Privacy Policy
Last updated: March 2026
1. Data Controller
Jonas Fendel
Körnerstraße 14
64653 Lorsch
E-Mail: contact@hivekraft.com
2. Overview of Data Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Types of data processed
- Master data (e.g., names, addresses)
- Contact data (e.g., email)
- Content data (e.g., form inputs, beekeeping data)
- Usage data (e.g., pages visited, access time)
- Meta/communication data (e.g., device information, IP addresses)
3. Legal Basis
Below you will find an overview of the legal bases of the GDPR on which we process personal data:
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party.
- Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller.
4. User Account / Registration
During registration, we collect the following data: name, email address, password (hashed with bcrypt). Processing is based on Art. 6(1)(b) GDPR for the performance of a contract.
During use of the service, we store the beekeeping data you enter (apiaries, hives, inspections, treatments, harvests, etc.). This data is used exclusively for providing the service.
5. Authentication / Session
We use JSON Web Tokens (JWT) for authentication. Tokens are stored as HTTP-only cookies and are valid for 30 days. No tracking cookies are used.
6. Hosting and Servers
The application is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner. All data processing takes place exclusively on servers in Germany. When you access our website, information transmitted by your browser (IP address, browser type, operating system, referrer URL, time of access) is automatically stored in server log files.
7. Cookies
We use only technically necessary cookies:
- Session cookie - Contains the encrypted authentication token. Validity: 30 days. Essential for login.
No analytics, tracking, or advertising cookies are used.
8. Data Processors and Third-Party Services
To provide our service, we use the following third-party providers that process personal data on our behalf:
8.1 Payment Processing (Stripe)
For processing payments for paid plans, we use Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA). When subscribing to a paid plan, your payment data (credit card details, billing address) is processed directly by Stripe. We do not store any complete payment data — only a Stripe customer ID and the subscription status. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Stripe is certified under the EU-US Data Privacy Framework. Stripe Privacy Policy.
8.2 Email Delivery (Brevo)
For sending transactional emails (registration confirmation, password reset), we use Brevo (Sendinblue GmbH, Berlin, Germany). Your email address is transmitted to Brevo for this purpose. Brevo processes data on servers within the EU. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). In addition to transactional emails, we send optional service notifications (e.g., reminders, tips). You can disable these in Settings. Brevo Privacy Policy.
8.3 Social Login (Google, Facebook)
You may optionally sign in via Google or Facebook (OAuth 2.0). In doing so, we only receive your name and email address from the respective provider. We do not gain access to your social media profiles or contacts. The use of Social Login is voluntary — registration via email and password is also available. The legal basis is Art. 6(1)(a) GDPR (consent).
Beyond this, personal data is not shared with third parties, sold, or used for advertising purposes. An exception exists only if we are legally obligated to do so.
9. AI-Assisted Processing
Hivekraft uses AI-assisted features to improve beekeeping management. All AI features are optional and require explicit consent. Data is transmitted via OpenRouter (OpenRouter Inc., USA) to Mistral AI (Paris, France). For photo analysis, Google Gemini (USA) is used. EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR apply for third-country transfers to the USA. The legal basis is Art. 6(1)(a) GDPR (consent). Consent can be revoked at any time in the settings.
9.1 Voice Input
Your voice inputs are transcribed via OpenRouter and converted into structured inspection data. Data transmitted includes: audio transcript as text, associated colony metadata (name, type). Processing only occurs when you actively use the voice input feature.
9.2 AI Chat Assistant
The AI chat assistant answers beekeeping questions using your colony data as context. Data transmitted includes: your question, context data about your colonies (current inspections, treatments, harvests, location weather). Chat histories are stored in your database and removed upon account deletion.
9.3 Intelligence Engine
The Intelligence Engine analyzes your inspections, treatments and harvests locally (on our server) to generate recommendations (e.g., swarm risk, health status, treatment timing). This analysis runs without external AI services — your data does not leave our server.
9.4 Design Studio & Brand Generator
The Design Studio can generate AI-powered beekeeper profiles, brand pages, and HTML-based brand websites. Your inputs (name, description, style preferences, color schemes) are transmitted to OpenRouter (Mistral Small). Generated content is stored in your user profile. Processing only occurs when you actively use the Design Studio.
9.5 Label AI (Label Generator)
The Label Generator creates AI-generated honey labels based on your inputs (honey variety, apiary name, design style, colors). Your inputs are transmitted to OpenRouter (Mistral Small). Generated label designs are stored in your user profile. Processing only occurs when you actively use the Label Generator. The legal basis is Art. 6(1)(a) GDPR (consent).
9.6 Photo Analysis
Photos of bee colonies (combs, brood nests, varroa boards) can be submitted for AI-powered analysis to Google Gemini (Google LLC, USA) via OpenRouter. Data transmitted includes: the photo, associated colony metadata. Google is certified under the EU-US Data Privacy Framework (DPF). EU Standard Contractual Clauses (SCCs) apply for the transfer via OpenRouter (USA). Analysis only occurs when you actively use the photo analysis feature. The legal basis is Art. 6(1)(a) GDPR (consent).
9.7 Zero Data Retention (ZDR)
A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with OpenRouter. Additionally, we have activated Zero Data Retention (ZDR) and send the header data_collection: deny. According to OpenRouter, your data is not stored and not used for training AI models. We cannot provide an absolute guarantee, as processing is handled by third-party providers. Voice input audio files are automatically deleted after successful processing (maximum 24 hours).
9.8 Web Speech API (Speech Recognition)
The voice input in the chat uses the browser's Web Speech API. Audio data is transmitted to the browser vendor (Google Chrome: Google LLC, USA; Safari: Apple Inc., USA) for speech recognition. This processing is performed by your browser, not by Hivekraft. We have no control over data processing by the browser vendor. Please refer to your browser's privacy policy.
10. External Data Sources
Hivekraft uses the following external data sources to provide weather and phenology features:
- German Weather Service (DWD) - Weather data and Growing Degree Sum (GTS) are obtained via the Bright Sky API, which provides open DWD data. Your location coordinates (latitude, longitude) are transmitted to the API service to retrieve location-based weather data. License: GeoNutzV (Source: Deutscher Wetterdienst).
- OpenStreetMap - Map views use OpenStreetMap tiles. When loading the map, requests are sent to OpenStreetMap tile servers. OpenStreetMap Foundation Privacy Policy.
11. Community Insights & TrachtNetz
Hivekraft offers aggregated community statistics. Your data is only included anonymously in these statistics. Participation is voluntary and is requested during registration (opt-in). You can change your participation at any time in the settings.
12. Usage Analytics
To ensure system stability and detect abuse, we log API accesses (endpoint called, HTTP method, status code, response time). This data is linked to your user ID and automatically deleted after 90 days. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security of the service).
13. Web Analytics (Umami)
We use Umami as a self-hosted, privacy-friendly web analytics solution. Umami does not set cookies and does not store personal data. Only anonymized usage statistics are collected (e.g., page views, time on site, country of origin), which cannot be traced back to individual persons. Umami is operated on our own servers in the EU and is fully GDPR-compliant. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving the service).
14. Storage Duration
The storage duration of your data depends on the respective processing purpose:
- Account data (name, email, profile): until account deletion
- Beekeeping data (colonies, inspections, harvests): until account deletion. Upon account deletion, personal data is anonymized; beekeeping data is retained in anonymized form (EU 2019/6 retention requirement).
- Treatment records: minimum 5 years from treatment date (legal retention requirement per EU 2019/6, Art. 108)
- Server logs: 90 days
- JWT cookies: 30 days
- API usage logs: 90 days
15. Data Protection Officer
The appointment of a Data Protection Officer is not required under Art. 37 GDPR. For data protection inquiries, please contact: contact@hivekraft.com
16. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) - You have the right to obtain information about your stored personal data.
- Right to rectification (Art. 16 GDPR) - You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) - You may request the deletion of your data. You can delete your account at any time. Treatment records are subject to legal retention requirements (5 years, EU 2019/6) and are retained in anonymized form.
- Right to restriction (Art. 18 GDPR) - You may request the restriction of processing.
- Right to data portability (Art. 20 GDPR) - You can export your data in a machine-readable format (JSON export via Settings → Export data).
- Right to object (Art. 21 GDPR) - You may object to the processing of your data.
- Right to lodge a complaint - You have the right to lodge a complaint with a data protection supervisory authority.
17. Data Security
We use SSL/TLS encryption for data transmission. Passwords are stored hashed with bcrypt. Access to your data is protected by authentication and restricted to your user account.
18. Changes
We reserve the right to update this privacy policy to ensure it always complies with current legal requirements. The most current version applies to your visit.