Privacy Policy
Effective date: 1 May 2025
1. Who we are
15 Minutes Food (the "Service") is operated by Luminok Brand, a sole‑proprietorship registered at Calle Estels Xapats 4, 07141 Marratxí, Mallorca, Spain. For data‑protection purposes we are the Data Controller. Contact us at admin@luminokbrand.com.
2. What personal data we collect and why
| Category | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Account data – e‑mail address, hashed password | Create and secure your account; sign‑in via magic link | Contract (Art. 6 (1)(b)) | Deleted immediately when you delete your account |
| Usage data – favourites, search history, recipe filters | Provide personalised recipe lists | Contract | Same as above |
| Log data & IP address (generated by our servers & Simple Analytics) | Detect errors, compile anonymised traffic statistics | Legitimate interest (Art. 6 (1)(f)) | 14 days (raw logs), then only aggregated |
| Payment identifiers (tokenised by Stripe) | Process subscription payments, fraud prevention | Contract; legal obligation (tax) | 10 years (Spanish accounting rules) |
| User‑generated content – recipes, comments, photos | Publish on the Service at your request | Consent (Art. 6 (1)(a)) | Until you delete the content or your account |
We do not collect any special‑category data (health, ethnicity etc.).
3. How we use cookies
We only set essential cookies:
| Cookie | Purpose | Duration |
|---|---|---|
sb-access-token (Supabase) | Keeps you logged in | Session |
__stripe_sid, __stripe_mid | Prevent fraud during checkout | ≤ 1 year |
| Simple Analytics | Sets no cookies by design | – |
A banner is shown for transparency, but no opt‑in is required because only essential cookies are used.
4. Analytics
We use Simple Analytics (EU‑based, cookie‑free, fully anonymised). No personal identifiers are stored.
5. Payments
Card data never touches our servers; it is handled by Stripe Payments UK. Stripe may transfer data to the U.S. under Standard Contractual Clauses.
6. Your rights (GDPR)
- Access, rectification, erasure, restriction, data portability
- Withdraw consent at any time
- Lodge a complaint with the Spanish Data Protection Authority (AEPD)
To exercise any right, e‑mail admin@luminokbrand.com.
7. International transfers
When partners (e.g. Stripe) operate outside the EEA, transfers are protected by EU‑approved Standard Contractual Clauses.
8. Security
Supabase stores data inside the EU; we use TLS 1.2+, bcrypt‑hashed passwords, and least‑privilege access controls.
9. Data deletion
On account deletion all personal data is immediately and irreversibly wiped from production databases; backups are overwritten within 30 days.
10. Changes to this policy
Material changes will be notified by e‑mail at least 14 days in advance.