The German version of this document is legally binding.

Privacy Policy

Last updated: April 28, 2026

1. Introduction

Welcome to Couple’s Weekly Check-in (weeklycheckin.app). Protecting your personal data is very important to us. This privacy policy informs you about what data we collect, how we use it, and what rights you have under the General Data Protection Regulation (GDPR).

The controller within the meaning of the GDPR is:

Jakob Maximilian Pelz
Olenhoffweg 1a
21614 Buxtehude
Germany
Email: weeklycheckinapp@gmail.com

1A. Privacy & security commitments

  • Encryption at rest: check-in responses, calm recaps, weekly agreements, agreement rejections and shared memories are encrypted with AES-256-GCM before being written to the database.
  • Configurable retention: you can enable auto-deletion in Settings and choose any window from 14 to 730 days (two years). Once enabled, older check-ins are permanently removed by a daily job. Off by default; enabling or changing the value requires both partners to agree.
  • Data portability (Art. 20 GDPR): Settings → Download my data exports your full history as a decrypted JSON file at any time, free of charge.
  • No behavioural trackers, no advertising cookies: we do not run Google Analytics, PostHog, Sentry or any other client-side behavioural tracker, and we do not place advertising cookies on your device. To measure the effectiveness of our own Google Ads campaigns we send conversion signals server-to-server only, without cookies (see section 4.4).
  • A small, named set of sub-processors: our application runs on Railway; OpenAI generates the weekly recaps; Resend delivers transactional email. See section 4 for details.
  • See our security overview for the full technical details.

2. Data Collected

We collect and process the following categories of personal data:

2.1 Account Data

  • Name
  • Email address
  • Password (stored as a bcrypt hash, never in plain text) — optional. Users who join via a partner-invite link may create their account without setting a password initially; they can set a password later from their account settings.
  • Email verification status
  • Marketing consent status and timestamp
  • Account creation date
  • Two-factor authentication settings, including (where applicable) an encrypted TOTP authenticator-app secret, short-lived hashed sign-in challenge tokens, and — where you have opted in via the “Trust this device” checkbox — hashed trusted-device tokens with a 30-day expiry that you can revoke at any time from your account settings

2.2 Check-in Data

  • Weekly responses (appreciations, friction points, needs)
  • “Risk to watch” entries (private, never shared with your partner)

2.3 Couple Data

  • Couple space name
  • Partner invitations
  • Shared memories

2.4 AI-Generated Data

  • Weekly summaries
  • Suggested agreements

2.5 Technical Data

  • Session cookies (NextAuth.js)
  • Language preference

2.6 Ad attribution data

If you arrive via an ad or a tagged link and give your consent on the banner shown on your first visit, we capture the following URL parameters and store them alongside your account so we can measure the effectiveness of our own advertising. The legal basis is your consent under Art. 6(1)(a) GDPR, which you may withdraw at any time (see section 4.4).

  • Google Ads click identifiers (gclid, gbraid, wbraid)
  • UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term)
  • The first page path you landed on
  • Timestamps of capture and of events reported to Google

3. Use of Data

We use your data for the following purposes:

  • Providing and operating the Couple’s Weekly Check-in service
  • Authentication and account management
  • Conducting weekly check-ins between partners
  • Generating AI-powered summaries of your check-in responses
  • Sending email notifications (verification, check-in reminders, partner invitations, invite follow-up reminders to inviters and invitees on a cadence of 1, 3 and 7 days then weekly through day 35, space-setup reminders, password reset)
  • Sending marketing communications (product updates, tips, promotional emails) – only with your explicit consent (Art. 6(1)(a) GDPR). You may withdraw this consent at any time.
  • Measuring the effectiveness of our own Google Ads campaigns (see section 4.4)
  • Improving and developing the service
  • Fulfilling legal obligations

4. Third-Party Services

We use the following third-party services to provide our offering:

4.1 OpenAI

Check-in responses (appreciations, friction points, needs) are sent to OpenAI to generate AI summaries. Private “Risk to watch” entries are not sent to OpenAI.

4.2 Resend

We use Resend for sending transactional emails (email verification, sign-in codes for two-factor authentication, check-in reminders, partner invitations, partner-invite follow-up reminders to inviters and invitees on a cadence of 1, 3 and 7 days then weekly through day 35, space-setup reminders during onboarding, password reset) and, if you have given your consent, marketing communications. Buttons that share the invite link via WhatsApp, SMS or your email client open your own client on your device only; we do not transmit content or recipient details server-side to those services.

4.3 Railway

Our application and PostgreSQL database are hosted on Railway (Railway Corp., USA). When we enable paid subscriptions we will additionally engage a payment provider and name it here.

4.4 Google Ireland Limited (Google Ads)

If you arrive on our site via a Google ad, your browser appends a click identifier (gclid, gbraid or wbraid) to the destination URL. We only read or store that identifier after you have given your consent via the banner shown on your first visit. If consent has been given, then on email verification and when you create a check-in space, we send — server-to-server — the identifier, or as a fallback a SHA-256 hash of your verified email address under Google’s “Enhanced Conversions for Leads” programme, to Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) so Google can attribute your sign-up to the originating ad.

No cookies are set for this purpose and no client-side advertising tag is executed; the transfer is strictly server-to-server. Google may move the data it receives within its infrastructure, including to third countries such as the USA; see Google’s own data processing terms for details. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

You may withdraw your consent at any time under Art. 7(3) GDPR — without affecting the lawfulness of processing before the withdrawal — by opening the consent banner via the "Privacy choices" link in the site footer and choosing "Reject," or by emailing weeklycheckinapp@gmail.com. In either case we will remove the stored identifier from your account so that no further conversion events are reported to Google. You retain your separate right to object under Art. 21 GDPR for any processing that was carried out under a legitimate-interest basis before the consent model took effect.

5. Data Sharing Within the Couple

Visible to your partner

  • Appreciations, friction points, and needs
  • AI summaries
  • Agreements
  • Shared memories

Never shared

  • “Risk to watch” entries (only visible to the author)
  • Password
  • Session information

6. Cookies and Tracking

6.1 Technically necessary cookies

These cookies are required for the service to function and are set without your consent on the basis of § 25(2) TDDDG:

  • Authentication cookie (NextAuth.js) – required for login and session management
  • Language preference cookie (next-intl) – required for storing your preferred language
  • Trusted-device cookie (tf_trust) – set only if you tick “Trust this device for 30 days” during two-factor verification; lets you skip the email code on this browser for 30 days. The cookie value is stored hashed server-side and is revocable at any time from your account settings. Legal basis: Art. 6(1)(a) GDPR (consent given via the checkbox at the moment of sign-in).

6.2 Marketing and analytics tracking

We set no marketing, advertising or analytics cookies and run no client-side tracking code. For our server-side ad measurement (see section 4.4) we show a consent banner on your first visit; your choice (accept or reject) is stored in your browser's localStorage under the key wci-cookie-consent-v1 — this is a technical record of your own preference, not a tracking signal, and is never shared with third parties.

If you accept on the banner, we additionally store the first-touch attribution parameters from the URL on which you arrived (the Google Ads click identifier — gclid, gbraid or wbraid — and, if present, the marketing UTM parameters) in your browser's localStorage under the key wci-attr-v1 for up to 90 days. This is a first-party technical record kept solely so we can attribute a later signup to your originating ad click; it is never shared with third parties or sent anywhere except as part of the server-to-server conversion signal described in section 4.4 (and only if you remain consented at that time). It is cleared automatically when you click Reject on the consent banner or via the “Privacy choices” link in the site footer.

To measure the effectiveness of our own advertising, and only if you have given consent via the banner, after an email verification or the creation of a couple space we send a conversion signal server-to-server to Google Ireland Limited (see section 4.4). This happens without cookies and independently of your browser. The legal basis is your consent under Art. 6(1)(a) GDPR; you may withdraw it at any time via the "Privacy choices" link in the site footer.

7. Data Storage

Your data is retained as long as your account is active. Upon account deletion, all personal data is permanently and irreversibly removed, except for the pseudonymized data described below.

Deleting individual check-ins as well as the couple space requires the consent of both partners, as results and agreements are irreversibly lost.

In line with the principle of data minimization (Art. 5(1)(c) GDPR), we automatically delete abandoned accounts and inform users by email before deletion:

  • Accounts whose email address has not been verified are deleted 7 days after registration. A warning email is sent approximately 3 days before deletion.
  • Verified accounts that have not created or joined a couple space within 30 days of registration are deleted. A warning email is sent approximately 15 days before deletion.

To prevent abuse of the free trial, we store a keyed cryptographic hash (HMAC-SHA-256) of your email address alongside a usage counter when a check-in is completed. This pseudonymized record is retained after account deletion. Without access to the server-side secret key, recovering your email address from the hash is practically infeasible; it is used solely to track the number of completed check-ins. The legal basis is our legitimate interest in preventing abuse pursuant to Art. 6(1)(f) GDPR.

8. Your Rights Under the GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15 GDPR) – You have the right to obtain information about your stored personal data.
  • Right to rectification (Art. 16 GDPR) – You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) – You may request the deletion of your data. This can also be done via account settings.
  • Right to restriction of processing (Art. 18 GDPR) – You may request the restriction of processing of your data.
  • Right to data portability (Art. 20 GDPR) – You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR) – You may object to the processing of your personal data.
  • Right to withdraw consent (Art. 7(3) GDPR) – You may withdraw a given consent at any time.

To exercise your rights, contact us at: weeklycheckinapp@gmail.com

9. Data Security

We implement the following technical measures to protect your data:

  • Data transmission encryption via HTTPS/TLS
  • Secure password storage using bcrypt hashing
  • Session-based tokens with automatic expiry
  • Email verification to confirm identity
  • Two-factor authentication on every email-and-password sign-in (a 6-digit code sent to your email by default, or a TOTP code from an authenticator app you have enrolled), unless you have explicitly marked the current browser as trusted for 30 days via the “Trust this device” checkbox

10. International Data Transfers

Your data may be transferred to countries outside the European Economic Area (EEA), in particular to the USA (for processing by OpenAI and for hosting on Railway). Google Ireland Limited is our European contracting party for Google Ads; Google may move the conversion data it receives within its own infrastructure, including to third countries such as the USA. In such cases, we ensure that appropriate safeguards are in place, in particular through EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

11. Children and Minors

Our service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that data has been collected from persons under 16, it will be deleted immediately.

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy as needed. Changes will be published with a new “Last updated” date on this page. We recommend that you visit this page regularly.

13. Contact

If you have any questions about data protection, you can contact us at any time:

Jakob Maximilian Pelz
Olenhoffweg 1a
21614 Buxtehude
Germany

Email: weeklycheckinapp@gmail.com