Privacy notice
Protecting your personal data matters. This page informs you in accordance with Art. 13 GDPR about the nature, scope and purpose of data processing on ChefKopf.
Controller
The controller within the meaning of the GDPR is the site operator (contact details: see Imprint).
Cookies
ChefKopf only sets strictly-necessary first-party cookies. No tracking, analytics or third-party cookies are used. Strictly-necessary cookies do not require consent under § 25 (2) no. 2 TTDSG.
| Cookie | Purpose | Duration |
|---|---|---|
chefkopf_device | Random device UUID — links your mixes, upvotes and shelf to this device without registration. | 1 year |
chefkopf_lang | Language preference (de/en). | 1 year |
chefkopf_theme | Colour scheme preference (light/dark/auto). | 1 year |
chefkopf_recent | IDs of recently viewed mixes. | 1 year |
chefkopf_recent_searches | Recent search terms. | 1 year |
chefkopf_pwa_hint | Whether the app-install prompt has been dismissed. | 1 year |
chefkopf_bowls_lit | Count of live-coached bowls (local only). | 1 year |
chefkopf_last_visit | Timestamp of your last visit (for "new since last visit" badge). | 1 year |
chefkopf_shelf_hint | Whether the shelf-setup callout has been dismissed. | 1 year |
chefkopf_comment_rl | Anti-spam token for the comment rate limiter (short-lived). | Short-lived (session / a few minutes) |
Data we process
Anonymous use (default)
ChefKopf can be used entirely without signing in. Only the device UUID cookie is stored — no personal data.
Optional email login (magic link)
If you choose to sign in, you provide an email address. It is stored solely to permanently link your device to your account. No password is stored. Legal basis: Art. 6 (1)(b) GDPR (contract performance). The email address is deleted when you delete your account.
User-generated content
Mixes, upvotes, comments, shelf items and collections are linked to your device UUID (or account, if signed in). Published mixes are public; comments appear under a pseudonym. On account deletion, mixes are anonymised and all other data is erased. Legal basis: Art. 6 (1)(b) GDPR.
Server access logs (fly.io)
Our hosting provider fly.io records technical access logs (IP address, timestamp, HTTP status). ChefKopf itself does not store IP addresses. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in secure operation).
Data processors
- fly.io (Superfly, Inc., San Francisco, USA) — server hosting, EU infrastructure only (Frankfurt). Data processing agreement in place under Art. 28 GDPR.
- Resend, Inc. — email dispatch service. Receives your email address only to deliver the magic-link email. Used only when email login is configured. Data processing agreement in place.
Retention periods
- Magic-link tokens expire after 15 minutes and are automatically deleted.
- Email addresses are stored until account deletion.
- Browser cookies expire after up to 1 year.
- User-generated content is kept until explicitly deleted.
Your rights
Access (Art. 15 GDPR) · Rectification (Art. 16) · Erasure (Art. 17) · Restriction of processing (Art. 18) · Portability (Art. 20) · Objection (Art. 21)
Account deletion is available directly under Settings → "Delete my account" and removes all personal data immediately.
For all other requests (access, rectification, restriction) contact the operator by email (see Imprint).
Right to lodge a complaint
You have the right to lodge a complaint with the competent data protection supervisory authority at any time:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)Lautenschlagerstraße 20, 70173 Stuttgart, Germany
https://www.baden-wuerttemberg.datenschutz.de
Last updated: June 2026