Last Updated: July 20, 2025
This GDPR Policy supplements our Privacy Policy and is intended specifically for visitors located in the European Economic Area (EEA), the United Kingdom (UK), and, where applicable, Switzerland. It explains additional rights and the measures SavorySpiral.com (“Savory Spiral,” “we,” “us,” or “our”) takes to comply with the EU General Data Protection Regulation (EU GDPR) and the UK GDPR.
Plain Language Summary: We act as a data controller for the personal data you provide or that we collect through the Site. We collect only what we need to operate and improve the Site (e.g., email address for newsletters, anonymized analytics). You may withdraw consent, request access, correction, deletion, portability, or object to certain processing at any time by emailing contact@savoryspiral.com.
1. Data Controller and Contact Details
Data Controller: Savory Spiral (Charlotte)
Address: 155 N 1st Ave, Hillsboro, OR 97124, United States
Email: contact@savoryspiral.com
We do not currently appoint an EU/UK representative because our processing is occasional, low‑risk, and does not include large‑scale processing of special category data. If our processing volume or scope changes, we will reassess this determination.
2. Categories of Personal Data Processed
| Category | Examples | Source | Purpose | Retention (Typical) |
|---|---|---|---|---|
| Identification / Contact | Name, email address (newsletter sign‑up, contact form) | You | Communication, newsletters | Until unsubscribe + suppression log (12 months) |
| Comment Data (if enabled) | Display name, comment text, timestamp | You | Community interaction | While published or until removal request |
| Device / Technical | IP (possibly truncated), user agent, pages viewed, timestamps | Automated (cookies/logs) | Site security, performance, analytics | 12–18 months (logs) |
| Usage / Preference | Saved favorite recipes, measurement unit preference | You / cookies/local storage | Personalization | Until cleared or account feature removed |
| Giveaway / Promotion | Name, email, postal address (winners), eligibility data | You | Administer promotions, compliance | Promotion duration + up to 12 months |
| Security / Fraud | Suspicious IP hashes, limited log snippets | Automated | Protect Site integrity | Up to 24 months if part of investigation |
We do not intentionally process special category data or conduct automated individual decision-making with legal or similarly significant effects.
3. Lawful Bases for Processing
| Purpose | Lawful Basis | Explanation |
| Provide and secure the Site | Art. 6(1)(f) Legitimate Interests | Necessary for operating an efficient, secure recipe platform. |
| Send newsletters / marketing | Art. 6(1)(a) Consent | You opt in; you can withdraw at any time via unsubscribe link. |
| Respond to inquiries | Art. 6(1)(f) Legitimate Interests / (b) Contract | Needed to address your requests; quasi‑contractual. |
| Personalization (non-essential) | Art. 6(1)(a) Consent | Optional cookies/local storage after preference. |
| Analytics (non-essential) | Art. 6(1)(a) Consent | Only after consent banner acceptance (if required). |
| Giveaways / promotions | Art. 6(1)(b) Contract & (c) Legal Obligation | To fulfill prize distribution and comply with tax/eligibility laws. |
| Legal compliance & dispute handling | Art. 6(1)(c) Legal Obligation / (f) Legitimate Interests | To cooperate with lawful requests and defend legal rights. |
4. Consent Management
Where required, we display a consent banner for non‑essential cookies/trackers. You may:
- Accept all, reject all, or customize settings (if using a consent tool).
- Withdraw consent later by clearing cookies, adjusting browser settings, or using provided preference links (we recommend implementing a “Manage Cookies” link in the footer).
Consent withdrawal does not affect processing already performed.
5. Data Minimization & Privacy by Design
We collect only data relevant for stated purposes and configure services (e.g., analytics IP anonymization, shortest practical retention periods) to reduce risk. Access is restricted to the site owner and essential service providers under data processing agreements where applicable.
6. International Transfers
Your data may be transferred to the United States or other countries lacking the same data protection standards. When required, we rely on:
- Standard Contractual Clauses (SCCs) issued by the European Commission (and UK Addendum where applicable), or
- An adequacy decision (if applicable).
You may request a copy or summary of relevant safeguards by contacting us.
7. Data Subject Rights
You have the following rights (subject to limitations under Articles 12–23 GDPR):
| Right | Description |
| Access | Obtain confirmation whether we process your data and access a copy. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure | Request deletion where data is no longer needed, consent is withdrawn, or processing is unlawful. |
| Restriction | Temporarily limit processing while a challenge is resolved. |
| Portability | Receive certain data you provided in a structured, commonly used format. |
| Object | Object to processing based on legitimate interests (including basic analytics) and to direct marketing at any time. |
| Withdraw Consent | Withdraw previously given consent (e.g., newsletters, analytics). |
| Complaint | Lodge a complaint with a supervisory authority in your habitual residence or where an alleged infringement occurred. |
Exercising Rights
Email contact@savoryspiral.com with the subject line “GDPR Request” describing your request. We will respond within one month (extendable by two months for complex requests; we will inform you if extended). We may need to verify your identity (e.g., confirmation link to the email used for signup).
8. Automated Decision-Making & Profiling
We do not engage in automated decision-making producing legal or similarly significant effects. Any analytics segmentation is aggregate and not used to make individualized decisions.
9. Security Measures
We implement proportionate technical and organizational controls: TLS encryption; regular CMS/plugin updates; principle of least privilege; periodic password changes; firewall/WAF/CDN; and secure backups. No method is completely secure, but we strive for continual improvement.
10. Processors & Subprocessors
We maintain a list of core service providers acting as processors (e.g., hosting, email marketing platform, analytics provider). Each is contractually bound to process data only on our instructions and implement safeguards. You may request more detailed information.
11. Children’s Data
The Site is not directed to children under 16. If we learn we inadvertently collected personal data from a child below the applicable age of consent, we will delete it promptly.
12. Changes to This GDPR Policy
We may update this Policy for legal or operational reasons. Material changes will be indicated by updating the Last Updated date and, where appropriate, providing a notice on the Site or via email (if subscribed). Continued use of the Site after changes constitutes acceptance.
13. Contact / Complaints
Primary Contact: contact@savoryspiral.com
Postal Address: 155 N 1st Ave, Hillsboro, OR 97124, United States
Supervisory Authority: You have the right to lodge a complaint with your local Data Protection Authority. A list of EU authorities is available from the European Data Protection Board; UK users may contact the ICO.
