Privacy Policy

Protecting your personal data matters to us. This policy informs you in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) which data we process when you use Liebling, for what purpose, and what rights you have.

1. Controller

Represented by Managing Director Nathalie Acker. Registered in the commercial register: Amtsgericht Ludwigshafen am Rhein, HRB 68275.

2. Categories of personal data

• Account data: email address, name, hashed password.
• Content: child profiles, diary entries, photos, videos, milestones, growth data, people entries, shared links you create.
• Subscription and payment metadata: subscription status, plan, customer ID at our payment provider (payment instruments themselves are stored by Paddle only, never by us).
• Usage and log data: IP address, user agent, timestamps, accessed routes — used for diagnostics and abuse prevention.
• Support correspondence: emails you send us.

3. Purposes and legal bases

• Providing the service (account, storing your memories, sharing) — Art. 6(1)(b) GDPR (contract performance).
• Payment processing via Paddle as Merchant of Record — Art. 6(1)(b) GDPR.
• Security, abuse and fraud prevention, logs — Art. 6(1)(f) GDPR (legitimate interest).
• Compliance with legal obligations (e.g. invoice retention) — Art. 6(1)(c) GDPR.
• Transactional emails (registration, password reset, subscription notifications) — Art. 6(1)(b) GDPR.

4. Recipients and sub-processors

We rely on carefully selected service providers under data processing agreements (Art. 28 GDPR):

• Supabase (database, authentication, file storage) — EU region.
• Paddle.com Market Limited, Judd House, 18-29 Mora Street, London EC1V 8BT, UK — as Merchant of Record for billing, tax compliance, refunds and invoicing. Transfers to the UK take place on the basis of the EU Commission's adequacy decision or the EU Standard Contractual Clauses (SCCs).
• Cloudflare — hosting of the web application and edge functions, DDoS protection.
• Email delivery for transactional messages (confirmation and service emails).
• Lovable AI Gateway, where you use AI-powered features in the app.

5. Retention

• Account and content data: as long as your account exists. After deletion, content is removed from production systems within 30 days; backups expire on rotation.
• Invoices and payment records: 10 years (German tax law).
• Server logs: up to 30 days.

6. Your rights

You have the right at any time to:

• access (Art. 15 GDPR)
• rectification (Art. 16 GDPR)
• erasure (Art. 17 GDPR)
• restriction of processing (Art. 18 GDPR)
• data portability (Art. 20 GDPR)
• object to processing based on legitimate interest (Art. 21 GDPR)
• withdraw consent with effect for the future (Art. 7(3) GDPR)

Contact hallo@liebling.io to exercise any of these rights. You also have the right to lodge a complaint with a supervisory authority — the one competent for us is the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate, Mainz, Germany.

7. Cookies

We only use technically necessary cookies / local storage to keep you signed in (session token). These are required to operate the application (Art. 6(1)(b) GDPR / § 25(2)(2) TDDDG) and do not require consent. We do not set marketing or tracking cookies.

8. Security

All transfers are TLS-encrypted. Databases and file storage are hosted in the EU; access is limited to a small group of people and is logged.

9. International data transfers

Processing happens primarily within the EU. Transfers to third countries (in particular the UK to Paddle) take place on the basis of adequacy decisions or EU Standard Contractual Clauses (SCCs).

10. Changes to this policy

We update this policy when the service or legal landscape changes. The latest version is always available on this page.