
Privacy Policy (Datenschutzerklärung)

Last updated: 2026-03-20 — Effective date: [EFFECTIVE_DATE] — Version 1.1-draft — English (this version prevails in case of any discrepancy between language versions)


1. Who Is Responsible for Your Data (Controller)

The controller responsible for processing your personal data on this platform is:

Farmlovers UG (haftungsbeschränkt)
Framheinstrasse 19
22083 Hamburg
Germany

Email: legal@farmlovers.org
Managing Director: Silvia Pavic Jovic

Commercial register: Handelsregister B des Amtsgerichts Hamburg, HRB 196298

When we say "Farmlovers", "we", "us", or "our" in this policy, we mean this company.

Legal basis for identification obligation: GDPR Art. 13(1)(a); DDG § 5.


2. Data Protection Officer

We have not appointed a Data Protection Officer (DPO). Under German law (BDSG § 38), a DPO is only required where 20 or more employees are regularly involved in the automated processing of personal data. We do not meet this threshold.

For all data protection questions, requests, or concerns, please contact us directly:

Email: legal@farmlovers.org
Post: Framheinstrasse 19, 22083 Hamburg, Germany

We will respond to data protection enquiries within 30 days in accordance with GDPR Art. 12(3).

Legal basis: GDPR Art. 13(1)(b); BDSG § 38.


3. Overview of Processing Activities

The following table gives you a quick overview of all personal data we process, why we process it, and how long we keep it. Each activity is described in detail in the sections that follow.

| Processing Activity | Data Categories | Legal Basis | Retention |
|---|---|---|---|
| Website hosting and server logs | IP address (stored up to 30 days in server logs), browser type, OS, referrer, timestamp | Art. 6(1)(f) | Up to 30 days in server logs |
| User registration and account | Name, email, phone (optional), bio (optional), city, state, district, country, avatar | Art. 6(1)(b) | Until deletion + 30 days |
| Google OAuth login | Name, email, Google user ID, profile picture | Art. 6(1)(b) | For the lifetime of the account |
| Organization and product data | Org name, address, contact, social links, product listings | Art. 6(1)(b) | Until deletion + 30 days |
| Organization invitations | Invitee email, inviter identity, invitation token | Art. 6(1)(f) | 90 days from creation |
| Email notifications (transactional) | Name, email, notification content | Art. 6(1)(b) | 90 days post-delivery |
| Email notifications (platform) | Name, email, notification content | Art. 6(1)(f) | 90 days post-delivery |
| WhatsApp notifications (Twilio) | Organization WhatsApp phone number | Art. 6(1)(a) | Until consent withdrawn or org deleted |
| Contact via email | Name, email, message content | Art. 6(1)(b) / (f) | Until the matter is resolved |
| Cookie consent logs | IP hash, categories accepted, consent version, timestamp | Art. 6(1)(c) | 3 years |
| Engagement tracking (anonymized) | Viewer hash (SHA256 of IP + user agent), country | Art. 6(1)(f) | [TBD — see Section 24] |
| Web analytics (Plausible) | Page URL, referrer, browser type, device type, country (no IP stored, no cookies) | Art. 6(1)(f) | Per Plausible data retention policy |
| Terms acceptance records | Terms version, acceptance timestamp | Art. 6(1)(b) / (f) | 3 years |
| Financial / subscription records | Subscription tier, billing dates | Art. 6(1)(c) | 10 years |

Legal basis: GDPR Art. 13(1)(c).


4. Legal Bases for Processing

We process personal data only where we have a valid legal basis under GDPR Art. 6. The legal bases we rely on are:

Art. 6(1)(a) — Consent: You have given your clear, informed, and voluntary agreement to a specific processing purpose. You can withdraw consent at any time without affecting the lawfulness of processing that took place before withdrawal. We use this for: WhatsApp notifications.

Art. 6(1)(b) — Contract performance: Processing is necessary to perform a contract with you, or to take steps you have requested before entering into a contract. We use this for: creating and managing your account, delivering platform services, organization and product data, transactional notifications, Google OAuth login, terms acceptance records.

Art. 6(1)(c) — Legal obligation: Processing is necessary to comply with a legal obligation under EU or German law. We use this for: cookie consent logging, financial records.

Art. 6(1)(f) — Legitimate interests: Processing is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your interests or fundamental rights. We use this for: server security logs, web analytics (Plausible), engagement analytics (anonymized), organization invitations, platform notifications, contact handling, and retaining records of terms acceptance for legal defence purposes. See Section 5 for our specific legitimate interests.

Legal basis: GDPR Art. 13(1)(c).


5. Our Legitimate Interests

Where we rely on Art. 6(1)(f), our specific legitimate interests are:

  • Platform security and fraud prevention: Identifying and responding to suspicious activity, unauthorized access, and technical attacks through server logs and access records.
  • Platform reliability and improvement: Understanding how the platform is used (through anonymized engagement data) to fix problems and improve features, without identifying individual users.
  • Enabling organizational collaboration: When an organization administrator invites someone to join their team, we process the invitee's email address to send that invitation. This is in the legitimate interest of the inviting organization and is a minimal, expected use of the data.
  • Operational communication: Sending you relevant platform notifications (such as when your content is published, or when a subscription is about to expire) that are a reasonable part of providing the platform service.
  • Responding to enquiries: Processing your name, email, and message when you contact us directly.
  • Legal defence: Retaining records of the version of the Terms & Conditions you accepted and the timestamp of acceptance, so we can demonstrate which terms governed our relationship if this is ever contested.

Before relying on legitimate interests, we conduct a balancing test to ensure our interests do not override your rights. If you have questions about this test for any specific processing, contact us at legal@farmlovers.org.

Legal basis: GDPR Art. 13(1)(d).


6. Recipients and Processors

Your data may be shared with the following categories of recipients:

Hosting provider: Our platform is hosted by [HOSTING_PROVIDER_NAME_AND_COUNTRY]. Your data is stored on their servers. We have a data processing agreement (DPA) in place with this provider as required by GDPR Art. 28.

Email service provider: Transactional and notification emails are sent via [EMAIL_SERVICE_PROVIDER]. We have a data processing agreement in place. The provider processes your email address and the email content only to the extent necessary to deliver the message. (See also Sections 18 and 20 for how this provider is used for invitations and notifications.)

Google LLC (USA): When you sign in with Google (OAuth), Google processes your login authentication. See Section 16. Google's privacy policy is available at https://policies.google.com/privacy.

Plausible Insights OÜ (Estonia, EU): We use Plausible Analytics for privacy-friendly web analytics. Plausible does not use cookies, does not collect personal data, and does not track individual visitors. All data is stored on EU servers. Plausible's data policy is available at https://plausible.io/data-policy. See Section 23.

Twilio Inc. (USA): If your organization has opted into WhatsApp notifications, we use Twilio to send those messages. Twilio processes your WhatsApp phone number. Twilio's privacy policy is available at https://www.twilio.com/en-us/legal/privacy.

No other third-party data sharing: We do not sell your personal data. We do not share your data with advertising networks, data brokers, or other third parties not listed here.

Buyer-seller contact: When you use the platform to contact a seller (or a seller contacts a buyer), that communication goes directly between you and the other party. Farmlovers is not a party to those communications and does not process their content.

Legal basis: GDPR Art. 13(1)(e); GDPR Art. 28.


7. International Data Transfers

Both Google LLC and Twilio Inc. are based in the United States. Transferring personal data to the US requires an appropriate safeguard under GDPR Chapter V.

Google and Twilio are both certified under the EU-US Data Privacy Framework (DPF), which the European Commission has recognized as providing an adequate level of data protection (adequacy decision of 10 July 2023). You can verify their certifications at https://www.dataprivacyframework.gov/.

If the EU-US Data Privacy Framework were to be invalidated or suspended (as happened with its predecessors, Safe Harbor and Privacy Shield), we would rely on the European Commission's Standard Contractual Clauses (SCCs) as the alternative safeguard for these transfers.

For our hosting provider and email service provider, transfers (if any) outside the EU/EEA are covered by the data processing agreements and, where applicable, by SCCs or other appropriate mechanisms specified in those agreements.

No other transfers to third countries take place.

Legal basis: GDPR Art. 13(1)(f); GDPR Art. 44 et seq.


8. How Long We Keep Your Data

We only keep personal data for as long as necessary for the purpose for which it was collected, or as required by law. Specific retention periods by data category:

User accounts:
Data associated with your account is kept for as long as your account is active. If you delete your account, your personal data (name, email, phone, bio, avatar) is anonymized within 30 days. Some information may be retained in anonymized, non-identifiable form for statistical purposes.

Organization and product data:
Kept for as long as the organization is active on the platform. On deletion, personal data within organization profiles is anonymized within 30 days.

Soft-deleted records:
Any record placed in a "soft-deleted" state (account, organization, product) is permanently deleted or anonymized within 30 days of deletion.

Organization invitations:
Invitation records (including the invitee's email address) are retained for 90 days from the date of creation, after which they expire and are no longer processed.

Notifications:
Notification records (including any personal data they reference) are automatically pruned after 90 days.

Cookie consent logs:
Records of your consent decisions are kept for 3 years. This matches the standard limitation period under German law (§ 195 BGB) and allows us to demonstrate that processing was lawful if challenged.

Terms acceptance records:
Records of when you accepted the Terms & Conditions and which version you accepted are kept for 3 years. We retain these to administer your account (Art. 6(1)(b)) and to be able to demonstrate which version of the terms governed our relationship in the event of a dispute (Art. 6(1)(f)).

Financial and subscription records:
Records related to paid subscriptions are kept for 10 years as required by German tax law (§ 147 AO) and commercial law (§ 257 HGB).

Server logs:
IP addresses in server logs are stored for up to 30 days for security purposes and then deleted.

Web analytics data (Plausible):
Plausible does not store personal data. Aggregate statistics (page views, referrers, device types, countries) are retained according to Plausible's data retention policy. Since no personal data is collected, GDPR data retention limits do not apply to this data.

Engagement tracking data:
Anonymized viewer hash data (SHA256 of IP + user agent) and country information: [TBD — raw event retention to be defined before publication. Candidate value: 90 days for raw events; aggregated statistics retained indefinitely as they are not personal data.]

Legal basis: GDPR Art. 13(2)(a).


9. Your Rights

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at legal@farmlovers.org. We will respond within one month of receiving your request. In complex cases, we may extend this to three months — we will inform you if we do.

You do not need to give a reason for exercising your rights. We will not charge a fee unless your request is manifestly unfounded or excessive.

Right of access (Art. 15): You have the right to obtain confirmation of whether we process data about you, and to receive a copy of that data along with information about how it is processed. For registered users, most of your personal data is visible directly in your profile settings.

Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected without undue delay. For registered users, you can update most of your data directly in your profile settings. For data you cannot update yourself, contact us.

Right to erasure ("right to be forgotten") (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent (and no other legal basis applies), or where processing is unlawful. Registered users can delete their account directly from their profile settings. Account deletion triggers anonymization of personal data within 30 days. Note: some data must be retained to comply with legal obligations (e.g., financial records) and cannot be erased on request during the applicable retention period.

Right to restriction of processing (Art. 18): You have the right to request that we restrict (limit) the processing of your data in certain circumstances — for example, while we verify the accuracy of data you have contested, or while you wait for us to respond to an objection. While processing is restricted, we may still store your data but will not process it for other purposes.

Technical note: Restriction of processing is not yet fully automated on the platform. Requests will be handled manually. Please contact us at legal@farmlovers.org.

Right to data portability (Art. 20): Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.

Technical note: Automated data export is not yet implemented on the platform. Requests will be handled manually. Please contact us at legal@farmlovers.org.

Right to object (Art. 21): Where processing is based on legitimate interests (Art. 6(1)(f)), you have the right to object to that processing at any time. We must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is for the establishment, exercise, or defence of legal claims. You always have the right to object to processing for direct marketing purposes, without needing to give a reason.

Technical note: Right to object is not yet fully automated on the platform. Requests will be handled manually. Please contact us at legal@farmlovers.org.

Legal basis: GDPR Art. 13(2)(b)-(d); Arts. 15-21.


10. How to Withdraw Your Consent

Where we process your data based on your consent (Art. 6(1)(a)), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.

Web analytics (Plausible): Our web analytics do not use consent — they are based on legitimate interest (Art. 6(1)(f)) and collect no personal data. If you still wish to prevent analytics, you can use a browser-based script blocker. See Section 23.

To withdraw consent for WhatsApp notifications: Remove your WhatsApp phone number from your organization settings, or contact us at legal@farmlovers.org.

For other consent-based processing: Contact us at legal@farmlovers.org and tell us what you are withdrawing consent for.

Legal basis: GDPR Art. 13(2)(c); GDPR Art. 7(3).


11. Right to Lodge a Complaint

If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for Farmlovers is:

Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22
20459 Hamburg
Germany
Website: https://www.datenschutz-hamburg.de/
Email: mailbox@datenschutz.hamburg.de

You may also lodge a complaint with the supervisory authority in the EU member state where you live, work, or where the alleged violation occurred.

We would always welcome the opportunity to address your concerns directly first — please contact us at legal@farmlovers.org before lodging a formal complaint.

Legal basis: GDPR Art. 13(2)(d); GDPR Art. 77.


12. Whether Providing Your Data Is Required

For registration: To create an account, you must provide your name and email address. Without these, we cannot create your account and you cannot use the platform's authenticated features. These are the minimum fields required to perform the contract with you (Art. 6(1)(b)).

Optional fields: Phone number, biography, city, state, district, and avatar are optional. Not providing them will not prevent you from using the platform, but your profile may be less complete.

For organization profiles: The information you enter about your organization (name, address, contact details, products) is necessary to use the platform's core service of connecting producers with buyers. Without a reasonably complete profile, other users cannot find or contact you.

No legal obligation: There is no statutory obligation requiring you to provide personal data to us. Your obligation to provide data is purely contractual — you provide it to receive the service.

Legal basis: GDPR Art. 13(2)(e).


13. Automated Decision-Making

Farmlovers does not currently use automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. Ranking and visibility features influence how content is displayed on the platform, but do not by themselves determine legal rights or contractual status.

Legal basis: GDPR Art. 13(2)(f).


14. Website Hosting and Server Logs

When you visit farmlovers.org, our servers automatically record certain technical information ("server logs"). This happens for every visitor, including those without an account.

Data collected:

  • Your IP address (used to deliver the page to your browser; stored in server logs for up to 30 days and then deleted)
  • Browser type and version
  • Operating system
  • Referring URL (the page you came from)
  • Date, time, and the specific page or resource requested
  • HTTP status code (whether the request succeeded)

Why we collect this: Server logs are essential for operating a secure platform. We use them to detect and respond to attacks, diagnose technical errors, and maintain service availability.

How long we keep it: IP addresses are stored in server logs for up to 30 days and then deleted. No IP address data is retained beyond this period.

Legal basis: Art. 6(1)(f) — legitimate interests in platform security and reliable operation.

Processor: [HOSTING_PROVIDER_NAME_AND_COUNTRY]


15. User Registration and Account Data

To create an account on Farmlovers, you register using an email address and password, or via Google OAuth (see Section 16).

Data collected at registration:

  • Full name
  • Email address
  • Password (stored as a secure cryptographic hash — we never store your plain-text password)
  • Terms & Conditions version accepted and timestamp of acceptance

Additional profile data (optional, added later):

  • Phone number
  • Biography / short description
  • City, state, district, country
  • Profile avatar (photo)

Why we collect this: To create and manage your account, authenticate you when you log in, and provide the platform services you have requested.

How long we keep it: For the lifetime of your account. On account deletion, personal data is anonymized within 30 days. Terms acceptance records are retained for 3 years. See Section 8 for full retention periods.

Legal basis: Art. 6(1)(b) — performance of the contract (your account agreement with us). Terms acceptance records are also retained on the basis of Art. 6(1)(b) (account administration) and Art. 6(1)(f) (our legitimate interest in being able to demonstrate which version of the Terms & Conditions a user accepted, in case this is ever disputed).


16. Google OAuth Login

You have the option to sign in or register using your Google account ("Sign in with Google"). If you use this feature, Google authenticates you and shares certain data with us.

Data received from Google:

  • Your name
  • Your email address
  • Your Google user ID (a persistent identifier assigned by Google)
  • Your profile picture (URL)

What we do NOT receive or store: We do not receive your Google password or access to any other Google services. Farmlovers stores only your Google user ID for future login recognition. No Google access token, refresh token, or password is stored. During the initial sign-in flow, your name and email are held temporarily in the session and deleted once your account is created.

How long we keep it: For the lifetime of your account. Your Google user ID is linked to your Farmlovers account and allows you to sign in again. On account deletion, this data is anonymized within 30 days.

Legal basis: Art. 6(1)(b) — you initiate this login to access your Farmlovers account; processing is necessary to perform that service.

Google's own processing: When you use Google OAuth, Google processes your data according to its own privacy policy (see https://policies.google.com/privacy). Farmlovers has no control over Google's processing of your data on Google's systems.

International transfer: Google LLC is based in the USA. See Section 7 for the safeguards that apply.


17. Organization Profiles and Product Listings

If you create or join an organization on Farmlovers, you can publish an organization profile and product listings that are visible to all platform visitors.

Data collected for organization profiles:

  • Organization name, description, founding year, and type (farm, cooperative, store, processor, etc.)
  • Address (street, city, state, district, postal code, country)
  • Contact details: email address, phone number, website
  • Social media links: Facebook, Instagram, Twitter/X, LinkedIn, YouTube, WhatsApp Business
  • Profile logo and banner images

Data collected for product listings:

  • Product name, description, category, and tags
  • Price or price range (optional)
  • Product images
  • Availability status

This data is publicly visible: Organization profiles and listings are intended for public display and may be indexed by search engines. Users should include only information they are entitled to publish and should avoid uploading personal data of third parties unless they have a valid legal basis to do so.

Why we collect this: To provide the platform's core marketplace service — connecting producers with buyers.

How long we keep it: For as long as the organization is active. On deletion, personal data within the organization profile is anonymized within 30 days. Product listings associated with a deleted organization are also deleted.

Legal basis: Art. 6(1)(b) — performance of the service contract.


18. Organization Invitations

Organization administrators can invite other users (by email address) to join their organization on the platform.

Data involved in the invitation process:

  • Inviter's data: The name and user ID of the inviting administrator, already held on the platform as part of their account.
  • Invitee's email address: Provided by the inviter specifically for the purpose of sending the invitation. If the invitee is not yet a Farmlovers user, we store their email address only for the duration of the invitation.
  • Invitation token: A unique, time-limited token generated by the platform and included in the invitation email, used to verify that the correct person is accepting the invitation.

How the invitation email is sent: The invitation email is sent to the invitee's email address via our email service provider ([EMAIL_SERVICE_PROVIDER]) — see Section 6 (Recipients) for further details about this provider.

What if the person is not yet a Farmlovers user? We store their email address only for the purpose of the invitation. If the invitation expires without being accepted, the email address is deleted.

How long we keep it: Invitations expire 90 days after creation. After expiry, invitation records (including the invitee's email) are no longer processed for invitation purposes and are retained only as expired records.

Legal basis: Art. 6(1)(f) — legitimate interests of the organization in inviting team members. The invitee's interest in not receiving an unexpected email is outweighed by the fact that the email comes from a known person (their potential colleague) and they can simply ignore it if unwanted.


19. Contacting Us

When you contact us directly — for example, by emailing legal@farmlovers.org — we process the personal data you include in your message.

Data collected:

  • Your name (if you include it)
  • Your email address
  • The content of your message

Why we collect this: To respond to your enquiry.

How long we keep it: For as long as necessary to resolve the matter you raised, plus a reasonable period in case of follow-up questions. We do not retain contact messages beyond what is necessary.

Legal basis: Art. 6(1)(b) where your enquiry relates to your account or our services (pre-contractual or contractual); Art. 6(1)(f) (legitimate interest in handling general enquiries) for all other cases.


20. Email Notifications

We send emails to your registered email address in connection with the platform. Notifications fall into two categories:

Transactional notifications (always sent — cannot be disabled):
These emails are necessary for the functioning of the service or required by law:

  • Password reset
  • Email address verification
  • Welcome email after registration
  • Organization approval or rejection notification
  • Invitation to join an organization

These emails cannot be unsubscribed from because they are a necessary part of the service.

Platform notifications (can be disabled):
These inform you about platform activity relevant to you:

  • New product published by an organization you follow
  • Product approval or rejection by administrators
  • Organization profile updates
  • Grace period reminders (subscription nearing expiry)
  • Membership expiry notifications
  • Products moved to draft status (when subscription expires)

You can manage your notification preferences in your account settings. Each notification email contains a one-click unsubscribe link in the footer. Clicking that link turns off all optional email notifications immediately, without requiring you to log in.

How long we keep it: Notification records are retained for 90 days, then automatically deleted.

Email service provider: We use [EMAIL_SERVICE_PROVIDER] to send emails. This provider processes your email address only to deliver the message. See Section 6 and the relevant DPA.

Legal basis: Art. 6(1)(b) for transactional notifications (necessary to perform the service contract). Art. 6(1)(f) for optional platform notifications (legitimate interest in keeping you informed about activity relevant to your account).


21. WhatsApp Notifications (via Twilio)

Organizations may optionally provide a WhatsApp phone number to receive platform notifications via WhatsApp. This is separate from the public WhatsApp Business link that may appear on your organization's public profile.

This feature is entirely optional. If you do not provide a WhatsApp number for notifications, no WhatsApp messages are sent.

Data collected:

  • WhatsApp phone number (belongs to the organization, not to individual users)

Confirmation requirement: The WhatsApp number must be confirmed before any notifications are sent to it.

How it works: When you enable WhatsApp notifications and provide a confirmed phone number, we share that number with Twilio Inc. (USA) to send platform notifications via their messaging infrastructure.

Twilio's processing: Twilio processes your phone number to route and deliver the message. See Twilio's privacy policy at https://www.twilio.com/en-us/legal/privacy.

International transfer: Twilio Inc. is based in the USA. See Section 7 for the safeguards that apply.

How long we keep it: For as long as your organization has this feature enabled. Removing the phone number from your organization settings stops further WhatsApp notifications. On organization deletion, the number is deleted as part of the profile data.

Legal basis: Art. 6(1)(a) — consent. You provide the number and confirm it specifically to receive notifications via WhatsApp. You can withdraw consent at any time by removing the number from your organization settings.


22. Cookies and Consent Management

We use cookies and similar technologies on this platform. This section provides a summary. For full details, please read our Cookie Policy.

What is a cookie? A cookie is a small text file that a website stores on your device. Cookies allow the website to remember information about your visit (such as whether you are logged in) so you do not have to re-enter it on every page.

What cookies do we use?

Strictly necessary cookies: These are required for the website to function. They include your login session cookie, a CSRF security token, and your language/country preference. You cannot opt out of these cookies — they are essential for the website to work. No consent is required for strictly necessary cookies under TDDDG § 25(2).

Web analytics (no cookies): We use Plausible Analytics to understand how visitors use our platform. Plausible does not set any cookies, does not use localStorage, and does not fingerprint visitors. No consent is required for Plausible under TDDDG § 25 because no information is stored on or accessed from your device. See Section 23 for details.

Consent logging: When you make a choice on the cookie consent banner, your choice is recorded in our database. We store: an anonymized hash of your IP address, the categories you accepted, the consent version, and the timestamp. This record is kept for 3 years as evidence of your consent.

Withdrawing consent: You can change your cookie preferences at any time using the "Cookie Settings" link in our footer.

Legal basis: TDDDG § 25 for the requirement to obtain consent before placing non-essential cookies (our analytics tool does not place cookies and therefore does not require consent). Consent logs are kept under Art. 6(1)(c) (legal obligation to demonstrate consent under GDPR Art. 7(1)).


23. Web Analytics (Plausible)

We use Plausible Analytics to understand how visitors use our platform. Plausible is a privacy-friendly, open-source web analytics service operated by Plausible Insights OÜ, based in Estonia (EU).

What Plausible collects:

  • Page URL and referral source
  • Browser type and operating system
  • Device type (desktop, mobile, tablet)
  • Country (derived from IP address, which is discarded immediately and never stored)

What Plausible does NOT do:

  • Set cookies or use localStorage
  • Collect or store your IP address
  • Use fingerprinting or any cross-site tracking
  • Collect your name, email, or any personally identifying information
  • Track individual visitors across sessions

All data is stored on EU servers. No data is transferred to the United States or any other third country.

Legal basis: Art. 6(1)(f) — legitimate interest. Our legitimate interest is understanding aggregate traffic patterns to improve the platform. Because Plausible does not store personal data, does not set cookies, and does not access any information on your device, no consent is required under TDDDG § 25.

Processor: Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia. Data policy: https://plausible.io/data-policy.

Opting out: Because Plausible does not use cookies or track individuals, there is no consent to withdraw. If you wish to prevent the Plausible script from loading, you can use a browser-based content blocker or ad blocker.


24. Engagement Tracking (Anonymized View Counts)

We count how many times organization profiles and product listings are viewed. This helps producers understand how much interest their listings receive.

How it works: When a page is viewed, we generate a temporary identifier — a SHA-256 hash of the visitor's IP address combined with their browser's user agent string. We store this hash alongside the country of the visitor (derived from their IP address at the moment of the visit). We do not store the raw IP address.

This system is designed so that we can count unique daily views without storing any directly identifying information. The same visitor viewing the same page multiple times in a day counts as one view.

What is stored: A hashed identifier (viewer_hash), the country code, and a reference to the page viewed. No name, email address, or raw IP address is stored.

Why we collect this: To provide meaningful engagement statistics to organization owners (how many unique visitors viewed their profile or products). This is in our legitimate interest as a marketplace platform and in the legitimate interest of sellers in understanding their audience.

How long we keep it: [TBD — raw engagement event retention period to be defined before publication. Candidate: 90 days for raw hashed events; aggregated statistics retained indefinitely as non-personal data.]

Legal basis: Art. 6(1)(f) — legitimate interests in providing a useful platform service.


25. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. This can happen when:

  • We add new features that involve processing personal data
  • Applicable law changes
  • We change our processors or data flows
  • We correct errors or improve clarity

How we notify you: If we make a material change — meaning a change that significantly affects how we process your data or your rights — we will notify you by email or via a prominent notice on the platform at least 30 days before the change takes effect. The updated version will apply from the stated effective date shown at the top of this page.

Minor changes (corrections, clarifications, updated provider names) do not require advance notice but will always be reflected in the version number and update date at the top of this page.

This Privacy Policy is an information notice, not a contract. We do not ask for your "acceptance" of it. If you disagree with material changes, you may delete your account before the new version takes effect.

The current version number and effective date are shown at the top of this page.

See our Terms & Conditions, Section 23, for information about changes to the Terms of Service.

Legal basis: GDPR Art. 12.


Summary of Key Contacts

Purpose | Contact
General enquiries | legal@farmlovers.org
Data protection requests (access, erasure, portability, objection) | legal@farmlovers.org
Withdraw consent | legal@farmlovers.org or Cookie Settings in footer
Complaints | Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit — https://www.datenschutz-hamburg.de/


Farmlovers UG (haftungsbeschränkt) — Privacy Policy v1.1-draft — Effective: [EFFECTIVE_DATE]
This Privacy Policy is provided in English. In the event of any discrepancy between language versions, the English version prevails. German data protection law (DSGVO, BDSG, TDDDG) applies.
