Skip to content
The Kramer Family

Privacy Policy

Legally binding version is the German one. This English text is a convenience translation; in case of doubt the German privacy policy prevails.

1. Controller

The controller within the meaning of the GDPR is the natural person reachable at the following address, who operates this website privately and without any intent to make a profit as a family hub:
Email: kontakt@diefamiliekramer.de

Name and summonable postal address are provided on request via the email address above — see also the legal notice.

2. General information on data processing

We generally process our users' personal data only to the extent necessary to provide a functional website along with our content and services. Processing regularly takes place only with the user's consent (Art. 6 (1) lit. a GDPR) or on the basis of legitimate interests (Art. 6 (1) lit. f GDPR).

3. Members area (Authentik / OIDC)

To log in to the members area we use our own authentication service Authentik, operated in the Kramer Family homelab. During sign-in the following data is processed: OIDC subject (sub), display name, email address and an optional avatar. This data is used exclusively for session management and display within the members area. Legal basis: Art. 6 (1) lit. b GDPR (contract/membership).

4. Session cookies

After a successful login we set an essential session cookie (HttpOnly, Secure, SameSite=Lax) valid for 7 days. This cookie is technically required and is not subject to the consent requirement (§ 25 (2) no. 2 TTDSG). On logout the cookie is deleted immediately.

5. Contact form & bot protection (Cloudflare Turnstile)

The contact form is protected against automated requests by Cloudflare Turnstile. In the process, technical data (IP address, browser properties, embedded JavaScript from Cloudflare, Inc.) is transmitted to Cloudflare in the USA. The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in spam protection). The data transfer to the USA takes place on the basis of the EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Cloudflare is DPF-certified).

6. Form relay backend

Entries from the contact form are validated on the server and forwarded by email to kontakt@diefamiliekramer.de. We do not store the entries permanently in a database. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in answering enquiries).

7. Telegram bot (appointments & family workflows)

For selected workflows (e.g. appointment confirmations) we use a Telegram bot. In the process, names, appointments and any further details needed for the workflow are transmitted to Telegram Messenger Inc. (servers outside the EU). This requires that the person concerned has a Telegram account of their own and actively contacts the bot. Legal basis: Art. 6 (1) lit. a GDPR (consent through active use).

8. Forgejo OAuth (admin area)

The admin area (/admin/) is secured via OAuth against our own Forgejo instance (homelab). Only the username, email address and Forgejo user ID are processed in order to check access rights.

9. External resources / CDNs

The website generally loads all assets from its own server. Only the JavaScript for Cloudflare Turnstile (see above) is loaded directly from challenges.cloudflare.com. The Sveltia CMS for the admin area has been self-hosted since Audit v4 (no external CDN any longer).

10. Server location & hosting

The website is operated primarily in our homelab in Germany. As a backup we use servers at netcup GmbH (Germany). A data transfer to third countries only takes place in the exceptional cases described above (Turnstile, Telegram).

11. Storage period

12. Data-subject rights

Under Art. 15-21 GDPR you have the right to:

Please direct requests to kontakt@diefamiliekramer.de.

13. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR). The competent authority is generally the data protection supervisory authority of the federal state of the controller — we will name the specific authority on request via the email address stated under "1. Controller".

14. Status of this privacy policy

Status: 2026-05-12