Privacy Policy

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

2. Overview

Loafy is a sourdough guidance application that helps you bake better bread. We believe in privacy by design and collect only the data necessary to provide you with a great baking experience. This privacy policy explains what data we collect, how we use it, and your rights regarding your personal information.

3. Data We Collect

3.1 Without an Account

You can use Loafy's guided baking journeys without creating an account. In this case, we collect:

• Session data: Technical cookies required for the app to function
• Local storage: Your journey progress is stored locally in your browser

3.2 With an Account

When you create an account, we collect and store the following personal data:

• Name: Your display name for personalization
• Email address: For account management, login, and optional communications
• Password: Stored securely using industry-standard hashing (never in plain text)
• Marketing preference: Whether you opted in to receive baking tips and updates
• Language preference: Your preferred language setting
• Timezone: For displaying times correctly
• Terms acceptance: Timestamp of when you accepted the terms of service

3.3 Baking Data

When you use the Bake Journal feature, we store:

• Bake logs: Your baking records including recipe parameters, ratings, and notes
• Photos: Images you upload of your bakes
• Journey completions: Records of guided journeys you've completed
• Progress data: Your experience points, streaks, and earned badges

3.4 Session Data

For security purposes, we store information about your login sessions:

• IP address: To detect unauthorized access
• User agent: Browser and device information for security monitoring

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR): To provide our service and manage your account
• Consent (Art. 6(1)(a) GDPR): For marketing emails (only if you opted in)
• Legitimate interests (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvement

5. Cookies and Local Storage

We only use technically necessary cookies:

• Session cookie: Keeps you logged in and enables secure use of the application
• CSRF token: Protects against cross-site request forgery attacks

We do not use tracking cookies, analytics cookies, or advertising cookies. Your journey progress (when not logged in) is stored in your browser's local storage, which you can clear at any time.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You can request information about your stored data
• Right to rectification (Art. 16 GDPR): You can correct inaccurate data in your profile settings
• Right to erasure (Art. 17 GDPR): You can delete your account and all associated data
• Right to restriction (Art. 18 GDPR): You can request restriction of processing
• Right to data portability (Art. 20 GDPR): You can request your data in a structured format
• Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3) GDPR): You can withdraw consent at any time (e.g., marketing emails)

To exercise your rights, contact us at: [email protected]

You also have the right to lodge a complaint with a data protection supervisory authority.

7. Third-Party Services

7.1 AI Features (Ask Loafy)

When you use the "Ask Loafy" chat feature, your questions are processed using AI services. Your questions are used solely for generating responses and are not stored permanently or used for training.

7.2 External Links

Loafy contains links to external resources:

• The Sourdough Framework (the-sourdough-framework.com)
• The Bread Code (the-bread-code.io)
• Discord community chat

These third-party services have their own privacy policies.

7.3 Hosting

Our servers are located in the EU and are operated by GDPR-compliant providers.

8. Data Security

We implement comprehensive technical and organizational measures to protect your data:

• Encrypted transmission: All data is transmitted via HTTPS/TLS
• Password hashing: Passwords are hashed using bcrypt
• Access control: Strict access controls for all systems
• Regular updates: Continuous security updates of our systems

9. Data Retention

We retain your data only as long as necessary:

• Account data: Until you delete your account
• Bake logs and photos: Until deleted by you or upon account deletion
• Session data: Until logout or automatic expiration

When you delete your account, all your personal data is permanently deleted.

10. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. The current version is always available on this page. For significant changes, we will notify registered users by email.

11. Contact

For questions about data protection or to exercise your rights, please contact us: