Privacy policy

1. Who we are (controller)

Larderlab is the editorial brand operating larderlab.com. The data controller for the purposes of Article 4(7) GDPR is the operator named in our /impressum (German visitors) and /contact pages. For privacy questions, write to privacy@larderlab.com.

2. Data we collect

We deliberately collect the minimum data required to run an editorial site.

• Information you provide: email address (newsletter signup), any message body you send via the contact form, optional name when you submit a correction.
• Information collected automatically: pages visited, referring URL, approximate location at country / region level, device type, browser, anonymised session identifier.
• Cookies and local storage: a session cookie, an analytics cookie (only with consent), and a localStorage entry recording your cookie-consent choice. See our /cookies page for the full inventory.
• We do not collect: precise GPS location, your name unless you give it to us, payment information, government IDs, or any special-category data under Article 9 GDPR.

3. Legal basis for processing (Article 6 GDPR)

Each processing activity has one of the following legal bases.

• Consent (Art. 6(1)(a)), analytics and marketing cookies, optional newsletter subscription.
• Contract (Art. 6(1)(b)), delivering the newsletter once you have subscribed.
• Legal obligation (Art. 6(1)(c)), keeping records required by tax, accounting, and consumer-protection law.
• Legitimate interest (Art. 6(1)(f)), strictly necessary cookies, security logging, fraud prevention, defending legal claims. We have completed a legitimate-interest assessment and document it on request.

4. Purposes

We process personal data for these specific purposes, and no others.

• Operating the site and the newsletter.
• Understanding which content readers find useful (anonymised analytics only).
• Responding to corrections, editorial feedback, and contact-form messages.
• Complying with our legal obligations (tax, accounting, consumer protection).
• Defending against fraud, abuse, and legal claims.

5. Retention

We do not keep data longer than we need it.

• Newsletter subscribers: until you unsubscribe, plus 30 days for unsubscribe-confirmation purposes.
• Anonymised analytics: 26 months.
• Contact-form correspondence: up to 3 years.
• Cookie-consent record (localStorage in your browser): 13 months, after which we ask again.
• Records required by law: as long as the relevant statute requires (typically 6–10 years for tax records).

6. Recipients and processors

We share personal data only with the processors listed below, each bound by a written data-processing agreement under Article 28 GDPR. We do not sell or rent personal data and we do not run programmatic advertising.

• Vercel Inc., hosting, content delivery (US, with EU data-transfer Standard Contractual Clauses).
• Beehiiv Inc., newsletter delivery (US, SCCs).
• Neon, Inc., analytics database, anonymised traffic only (EU region where available).
• Supabase Inc., asset storage (EU region).
• Google Search Console / Bing Webmaster Tools, aggregated SEO performance data, no individual identifiers.

7. International transfers (Articles 44–49 GDPR)

Where a processor is based outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework. We document the supplementary measures used to ensure an essentially equivalent level of protection. A summary is available on request from privacy@larderlab.com.

8. Your rights as a data subject (Articles 15–22 GDPR)

You have the following rights, free of charge, exercisable by writing to privacy@larderlab.com. We respond within one calendar month under Article 12(3) GDPR.

• Right of access (Art. 15), receive a copy of the personal data we hold about you.
• Right to rectification (Art. 16), correct inaccurate or incomplete data.
• Right to erasure (Art. 17), request deletion when one of the listed grounds applies.
• Right to restriction (Art. 18), pause processing in defined circumstances.
• Right to data portability (Art. 20), receive your data in a structured, machine-readable format.
• Right to object (Art. 21), object to processing based on legitimate interest, including direct marketing.
• Rights related to automated decision-making (Art. 22), we do not run automated decision-making with legal effects.
• Right to withdraw consent at any time, without affecting prior lawful processing.
• Right to lodge a complaint with a supervisory authority (Art. 77), see the list below.

9. Supervisory authorities

If you are not satisfied with our response, you may lodge a complaint with your national data-protection authority. The principal authorities for our EU readership are: Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (https://www.bfdi.bund.de); France: Commission nationale de l'informatique et des libertés (CNIL) (https://www.cnil.fr); Italy: Garante per la protezione dei dati personali (https://www.garanteprivacy.it); Spain: Agencia Española de Protección de Datos (AEPD) (https://www.aepd.es); Netherlands: Autoriteit Persoonsgegevens (AP) (https://www.autoriteitpersoonsgegevens.nl); Poland: Urząd Ochrony Danych Osobowych (UODO) (https://www.uodo.gov.pl); Sweden: Integritetsskyddsmyndigheten (IMY) (https://www.imy.se); Portugal: Comissão Nacional de Proteção de Dados (CNPD) (https://www.cnpd.pt); Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (https://www.dataprotection.ro); Czech Republic: Úřad pro ochranu osobních údajů (ÚOOÚ) (https://www.uoou.cz); Norway: Datatilsynet (https://www.datatilsynet.no). UK readers may complain to the Information Commissioner's Office (ICO) at https://ico.org.uk.

10. Cookies summary

Strictly-necessary cookies are set on first visit. Analytics and marketing cookies are set only after you give consent via the cookie banner. You can change your choice at any time by clicking 'Cookie preferences' in the footer. The full inventory, name, category, purpose, duration, provider, is on our /cookies page.

11. Affiliate links

Some product links on this site may be affiliate links. When that is the case, the link will carry a country-appropriate disclosure label (Sponsored / Werbung / Publicité / etc.) immediately adjacent to the link. The affiliate network may receive transaction data, we never receive your name, address, or payment information. See /affiliate-disclosure for the full framework.

12. Children

Larderlab is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, write to privacy@larderlab.com and we will delete it.

13. Security

We protect personal data with HTTPS in transit, access controls on databases, least-privilege access for staff, and regular review of processor compliance. No system is perfectly secure, if a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by Articles 33–34 GDPR.

14. Changes to this policy

We may update this policy from time to time. Material changes will be summarised at the top of this page with a new 'Last updated' date. Continued use of the site after a change constitutes acknowledgement.

15. Contact

Privacy questions, data-subject requests, or breach notifications: privacy@larderlab.com. We respond within one calendar month under Article 12(3) GDPR.