Privacy Policy

Last updated: 15 April 2026

This Privacy Policy explains how Zippy ("we", "us", "our") collects, uses and protects your personal data when you use the website zippytravel.de (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data Controller

The data controller responsible for your personal data under Art. 4(7) GDPR is:

Francesco Edoardo Candi
Libauer Straße 11
10245 Berlin, Deutschland
Email: info@zippytravel.de

Full contact details are available in our Impressum.

2. Data We Collect

2.1 Data automatically collected (server logs)

When you visit our website, our hosting provider (Netlify, Inc.) automatically records technical information:

Anonymised IP address
Date and time of request
Browser type and version, operating system
Referrer URL
Requested page

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring security, stability and proper operation of the website. Logs are retained for up to 14 days and then deleted.

2.2 Analytics (Umami)

We use Umami Analytics (Umami Software, Inc., hosted on EU infrastructure at cloud.umami.is) to understand how visitors use the site in aggregate. Umami is a privacy-friendly analytics tool that:

Does not set any cookies
Does not collect personal data or persistent identifiers
Does not track users across sessions or websites
Anonymises IP addresses and stores only aggregate statistics (page views, referrers, country, browser)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding aggregate website usage. Because Umami does not process personal data in a way that requires consent under §25 TTDSG (no device storage, no identifiers), no cookie banner is required.

More information: umami.is/docs/faq

2.3 Data you provide voluntarily

The Zippy prompt builder processes the answers you give to its questions (destination, travel dates, group composition, budget, etc.) locally in your browser. These answers are sent to our serverless function only to generate the prompt text and are not stored after the prompt is returned.

Legal basis: Art. 6(1)(b) GDPR — performance of a service you have requested.

3. Hosting & Sub-processors

The website is hosted by Netlify, Inc. (44 Montgomery Street, Suite 300, San Francisco, CA 94104, USA). Netlify serves content from EU edge nodes where possible. A Data Processing Agreement under Art. 28 GDPR is in place. Transfers to the United States are covered by Standard Contractual Clauses and Netlify's certification under the EU-U.S. Data Privacy Framework.

4. Fonts & External Resources

Fonts (DM Sans, Instrument Serif) are self-hosted on our servers. No requests are made to Google Fonts or other third-party CDNs, so no personal data is transmitted to Google when you load our pages.

5. Cookies

This website does not use tracking, advertising or analytics cookies. We may use strictly necessary cookies only if required for core site functionality (e.g. session management). No consent banner is required under §25(2) TTDSG because all data collection on our site is either (a) strictly necessary for the service you requested or (b) based on privacy-friendly analytics that do not use device storage.

6. Your Rights

Under Articles 15–22 GDPR you have the right to:

Access the personal data we hold about you (Art. 15)
Rectification of inaccurate data (Art. 16)
Erasure ("right to be forgotten", Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Objection to processing based on legitimate interest (Art. 21)
Withdraw consent at any time, where processing is based on consent (Art. 7(3))

To exercise these rights, contact us at info@zippytravel.de. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). In Germany, the competent authority is the data protection authority of the federal state where you reside.

7. Data Retention

We only store personal data for as long as necessary for the purposes set out above:

Server logs: up to 14 days
Umami aggregate statistics: indefinitely (no personal data)
Prompt inputs: not stored after generation

8. Security

The website is served exclusively over HTTPS (TLS 1.2+). We apply technical and organisational measures to protect personal data against unauthorised access, loss or alteration.

9. Changes to this Policy

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the most recent changes. Material changes will be announced on the website.

10. Contact

Questions about this Privacy Policy or about the processing of your personal data: info@zippytravel.de.