Privacy Policy
Last updated: 7 April 2026
This privacy policy explains how LetzHaff collects, uses, stores, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Luxembourg data protection legislation.
1. Data Controller
The data controller responsible for your personal data is:
LetzHaff
Luxembourg
Email: [email protected]
2. What Data We Collect
We may collect and process the following categories of personal data:
2.1 Data you provide directly
- Contact form submissions: name, email address, and message content when you use our contact form.
- Account data: name, email address, and password when you create an account.
- Farm profiles: farm name, address, description, photos, and product information submitted by farmer accounts.
- Reviews: review text and ratings you submit about farms.
2.2 Data collected automatically
- Analytics data: pages visited, time spent, referral source, device type, and browser type — collected via Google Analytics (only with your consent).
- Cookie data: your cookie consent preference. See our Cookie Policy for full details.
- Location data: approximate location (municipality level) if you choose to share your location for finding nearby farms. This data is stored locally on your device and is not sent to our servers.
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6 GDPR:
- Consent (Art. 6(1)(a)): analytics cookies are only placed with your explicit consent.
- Contract performance (Art. 6(1)(b)): processing account and farm profile data is necessary to provide our platform services.
- Legitimate interest (Art. 6(1)(f)): processing contact form submissions to respond to enquiries; processing necessary cookies to ensure website functionality.
4. Third Parties
We may share your data with the following third parties:
- Google Analytics (Google Ireland Limited) — for website analytics, only with your consent. Google may transfer data to the United States under Standard Contractual Clauses. See Google's Privacy Policy.
- Hosting provider — Hostinger International Ltd, Švitrigailos str. 34, Vilnius, Lithuania — for website hosting and infrastructure.
5. Data Deletion and Right to Erasure
5.1 Account Deletion
You may delete your account at any time from your profile settings. Upon account deletion:
- Personal data (name, email, phone number, avatar) is permanently anonymized.
- Your account becomes inaccessible and cannot be recovered.
- Reviews you have authored will display “Deleted User” as the author.
- Order history is retained in anonymized form for legal and accounting purposes.
- This process is irreversible.
5.2 Farm Deletion
Farmers may delete their farm separately from their account. Upon farm deletion:
- Farm data (name, description, contact information, logo) is permanently anonymized.
- All products, stands, and self-harvest offers associated with the farm are removed.
- Community-suggested stands are unlinked from the farm and returned to the public pool.
- The farmer account is downgraded to a standard consumer account.
- Any pending orders are cancelled.
5.3 GDPR Right to Erasure
In accordance with Article 17 of the GDPR, you have the right to request deletion of your personal data. Deletion requests are processed immediately when using the self-service option in your account settings. Requests submitted via email to [email protected] are processed within 30 days.
6. Data Retention
- Account data: retained for the duration of your account. Upon account deletion, personal data is immediately anonymized as described in section 5.
- Anonymized data: anonymized records (order history, usage statistics) may be retained for up to 3 years for analytics and legal compliance. Anonymized data cannot be linked back to any individual.
- Contact form data: retained for up to 12 months after the enquiry is resolved.
- Analytics data: retained for 14 months (Google Analytics default).
- Cookie consent preference: retained for 12 months.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether your data is being processed and receive a copy.
- Right to rectification (Art. 16): request correction of inaccurate personal data.
- Right to erasure (Art. 17):request deletion of your personal data (“right to be forgotten”).
- Right to restriction (Art. 18): request restriction of processing in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interest.
- Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8. How to Exercise Your Rights
To exercise any of the rights listed above, please contact us at: [email protected]. We will respond to your request within 30 days.
9. Right to Lodge a Complaint
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Luxembourg supervisory authority:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux
Phone: (+352) 26 10 60-1
Website: https://cnpd.public.lu
10. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.