Privacy Policy
This Privacy Policy applies only to the mymolecules website and waitlist. It does not apply to the mymolecules app.
1. Controller
mymolecules GmbH
Maria-Goeppert-Strasse 1
23562 Luebeck
Germany
Email: info@mymolecules.de
CEO: Paul Beier
2. What this website does and does not collect
This website is a marketing and waitlist website. You can read about mymolecules, contact us by email and join the waitlist. The website does not provide an app account, app login, meal logging, symptom logging, wearable sync, glucose analysis or health-data processing.
We do not use marketing trackers or external Google Fonts on this website. Fonts are hosted locally. We use Vercel Web Analytics for privacy-friendly, aggregated website statistics. We do not sell personal data.
3. Hosting, delivery and server logs
The website is hosted and delivered through Vercel. When you open the website, technical connection data may be processed, including your IP address, requested URL, date and time, user agent, device/browser information, referrer, HTTP status code and similar security logs.
We use this data to deliver the website, keep it stable, prevent abuse, troubleshoot errors and protect the service. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is a secure and reliable website. Vercel acts as a service provider/processor for hosting and delivery. Vercel may use subprocessors and may process some service data internationally under its data processing terms.
4. Vercel Web Analytics
We use Vercel Web Analytics to understand how the website is used and to improve the website's technical performance, content structure and user experience. Vercel Web Analytics can measure page views, client-side page transitions, referrers, approximate location, device type, operating system and browser information.
According to Vercel, Web Analytics is designed for aggregated statistics, does not use third-party cookies and does not store information that would allow us to personally identify a visitor or reconstruct a browsing session across different websites. Visitors are identified through a request-based hash that is automatically reset after a short period.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is understanding whether the website is discoverable, stable and useful, while avoiding invasive marketing tracking.
5. mymolecules waitlist and email updates
If you join the waitlist, we process the information you enter: first name, last name, email address, consent checkbox status and the technical captcha token needed to protect the form. The waitlist may include product updates, research or study updates and opportunities to participate.
We use double opt-in. This means we send you a confirmation email first, and the signup becomes active only after you click the confirmation link. You can withdraw your consent at any time, for example by using an unsubscribe link in an email or by contacting us at info@mymolecules.de.
The legal basis for the waitlist and email updates is your consent under Art. 6(1)(a) GDPR. We store proof of consent and confirmation under Art. 6(1)(c) GDPR together with Art. 7(1) GDPR. Abuse prevention and technical reliability are based on Art. 6(1)(f) GDPR.
6. Supabase backend
The waitlist form uses Supabase Edge Functions and a Supabase database. The backend/database project is configured in Europe, Central EU (Frankfurt), where applicable.
For the waitlist, Supabase may store your email address, name, consent status, subscription status, signup/confirmation/unsubscribe timestamps, confirmation or unsubscribe token data, a Resend contact id and technical job records for email delivery. Supabase is used to operate the waitlist, manage double opt-in and document consent.
7. Cloudflare Turnstile
We use Cloudflare Turnstile to protect the waitlist form from bots and spam. Turnstile loads a script from Cloudflare and checks technical signals from your browser. The website temporarily stores the Turnstile site key in browser storage so the widget can load reliably. The backend verifies the captcha token with Cloudflare and may send the requesting IP address as part of that verification.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is protecting the form and our systems from automated abuse. Any strictly necessary storage or access on your device is based on Section 25(2) TDDDG. Cloudflare may process some data as our processor and some Turnstile signals as an independent controller to improve bot detection.
8. Resend email delivery
We use Resend for email delivery and technical delivery handling. Resend is used to send confirmation and welcome emails and to create or update the corresponding email contact for the waitlist. For this purpose, your email address and, where provided, your first and last name may be transferred to Resend.
Resend is based in the United States. International transfers may be protected through Resend's data processing terms, standard contractual clauses and, where applicable, the EU-U.S. Data Privacy Framework.
9. Retention
Active waitlist records are stored for as long as you remain subscribed or as long as they are needed to run the waitlist. If you unsubscribe or withdraw consent, we stop sending waitlist emails. We may keep a limited unsubscribe record and consent proof where this is necessary to document compliance, prevent renewed sending or defend legal claims. The exact period depends on legal limitation and documentation requirements.
Technical waitlist email job records that are completed or failed are cleaned up after 30 days. Unconfirmed pending signups are kept only as long as needed for double opt-in, abuse prevention and consent management.
10. Email contact
If you contact us by email, we process your email address and the content of your message to reply to you and handle your request. The legal basis is Art. 6(1)(f) GDPR. If your request relates to a contract or pre-contractual communication, Art. 6(1)(b) GDPR may also apply.
11. Cookies, analytics and device storage
We do not use marketing cookies on this website. Vercel Web Analytics does not use third-party cookies. Security tools such as Cloudflare Turnstile and our hosting infrastructure may use strictly necessary technical signals, storage or cookies to deliver the site securely and protect forms from abuse.
12. Security measures
We use technical and organizational measures to protect the website and waitlist data. This includes HTTPS, HSTS, a Content Security Policy, referrer policy, permissions policy, local font hosting, restricted allowed service connections and protection against being embedded in third-party frames.
13. Recipients and international processing
Personal data may be processed by the following providers where necessary:
- Vercel for website hosting, delivery and aggregated Web Analytics.
- Supabase for backend functions and waitlist database storage.
- Cloudflare for Turnstile bot and spam protection.
- Resend for email delivery and waitlist contact handling.
The Supabase backend/database project is configured in Frankfurt/Germany where applicable. Vercel, Cloudflare and Resend may involve international processing. Where required, we rely on provider data processing terms, standard contractual clauses, adequacy decisions or other appropriate safeguards.
14. Your rights
You have the right to request access, rectification, erasure, restriction of processing, data portability and objection under the GDPR. Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
To exercise your rights, contact us at info@mymolecules.de. We may need to verify your identity before responding.
15. Supervisory authority
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for Schleswig-Holstein is:
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein (ULD)
Holstenstrasse 98
24103 Kiel
Germany
Email: mail@datenschutzzentrum.de
16. No automated decision-making
The current website and waitlist do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
17. Changes to this Privacy Policy
We may update this Privacy Policy when the website, waitlist or service providers change. The version published on this page applies.