Loaf Story

Privacy Policy

Last updated: April 2026

1. Data Controller

The data controller responsible for this website is:

2. Data We Collect

We collect and process the following personal data:

  • Account data — name and email address when you register
  • Session data — IP address and user agent, stored with your session for security purposes
  • Recipe content — recipes you create, including text and uploaded images
  • OpenAI API key — if you use AI features, your self-provided API key is stored in a secure, HTTP-only browser cookie
  • Preferences — settings such as sidebar state and selected AI model

3. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — to provide the service you signed up for
  • Legitimate interest (Art. 6(1)(f)) — to maintain security and improve the service

4. Cookies

We use only functional cookies required for the service to operate. No tracking or advertising cookies are used.

  • Session cookies — required for authentication and login (essential)
  • OpenAI API key — stores your self-provided API key in a secure, HTTP-only browser cookie, expires after 400 days (functional)
  • Sidebar state — remembers your sidebar preference, expires after 30 days (functional)

5. Third-Party Services

We use the following third-party services to operate LoafStory:

Cloudflare (Workers, D1, R2)

Our application is hosted on Cloudflare Workers. User data is stored in Cloudflare D1 (database) and recipe images are stored in Cloudflare R2 (object storage). Your data may be processed at Cloudflare edge locations internationally. Cloudflare Privacy Policy.

OpenAI

When you use AI features to parse or generate recipes, your recipe text and/or images are sent to the OpenAI API. You provide your own API key for this purpose. No other personal data is shared with OpenAI. OpenAI Privacy Policy.

Amazon Web Services (SES)

We use AWS Simple Email Service to send transactional emails, such as login verification codes and feedback notifications. Your email address is shared with AWS for this purpose. AWS Privacy Policy.

OAuth Login Providers

If you choose to log in via a social account, your profile information (name, email) is shared by the respective provider. We support Google, Facebook, Discord, and Reddit. Only the data necessary for account creation is stored. Please refer to each provider's privacy policy for details on their data handling.

6. Data Storage & Retention

Your data is stored on Cloudflare infrastructure. While Cloudflare operates globally, data at rest is primarily stored in the region where the database was created. We retain your data for as long as your account is active. Upon account deletion, your data will be removed within 30 days.

7. Your Rights

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Request erasure (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)

8. Contact & Complaints

If you have concerns about data processing, contact us at the address above. You also have the right to lodge a complaint with the Austrian data protection authority:

Österreichische Datenschutzbehörde

Barichgasse 40–42, 1030 Wien

www.dsb.gv.at