Essentials.Fitness

Privacy Policy

1. General Information

Protecting your personal data is very important to us. This privacy policy explains which data is collected on this website and how it is used.

2. Controller

The responsible party for data processing on this website is:

Dominik Baumann
c/o COCENTER
Koppoldstr. 1
86551 Aichach
Germany

3. Data Collected, Purposes and Legal Bases

Using this website is generally possible without providing personal data. The following functions, however, process data. For each processing activity we inform you about purpose, legal basis and storage period:

  • Contact form: When used, your name, email address, subject and message are processed to respond to your inquiry. Legal bases are Art. 6 (1) lit. b GDPR (pre-contractual communication) and our legitimate interest in efficient handling pursuant to Art. 6 (1) lit. f GDPR. We store these data for up to six months after the conversation has ended unless statutory retention duties require otherwise.
  • Product and access data via Supabase: When retrieving product information, access data (e.g. IP address) are processed to provide the content and maintain system security. Legal basis is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Log files are usually deleted automatically after 30 days.
  • Language preference: Your selected language is stored in your browser's local storage so the website appears in that language on your next visit. Legal basis is your consent according to Art. 6 (1) lit. a GDPR, which you can withdraw at any time by deleting the data in your browser. Storage continues until you clear your local storage.
  • Tools & calculators: Inputs in features like the protein calculator, ideal weight calculator, weekly planner or other tools are transmitted to Supabase and processed there to calculate results. Legal bases are Art. 6 (1) lit. b GDPR for providing the requested functionality and Art. 6 (1) lit. f GDPR for troubleshooting. Supabase logs access data and provided values for error analysis, which are generally deleted after 30 days. Export and PDF functions still run locally.
  • Vercel Analytics: For anonymous reach measurement we record page views without the use of cookies. In addition, we transmit anonymous interaction events that allow us to measure how effective the site is (e.g. clicking an Amazon affiliate link, adding a product to the comparison, applying a filter, completing a calculator). Only structural attributes are sent — product slug, product category, and the UI component the action originated from — no personal data and no calculator inputs. Legal basis is our legitimate interest in statistical evaluation pursuant to Art. 6 (1) lit. f GDPR. The data are aggregated and typically anonymised after 30 days.
  • Comments on blog posts and recipes: When publishing a comment, the name you enter, the comment text, and an anonymous editor token (UUID) generated in your browser are stored. The token’s only purpose is to let you edit or delete your own comment later; it does not identify you and is never returned to other visitors. No email address is collected. IP addresses are processed only briefly in memory for rate-limiting and are never persisted. Legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in a spam-free discussion). You can delete your comment yourself using the “Delete” button at any time, or request deletion via the contact form.
  • Recipe ratings: When you submit a rating, the star value (1–5) and a random token (UUID) generated in your browser are stored. The token is used solely to prevent duplicate ratings per browser; it does not identify you. The same token is also stored in your local storage; clearing local storage breaks the link. Legal basis is Art. 6 (1) lit. f GDPR.
  • Cloudflare Turnstile (bot protection): When you visit the product overview page or submit a comment or rating, Cloudflare Turnstile checks whether the request originates from a real browser. Technical browser data is transmitted to Cloudflare Inc., 101 Townsend St, San Francisco, CA, USA. Legal basis is our legitimate interest in spam and abuse protection pursuant to Art. 6 (1) lit. f GDPR. EU Standard Contractual Clauses ensure an adequate data protection level.

4. Hosting and Services

This website uses the following external services:

  • Vercel for hosting and Vercel Analytics. Provider is Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. An adequate data protection level is ensured by EU Standard Contractual Clauses and the choice of EU data centers. Vercel stores access data (e.g. IP addresses) temporarily and usually deletes them after 30 days.
  • Supabase (Supabase, 970 Toa Payoh North, #07-04, Singapore 318992) for providing product and food data and processing inputs in our tools. Data are processed in the AWS region eu-central-1 (Frankfurt, Germany). Supabase temporarily stores access data and submitted values for error analysis and relies on EU Standard Contractual Clauses for safeguards.
  • Resend (Resend Ireland Limited, 7 Grand Canal Street Lower, Dublin, D02 KW81, Ireland) for sending messages from the contact form. Resend also uses infrastructure of Resend Inc., USA. EU Standard Contractual Clauses ensure an adequate protection level.

5. Cookies, Consent and Google Consent Mode

This website only uses cookies with your explicit consent.

Consent Management

On your first visit, a cookie banner will be displayed where you can grant or deny consent for analytics cookies. Your decision is stored in your browser and respected on future visits.

Google Consent Mode v2

This website implements Google Consent Mode v2. This means:

  • Without your consent, neither Google Tag Manager nor Google Analytics is loaded – no cookies are set and no data (not even cookieless pings) is transmitted to Google
  • Google Analytics automatically respects your cookie preferences
  • You can change your consent at any time by reopening the cookie banner

Necessary Storage

Your language preference is stored in your browser's local storage. This is technically necessary and does not require separate consent.

Region/marketplace: On your first visit we determine the appropriate Amazon marketplace and currency from your approximate origin (the country code from our CDN providers Cloudflare or Vercel) and/or your browser language, and store this selection in a cookie named marketplace (lifetime 12 months). No precise location data is stored, only the country/marketplace code. This storage is strictly necessary for the correct, country-specific display of the site (§ 25 (2) no. 2 TDDDG / GDPR Art. 6 (1) (f)) and does not require separate consent. You can change the selection at any time via the region switcher in the page header.

Meal planner: When you use the meal planner at /tools/mahlzeitenplaner, the meals, portions, notes and daily targets you enter are stored in your browser's local storage (key essentials.mealPlan.v1) so your plan persists across sessions. No data is transmitted to our server or any third party; only you can access it via your own browser. This storage is strictly necessary for the explicitly requested functionality of the tool (§ 25 (2) no. 2 TDDDG / GDPR Art. 6 (1) (f)). You can disable this storage at any time using the “Save plan in browser” toggle directly inside the tool — stored data is then removed immediately. You can also clear it via your browser settings.

Analytics Cookies (with consent)

With your consent, Google Analytics sets cookies for reach measurement. You can withdraw your consent at any time by accessing the cookie banner again or deleting cookies in your browser settings.

6. Google Analytics and Google Tag Manager

This website uses Google Analytics 4 and Google Tag Manager, services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Tag Manager

Google Tag Manager is a tool that allows us to manage tracking and analytics tags centrally. The Tag Manager itself does not set cookies and does not collect personal data. However, it triggers other tags that may collect data. Google Tag Manager and Google Analytics are only loaded after you have consented to the statistics category in the cookie banner – without consent, no Google script is loaded.

Google Analytics 4

Google Analytics uses cookies and similar technologies to analyse user behaviour on this website. The following data may be processed:

  • IP address (anonymised through IP masking)
  • Pages visited and time spent
  • Technical information (browser, operating system, screen resolution)
  • Referrer URL (where you came from)
  • Approximate location (country/city level)
  • Anonymous interaction events for funnel analysis: clicking an Amazon affiliate link, adding/removing a product in the comparison, applying a filter on the product list, completing a calculator. Only structural attributes are sent — product slug, product category, tool name and the UI component — no calculator inputs.

Legal Basis

Processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR. Without your consent, no analytics cookies are set and no tracking data is collected.

Data Transfer

Google may transfer data to the USA. An adequate level of data protection is ensured by EU Standard Contractual Clauses and Google's certification under the EU-US Data Privacy Framework.

7. Sentry (Error Tracking)

We use Sentry by Functional Software, Inc. ("Sentry"), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA, to record and analyse errors on the website. When an error occurs in the browser, Sentry transmits the technical stack trace, IP address, browser and device information and the URL accessed to servers in the EU (region de.sentry.io).

No Session Replay

Sentry's Session Replay feature, which visually reconstructs browser sessions, is fully disabled in our configuration. No keystrokes or DOM snapshots are captured; only the technical stack trace described above is collected when an error occurs.

Legal Basis

Processing is based on our legitimate interest in a stable and secure website pursuant to Art. 6 (1) lit. f GDPR. Sentry is also active without cookie consent because it is solely used for technical error diagnostics.

Data transfer to the USA

Even though Sentry events are routed to the EU region, the parent company in the USA may receive access to the data. An adequate level of data protection is ensured through EU Standard Contractual Clauses and certification under the EU-US Data Privacy Framework.

More information: Sentry Privacy Policy.

8. Microsoft Clarity (Heatmaps and Session Recordings)

With your consent, we use Microsoft Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Clarity creates aggregated heatmaps (which areas are clicked, how far visitors scroll) and may record sessions of your mouse/touch interactions to help us improve the usability of the website.

Data processed

  • Device and browser information, screen resolution
  • Click, scroll and mouse-movement data (anonymously aggregated)
  • Pages visited and time spent
  • IP address (anonymised by Microsoft)
  • A pseudonymous visitor identifier (UUID) which we store, after your consent, in your browser's local storage under the key ef_visitor_id. It allows Clarity to group multiple sessions from the same browser, contains no personal data and is removed when you withdraw your consent.
  • Anonymous interaction events (e.g. clicking an Amazon affiliate link, adding a product to the comparison, completing a calculator) and structural session tags such as the product category currently being viewed or the tool name in use. These tags can later be used as filters in Clarity so we can segment heatmaps and recordings (e.g. by "sessions with an Amazon click") — they contain no personal data and no calculator inputs.

Masking of sensitive inputs

Inputs in our calculators (e.g. weight, age, height) as well as the contact and comment forms are fully masked from Clarity (via the data-clarity-mask attribute on the respective containers). In heatmaps and session recordings these areas appear as grey blocks; the actual values are neither transmitted nor stored. The computed results (BMR, TDEE, protein requirement etc.) are masked as well, because they would allow conclusions about the inputs.

Legal Basis

Processing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Without your consent in the cookie banner the Clarity script will not be loaded. You can withdraw your consent at any time by reopening the cookie banner.

Data transfer to the USA

Microsoft may transfer data to the USA. An adequate level of data protection is ensured through EU Standard Contractual Clauses and Microsoft's certification under the EU-US Data Privacy Framework.

More information: Microsoft Privacy Statement.

9. Internal Notifications via Telegram

For internal moderation and quality assurance we send only content-free notices to our own Telegram notification channels. The provider is Telegram FZ-LLC, Business Central Towers, Dubai, United Arab Emirates.

Data Processed

  • For new comments and recipe ratings we send only a content-free notice (e.g. “new comment” with a link to the affected, already-public page, or the star rating given). NO personal data is transferred — in particular neither your display name nor the comment text. The actual review and moderation takes place exclusively in our access-protected admin area.
  • For system events (e.g. publishing actions, error states): purely technical metadata without reference to individual visitors.

Legal Basis

Insofar as any data is processed at all, this is based on our legitimate interest in quality assurance and the prevention of spam and abuse under Art. 6 (1) lit. f GDPR. Since the Telegram notices contain no personal data, they involve no additional risk for you.

Transfer Outside the EEA

Telegram operates servers outside the EEA, including in the UK, the United Arab Emirates and the USA. Since we transmit to Telegram exclusively content-free, non-personal notices, no transfer of personal data to a third country takes place; a specific transfer mechanism under Art. 44 et seq. GDPR is therefore not required.

More information: Telegram Privacy Policy.

10. Amazon Affiliate Program

This website is a participant in the Amazon affiliate program operated by Amazon Europe Core S.à r.l. If you click on a product link and make a purchase on Amazon, we receive a small commission — the price for you does not change. Affiliate links are marked on the product pages (e.g. with the note "* Affiliate link").

When you click on an affiliate link, you are redirected to Amazon. Amazon then receives your IP address, browser information and a tracking parameter (our partner ID) so that the commission can be correctly attributed. The data Amazon processes in detail is described in the Amazon Privacy Notice. Legal basis for the redirect is our legitimate interest in financing this free website pursuant to Art. 6 (1) lit. f GDPR.

In addition, every click on an Amazon affiliate link sends an anonymous interaction event to our analytics tools (Vercel Analytics without consent; Google Analytics and Microsoft Clarity only after you opted in via the cookie banner). Only structural attributes are transmitted: product slug, product category, manufacturer, position in a list, sales price and the UI component the action originated from. No personal data and no identifiers are forwarded. This measurement serves funnel analysis — it lets us understand which UI areas lead to recommendations without identifying individual users.

11. Your Rights

You are entitled to:

  • Information about the data stored about you
  • Rectification of inaccurate data
  • Erasure of data
  • Restriction of processing
  • Data portability
  • Objection to the processing of personal data (Art. 21 GDPR)
  • Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)
  • Lodging a complaint with a supervisory authority (Art. 77 GDPR)

Please contact us by email to exercise your rights: info@essentials.fitness. You may also contact the competent supervisory authority, e.g. the Bavarian Data Protection Authority (BayLDA).

12. Technical and Organisational Measures

We protect your data through technical and organisational measures such as TLS-encrypted transmission, role-based access control, logging of system access and regular updates of the software used.

13. Next.js and Server-Side Rendering (SSR)

This website uses Next.js, a framework for React that supports server-side rendering. Parts of the content are generated on the server before being sent to your browser.

  • Processing of IP addresses: When visiting the site, your IP address is processed for the duration of server communication to deliver the content correctly.
  • Data processing: The processing is temporary and solely for the purpose of secure provision of the website.

14. Automatic Logging by Next.js (Server Logs)

When the website is accessed, automatic server logs may be recorded:

  • IP address (anonymized where possible)
  • Date and time of access
  • Pages visited
  • User agent (browser type and version)

Purpose of logging: These data are used solely for troubleshooting and technical security.

15. Automated Decision-Making

No automated decision-making, including profiling, takes place.

16. Changes to this Privacy Policy

We reserve the right to update this privacy policy when necessary to comply with legal requirements or to reflect new functions of the website.
