Privacy Policy
Last updated: 2026 · Effective immediately upon posting
1. Data Controller
Bruckmann Foods ("Bruckmann", "we", "us", "our") is a B2B distributor of dairy, plant-based and cosmetic raw materials, operated as a subsidiary of Bruckmann GmbH, registered at Neißestr. 15, 45136 Essen, Nordrhein-Westfalen, Germany. Bruckmann GmbH is the data controller responsible for personal data processed through this website under Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA) and equivalent national legislation in jurisdictions where we operate.
For any privacy matter you may contact our Data Protection Officer at privacy@bruckmannfoods.com.
2. Scope of this Policy
This Privacy Policy applies to all personal data we collect through:
- This website and any subdomain operated by Bruckmann Foods;
- Quote request forms, sample request forms and contact forms;
- Email, phone, video conference and trade-show interactions arising from website inquiries;
- Commercial correspondence with buyers, prospects and suppliers; and
- Marketing communications you opt into, including newsletters and product updates.
3. Categories of Personal Data We Collect
We collect only the personal data necessary for legitimate B2B commercial purposes:
- Identification data — full name, job title, company name, country.
- Contact data — business email address, business phone number, postal address.
- Commercial data — product interest, target volume, intended application, incoterms preference, target delivery country, notes you provide.
- Transactional data — order references, invoice and shipping details, payment status (we do not store full card numbers; payments are processed by regulated banking partners).
- Technical data — IP address, browser type, operating system, referring URL, pages viewed, session timestamps. Collected via cookies and server logs (see our Cookie Policy).
- Marketing data — preferences, opt-in status, engagement with our emails.
We do not knowingly collect personal data from individuals under 18, and our services are not directed at consumers or children.
4. Purposes and Legal Bases of Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to quote, sample and contact requests | Pre-contractual measures (Art. 6(1)(b)) |
| Negotiate, conclude and perform supply contracts | Contract performance (Art. 6(1)(b)) |
| Invoicing, accounting, tax and customs records | Legal obligation (Art. 6(1)(c)) |
| Quality, traceability and recall management | Legal obligation & legitimate interest (Art. 6(1)(c), (f)) |
| Site security, fraud prevention, analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails & newsletters | Consent (Art. 6(1)(a)), withdrawable any time |
5. How We Share Personal Data
We never sell, rent or trade personal data. We share it only with the following categories of recipients, all bound by confidentiality and data-processing agreements:
- Group companies — Bruckmann GmbH and affiliated entities for consolidated commercial operations;
- Logistics partners — freight forwarders, customs brokers, carriers, warehousing operators (only data needed to ship and clear goods);
- Banking partners — for receipt of payment and invoice reconciliation;
- IT service providers — cloud hosting, email infrastructure, CRM and analytics (all selected with GDPR-grade DPAs and EU/SCC safeguards);
- Professional advisors — auditors, legal counsel, certification bodies;
- Public authorities — where required by law, court order or regulatory request (e.g. food-safety authorities, customs).
5a. Sub-processors
We work with the following categories of sub-processors. A current named list is available on request to privacy@bruckmannfoods.com.
| Sub-processor | Purpose | Region | Safeguard |
|---|---|---|---|
| Supabase (managed Postgres & auth) | Application database, form submissions | EU (Frankfurt) | DPA + SCCs |
| Cloudflare Inc. | CDN, DDoS protection, edge compute | Global PoPs, EU origin | DPA + SCCs |
| Google Ireland Ltd. (GA4, Ads) | Anonymous analytics, B2B ad attribution | EU / US | EU-US DPF + SCCs |
| LinkedIn Ireland Unlimited Co. | B2B campaign attribution | EU / US | EU-US DPF + SCCs |
| SendGrid / Postmark (transactional email) | Quote and contact reply emails | EU / US | DPA + SCCs |
| HubSpot Ireland Ltd. | CRM & marketing automation | EU | DPA + SCCs |
We provide affected customers with prior notice of material sub-processor changes via this page or direct notice, allowing reasonable objection in line with applicable DPAs.
6. International Data Transfers
Because we operate globally, personal data may be transferred outside the European Economic Area. Such transfers are protected by European Commission adequacy decisions, Standard Contractual Clauses (2021/914), or — for UK transfers — the UK International Data Transfer Addendum. A copy of the safeguards used for a specific transfer is available on request.
7. Data Retention
- Quote and contact form submissions that do not lead to a contract: 24 months;
- Commercial correspondence and contract records: 10 years after end of business relationship (legal commercial record-keeping under German HGB §257 and Dutch BW 2:10);
- Invoices, customs and tax records: 10 years;
- Marketing data: until you withdraw consent, then deleted within 30 days;
- Server and analytics logs: 26 months maximum.
8. Security Measures
We protect personal data with administrative, technical and physical safeguards proportionate to the risk, including TLS encryption in transit, encryption at rest for production databases, role-based access controls, least-privilege administration, audit logging, regular vulnerability scanning, secured backups, and staff confidentiality undertakings. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected individuals without undue delay.
9. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Request erasure ("right to be forgotten");
- Restrict or object to processing;
- Receive your data in a structured, machine-readable format (data portability);
- Withdraw consent at any time, without affecting prior lawful processing;
- Lodge a complaint with a supervisory authority — for our German lead authority this is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
California residents additionally have CCPA/CPRA rights to know, delete, correct, limit use of sensitive personal information, and opt out of "sharing" — we do not sell or share personal data for cross-context behavioural advertising.
10. Automated Decision-Making
We do not subject individuals to decisions based solely on automated processing that produce legal or similarly significant effects. All commercial decisions involve human review.
11. Changes to this Policy
We may update this policy from time to time. Material changes will be announced on this page and, where appropriate, by direct notice. The "Last updated" date at the top reflects the current version.
12. Contact
For any privacy question or to exercise your rights, please contact: privacy@bruckmannfoods.com, or write to our registered office at the address below.
Registered parent company
Bruckmann GmbH
Neißestr. 15, 45136 Essen
Nordrhein-Westfalen, Germany
