Privacy policy

timeuntil.today ("the Service", operated by Sulaiman Alsinawi) is anonymous-first by design. We collect the minimum data needed to make countdowns work and we explain all of it below. This policy is written in plain language. If a section is unclear, email support@lvlup.om and we'll fix it.

1. What we collect

When you visit, your browser tells our servers your IP address, user-agent string, and which page you requested. These are kept in standard server logs for up to 30 days for security and abuse-prevention purposes only. When you create a countdown we store the title, target time and timezone, optional description and cover image, and your stable account ID (issued by Firebase Authentication; anonymous accounts get a random ID). When you comment or react we store the same account ID alongside your text or reaction type. When you sign in with Google we additionally store your Google display name and (if you have one) your profile picture. We use these only to render your name on countdowns and comments you create — never for ads, never sold, never combined with data from other services.

2. Cookies and similar storage

We use a very small number of cookies and equivalent browser storage: • Functional (always on): a NEXT_LOCALE cookie remembering your language pick, a session cookie used by our hosting layer, and Firebase's IndexedDB store holding your anonymous sign-in token so you don't lose your countdowns when you reload. • Analytics (off by default; on only after you accept the banner): Firebase Analytics cookies (_ga, _gid) which help us see which countdowns are visited most. We never use them for ads. • We do not use third-party advertising or social-media tracking pixels. You can clear analytics consent any time by clearing site data or returning to the banner.

3. How we use this data

• To run the Service: render your countdowns, show your comments, let you follow events, send the push notifications you opted into. • To prevent abuse: rate-limit hammering of our APIs, block clearly malicious traffic. • To improve the product: aggregate analytics (only if you opted in) tells us which features people use. We do not sell or rent personal data to anyone. We do not run automated decisions or profiling that produce legal or similarly significant effects.

4. Who we share it with

• Google LLC (Firebase Authentication, Firestore, Hosting, Cloud Functions, Cloud Messaging, Analytics) — our backend provider, processing data on our instructions under Google's Data Processing Terms (https://cloud.google.com/terms/data-processing-addendum). • Resend (Sweden Resend Inc.) — sends transactional email (e.g., feedback you submit to us, push-notification fallbacks) on our behalf. • Public visitors — your public countdowns and the display name you chose are visible to anyone with the link. That's it. No advertisers, no data brokers, no analytics resellers.

5. Your rights (GDPR / UK GDPR / CCPA / LGPD)

If you're in the EU/UK, California, or Brazil — and we honour the same rights for everyone, everywhere: • Right to access: email support@lvlup.om and we'll send you everything we hold about you within 30 days. • Right to deletion ("right to be forgotten"): use the "Delete my account" button on your dashboard, or email us. This wipes your auth record, every countdown you created, every comment you posted, every follow relation. It is permanent. • Right to rectification: edit titles, descriptions, comments directly. Email us if anything else needs correcting. • Right to data portability: email us for a JSON export of your data. • Right to object / restrict processing: email us; we'll comply. • Right to withdraw consent: hit "Necessary only" on the cookie banner, or clear site data. Analytics stops immediately. • Right to lodge a complaint with a supervisory authority (e.g., your country's data-protection regulator). We never charge for these requests. We don't require account verification for deletion — your authenticated session is enough.

6. Data retention, security, transfers, contact

Retention: countdowns stay visible until 72 hours after their target time, then are deleted unless they meet the archive threshold (significant views/comments/reactions). Server access logs: 30 days. Authentication records and content you create: until you delete them. Security: data in transit is TLS 1.2+. Data at rest is encrypted by Google Cloud. Access to admin tooling is gated by a Firebase custom claim and 2FA on the owner's Google account. International transfers: data is processed primarily in us-central1 (Iowa, USA) by Google Cloud. Google's Data Processing Addendum and Standard Contractual Clauses cover EU→US transfers. Children: the Service is not directed at children under 13 (or under 16 in the EU). We don't knowingly collect their data; if you believe we have, email support@lvlup.om and we'll delete it. Contact: support@lvlup.om for any request. Operator: Sulaiman Alsinawi. Changes to this policy will be announced via the cookie banner re-prompt with the new "Last updated" date above.