Privacy policy
This is a template based on the requirements of Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection. Replace [BRACKETED] placeholders before publishing. Have a Spanish lawyer or DPO review the final version.
This policy covers data we process about you as a customer of crumbless.eu. It does not cover what your visitors generate when you run Crumbless on your own server — that’s covered by your own privacy policy, since you’re the data controller for that data.
Last updated: 2026-05-07
1. Who we are
The data controller responsible for the processing of personal data described in this policy is:
- NEXTGENWEBS, S.L.
- Registered office: Pol. Ind. Fuente del Jarro, Plaza Gerardo Salvador, No. 1, Offices 17–19, 46988 Paterna – Valencia, Spain
- Tax ID: B97380067
- Privacy contact: privacy@crumbless.eu
We are not legally required to appoint a Data Protection Officer (DPO) under GDPR Article 37, given the scale and nature of our processing. If our circumstances change, this section will be updated.
2. Plain summary
Before the legal text, in plain language:
- We process the minimum personal data needed to operate our business: your account email, your purchase information, and basic technical data needed to run a website and a license server.
- We never sell your personal data to anyone.
- We use a small number of carefully chosen processors — primarily Lemon Squeezy for payments and Hetzner Online GmbH for hosting. We don’t use third-party advertising trackers anywhere.
- The product itself, Crumbless, is designed so that your visitors’ data never reaches us. That data lives only on your server.
- You can exercise your GDPR rights by emailing privacy@crumbless.eu. We respond within 30 days.
The sections below are the formal version.
3. What personal data we process and why
3.1 When you visit crumbless.eu (marketing site or docs)
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Aggregated visit statistics (via Crumbless itself: anonymised visitor hash, pageviews, country, browser, referrer) | Understand which content is useful, improve the site | Legitimate interest (Art. 6(1)(f)) — minimal-impact analytics that does not identify visitors | Aggregates kept indefinitely; raw events 30 days |
| Server access logs (IP address, timestamp, requested URL, user agent) | Site security, abuse detection, debugging | Legitimate interest (Art. 6(1)(f)) | 14 days |
We do not use cookies, third-party analytics, advertising pixels, social media trackers, or any fingerprinting techniques on the marketing site or documentation.
3.2 When you create an account or purchase Crumbless Pro/Lifetime
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Account identification, sending license keys, transactional notifications | Contract performance (Art. 6(1)(b)) | Duration of account + 6 years (Spanish commercial law) |
| Password (bcrypt hash, never plaintext) | Account authentication | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Optional: name, country, VAT number, language preference | Issuing invoices, applying correct VAT | Legal obligation (Art. 6(1)(c)) + contract (Art. 6(1)(b)) | 6 years (tax law) |
| Lemon Squeezy customer ID, order ID, subscription ID | Linking your purchases to your account | Contract performance (Art. 6(1)(b)) | Duration of account + 6 years |
| TOTP secret (if you enable two-factor authentication) | Account security | Contract performance + your consent (Art. 6(1)(b) + (a)) | Until you disable 2FA or delete your account |
We do not receive or store your full payment card details. Lemon Squeezy processes payments and only sends us a tokenised reference. See section 5 for more on Lemon Squeezy.
3.3 When your Crumbless installation contacts our license server
When the Crumbless software you have installed on your own server contacts our license verification API, we receive the following data about your installation:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| License key (hashed for storage) | Verifying entitlement to Pro features | Contract performance (Art. 6(1)(b)) | Duration of license |
| Installation ID (a random identifier generated by your install) | Detecting license abuse and offering support | Legitimate interest (Art. 6(1)(f)) | Duration of license |
| Primary domain you have configured | Same as above | Legitimate interest (Art. 6(1)(f)) | Duration of license |
| Crumbless version installed | Knowing whether to alert you about updates | Legitimate interest (Art. 6(1)(f)) | Duration of license |
| Server IP address (at time of verification only) | Fraud detection, abuse prevention | Legitimate interest (Art. 6(1)(f)) | 90 days |
These data points relate to your server, not to your website’s visitors. We never receive any data about your visitors via the license server, and the Crumbless product is technically designed not to send any.
3.4 When you write to support, fill in a form, or otherwise contact us
We process your email address and the contents of your message for the purpose of replying to you and resolving your enquiry. Legal basis: legitimate interest (Art. 6(1)(f)) and, where you have consented to ongoing contact, your consent (Art. 6(1)(a)). We retain support correspondence for 3 years for quality and reference purposes.
3.5 When you sign up for our newsletter
If you opt in to our newsletter, we process your email address and (optionally) your name to send you product updates. Legal basis: your consent (Art. 6(1)(a)). You can unsubscribe via the link in every newsletter or by emailing privacy@crumbless.eu. Retention: until you unsubscribe.
3.6 If you join our affiliate programme
We process your name, email, payment details, and tracked referral activity for the purpose of administering the affiliate programme and paying commissions. Legal basis: contract (Art. 6(1)(b)). Retention: duration of participation + 6 years (tax law).
4. We do not perform automated decision-making
We do not subject you to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or significantly affect you (GDPR Art. 22).
5. Who else processes your data (sub-processors)
We use the following carefully selected service providers (“processors”) to operate our service. Each is bound by a Data Processing Agreement compliant with GDPR Art. 28.
| Provider | Role | Location | Transfer mechanism |
|---|---|---|---|
| Lemon Squeezy, LLC | Payments and merchant of record | United States | Standard Contractual Clauses + supplementary measures |
| [HOSTING PROVIDER, e.g. Hetzner Online GmbH] | Server hosting | Germany / Finland (EU) | Within EEA, no transfer mechanism required |
| [CDN PROVIDER, e.g. Bunny.net] | Content delivery and DDoS protection | EU | Within EEA |
| [EMAIL PROVIDER, e.g. Postmark / AWS SES] | Transactional email delivery | Falkenstein, Germany | [SCC if non-EEA] |
| [ERROR TRACKING, e.g. Sentry, self-hosted or paid] | Error monitoring | Falkenstein, Germany | [As applicable] |
We will update this list when we add or change processors. Material changes will be notified to active customers in advance.
6. International transfers
Where personal data is transferred outside the European Economic Area (notably to Lemon Squeezy in the United States), we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) as the transfer mechanism, supplemented where appropriate by additional technical and organisational measures. You may request a copy of the safeguards by emailing privacy@crumbless.eu.
7. Your rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of it
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion in specified circumstances
- Right to restriction (Art. 18): limit how we process your data in specified circumstances
- Right to data portability (Art. 20): receive your data in a machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of prior processing
- Right not to be subject to automated decision-making (Art. 22) — not applicable here, as we do not perform such decision-making
To exercise any of these rights, email privacy@crumbless.eu. We will respond within one month, and may extend that period by up to two further months for complex requests.
You also have the right to lodge a complaint with a supervisory authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you reside in another EU member state, you may file with your local supervisory authority instead.
8. How we secure your data
We apply appropriate technical and organisational measures including:
- TLS encryption for all traffic to and from our services
- Bcrypt password hashing
- Encrypted backups
- Principle of least privilege for staff access; multi-factor authentication required for all admin access
- Regular software updates and dependency monitoring
- Append-only audit logs of admin actions
- Annual review of all sub-processors and security posture
No system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours and notify you as required by Art. 34 GDPR.
9. Children
Crumbless services are not directed at children under the age of 16. We do not knowingly process personal data of children. If you believe we have inadvertently received such data, please contact privacy@crumbless.eu and we will delete it.
10. About the Crumbless product on your own server
The Crumbless software, when you install it on your own hosting, is designed to process website visitor data in a way that does not constitute personal data under GDPR:
- No cookies, no localStorage, no fingerprinting
- IP addresses are used at the moment of a hit and not written to disk
- Visitor identification uses a 24-hour rotating salted hash that cannot be reversed and is not linkable across days
To the extent that any data processed by the product could be considered personal data in your specific implementation, you are the data controller for that data. The Crumbless software runs on your infrastructure, processes data into your database, and is governed by your privacy policy. We provide a Data Processing Agreement template for B2B customers who require it for their own compliance, but our role is closer to that of a software vendor than a processor in this context.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active customers at least 30 days before taking effect. Non-material changes (clarifications, formatting, additions of new sub-processors that don’t change the nature of processing) will be reflected by an updated revision date at the top of this page.
12. Contact
For any privacy-related question, request, or complaint:
NEXTGENWEBS, S.L., Industriestr. 25, 91710 Gunzenhausen, Germany, Valencia, Spain