MilkStorage · RGPD baseline · v2026-07-01
Privacy notice
MilkStorage processes a small amount of personal data to authenticate your account, manage milk storage records, and deliver optional reminders. This page describes the concrete technical measures currently implemented. It is not a legal certification.
Data controller
MilkStorage is operated through the milkstorage.eu project. Privacy contact: contact@milkstorage.eu.
Operator action required before public launch: add the legal identity and postal address of the data controller on this page.
Data processed
Account data: Google account identifier when Google sign-in is used, email address, display name, profile picture, language, and preferred unit.
Authentication and security data: session cookies, verification tokens, password-reset tokens, and limited technical logs.
Application data: milk storage records, storage locations, timestamps, notes, expiration dates, household memberships, notification preferences, reminder rules, push subscription metadata, and notification jobs.
Purposes and legal bases
Account creation and authentication are processed because they are necessary to provide the service requested by the user.
Milk storage records may reveal health-related information. MilkStorage therefore asks for explicit consent before the first creation of milk-related data.
Security, abuse prevention, and limited debugging rely on legitimate interest in securing and maintaining the service.
Push notifications are optional and only used when the user enables them. Browser permission alone is not treated as consent for every processing activity.
Processors and recipients
Confirmed infrastructure used by the codebase includes Vercel for hosting, Neon/Postgres for the database, and Google when Google authentication is enabled.
If transactional email is enabled, the configured SMTP provider receives only the data needed to send that message.
Web Push delivery also depends on the user’s browser or platform push service. Operator action required: verify provider contracts, regions, and transfer safeguards before launch.
Retention
Account and milk-management data are kept while the account is active.
Deleting the account removes user-owned milk records, push subscriptions, notification preferences, reminder rules, household memberships, and other directly linked application data.
Invalid push subscriptions are removed or revoked. Completed, failed, and cancelled notification jobs are pruned after a limited retention period.
Provider backups may remain for a provider-defined period before rotation. Operator action required: verify those periods in production.
Your rights
You can request access, rectification, deletion, export/portability, withdrawal of sensitive-data consent, restriction, or objection where applicable.
MilkStorage currently provides in-app self-service controls for JSON export, account deletion, and withdrawal of milk-data consent.
Requests may also be sent to contact@milkstorage.eu. They should normally be handled within the legally applicable period.
Cookies, local storage, and optional tracking
MilkStorage uses cookies and browser storage for authentication, language preference, push/PWA operation, and UI convenience features such as the floating add button position.
This RGPD baseline does not add a cosmetic cookie banner. Optional advertising or tracking should remain disabled until the operator implements a proper consent flow for non-essential technologies.
At the time of this implementation, non-essential advertising features are not required for core application use and should be reviewed before being enabled in production.