is not subject to the consent requirement of Article 5(3) of the ePrivacy Directive ("cookie law"), and Zenit Week therefore does not show a cookie banner. The processing of the transient IP address by Vercel is necessary to deliver the site and to produce the aggregate count, and relies on the legal basis of legitimate interest under Article 6(1)(f) GDPR (interest: understanding aggregate use of a free, open-source tool in order to maintain and improve it). You can object to this processing at any time — see §10.
The marketing pages (homepage in EN and CS, privacy, terms) load no other third-party scripts. The app page (/app) additionally loads Google's official JavaScript client library (apis.google.com/js/api.js) so that Google Drive sync can work if you choose to sign in. That library does not transmit any data to Google until you initiate sign-in.
4. Service providers (sub-processors)
We rely on the following providers strictly to deliver the service:
- Vercel Inc. — static-site hosting, the OAuth token-exchange Edge Function (/api/token), and cookieless aggregate analytics via Vercel Web Analytics (see §3). Processes IP addresses and HTTP request metadata in transit. See Vercel's Privacy Policy and their Data Processing Agreement.
- Google LLC — Google Identity Services and Google Drive APIs, used only when you sign in. Data is stored in your own Drive account, governed by your Google Account terms. See Google's Privacy Policy.
5. Google API scopes
When you sign in with Google, the app requests one scope only:
https://www.googleapis.com/auth/drive.appdata — read and write files in the hidden app-data folder of your Google Drive. No access to any other files in your Drive, no access to your Gmail, Calendar, profile photo, or any other Google service.
Zenit Week's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not transfer it to third parties except as necessary to provide the service, do not allow humans to read it, and do not use it to develop, improve, or train generalized AI/ML models.
6. International data transfers
Vercel and Google operate globally and may process data in the United States or other jurisdictions outside the EU/EEA. Both providers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework as transfer mechanisms. We do not initiate any additional international transfers ourselves.
7. Legal basis (GDPR Article 6)
- Article 6(1)(a) — Consent. Google Drive sign-in and Drive sync are strictly opt-in. You can withdraw consent at any time by signing out in the app or revoking access in your Google Account settings; withdrawal does not affect the lawfulness of processing before withdrawal.
- Article 6(1)(f) — Legitimate interest. Storing your plans in your browser is necessary to provide the core functionality of the app on your device. Vercel's transient processing of IP/request metadata is necessary to deliver the website and prevent abuse, and to produce the aggregate, cookieless usage statistics described in §3 so we can understand how this free, open-source tool is used and maintained.
8. Retention and deletion
- Local browser data — retained until you clear your browser's site data, use the in-app sign-out (which removes the OAuth refresh token), or uninstall/reset your browser.
- Drive data — retained in your Google Drive until you delete it directly or revoke the app's access. We hold no copies.
- Vercel request logs — handled per Vercel's standard retention (typically up to 30 days for operational logs).
- Vercel Web Analytics — only aggregate counts (visits, page views, country) are retained, per Vercel's analytics retention policy. The raw IP address used to derive the daily salted hash and the country is not stored alongside the aggregated record.
9. Data sharing
We do not sell, rent, share, or disclose your data to any third party for any purpose. The only external services involved are the sub-processors listed in §4, and the only data that ever touches them is described in §2.
10. Your rights under GDPR
As an EU/EEA resident you have the right to:
- Access the personal data we process about you (Art. 15);
- Have inaccurate data rectified (Art. 16);
- Have your data erased (Art. 17);
- Restrict or object to processing (Arts. 18, 21);
- Receive your data in a portable format (Art. 20) — the app's Settings → Export feature does this directly;
- Withdraw any previously given consent (Art. 7).
Because we hold no data ourselves, most rights are exercised directly:
- Local data — clear your browser's site data, or use Settings → Reset in the app.
- Drive data — manage in your Google Drive; revoke our access in your Google Account permissions.
For any question or formal request, write to petr@petrburian.com. We respond within 30 days at no charge, in line with Article 12 GDPR.
You have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů — ÚOOÚ) or with the supervisory authority in your EU country of residence.
11. Children
Zenit Week is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has used the app and you are their guardian, contact us and we will help you remove any associated data from your devices and your Google Drive (we cannot delete it ourselves because we hold no copies).
12. Automated decision-making and profiling
The app does not perform profiling and does not subject users to any automated decision-making within the meaning of Article 22 GDPR. There is no AI/ML processing of your data.
13. Security
The website is served over HTTPS only. The OAuth flow uses PKCE and a CSRF state parameter. The Google client secret is held server-side in the Vercel Edge Function and never reaches the browser. The OAuth refresh token stored in your browser grants access only to the app-specific Drive folder (§5) and can be revoked at any time.
14. Changes to this policy
Material changes will be reflected by an updated "Last updated" date above and, when warranted, by a notice in the app. Continued use of the app after changes constitutes acceptance.