AlpacaKeep
Get early access
Legal

Privacy policy

AlpacaKeep is operated by Devid Demetz, a natural person based in South Tyrol, Italy. This notice explains what personal data we collect when you use the service or our marketing site, why we collect it, and the rights you have under EU data-protection law.

Last updated: 29 April 2026

1. Data controller

The data controller within the meaning of the GDPR is:

A Data Protection Officer has not been appointed. Under GDPR Art. 37 designation is mandatory only for public authorities, organisations whose core activities involve large-scale systematic monitoring of data subjects, or large-scale processing of special-category data - none of which applies here. For visitors resident in Germany, BDSG §38(1) sentence 1 additionally requires a DPO when at least 20 persons are constantly engaged in automated processing of personal data; the operator is well below that threshold (sole proprietor, no employees). Data-protection questions can be addressed directly to the controller using the contact details above.

2. Data we collect

We collect the following categories of personal data:

  • Account data: Email address, name, locale preference, and hashed password - provided at registration.
  • Farm data: Animals, events, breeding records, photos, financial entries, and any other content you enter into the service.
  • Newsletter signups: Email address, IP address, browser user-agent, and timestamp - collected as proof of consent pursuant to GDPR Art. 7(1).
  • Technical and log data: IP address, user-agent string, and request timestamps - collected for security monitoring and abuse prevention.
  • Cookies: Essential authentication and session cookies only, set by Supabase Auth - see Section 12 for details.

3. How and where data is processed

All personal data is encrypted in transit (TLS) and at rest. Data is stored in the EU on Supabase infrastructure in the Frankfurt region and is accessed only by the controller and the named sub-processors listed in Section 6.

We implement reasonable technical and organisational measures to protect personal data in accordance with GDPR Art. 32. No security system can guarantee complete protection against all possible threats.

4. Purposes of processing

We process personal data for the following purposes:

  • Providing the service - managing accounts, farm records, and sharing within a farm workspace.
  • Communicating with users about the service - transactional emails and support replies.
  • Newsletter and launch updates - sent only to subscribers who have given explicit consent; opt-out available at any time.
  • Security, fraud and abuse prevention, and compliance with legal obligations.

5. Legal basis (GDPR Art. 6)

We rely on the following legal bases for processing:

  • Contract (Art. 6(1)(b)) - Processing is necessary to provide the service you have requested.
  • Consent (Art. 6(1)(a)) - Newsletter subscription. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legitimate interest (Art. 6(1)(f)) - Security monitoring, abuse prevention, and ensuring the integrity of the service.

6. Recipients and sub-processors

Personal data is shared only with the sub-processors below, each acting as a data processor under GDPR Art. 28.

  • Supabase Inc. - Database, authentication, and file storage. Region: Frankfurt, Germany (EU). No personal data leaves the EEA via this processor. Data Processing Agreement
  • Vercel Inc. - Application hosting, CDN, Web Analytics, and Speed Insights. Edge functions are pinned to fra1 (Frankfurt). Web Analytics and Speed Insights operate in cookieless mode (no device storage; see Section 12). Some platform telemetry may be processed in the United States under EU Standard Contractual Clauses. Data Processing Agreement
  • Cloudflare Inc. - DNS resolution. No application data stored; processes only DNS queries to alpacakeep.com. Data Processing Agreement
  • Mailbox.org (Heinlein Hosting GmbH) - Email hosting for the @alpacakeep.com mailbox. Provider: Heinlein Hosting GmbH, Berlin, Germany (EU). Privacy policy

If we add or change a sub-processor, we update this list and notify users with active accounts in advance.

7. International transfers

All primary personal data is stored within the European Economic Area (Supabase, Frankfurt). Any incidental transfer of platform telemetry to the United States (Vercel) is governed by the EU Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914.

8. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with GDPR Art. 5(1)(e):

  • Account data: Retained while the account is active and for 30 days after deletion, after which it is irreversibly removed - except where billing audit traces must be preserved.
  • Newsletter data: Retained until unsubscription; the consent log is retained for 24 months thereafter.
  • Activity log: Operational action logs are retained for 24 months. Security, billing, and livestock-register logs are retained indefinitely or in accordance with Italian fiscal law.
  • Financial records: Retained for 10 years after the last transaction in accordance with Italian tax retention requirements - applicable once paid plans go live.

9. Your rights

Under GDPR Arts. 15–22, you have the following rights:

  • Access (Art. 15) - request a copy of the personal data we hold about you.
  • Rectification (Art. 16) - request correction of inaccurate data.
  • Erasure (Art. 17) - request deletion of your data (the 'right to be forgotten').
  • Restriction (Art. 18) - request that we pause processing in certain circumstances.
  • Portability (Art. 20) - receive your data in a machine-readable format; JSON and CSV export are available directly in the product.
  • Objection (Art. 21) - object to processing carried out on the basis of legitimate interest.
  • Withdraw consent (Art. 7(3)) - applicable to anything processed on the basis of consent (e.g., newsletter); withdrawal does not affect the lawfulness of prior processing.

10. How to exercise your rights

To exercise any of these rights, email privacy@alpacakeep.com. We respond within one month as required by GDPR Art. 12(3); for complex requests we may extend by two further months and will notify you of the extension.

11. Right to lodge a complaint

If you believe your data is being processed unlawfully, you may lodge a complaint with the Italian supervisory authority, the Garante per la Protezione dei Dati Personali, at garanteprivacy.it. Under GDPR Art. 77(1) you may also lodge your complaint with the supervisory authority of your member state of habitual residence; for visitors resident in Germany, that is the Datenschutzaufsichtsbehörde of the relevant Bundesland.

12. Cookies and analytics

This site uses only essential cookies - authentication and session cookies set by Supabase Auth - that are strictly necessary to deliver the service within the meaning of ePrivacy Directive Art. 5(3), the Italian Garante's Linee Guida of 10 June 2021, and German TTDSG §25(2) Nr. 2. No consent banner is required for these cookies.

We also enable Vercel Web Analytics and Vercel Speed Insights on every page. Both operate in cookieless mode: visitors are identified by a server-side hash derived from the incoming request, no cookies are set on your device, and no localStorage or other persistent identifier is written. Aggregated session data is discarded after 24 hours. Because no information is stored on your device, this processing falls outside the consent requirements of TTDSG §25 / ePrivacy Art. 5(3); the underlying personal data (IP address at the edge, user-agent, requested URL) is processed under our legitimate interest (GDPR Art. 6(1)(f)) in measuring site performance and traffic patterns.

No advertising or third-party tracking cookies are used, and no behavioural profiles are built. If we ever introduce a tool that writes to your device or builds a cross-site identifier, a consent banner will be implemented in advance, in accordance with the Garante's guidelines and TTDSG §25.

13. Changes to this policy

We may update this policy as the service evolves. The 'last updated' date at the top reflects the most recent change. Material changes - such as a new sub-processor or a new processing purpose - will be communicated by email to users with active accounts.

Privacy questions: privacy@alpacakeep.com