1. Controller and scope
We are pleased you are visiting. This policy explains how we process personal data when you use our website and related features (in particular user accounts, licence management and payment processing).
Personal data means any information relating to an identified or identifiable natural person.
The controller under the GDPR is:
Sebastian Wulf
Kisselnallee 1
13589 Berlin
Germany
Email: support@foodiefly.eu
2. Website visits and server logs
When you access our website, the hosting server automatically collects and briefly processes information including: requested resource, date and time, IP address, browser type and version, operating system, referrer URL and data volume transferred.
The purpose is technical delivery of the site, stability and security, and abuse prevention.
Legal basis: Art. 6 (1) (f) GDPR.
3. Contact by email
If you contact us by email, we process the data you provide (in particular sender address, message content and technical transmission metadata) to handle your request.
Legal basis: Art. 6 (1) (f) GDPR; where your request concerns a contract, additionally Art. 6 (1) (b) GDPR.
We do not currently offer a separate contact form on the website.
4. User account, registration and licence data
For registration, sign-in and account use we process in particular: email address, password (only as a cryptographic hash), preferred language, and time-limited tokens for email verification and password reset.
In connection with your licence and cloud instance we store e.g.: the assigned subdomain and resulting hostname, the computed licence key, status and deadlines (e.g. trial, paid period), Stripe customer and subscription IDs and price references where applicable, and cloud provisioning status and instance URL.
To prevent abuse we store time-limited records of registration and sign-in activity (including truncated identifiers and IP addresses).
Purposes include contract performance, licence administration, technical operation and abuse prevention.
Legal basis: Art. 6 (1) (b) GDPR; additionally Art. 6 (1) (f) GDPR for security and integrity of the platform.
5. Licence key and cloud operations
The licence key links your account to the provisioned cloud instance. Technical processing during provisioning and operations uses secured interfaces between the platform and infrastructure.
Legal basis: Art. 6 (1) (b) GDPR and Art. 6 (1) (f) GDPR.
6. Payment processing via Stripe
Paid services are processed via Stripe. The provider includes Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
Payment processing may involve in particular: name, email address, billing and payment data, IP address and transaction data. Processing serves contract performance and payment handling.
Legal basis: Art. 6 (1) (b) GDPR.
Further information: https://stripe.com/privacy
7. Cookies and local settings
We use a session cookie required for sign-in, form protection (CSRF) and server-side image captcha during registration. A cookie may store your preferred language (up to ~12 months) when you switch language on the site.
Legal basis for technically necessary cookies: Art. 6 (1) (f) GDPR. Language preference is processed to display the site appropriately in line with use of our service (also Art. 6 (1) (f) GDPR).
8. Newsletter and web analytics
We do not currently offer a newsletter or send promotional email without separate consent.
We do not currently use embedded web analytics (e.g. Google Analytics, Matomo, Plausible) that would require consent under Art. 6 (1) (a) GDPR.
9. External links
Our website may contain links to external sites. Only the operators of those sites are responsible for any processing there.
10. Hosting, email and processors
The website and MySQL database are operated at all-inkl.com (KAS, Germany). Access and server log data arise at the provider.
Transactional email (e.g. registration confirmation, password reset) is sent via the all-inkl SMTP mailbox configured for us (technical metadata at the mail server).
Payment processing is via Stripe (see section 6). For automatic cloud instance provisioning we use our own provisioning service on a server we operate (HTTPS, HMAC-signed); only the minimum data required for setup is transmitted (licence ID, subdomain, hostname, technical admin contact details).
Optional services may include: Cloudflare (CDN/WAF, if DNS proxy is active), Sentry (error monitoring, if configured) and an internal Telegram bot for pseudonymised operations alerts without end-customer marketing.
Where processing is carried out on our behalf, we conclude Art. 28 GDPR data processing agreements with providers. Public privacy notices: all-inkl.com, stripe.com/privacy, cloudflare.com and sentry.io where applicable.
11. Logging and diagnostics
To ensure operation and security we may maintain server and application log files (e.g. under storage/logs). We also maintain an audit log of security- and traceability-relevant events (e.g. registration, sign-in), sometimes with IP address and limited accompanying technical information.
Legal basis: Art. 6 (1) (f) GDPR.
12. Retention
We store personal data only as long as necessary for the respective purposes or where statutory retention applies.
Indicative periods: verification and reset tokens up to 48 and 2 hours respectively; login attempts (rate limit) about 2 days; application log files after rotation about 30 days; audit events currently up to 24 months (security/evidence); account data until account deletion.
After account deletion we remove personal data to the extent technically feasible; statutory retention (e.g. invoice data at Stripe) may continue at the payment provider.
13. Your rights and objection
You have the rights of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction (Art. 18 GDPR) and data portability (Art. 20 GDPR), and the right to withdraw consent (Art. 7 (3) GDPR) where consent was the legal basis.
Logged-in users can download a copy of their data and view consents under “My account” → “Privacy & consents”. Account deletion is available in the account area. Alternatively: support@foodiefly.eu.
You also have the right to object at any time, on grounds relating to your particular situation, to processing based on Art. 6 (1) (f) GDPR (Art. 21 GDPR).
You may lodge a complaint with a supervisory authority (Art. 77 GDPR).
14. Security
We implement technical and organisational measures appropriate to the risk. The website uses TLS encryption (HTTPS) where supported by your browser and configuration.
15. Changes to this policy
We may update this privacy policy when our services, processing activities or legal requirements change. The current version is always available on this page. Material changes may require renewed consent (account area).
16. Processors and recipients (overview)
all-inkl.com (KAS) — hosting/database, Germany — Art. 28 GDPR
all-inkl SMTP — transactional email — Art. 28 GDPR
Stripe Payments Europe Ltd., Dublin — payments — Art. 28 GDPR, possible US transfer with SCC — https://stripe.com/privacy
Own VPS provisioner — cloud setup — Art. 28 GDPR, EU/DE
Optional: Cloudflare (WAF/CDN), Sentry (errors), Telegram (internal pseudonymised ops alerts)
For your own cloud instance you are generally controller towards your end users; we provide the technical platform.