Version 1.0-draft · Last updated: [DATE]
1. Controller
[COMPANY NAME], [Street and number], [Postal code City], Germany
Email: [privacy@example.com]
2. What data we process
- Subscription application: group name, member names, email addresses, optional phone numbers, weekly allocation amounts, pickup location and delivery slot preferences.
- Account data: login credentials (managed by Supabase Auth), display name, password change status.
- Orders: weekly menu selections, totals, overage amounts, lock and consent timestamps.
- Technical data: session cookies required to keep you logged in; server logs from hosting (IP address, request metadata) may be processed by our host.
3. Purposes and legal bases (GDPR Art. 6)
- Handling your subscription application — Art. 6(1)(b) (steps at your request before a contract) and Art. 6(1)(a) (your consent at signup).
- Account management and weekly ordering — Art. 6(1)(b) (performance of the subscription once the offline agreement is signed).
- Transactional emails (welcome message, login details, operational notices) — Art. 6(1)(b).
- Invoicing records — Art. 6(1)(b) and Art. 6(1)(c) (legal obligations).
The binding subscription contract is concluded offline when you sign and return the agreement sent by email — not when you submit the online application form.
4. Recipients and processors
- Supabase — authentication, database hosting. Configure production in an EU region (e.g. Frankfurt).
- Resend — transactional email delivery. May involve processing in the United States under Standard Contractual Clauses.
- Vercel — website hosting and scheduled jobs (cron). Region configured as EU where available.
We use data processing agreements (Art. 28 GDPR) with these providers where required.
5. Cookies
We use strictly necessary session cookies to keep you logged in (Supabase Auth). These cookies do not require consent under the German Telecommunications-Digital Services Data Protection Act (TDDDG § 25) because they are essential for the service you request.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token (and related) | Supabase | Authentication session | Session / as configured |
If we add analytics or marketing tools later, we will ask for your consent before setting non-essential cookies.
6. Retention
[Specify retention periods — e.g. application records, order history, invoice data, deletion requests. Consult your lawyer and tax advisor.]
7. Your rights
You have the following rights under the GDPR:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdraw consent at any time (Art. 7(3)) — without affecting prior processing
Logged-in members can download their data and request deletion from Account → Privacy. You may also contact [privacy@example.com].
You have the right to lodge a complaint with a supervisory authority, e.g. [State data protection authority].
8. Security
We use HTTPS, access controls (row-level security in the database), and password authentication. Temporary login credentials are sent by email — we recommend changing your password on first login.