Privacy Policy

Last updated: June 27, 2026

1. Who we are

DishDrift is a recipe-sharing community for expats and travelers. This service is operated by the DishDrift team, based in Germany. We are the data controller for the personal data you provide to us.

Contact: [email protected]

2. What data we collect

  • Account data: email address, display name, home country, current country. Collected when you create an account.
  • Recipe content: titles, ingredients, steps, notes, and photos you voluntarily upload.
  • Recipe attempts (“I made this”): when you mark a recipe as made, any photo and note you add are publicly visible on that recipe alongside your display name and current country. Photos and notes are optional — you can mark a recipe as made without either.
  • Usage data: page views and general usage statistics via Cloudflare Web Analytics. No cookies, no fingerprinting, no personal identifiers are used.
  • Error data: technical error reports via Sentry (EU servers) to help us fix bugs. No personal content is included in error reports.
  • Report submissions: if you report a recipe, we store the selected reason, any additional details you choose to provide, and (if signed in) your account identifier. This data is used solely to review reported content and is not shared publicly.

3. Why we collect it and legal basis

Under GDPR Art. 6, we process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): account data and recipe content are necessary to provide the service — showing you recipes, saving your preferences, and sending account emails such as verification, password reset, and notifications when someone saves, cooks, or adapts your recipes. You can turn interaction notifications off at any time in your profile settings.
  • Legitimate interest (Art. 6(1)(f)): anonymised usage statistics and error reports help us improve the app. These involve no personal content and use privacy-preserving tools.

We do not sell your data. We do not use your data for advertising or profiling.

4. Third-party services

We use the following sub-processors, all of which are GDPR-compliant:

  • Supabase (Germany, EU) — database and authentication. Your account and recipe data is stored here.
  • Cloudflare Pages & R2 (USA, EU transfer via SCCs) — app hosting and recipe photo storage.
  • Resend (EU region) — transactional and notification email delivery (verification, password reset, and recipe interaction notifications).
  • Sentry (EU region) — error monitoring. No personal content is sent.
  • Google OAuth (USA, EU transfer via SCCs) — optional sign-in. When you use Google Sign-In, Google shares your email address with us. Google's Privacy Policy applies to their services.
  • Cloudflare Web Analytics (USA, EU transfer via SCCs) — privacy-preserving analytics with no cookies and no personal identifiers.
  • PostHog (EU region, eu.i.posthog.com) — product analytics to understand how users interact with the app. Logged-in users are linked to their account ID; anonymous visitors are tracked by session only.

5. Data retention

We keep your data as long as your account is active. When you delete your account:

  • Your account, recipes, and uploaded photos are permanently deleted immediately.
  • Any report submissions you made are anonymised — your account identifier is removed and cannot be traced back to you.
  • Anonymised usage statistics (no personal identifiers) may be retained for analytics.
  • Residual backups are purged within 30 days.

6. Your rights (GDPR)

If you are in the EU or EEA, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data (via your profile settings).
  • Delete your account and all associated data (via Profile → Delete account).
  • Object to processing or withdraw consent at any time.
  • Lodge a complaint with your national data protection authority (in Germany: the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit).

To exercise any right, contact us at [email protected].

7. Minors

DishDrift is not directed at children under the age of 13. If you believe a child under 13 has created an account, please contact us and we will delete the data promptly.

8. Changes to this policy

If we make significant changes, we will update the "Last updated" date above. For changes that materially affect your rights, we will notify you by email.