Privacy Policy
Legally binding version is the German one. This English text is a convenience translation; in case of doubt the German privacy policy prevails.
1. Controller
The controller within the meaning of the GDPR is the natural person
reachable at the following address, who operates this website privately
and without any intent to make a profit as a family hub:
Email: kontakt@diefamiliekramer.de
Name and summonable postal address are provided on request via the email address above — see also the legal notice.
2. General information on data processing
We generally process our users' personal data only to the extent necessary to provide a functional website along with our content and services. Processing regularly takes place only with the user's consent (Art. 6 (1) lit. a GDPR) or on the basis of legitimate interests (Art. 6 (1) lit. f GDPR).
3. Members area (Authentik / OIDC)
To log in to the members area we use our own authentication service
Authentik, operated in the Kramer Family homelab. During
sign-in the following data is processed: OIDC subject (sub),
display name, email address and an optional avatar. This data is used
exclusively for session management and display within the members area.
Legal basis: Art. 6 (1) lit. b GDPR (contract/membership).
4. Session cookies
After a successful login we set an essential session cookie
(HttpOnly, Secure, SameSite=Lax)
valid for 7 days. This cookie is technically required and is not subject to
the consent requirement (§ 25 (2) no. 2 TTDSG). On logout the cookie is
deleted immediately.
5. Contact form & bot protection (Cloudflare Turnstile)
The contact form is protected against automated requests by Cloudflare Turnstile. In the process, technical data (IP address, browser properties, embedded JavaScript from Cloudflare, Inc.) is transmitted to Cloudflare in the USA. The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in spam protection). The data transfer to the USA takes place on the basis of the EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Cloudflare is DPF-certified).
6. Form relay backend
Entries from the contact form are validated on the server and forwarded by email to kontakt@diefamiliekramer.de. We do not store the entries permanently in a database. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in answering enquiries).
7. Telegram bot (appointments & family workflows)
For selected workflows (e.g. appointment confirmations) we use a Telegram bot. In the process, names, appointments and any further details needed for the workflow are transmitted to Telegram Messenger Inc. (servers outside the EU). This requires that the person concerned has a Telegram account of their own and actively contacts the bot. Legal basis: Art. 6 (1) lit. a GDPR (consent through active use).
8. Forgejo OAuth (admin area)
The admin area (/admin/) is secured via OAuth against our own
Forgejo instance (homelab). Only the username, email
address and Forgejo user ID are processed in order to check access rights.
9. External resources / CDNs
The website generally loads all assets from its own server. Only the
JavaScript for Cloudflare Turnstile (see above) is loaded
directly from challenges.cloudflare.com. The Sveltia CMS for
the admin area has been self-hosted since Audit v4 (no external CDN any
longer).
10. Server location & hosting
The website is operated primarily in our homelab in Germany. As a backup we use servers at netcup GmbH (Germany). A data transfer to third countries only takes place in the exceptional cases described above (Turnstile, Telegram).
11. Storage period
- Member profile data: until deletion by the operator or on request of the person concerned.
- Server logs (HTTP access logs, errors): 14 days, then automatic rotation.
- Session cookies: 7 days after the last login, then automatic expiry.
12. Data-subject rights
Under Art. 15-21 GDPR you have the right to:
- Access to the processed data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (Art. 17, "right to be forgotten")
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
Please direct requests to kontakt@diefamiliekramer.de.
13. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR). The competent authority is generally the data protection supervisory authority of the federal state of the controller — we will name the specific authority on request via the email address stated under "1. Controller".
14. Status of this privacy policy
Status: 2026-05-12