Privacy Policy

1. Who We Are

Query OÜ ("Query OÜ," "EasyRoutine," "we," "our," or "us") operates EasyRoutine, a personal productivity application that lets you build daily routines, define activities, and log completions manually or with your device camera. The Service is available as a mobile application for iOS and Android.

For the personal data described in this Privacy Policy, Query OÜ is the data controller.

• Company: Query OÜ.
• Registered address: Teeveere tee 11, Vääna-Jõesuu küla, 76909 Harku vald, Harju maakond, Estonia.
• Contact email: info@easyroutineapp.com.

2. Scope

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you install or use the EasyRoutine mobile app, create an account, use the Service, or contact us.

EasyRoutine is designed as a personal-use tool. Routines and activities you create are private to your account and are not shared with or visible to other users by default.

3. Personal Data We Collect

4. Why We Use Personal Data and Our Legal Bases

Under GDPR, we must have a lawful basis for processing personal data. The main legal bases we rely on are performance of a contract, legitimate interests, and legal obligation.

• Account creation, login, authentication, and account administration: processed under Article 6(1)(b) GDPR (performance of a contract).
• Storing and syncing your routines, activities, and completion logs: processed under Article 6(1)(b) GDPR (performance of a contract).
• Sending transactional emails such as one-time sign-in codes and service notices: processed under Article 6(1)(b) GDPR where necessary to provide the Service.
• Security monitoring, abuse prevention, and infrastructure logging: processed under Article 6(1)(f) GDPR (our legitimate interest in securing the Service and protecting our users). We have balanced this interest against your rights and freedoms. Log data is limited in scope, retained for only 14 days, and is not used for marketing or profiling.
• Retention of compliance records and responses to lawful authority requests: processed under Article 6(1)(c) GDPR (legal obligation).

We do not currently use profiling that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

5. Sharing of Personal Data

6. International Data Transfers

Our servers are located in Helsinki, Finland, within the European Union. Aside from the camera image processing and authentication described below, we do not routinely transfer personal data outside the EEA. Where we rely on a transfer outside the EEA, we use an approved transfer mechanism such as the European Commission's Standard Contractual Clauses where one is required.

When you use the camera features, the image processing described in Section 5.1 is carried out by Google's Gemma model. Today the request is routed through OpenRouter, a provider based in the United States, and we may in the future call Google, also based in the United States, directly. In either case a copy of the image is processed in the United States, outside the EEA, for the limited purpose of returning a label or activity match.

Apple and Google may process authentication data in countries outside the EEA. These companies participate in appropriate data transfer frameworks and publish details in their own privacy policies.

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy.

You can delete your account and all associated data at any time from within the app (Settings → Delete account) or by following the instructions at easyroutineapp.com/delete-account.

• Account and contact data is retained while your account is active and for up to 30 days after account deletion or a verified deletion request, unless a longer retention period is required by law.
• Routines, activities, and completion logs are retained while your account is active and deleted within 30 days after account deletion.
• Rolling backups are retained for up to 30 days and are used solely for disaster recovery purposes. Backups are not actively processed or queried. Deleted data will not be actively restored from backups except to recover from a system failure; once the relevant backup cycle expires, the data is permanently removed.
• Server access logs are rotated and retained for 14 days.
• Support and privacy correspondence is retained as long as reasonably necessary to handle the request and establish, exercise, or defend legal claims.
• Accounting and billing records are retained for up to 7 years where required by the Estonian Accounting Act or other applicable law.

8. Your Rights Under GDPR

If GDPR applies to you, you have the right to request access to, correction of, deletion of, restriction of, objection to, or portability of your personal data, subject to applicable legal exceptions.

• Right of access: ask for a copy of the personal data we hold about you.
• Right to rectification: ask us to correct inaccurate or incomplete data.
• Right to erasure: ask us to delete your personal data where there is no overriding reason to keep it.
• Right to restriction: ask us to limit processing in certain circumstances.
• Right to data portability: ask for certain data in a structured, machine-readable format.
• Right to object: object to processing based on our legitimate interests.
• Right to withdraw consent: where we rely on consent, you may withdraw it at any time.
• Right to lodge a complaint: complain to your local supervisory authority, including the Estonian Data Protection Inspectorate.

To exercise your rights, email info@easyroutineapp.com with the subject line "GDPR Rights Request". We may ask you to verify your identity before responding. We aim to respond within one month, extendable by up to two months for complex requests.

Estonian supervisory authority: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, Estonia. Website: www.aki.ee.

9. Security Measures

We use appropriate technical and organisational measures to protect personal data, including:

• TLS/HTTPS encryption for all data in transit.
• Secure authentication architecture with token-based sessions.
• Access controls designed to limit internal access to authorised personnel.
• Regular backups and infrastructure monitoring.
• Hosting within Hetzner's certified EU data centre in Helsinki.

No system is completely secure. We cannot guarantee absolute security, but we will handle personal data breaches in accordance with applicable law, including GDPR Articles 33 and 34.

10. Children's Privacy

EasyRoutine is not directed to children under 16. You must be at least 16 years old to create an account. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact us and we will investigate and delete it where appropriate.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. When we do, we will update the "Last updated" date on this page. If changes are material, we will provide additional notice such as by email or in-app notification where required.

12. Contact

Query OÜ has not appointed a Data Protection Officer. Privacy inquiries, GDPR rights requests, and account deletion requests may be directed to our general contact address below.

For privacy questions, GDPR rights requests, or account deletion requests, contact Query OÜ at:

• Email: info@easyroutineapp.com.
• Postal address: Teeveere tee 11, Vääna-Jõesuu küla, 76909 Harku vald, Harju maakond, Estonia.
• Suggested subject lines: "Privacy Policy Inquiry," "GDPR Rights Request," or "Account Deletion Request."