Privacy notice
How EU Vetted handles personal data, under GDPR Art. 13.
Last updated 2026-05-18
Who is the controller
The controller for the personal data processed on euvetted.com (the "site") is the operator named on our Legal Notice page. For privacy enquiries, write to privacy@euvetted.com.
What data we process, and why
1. Server access logs
When you visit a page, our web server records the timestamp, the URL requested, the HTTP method and status, the response size, the requesting user agent, and a truncated IP address. We do not store full IP addresses. These logs are retained for 14 days for security and performance diagnostics. Legal basis: GDPR Art. 6(1)(f) — legitimate interest in operating a secure service.
2. Analytics
We use self-hosted Umami, a cookieless analytics tool that does not collect personally identifiable information. Umami runs on the same EU-hosted infrastructure as the rest of EU Vetted. Aggregated metrics (page views; country, derived from the IP address at country level only, without storing the IP; referrer; screen size) are kept for 24 months. Legal basis: GDPR Art. 6(1)(f).
3. Affiliate-link click routing
If you click a "Visit site" link on a product page, you may pass through an intermediate /go/<product-slug> route that adds a partner tracking parameter to the destination URL. We log only an aggregate click count (no IP, no user identifier). The vendor's own tracking, cookies and privacy policy take over once you reach their site. Legal basis: GDPR Art. 6(1)(f).
4. Removal requests and other email contact
If you write to us, via the request-removal page or directly to any of our published email addresses, we will process the contents of your message for the purpose of replying, taking the requested action, and keeping a record of the interaction. Legal basis: GDPR Art. 6(1)(b) (contractual / pre-contractual) for removal requests; Art. 6(1)(f) for general correspondence. Retention: as long as needed plus a reasonable backup window, typically up to 24 months.
Cookies
EU Vetted sets only strictly necessary first-party cookies by default. Umami analytics is cookieless. No third-party analytics or advertising cookies are set unless you explicitly grant consent on the banner.
The cookies currently set on every visit:
| Name | Purpose | Lifetime | Type |
|---|---|---|---|
| eu-vetted-session | Server-side session (form state, locale, CSRF binding). HttpOnly. | 2 hours (rolling) | Strictly necessary |
| XSRF-TOKEN | Cross-site request forgery protection for any form submission. | 2 hours (rolling) | Strictly necessary |
| euvetted_consent_ads | Records your response to the consent banner so it does not re-appear on every page load. Contains no identifier, no personal data — just 1 (granted) or 0 (denied). | 12 months | Strictly necessary |
Strictly necessary cookies are exempt from consent under Article 5(3) of the ePrivacy Directive and the German TTDSG, because the site cannot function without session management, CSRF protection, or a record of your privacy choice. You can still delete them at any time in your browser; the site will then start a new session, and the consent banner will re-appear.
Advertising cookies (only with consent)
The consent flag controls personalisation, not whether advertising appears at all. If you grant consent, any display advertising on the site can use cookies to be tailored to you. If you decline, any ads still appear in their fixed labelled slots but stay generic and contextual — served without cookies, without tracking, and without a behavioural profile. No advertising network is currently integrated; this paragraph and the consent banner are in place ahead of that change, so the moment any ad script ships, your choice is already on file. We will update this page with the named advertising sub-processor — including the cookies it sets — before any ad script is enabled.
You can change your choice at any time via the Cookie settings link in the footer.
Recipients of personal data (sub-processors)
Our hosting infrastructure is Hetzner Online GmbH (Falkenstein, Germany). Our DNS is operated through the same provider. We do not use Cloudflare, AWS, Google Cloud, or any other US-controlled hyperscaler. We do not send any data to third-party analytics or advertising platforms.
If we add a sub-processor in the future (for example, a transactional email provider for newsletter delivery), we will update this page before the change takes effect.
International transfers
All personal data is processed and stored within the European Union. We do not transfer personal data to third countries.
Your rights under the GDPR
You have the right to:
- request access to your personal data (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (Art. 17);
- request restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- lodge a complaint with a supervisory authority (Art. 77).
To exercise any of these, email privacy@euvetted.com. We will respond within 30 days.
Changes to this notice
If we change how we handle personal data, we will update the "Last updated" date at the top of this page and, when changes are material, post a summary at the top.