Privacy Policy
Last updated: February 2026
1. Data Controller
Jonas Fendel
Körnerstraße 14
64653 Lorsch
E-Mail: contact@hivekraft.com
2. Overview of Data Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Types of data processed
- Master data (e.g., names, addresses)
- Contact data (e.g., email)
- Content data (e.g., form inputs, beekeeping data)
- Usage data (e.g., pages visited, access time)
- Meta/communication data (e.g., device information, IP addresses)
3. Legal Basis
Below you will find an overview of the legal bases of the GDPR on which we process personal data:
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party.
- Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller.
4. User Account / Registration
During registration, we collect the following data: name, email address, password (hashed with bcrypt). Processing is based on Art. 6(1)(b) GDPR for the performance of a contract.
During use of the service, we store the beekeeping data you enter (apiaries, hives, inspections, treatments, harvests, etc.). This data is used exclusively for providing the service.
5. Authentication / Session
We use JSON Web Tokens (JWT) for authentication. Tokens are stored as HTTP-only cookies and are valid for 30 days. No tracking cookies are used.
6. Hosting and Servers
The application is hosted on servers in Germany / the EU. When you access our website, information transmitted by your browser is automatically stored in server log files (IP address, browser type, operating system, referrer URL, time of access).
7. Cookies
We use only technically necessary cookies:
- Session cookie - Contains the encrypted authentication token. Validity: 30 days. Essential for login.
No analytics, tracking, or advertising cookies are used.
8. Data Processors and Third-Party Services
To provide our service, we use the following third-party providers that process personal data on our behalf:
8.1 Payment Processing (Stripe)
For processing payments for paid plans, we use Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA). When subscribing to a paid plan, your payment data (credit card details, billing address) is processed directly by Stripe. We do not store any complete payment data — only a Stripe customer ID and the subscription status. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Stripe is certified under the EU-US Data Privacy Framework. Stripe Privacy Policy.
8.2 Email Delivery (Brevo)
For sending transactional emails (registration confirmation, password reset), we use Brevo (Sendinblue GmbH, Berlin, Germany). Your email address is transmitted to Brevo for this purpose. Brevo processes data on servers within the EU. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). No marketing emails are sent. Brevo Privacy Policy.
8.3 Social Login (Google, Facebook)
You may optionally sign in via Google or Facebook (OAuth 2.0). In doing so, we only receive your name and email address from the respective provider. We do not gain access to your social media profiles or contacts. The use of Social Login is voluntary — registration via email and password is also available. The legal basis is Art. 6(1)(a) GDPR (consent).
Beyond this, personal data is not shared with third parties, sold, or used for advertising purposes. An exception exists only if we are legally obligated to do so.
9. AI-Assisted Processing
Hivekraft optionally offers AI-assisted voice input. Your voice inputs are processed via an external AI service (OpenRouter). Usage is voluntary. The transmitted data is not used for training AI models.
10. External Data Sources
Hivekraft uses the following external data sources to provide weather and phenology features:
- German Weather Service (DWD) - Weather data and Growing Degree Sum (GTS) are obtained via the Bright Sky API, which provides open DWD data. Your location coordinates (latitude, longitude) are transmitted to the API service to retrieve location-based weather data. License: GeoNutzV (Source: Deutscher Wetterdienst).
- OpenStreetMap - Map views use OpenStreetMap tiles. When loading the map, requests are sent to OpenStreetMap tile servers. OpenStreetMap Foundation Privacy Policy.
11. Community Insights & TrachtNetz
Hivekraft offers aggregated community statistics. Your data is only included anonymously in these statistics. Participation is voluntary and is requested during registration (opt-in). You can change your participation at any time in the settings.
12. Usage Analytics
To ensure system stability and detect abuse, we log API accesses (endpoint called, HTTP method, status code, response time). This data is linked to your user ID and automatically deleted after 90 days. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security of the service).
13. Web Analytics (Umami)
We use Umami as a self-hosted, privacy-friendly web analytics solution. Umami does not set cookies and does not store personal data. Only anonymized usage statistics are collected (e.g., page views, time on site, country of origin), which cannot be traced back to individual persons. Umami is operated on our own servers in the EU and is fully GDPR-compliant. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in improving the service).
14. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) - You have the right to obtain information about your stored personal data.
- Right to rectification (Art. 16 GDPR) - You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) - You may request the deletion of your data. You can delete your account at any time.
- Right to restriction (Art. 18 GDPR) - You may request the restriction of processing.
- Right to data portability (Art. 20 GDPR) - You can export your data in a machine-readable format (JSON export via Settings → Export data).
- Right to object (Art. 21 GDPR) - You may object to the processing of your data.
- Right to lodge a complaint - You have the right to lodge a complaint with a data protection supervisory authority.
15. Data Security
We use SSL/TLS encryption for data transmission. Passwords are stored hashed with bcrypt. Access to your data is protected by authentication and restricted to your user account.
16. Changes
We reserve the right to update this privacy policy to ensure it always complies with current legal requirements. The most current version applies to your visit.