Privacy Policy

Last updated: April 2026

1. Controller

BuyMeACroissant UG (haftungsbeschränkt) (in Gründung), [Address], Germany. E-mail: hello@buymeacroissant.eu.

2. Data we collect and why

  • Creator account data — name, email, address, VAT-ID, date of birth (if individual). Legal basis: contract performance and DAC7 legal obligation (Art. 6(1)(b) and (c) GDPR).
  • Buyer email + locale — for sending transaction receipts. Legal basis: contract performance (Art. 6(1)(b) GDPR). Retained for 24 months after the last transaction, then purged.
  • Hashed buyer IP — SHA-256(IP + salt) for rate-limiting. Never stored in raw form. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Transaction data — amounts, timestamps, payment method, buyer country. Legal basis: legal obligation (DAC7, tax record-keeping).

3. Data residency & sub-processors

  • Supabase — database and auth. EU region: Frankfurt (eu-central-1). Privacy policy.
  • Mollie B.V. — payment processing. Amsterdam, Netherlands. Privacy policy.
  • Resend — transactional email. EU sending region. Privacy policy.
  • Railway — hosting. EU region (Amsterdam). Privacy policy.

No data is transferred outside the EEA. Where a sub-processor is not established in the EU, Standard Contractual Clauses (SCCs) are in place.

4. Your rights (GDPR)

You have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. Creators can export their data as JSON/CSV and delete their account from the dashboard. Submit requests to hello@buymeacroissant.eu.

5. Retention

Buyer emails are purged 24 months after the last transaction. Creator data is retained for the duration of the account and for 7 years after account deletion for tax-record obligations.

6. Complaints

You have the right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragte für den Datenschutz (BfDI).