Privacy Policy

Last updated: April 2026

The short version

The free RefillCraft planner tool runs entirely in your browser — no cookies, no server, no personal data. If you create an account to purchase a premium planner package, we store your email address and purchase history in a database and set a session cookie to keep you signed in. If you subscribe to our newsletter, we store only your email address on our own server in the EU. That's it.

The planner tool

The free RefillCraft refill generator at refillcraft.com/app processes everything locally in your web browser. Your planner configurations, customizations, and generated PDFs are never uploaded to any server. No data leaves your device.

We use self-hosted Umami analytics to collect anonymous, aggregated usage statistics such as which planner sizes and templates are most popular. Umami does not use cookies, does not track individual users, and does not collect personal data. The analytics server is self-hosted and located in the European Union.

Accounts & Purchases

If you create an account to purchase a premium planner package, we collect and store the following data:

  • Email address — used as your account identifier and to deliver sign-in links
  • Name (optional) — displayed in the app if provided
  • Purchase records — the product and year of each purchase, used to verify your lifetime access entitlement
  • rc_session cookie — an HttpOnly session cookie that keeps you signed in for up to 30 days. This cookie is strictly necessary to maintain your signed-in session and does not track you across sites.

Legal basis

Processing your purchase data is necessary to perform the contract (lifetime access to a purchased planner) under Art. 6(1)(b) GDPR. Processing your email address for sign-in links is based on your consent (Art. 6(1)(a) GDPR), given when you submit the sign-in form.

Data retention

Your email address and name are retained for as long as your account exists. Purchase records are retained permanently as evidence of your purchased entitlement. You can request account deletion at any time (see "Your rights" below).

Third-party processors

We use the following third-party services to provide account and payment functionality. Each acts as a data processor under a Data Processing Agreement:

  • Google LLC (USA) — optional sign-in via Google Identity Services. If you use "Sign in with Google", Google processes your Google account credential to verify your identity. We receive your Google account ID, email address, and display name. This processing is governed by Google's Privacy Policy. Google LLC is certified under the EU–US Data Privacy Framework.
  • Resend, Inc. (USA) — transactional email. Your email address is sent to Resend's API solely to deliver sign-in links. Resend does not use your email for any other purpose. DPA available at resend.com.
  • Stripe, Inc. (USA) — payment processing. When you purchase a planner package, you are redirected to Stripe's secure checkout page. Card details are entered and processed entirely by Stripe; we never see them. We only send product metadata (product ID and year) and receive a session confirmation in return. Stripe is certified under the EU–US Data Privacy Framework.
  • Cloudflare, Inc. (USA) — database hosting. Account and purchase data are stored in Cloudflare D1, a managed database hosted on Cloudflare's infrastructure. Cloudflare is certified under the EU–US Data Privacy Framework.

Newsletter

If you choose to subscribe to our newsletter, we collect the following:

  • Email address — the only personal data we collect for newsletter purposes

Purpose

We use your email address solely to send you occasional updates about new planner refill layouts, new planner sizes, and product improvements. We typically send one to two emails per month.

Legal basis

The legal basis for processing your email address is your explicit consent (Art. 6(1)(a) GDPR), given when you submit the newsletter signup form and confirm your subscription via double opt-in.

Double opt-in

After submitting your email, you will receive a confirmation email. Your subscription only becomes active after you click the confirmation link. This ensures that only the owner of the email address can subscribe.

Data processing

Our newsletter is managed through self-hosted software on a server located in the European Union. Your email address is stored and processed exclusively within the EU. We do not share your data with third parties.

Emails are sent via IONOS SE (Elgendorfer Str. 57, 56410 Montabaur, Germany), which acts as our email service provider under a Data Processing Agreement in accordance with Art. 28 GDPR.

Unsubscribe

You can unsubscribe at any time by clicking the unsubscribe link included in every email, or by contacting us directly. Upon unsubscribing, your email address will be removed from our mailing list.

Data retention

We retain your email address for as long as your subscription is active. If you unsubscribe, your email address is deleted from our mailing list.

This website

The marketing website at refillcraft.com does not use cookies or tracking pixels. We do not collect any personal data through the marketing website other than through the voluntary newsletter signup described above.

We use Cloudflare Web Analytics to collect anonymous, aggregated usage statistics such as page views, referrers, and browser information. Cloudflare Web Analytics does not use cookies, does not track individual users, and does not collect personal data.

We also use self-hosted Umami analytics for custom event tracking (e.g., which templates are downloaded). Like Cloudflare Web Analytics, Umami does not use cookies, does not track individual users, and does not collect personal data. The analytics server is self-hosted and located in the EU.

The website is hosted on Cloudflare Pages. Cloudflare may process certain technical data (such as IP addresses) as part of delivering the website. This processing is governed by Cloudflare's Privacy Policy. Cloudflare, Inc. is certified under the EU-US Data Privacy Framework.

Your rights under GDPR

If you are in the European Economic Area, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data (including your account)
  • Restriction — request restriction of processing
  • Data portability — receive your data in a structured format
  • Objection — object to processing of your data
  • Withdraw consent — withdraw your newsletter or sign-in consent at any time

To exercise any of these rights, contact us at [email protected].

You also have the right to lodge a complaint with your local data protection supervisory authority.

Contact

For any privacy-related questions or requests:
[email protected]