Privacy Policy

Last updated: 2026-04-25

Draft for review. This document is an initial good-faith template and has not yet been reviewed by counsel. Some fields (legal entity name, registered address, contact email) are placeholders that must be filled before this is treated as final.

This Privacy Policy describes how [Operator legal name TBD] ("we", "us") processes personal data in connection with WorldClockTools at worldclocktools.com (the "Service"). It is written to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR / Data Protection Act 2018, the California Consumer Privacy Act / CPRA, the Digital Personal Data Protection Act, 2023 (India), Brazil's LGPD, and the ePrivacy Directive 2002/58/EC.

1. Who is the controller

Controller: [Operator legal name TBD], [Registered address TBD], [Country TBD]. Email: privacy@worldclocktools.com.

EU representative under GDPR Art. 27: [EU representative TBD if needed]. UK representative: [UK representative TBD if needed]. India Grievance Officer (DPDP Act §13): [Grievance Officer name TBD], grievance@worldclocktools.com.

2. What data we process

The Service is a static, mostly anonymous tool. We process:

Connection data (IP address, user-agent, referer). Logged at the edge for security and abuse prevention. Retained for up to 30 days.
Analytics events (page URL, viewport, approximate country) via Google Analytics 4 and PostHog — only with your consent. We do not run advertising or social-media pixels.
Local preferences (theme, watchlist, meeting-planner state, cookie-consent record). Stored in your browser's localStorage and never transmitted to us.
Country/region inference from your IP at the edge, used solely to decide whether to show an opt-in or opt-out cookie banner. Not retained.

3. Purposes and legal bases

Operating the Service — legitimate interest (GDPR Art. 6(1)(f)). Without minimal connection logs we cannot run a public website safely.
Analytics — your consent (GDPR Art. 6(1)(a) / ePrivacy Art. 5(3)). Withdrawable at any time via the link in the footer.
Compliance with law — GDPR Art. 6(1)(c).

4. Recipients and processors

Google LLC (Google Analytics 4) — analytics processor, US, with EU-US Data Privacy Framework certification and Standard Contractual Clauses.
PostHog Inc. — product-analytics processor, US, under SCCs.
Amazon Web Services / our hosting provider — hosting and CDN.
worldtimeapi.org — only invoked when you press the "Atomic Clock Check" button on the homepage demo. Your IP is sent to that endpoint.

5. International transfers

Some processors are based in the United States. Transfers rely on Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework. For India, we rely on contractual commitments equivalent to those required under DPDP Act §16 pending publication of the negative list.

6. Retention

Edge connection logs: up to 30 days.
Google Analytics: 14 months (lowest available retention setting).
PostHog event data: 12 months for raw events; aggregated data may be retained longer.
Local preferences: until you clear them in your browser.
Consent records: 12 months from the date of consent (then re-prompted).

7. Your rights

Under GDPR / UK GDPR you may:

Access your personal data (Art. 15).
Have inaccurate data corrected (Art. 16).
Have data erased (Art. 17).
Restrict processing (Art. 18).
Receive your data in a portable form (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time (Art. 7(3)).
Lodge a complaint with a supervisory authority — for example, your national DPA in the EEA, the ICO in the UK, the CNIL in France, the Garante in Italy.

Under CCPA/CPRA (California), you may also: request access, request deletion, request correction, opt out of "sale" or "sharing" of personal information, limit use of sensitive personal information, and not be discriminated against for exercising these rights. We honour the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing.

Under the DPDP Act (India) you may: access information about your personal data, request correction or erasure, nominate another person in case of death/incapacity, and file a grievance with our Grievance Officer (above). We will respond within a reasonable time.

To exercise any of these rights, see our Contact page.

8. Cookies and similar technologies

See our Cookie Policy for the full list of cookies and what they do.

9. Children

The Service is not directed to children under 13 (United States), 16 (European Economic Area), or 18 (India under DPDP). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

10. Automated decision-making

We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).

11. Security

We use TLS in transit, reputable hosting, and minimum-privilege access for our processors. We will notify the relevant supervisory authority and affected users of any personal-data breach within 72 hours where required (GDPR Art. 33–34).

12. Changes

We may update this policy. Material changes will be highlighted on this page and reflected in the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

Privacy enquiries: privacy@worldclocktools.com. Postal: [Registered address TBD].

1. Who is the controller

Controller: [Operator legal name TBD], [Registered address TBD], [Country TBD]. Email: privacy@worldclocktools.com.

2. What data we process

The Service is a static, mostly anonymous tool. We process:

Connection data (IP address, user-agent, referer). Logged at the edge for security and abuse prevention. Retained for up to 30 days.

Analytics events (page URL, viewport, approximate country) via Google Analytics 4 and PostHog — only with your consent. We do not run advertising or social-media pixels.

Local preferences (theme, watchlist, meeting-planner state, cookie-consent record). Stored in your browser's localStorage and never transmitted to us.

Country/region inference from your IP at the edge, used solely to decide whether to show an opt-in or opt-out cookie banner. Not retained.

3. Purposes and legal bases

Operating the Service — legitimate interest (GDPR Art. 6(1)(f)). Without minimal connection logs we cannot run a public website safely.

Analytics — your consent (GDPR Art. 6(1)(a) / ePrivacy Art. 5(3)). Withdrawable at any time via the link in the footer.

Compliance with law — GDPR Art. 6(1)(c).

4. Recipients and processors

Google LLC (Google Analytics 4) — analytics processor, US, with EU-US Data Privacy Framework certification and Standard Contractual Clauses.

PostHog Inc. — product-analytics processor, US, under SCCs.

Amazon Web Services / our hosting provider — hosting and CDN.

worldtimeapi.org — only invoked when you press the "Atomic Clock Check" button on the homepage demo. Your IP is sent to that endpoint.

6. Retention

Edge connection logs: up to 30 days.

Google Analytics: 14 months (lowest available retention setting).

PostHog event data: 12 months for raw events; aggregated data may be retained longer.

Local preferences: until you clear them in your browser.

Consent records: 12 months from the date of consent (then re-prompted).

7. Your rights

Under GDPR / UK GDPR you may:

Access your personal data (Art. 15).

Have inaccurate data corrected (Art. 16).

Have data erased (Art. 17).

Restrict processing (Art. 18).

Receive your data in a portable form (Art. 20).

Object to processing based on legitimate interest (Art. 21).

Withdraw consent at any time (Art. 7(3)).

Lodge a complaint with a supervisory authority — for example, your national DPA in the EEA, the ICO in the UK, the CNIL in France, the Garante in Italy.

To exercise any of these rights, see our Contact page.