Privacy Policy
Last updated: June 25, 2026
This policy explains what data Online Alarm ("we", "us", "the service") collects when you use online-alarm.com, why we collect it, who we share it with, and the rights you have over it. We try to keep it plain so you do not need a lawyer to read it. If anything here is unclear, write to support at online-alarm dot com.
Who We Are
Online Alarm is the operator of online-alarm.com and the related browser tools: alarm clock, stopwatch, timer, clock, world clock, meeting planner, study timer, chess clock, do-nothing timer, time-until countdown, date calculator, hour calculator, timezone converter, and the holiday countdown pages (Christmas, New Year, Halloween, Easter, custom). For questions about this policy or to exercise your rights described below, contact us at support at online-alarm dot com. The operator entity and address are listed at the bottom of this policy.
Data We Collect
We collect three categories of data. (1) Account data: if you sign up, we store your email address, a hashed password (we never see the password itself), the date you created the account, your preferred language and timezone, your email-verified status, a two-letter country code derived from your network connection (see Country Detection below), and a single UI preference flag (whether you have collapsed the navigation sidebar). If you sign in with Google, we store a record linking your Google account ID to your account so you can return without re-authenticating; we do not persist the OAuth access or refresh tokens Google returns (we use them transiently during the sign-in handshake to verify your email, then discard them). We do not import your Google display name or profile picture. (2) Tool data synced to the server when signed in: only three tools sync, namely alarms (label, time, ringtone, timezone, and the two-letter country code at the moment of creation), world-clock cities, and meeting-planner locations. For signed-in users we also log a small set of alarm events (when an alarm rings, when you dismiss it, and when you delay it); see "Usage Analytics and Research" below. (3) Tool data that stays local: the stopwatch, timer, study timer, chess clock, do-nothing timer, time-until countdown, and all standalone countdown pages save their state to your browser's local storage only. They never reach our servers, signed in or not. Lap times, timer presets, study-timer routines, chess-clock time controls, and similar data are device-local.
Cookies and Local Storage
We use a small number of essential cookies. The session cookie keeps you signed in. The CSRF and XSRF-TOKEN cookies protect forms from cross-site abuse. A `sidebar_collapsed` cookie remembers whether you have collapsed the navigation sidebar (value `0` or `1` only, no personal data, no tracking value). Cloudflare, which proxies our traffic, may set its own bot-management cookie (commonly named __cf_bm) and a Turnstile challenge cookie on sign-up and sign-in forms; these are used to tell humans apart from automated traffic and are not used for tracking or advertising. We do not use advertising or marketing cookies. We use Ahrefs Web Analytics, which is cookieless by design: it counts pageviews and referrers via short-lived device fingerprints derived from your IP address and user agent, and does not set a tracking cookie or build a cross-site profile. Tool state for anonymous visitors is held in your browser's local storage, which is data on your device that we cannot read.
Server Logs
Our servers and our infrastructure provider (Cloudflare) automatically record basic request information: the IP address of the request, the user-agent string sent by your browser, the page or API path you asked for, the response status, and a timestamp. We use logs to debug errors, investigate abuse, and keep the service running. We retain logs for up to 365 days, after which they are rotated and discarded. A longer window than the more common 30 days is kept because abuse and security investigations often surface only after the request that caused them; a one-year window covers seasonal patterns and a full cycle of repeat-offender behaviour.
Country Detection
When you sign up and when you create an alarm, we record a two-letter ISO country code derived from the CF-IPCountry header that Cloudflare adds to incoming requests. We use it for service operation (default language guess, abuse investigation, and aggregated country-level usage stats), not for advertising or tracking. We do not store your IP address alongside your account or alarms; we store only the two-letter code.
Usage Analytics and Research
For signed-in users we log a small set of alarm events: when an alarm rings, when you dismiss it, and when you delay (snooze) it. Each event records the event type, the scheduled time, your timezone, and the two-letter country code described above, with a timestamp. We do not log the alarm label or any other free text. We use this data for two purposes: internal analytics to understand how the tools are used so we can improve them, and to produce aggregate, anonymized statistics about alarm usage, for example the average wake-up time or the snooze rate in a country. Any statistic we publish is aggregated so it cannot reasonably be traced back to you, we do not publish a figure for any group small enough to single an individual out, and we commit never to attempt to re-identify anyone from published data. Under the GDPR our legal basis is legitimate interest (Article 6(1)(f)) in operating and improving the service and in understanding usage; genuinely aggregated and anonymized statistics are no longer personal data. You can object to this processing, and remove the underlying events, at any time by deleting your account from your profile page, or by writing to support at online-alarm dot com. We do not use this data for advertising and we do not sell it.
Third Parties That Process Your Data
We use a small set of vendors to operate the service. Cloudflare proxies our traffic and provides bot protection (Turnstile) on sign-up and sign-in forms; Cloudflare may see your IP and basic request metadata. Resend sends transactional email (account verification, password reset); to send these emails we share your email address with Resend. Google handles authentication when you choose "Continue with Google"; Google may share your name, profile picture, and verified email with us, subject to Google's own policies. Ahrefs Web Analytics receives pageview pings and referrer URLs from your browser so we can see which pages people visit and where they come from; the integration is cookieless and Ahrefs does not build a cross-site profile from our traffic. We do not sell your personal data to anyone. We do not share it with marketing networks.
Advertising
The site does not show ads today. If we add ads in the future, the most likely provider is Google AdSense. When that happens, Google and its partners may use cookies and device identifiers to show personalized or non-personalized ads, and this policy will be updated to describe how to opt out. You can read Google's advertising practices at policies.google.com/technologies/ads, and adjust your ad personalization at adssettings.google.com.
How We Use Your Data
We use account data to identify you when you sign in, sync your saved tool data across devices, and send you account-related email (verification, password reset). We use tool data to provide the tools themselves (an alarm with no time would not be useful). We use server logs to keep the service running and investigate problems. Under the GDPR, our legal bases are: contract (running the account you asked for), legitimate interest (keeping the service secure and operational), and consent (where the law requires it, such as marketing email, which we currently do not send).
How Long We Keep It
Account data and saved tool data are kept as long as your account exists. Server logs are kept for up to 365 days (see "Server Logs" above for the reasoning). Alarm event logs (see "Usage Analytics and Research") are kept while your account exists and are deleted with it; aggregate, anonymized statistics derived from them may be kept indefinitely, since those no longer identify you. Anonymous local-storage data stays on your device until you clear it (we cannot delete it for you). When you delete your account, we remove your data within 30 days, except for the minimum required to defend against fraud or comply with legal requests.
Your Rights
If you are in the EU/EEA, the UK, Turkey (under KVKK), or another region with similar privacy law, you have the right to ask us for a copy of your data, to correct it, to delete it, to restrict or object to certain processing, and to take it elsewhere (data portability). Your profile page already lets you export everything tied to your account as a JSON download, and delete your account (after re-entering your password). For anything those buttons do not cover, write to support at online-alarm dot com and we will respond within 30 days. You also have the right to complain to your local data protection authority (in Turkey, the KVKK; in the EU, your national supervisory authority; in the UK, the ICO).
Children
The service is not directed at children. We do not knowingly collect data from anyone under 13 (the minimum under US COPPA and Turkish KVKK), or under the higher minimum digital-consent age that applies in their country (under GDPR Article 8 some EU/EEA member states set this at 14, 15, or 16). If you believe a child below the applicable age has created an account, write to support at online-alarm dot com and we will delete it.
International Data Transfers
The operator is based in Turkey (see the bottom of this policy for the address). Our infrastructure providers (notably Cloudflare, Resend, Google, and Ahrefs Analytics) are based in the United States and operate globally; using the service inherently involves data flowing to and from those providers. Each of those providers publishes its own data-transfer safeguards (the European Commission's standard contractual clauses, the UK addendum, and similar mechanisms) which we benefit from when we use their services. If you would like more detail about a specific provider's safeguards, write to support at online-alarm dot com.
Security
Connections to the site are encrypted with HTTPS. Passwords are stored as bcrypt hashes, not in plain text. We follow standard practices to keep the service secure, but no system on the internet can be guaranteed perfectly secure. If you believe your account has been compromised, change your password and write to support at online-alarm dot com.
Changes to This Policy
We may update this policy when we add new features, work with new processors, or to reflect changes in the law. The "Last updated" date at the top of this page changes whenever we do. For material changes that affect what we collect or how we use it, we will tell you by email at the address on your account (if you have one) before the change takes effect.
Operator and Contact
The service is operated from Fethiye, Turkey. Privacy questions, data requests, or anything else covered by this policy: support at online-alarm dot com. We aim to respond within 30 days.