Legal
Privacy Policy
Last updated: June 2026
This is the English translation of the German Datenschutzerklärung. The German version is authoritative.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
[PLACEHOLDER: First and last name or company name]
[PLACEHOLDER: Address]
Email: [PLACEHOLDER: Data protection contact email]
2. General
We process personal data only to the extent necessary for the operation of this website and its functions. We do not share data with third parties for advertising purposes. This website does not use tracking or advertising cookies and does not embed content from third-party servers (e.g. Google Fonts or CDNs) — all fonts and scripts are served from our own server.
3. Hosting and server logs
This website is hosted on servers of Contabo GmbH (Aschauer Straße 32a, 81549 Munich, Germany). When you access the website, the server processes technically necessary connection data (in particular the IP address) in memory in order to deliver the content and ensure operational security. Visitors' IP addresses are not currently stored persistently in log files; technical error logs may in individual cases contain personal data and are retained briefly for troubleshooting purposes. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website).
4. Cookies
We use only technically necessary cookies (§ 25(2)(2) TDDDG). A consent banner is therefore not required. In detail:
| Cookie | Purpose | Duration |
|---|---|---|
| sessionid | Login session | 2 weeks |
| csrftoken | Protection against cross-site request forgery | approx. 1 year |
| django_language | Selected language | Session |
5. Registration and user account
Registration is currently by invitation only. When sending an invitation, we process the email address of the invited person to send the invitation link. When you register and use your account, we process your username, email address and your password in encrypted form (hash), as well as the content you create (e.g. recipes, meal plans, shopping lists). For published recipes, your username is visible to other users. The legal basis is Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures). If you activate the optional two-factor authentication, we store a TOTP secret and recovery codes in encrypted or hashed form; this data is used solely to secure your account (Art. 32 GDPR) and is deleted together with the account. For passkeys, biometric characteristics remain exclusively on your device and are not transmitted to us.
6. Email delivery
We send transactional emails (e.g. registration confirmation, password reset, invitations) via the service provider Brevo GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. In doing so, the email address and the content of each message are processed. A data processing agreement pursuant to Art. 28 GDPR is or will be concluded with Brevo [PLACEHOLDER: Check/conclude data processing agreement (DPA) with Brevo]. The legal basis is Art. 6(1)(b) GDPR.
7. Error diagnostics (Sentry)
To detect and fix technical errors, we use the Sentry service provided by Functional Software, Inc., 45 Fremont Street, San Francisco, CA 94105, USA. When a technical error occurs, error messages and technical metadata of the request are transmitted. The transmission of personal data (IP address, cookies, user data) is disabled in our configuration. Functional Software, Inc. is certified under the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in error-free operation).
8. Backups
To protect against data loss, we regularly create encrypted backups of the database and uploaded files. These are stored on storage systems of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany; storage locations Germany/Finland). Backups are client-side encrypted; Hetzner has no access to the contents. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the availability and integrity of the data).
9. Your rights
You have the right to request access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and data portability (Art. 20), and the right to object to processing based on Art. 6(1)(f) GDPR (Art. 21). Please contact the address above. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
10. Storage duration
We store personal data only for as long as necessary for the purposes stated above. Account data is stored for the duration of membership. Backup copies are automatically deleted according to a fixed rotation schedule.
11. Audience measurement (Umami)
To improve the service we collect anonymous usage statistics with the self-hosted software Umami (umami.seasonizer.com, running on our own server in Germany). Umami sets no cookies and stores no IP addresses; visits are evaluated only in aggregated, non-personal form (e.g. pages viewed, browser type, approximate region). The data is never linked to your user account. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in developing the website according to actual use).
12. Changes
We update this privacy policy when the data processing on this website changes. The version currently published here applies.