Privacy Policy.
Protecting your personal data matters to us. Here you'll learn what data we collect, how we use it, and what rights you have.
- 01 Controller
- 02 Processing & legal bases
- 03 Hosting & infrastructure
- 04 Analytics · PostHog
- 05 Newsletter · Brevo
- 06 Bot protection · Cloudflare Turnstile
- 07 Cookies & similar technologies
- 08 Consent management
- 09 Mobile apps · iOS & Android
- 10 Data retention
- 11 Your rights
- 12 Withdrawal & complaint
- 13 Data security
- 14 Changes to this policy
- 15 On-site translation
- 16 Sign-in · Google & Apple
- 17 Age requirement
- 18 Profile photo & banner
Who's in charge of the data.
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Only what the app needs.
We only process personal data to the extent necessary to provide our app and our content and services.
Legal bases
- Consent (Art. 6(1)(a) GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR)
- Legal obligation (Art. 6(1)(c) GDPR)
- Legitimate interest (Art. 6(1)(f) GDPR)
Servers & infrastructure.
Our app is operated through external service providers to ensure secure and reliable availability. All data remains within the European Union.
Netcup GmbH (VPS infrastructure)
Our web application (Next.js frontend bakeqee, Expo web build app.bakeqee.com and associated internal services) runs on a virtual private server (VPS) located in Nuremberg, Germany. When you use bakeqee, your data (including IP address, browser information and any data you submit) passes through this server infrastructure.
Further information: netcup.de/kontakt/datenschutzerklaerung.php
PostHog, when you allow it.
We use PostHog to understand how our app is used. This helps us improve features and identify issues more quickly.
What is processed
- Usage events (e.g. visited pages or features)
- Technical device information (operating system, device type)
- Truncated or anonymized IP address
No directly personal data such as name or email address is processed. Processing only takes place with your explicit consent. The provider is PostHog Inc. (USA); hosting takes place on the EU cloud (Frankfurt). Insofar as personal data is transferred to the USA, the transfer relies on the EU Standard Contractual Clauses (Art. 46 GDPR).
Brevo, when you sign up.
For our newsletter (double opt-in), for transactional emails (e.g. magic-link sign-in) and for delivering messages from our contact form we use Brevo.
What is processed
- Email address (required)
- Timestamp and confirmation of sign-up (DOI token)
- Delivery metadata (deliverability, bounce status)
- When using the contact form: name, email address and message content (to handle your request; legal basis Art. 6(1)(b) or (f) GDPR). The message is delivered via Brevo to our email mailbox hosted at Google (Gmail); the provider is Google Ireland Ltd. Any transfer to the USA relies on the EU Standard Contractual Clauses.
Cloudflare Turnstile.
On public forms (newsletter, Founding-Member application, contact form) we use Cloudflare Turnstile as bot protection. Turnstile works without tracking cookies and without user profiling.
Legal basis: § 25(2)(2) TDDDG (technically necessary bot verification) and Art. 6(1)(f) GDPR (legitimate interest: protection from spam and abuse).
Cookies & similar technologies.
We use technologies such as cookies or local storage to store or access information on your device.
Legal basis: § 25 TDDDG and Art. 6 GDPR. Non-essential technologies are only used with your consent.
Cookies & storage in use
- bakeqee-consent · stores your cookie consent · up to 1 year · necessary
- bakeqee-theme · remembers your light/dark theme choice · up to 1 year · necessary
- NEXT_LOCALE · remembers your language choice (DE/EN) · up to 1 year · necessary
- sb-… (Supabase) · keeps your login session active, only when signed in · session duration · necessary
- Cloudflare Turnstile · short-lived security token for bot verification on forms · a few minutes · necessary
- PostHog (ph_… or local storage) · usage statistics, only with granted statistics consent · up to 1 year · statistics
You decide. Logged.
Through our Consent Manager you decide which data may be processed.
- Consents are logged (timestamp, selection, version)
- Consents can be withdrawn or changed at any time
- Changes apply for the future
iOS & Android.
We currently offer bakeqee as a web application. Native mobile apps for iOS and Android are planned for a future release. When we launch native mobile apps, additional system permissions may be required, which we will disclose at that time.
iOS (planned)
Should we introduce cross-app tracking in our future iOS app, we will first obtain your consent via Apple's App Tracking Transparency (ATT) framework. No such tracking currently takes place.
Android (planned)
Processing in a future Android app will be based on your consent via the Consent Manager.
Only as long as needed.
We retain personal data only as long as necessary for the respective purposes or as required by legal retention obligations. Concrete retention periods:
After expiry, data is permanently deleted or anonymized.
Your GDPR rights.
You have the following rights regarding your personal data:
You can contact us at any time to exercise your rights.
Data export in practice
You can export all your personal data in JSON or CSV format at any time through your account settings. The export includes:
- Your profile information
- All BakeRuns and recipes
- Comments and feedback posts
- Notes attached to BakeRuns
Photos are exported as URLs to the original files. You can request the photos as a separate download package by emailing us.
Should we discontinue bakeqee, we will provide all users with notice in advance and an automated way to export their data before shutdown.
Revocable anytime.
You can withdraw your consent at any time with effect for the future. Use the cookie settings above (§ 08).
You have the right to lodge a complaint with a data protection supervisory authority.
Technically & organizationally protected.
We implement technical and organizational measures to protect your data against loss, misuse, or unauthorized access.
When something changes.
We reserve the right to adapt this Privacy Policy to reflect changes in legal requirements or new features.
On-site translation of user content.
To translate your feedback posts and comments into the other platform language (DE↔EN), we use LibreTranslate, an open-source translation engine that we run on our own infrastructure.
There is no external data flow: no third party sees your texts, no DeepL/Google/Microsoft data-processing agreement is needed. Processing happens on the same server as the app itself.
Translations are cached (table content_translations) so we don't re-translate on every read. When you delete a post, the corresponding translations are removed as well.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: making a German-language platform linguistically accessible to international members).
Sign-in via Google & Apple.
You can optionally sign in via Google or Apple (single sign-on) instead of an email magic link. If you choose this option, a connection to the respective provider is established for authentication; the email address stored there and an identification token are transmitted to us in order to create your account or sign you in.
The providers are Google Ireland Ltd. and Apple Inc. respectively. This may involve a transfer to third countries (in particular the USA); the providers rely on the EU Standard Contractual Clauses for this. Use is voluntary. You can sign in via email magic link instead at any time.
16 and above.
bakeqee is intended for users aged 16 and above (in line with Art. 8 GDPR). By registering and accepting our Terms of Service, you confirm that you meet this age requirement. No separate confirmation step is required. We do not knowingly process personal data of children under 16. Should we become aware that a user is below this age, we will delete the account and associated data without delay.
Profile photo & banner.
When you upload a profile photo (avatar) or a banner, we store these images to display your profile within the app. Uploading is optional — without an image we show a placeholder.
Uploading creates a publicly retrievable URL with a random, non-guessable file name. Images are shown only within the app to other signed-in members — never on publicly indexed marketing pages. The legal basis is performance of the contract (displaying your profile, Art. 6(1)(b) GDPR) and our legitimate interest in a recognizable community (Art. 6(1)(f) GDPR).
An ordinary profile photo is not biometric data within the meaning of Art. 9 GDPR. A special category of personal data would only arise if an image were specifically processed by technical means for the purpose of uniquely identifying a person — which we do not do.
Profile images remain stored for as long as your account exists. You can replace or remove them at any time; replacing an image deletes the previous file. On account deletion the files are deleted along with it (Art. 17 GDPR). Profile images are unrelated to cookies or tracking.