Privacy Policy — Radar

Last updated: 3 June 2026 Effective date: [EFFECTIVE DATE]

This Privacy Policy explains how Fallen Crown BV ("Radar", "we", "us", "our") collects, uses, shares, and protects your personal data when you use the Radar application and website (the "Service"). We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR).

Fill in before publishing: [COMPANY ADDRESS], Chamber of Commerce (KVK) no. [KVK NUMBER], contact: [CONTACT EMAIL]. Replace [EFFECTIVE DATE] and confirm the sub-processor list and hosting regions below.

1. Who we are

Radar is operated by Fallen Crown BV, a company registered in the Netherlands.

• Postal address: [COMPANY ADDRESS]
• KVK (Chamber of Commerce) number: [KVK NUMBER]
• Privacy contact: [CONTACT EMAIL]

You can contact us at any time using the details above for any question about this policy or your personal data.

2. What this policy covers

This policy covers the Radar web application, mobile application, and related websites. It does not cover third-party services we link to (for example, articles we recommend, which open in your browser), which are governed by their own policies.

3. The data we collect

We collect only what we need to generate your briefings.

a) Account & identity data (from Google when you sign in)

• Your name, email address, and Google account identifier.
• A profile picture, if your Google account provides one.

b) Google Calendar data (read-only, only with your consent)

• Event titles, descriptions, dates and times, locations, and meeting links.
• Attendee names and email addresses contained in your events.
• The names of the calendars the events belong to.

We request the https://www.googleapis.com/auth/calendar.readonly scope. We have read-only access — we never create, edit, or delete your calendar events.

b2) Gmail data (read-only, only with your consent)

• Unread messages in your Primary inbox from the last 30 days, including sender, subject, date, and message body.
• We request the https://www.googleapis.com/auth/gmail.readonly scope. Access is read-only — we never send, modify, label, or delete your email.
• Email bodies are processed server-side by the AI to surface action items. Raw message bodies are never stored in our database and are never sent to your browser — only the AI-distilled action items (suggested next step, drafted reply) are persisted alongside your briefing.

c) Data you create in the Service

• Generated briefings and their archive.
• Action items, event preferences (e.g. priority and location overrides), and feedback/"corrective rules" you submit to tune your results.

d) Technical & diagnostic data

• Crash and error reports, which may include an error message, the app screen involved, your browser/device type (user agent), and a technical component trace. These may be collected even before you sign in, to help us fix faults.

We do not intentionally collect special categories of data (health, religion, etc.). Because briefings are generated from your calendar, please be aware that any such information you place in event titles or notes will be processed as part of the Service.

4. How we use your data and our legal basis

| Purpose | Data used | Legal basis (GDPR Art. 6) | |---|---|---| | Authenticate you and run the Service | Account & identity data | Contract (Art. 6(1)(b)) | | Read your calendar to generate briefings | Google Calendar data | Consent (Art. 6(1)(a)) | | Read unread Primary inbox email to surface action items and draft replies | Gmail data | Consent (Art. 6(1)(a)) | | Generate, store, and display your briefings and recommended reading | Calendar data, Gmail-derived action items, data you create | Contract (Art. 6(1)(b)) | | Diagnose crashes and keep the Service reliable and secure | Technical & diagnostic data | Legitimate interests (Art. 6(1)(f)) |

You may withdraw your consent to calendar or Gmail access at any time (see Section 9), without affecting processing that already took place.

5. AI processing — important disclosure

To generate your briefings and reading suggestions, the content of your upcoming calendar events (titles, descriptions, times, locations, and attendee names/emails) and — for the daily brief — the sender, subject, date, and body of unread Primary inbox messages from the last 30 days is sent to a large language model — Google Gemini — accessed through the Lovable AI Gateway. This processing happens when you generate a briefing.

• The model uses your event and email data to produce that briefing and nothing else.
• Raw email bodies are never stored in our database — only the AI-distilled action items (suggested next step, drafted reply) are saved alongside the briefing. Raw email content is also never sent to your browser.
• We do not use your data to train AI models, and we do not permit our AI sub-processors to use your content to train their general models.
• The generated briefing is stored in your private archive in our database until you delete it.

6. Google API Services — Limited Use disclosure

Radar's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:

• We only use Google Calendar data (calendar.readonly scope) and Gmail data (gmail.readonly scope) to provide and improve the user-facing features of Radar (generating your briefings and surfacing email action items).
• We do not transfer or sell this data to third parties for advertising, marketing, or any other purpose.
• We do not use this data for advertising.
• We do not use Gmail or Calendar data to train AI or machine-learning models, and we do not permit our AI sub-processors to do so.
• We do not allow humans to read this data, except: (a) with your explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised.

7. Who we share data with (sub-processors)

We do not sell your personal data. We share it only with the service providers that power Radar, acting as our processors under data processing agreements:

| Sub-processor | Purpose | |---|---| | Google LLC / Google Ireland | Sign-in (OAuth), Calendar API source, and the Gemini AI model | | Lovable | Application hosting and the AI Gateway that routes requests to Gemini | | Supabase | Database and authentication (where your account and briefings are stored) | | Cloudflare | Edge hosting and content delivery |

Verify before publishing: confirm this list matches your live deployment and that you have a data processing agreement (DPA) in place with each provider.

We may also disclose data where required by law, to enforce our Terms, or to protect the rights, safety, and security of our users and the Service.

8. International data transfers

Some of our sub-processors process data outside the European Economic Area (EEA), including in the United States. Where this happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or an applicable adequacy decision. You can request a copy of the relevant safeguards using the contact details in Section 1.

9. Your rights, and how to exercise them

Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent at any time.

You can exercise the main rights directly in the app:

• Export your data: Settings → "Export my data" (downloads your briefings and related data as a file).
• Delete your account and all associated data: Settings → "Delete my account".
• Revoke Radar's Google access (Calendar and Gmail) at any time at myaccount.google.com/permissions.

For any other request, contact us at [CONTACT EMAIL]. We will respond within one month. You also have the right to lodge a complaint with your local supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

10. How long we keep your data

• Briefings and data you create: kept until you delete them or close your account.
• Account data: kept while your account is active; deleted when you delete your account.
• Crash and diagnostic logs: kept for a maximum of 30 days, then automatically deleted.

When you delete your account, we permanently delete your personal data from our active systems, except where we must retain limited information to comply with a legal obligation.

11. Security

We protect your data with industry-standard measures, including encryption in transit (HTTPS/TLS), row-level access controls that isolate each user's data, and storing sensitive credentials (such as Google refresh tokens) only on our servers, never in your browser. No system is perfectly secure, but we work to protect your data and to notify you and the relevant authority of any breach as required by law.

12. Automated decision-making

Radar uses AI to generate informational briefings. These briefings are advisory only. We do not make decisions that produce legal or similarly significant effects about you solely by automated means (GDPR Art. 22). You are always responsible for any actions you take based on a briefing.

13. Children

Radar is not intended for anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. We will post the new version here and update the "Last updated" date. If the changes are significant, we will notify you in the app.

15. Contact

Questions or requests about your data: [CONTACT EMAIL] Fallen Crown BV, [COMPANY ADDRESS], KVK [KVK NUMBER].