Legal
Data Protection Notice
Last updated: 3 June 2026
This page explains how FrootAI (“we”, “us”) processes personal data when you visit frootai.dev. We are committed to complying with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the German Telecommunications-Telemedia Data Protection Act (TTDSG / TDDDG, §25), and the ePrivacy Directive (2002/58/EC).
1. Controller
The data controller within the meaning of Art. 4(7) GDPR is named in the Impressum. Contact: [email protected].
2. What we collect and why
2.1 Server logs (essential, no consent required)
Our hosting provider (Cloudflare Pages, EU/global edge) automatically records technical access data whenever you load a page: IP address, user agent, referrer, requested URL, timestamp, HTTP status, bytes transferred. Logs are kept for at most 30 days for security and abuse prevention.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, stable service).
- Retention: up to 30 days, then deleted or anonymised.
2.2 Cookies & local storage
We use the minimum necessary set. You control optional categories via the cookie banner. Your choice is stored in localStorage under fai-cookie-consent-v2 for 12 months, after which we ask again.
| Category | Purpose | Legal basis | Lifetime |
|---|---|---|---|
| Strictly necessary | Session, CSRF protection, this consent choice. | Art. 6(1)(f) GDPR · TTDSG §25(2) | Session – 12 months |
| Analytics (opt-in) | Plausible Analytics — cookieless, EU-hosted, aggregate page views. | Art. 6(1)(a) GDPR · TTDSG §25(1) | No cookies; in-memory only |
| Marketing (opt-in) | Microsoft Clarity heatmaps (only if you opt in and we have wired it). | Art. 6(1)(a) GDPR · TTDSG §25(1) | Up to 12 months |
2.3 Analytics — Plausible
We use Plausible Analytics, a privacy-first analytics service hosted in the EU (Germany / Netherlands). Plausible does not use cookies, does not collect personal data, and does not create user profiles or track you across sites. Even though Plausible is widely considered consent-exempt in the EU, we still load it only after explicit opt-in to give you maximum transparency.
- Processor: Plausible Insights OÜ (Estonia).
- Data transferred: URL, referrer, viewport, anonymised device hash (rotated daily).
- No personal data, no cookies, no cross-site tracking.
2.4 Heatmaps — Microsoft Clarity (only with marketing consent)
If, and only if, you opt into the “Marketing” category, we load Microsoft Clarity to capture anonymised heatmaps and session replays that help us improve the UI. Microsoft is the controller for Clarity data. Sub-processor and transfer details: clarity.microsoft.com/terms.
3. Third-party services
- Cloudflare Pages — hosting / CDN. Standard Contractual Clauses in place. Data Processing Addendum: Cloudflare DPA.
- GitHub — links to public repositories; loading a repo page is governed by GitHub’s privacy statement.
- Plausible Analytics — see §2.3.
- Microsoft Clarity — see §2.4 (only with consent).
4. Your rights under GDPR
You always have the right to:
- Access (Art. 15) — request a copy of personal data we hold about you.
- Rectification (Art. 16) — have inaccurate data corrected.
- Erasure / “right to be forgotten” (Art. 17).
- Restriction (Art. 18) of processing.
- Data portability (Art. 20).
- Object (Art. 21) to processing based on legitimate interest.
- Withdraw consent at any time (Art. 7(3)) — clearing your cookie choice re-opens the banner.
- Lodge a complaint with a supervisory authority (Art. 77). For Germany, the federal authority is the BfDI (bfdi.bund.de); a list of EU state authorities is at edpb.europa.eu.
To exercise any right, email [email protected].
5. International data transfers
Wherever feasible we use EU-hosted services. Where transfer outside the EU/EEA is unavoidable (e.g. parts of Cloudflare’s global edge), the transfer is covered by Standard Contractual Clauses (SCCs, Commission Decision 2021/914) and supplementary technical measures (TLS in transit, encryption at rest).
6. Security
The site is served exclusively over TLS 1.3. We apply HSTS, a strict Content-Security-Policy, Subresource-Integrity for third-party scripts, and the principle of data minimisation.
7. Children
This site is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.
8. Changes to this notice
We may update this notice as our processing evolves. Material changes are highlighted with a new “Last updated” date and, where significant, re-trigger the consent banner.
This document is provided in good faith and reflects our processing on the “Last updated” date. It is not legal advice. See also the Impressum.