GDPR Policy – Noor Recipes | European Data Protection Rights

GDPR Policy – Noor Recipes

Last Updated: September 23, 2025
Effective Date: October 15, 2024

🇪🇺 European Union General Data Protection Regulation (GDPR) Compliance

If you’re visiting from the European Union, this page is specifically for you. The GDPR gives you important rights about how your personal data is collected and used. I respect these rights completely, and I’ve written this policy to clearly explain how I handle your information and how you can control it.

Who We Are (Data Controller Information)

Under GDPR, I am the “data controller” for your personal information. Here’s my official information:

Data Controller: Noor Bennett
Business Name: Noor Recipes
Location: New York, NY, United States
Email: [email protected]
Data Protection Contact: [email protected]

As a small, family-run food blog, I personally handle all data protection responsibilities. I don’t have a separate Data Protection Officer (DPO) because the law doesn’t require one for a business of my size, but I take your privacy rights just as seriously as any large company would.

Under GDPR, I can only process your personal data if I have a valid legal reason. Here are the legal bases I rely on:

| Data Processing Activity | Legal Basis | Explanation |
|---|---|---|
| Email Newsletter | Consent (Article 6(1)(a)) | You explicitly sign up and can withdraw consent anytime |
| Website Analytics | Legitimate Interest (Article 6(1)(f)) | Understanding how to improve the website for all users |
| Responding to Emails | Legitimate Interest (Article 6(1)(f)) | Providing customer service and recipe support |
| Security & Fraud Prevention | Legitimate Interest (Article 6(1)(f)) | Protecting website and users from spam/abuse |
| Legal Compliance | Legal Obligation (Article 6(1)(c)) | When required by law (rare for a recipe blog) |

Important: Your Right to Object

Where we rely on “legitimate interest” as our legal basis, you have the right to object to that processing. Simply email [email protected] with your objection, and I’ll stop processing your data for that purpose (unless I can demonstrate compelling legitimate grounds).

Personal Data We Collect

Here’s exactly what personal data I collect from EU visitors and why:

Data You Provide Directly:

  • Email Address: When you subscribe to the newsletter
  • Name: If you choose to provide it (not required for newsletter)
  • Communication Content: When you email me questions or feedback
  • Recipe Reviews: If you comment on recipes or share cooking experiences
  • Photos: If you email pictures of your cooking results

Data Collected Automatically:

  • IP Address: For security and basic analytics (anonymized after 14 months)
  • Browser Information: Type and version (for compatibility)
  • Device Type: Mobile, tablet, or desktop (for responsive design)
  • Page Views: Which recipes you visit (for content improvement)
  • Time Spent: How long you stay on pages (for user experience)
  • Referral Source: How you found the website (for understanding traffic)

Cookies and Similar Technologies:

  • Essential Cookies: Required for website functionality
  • Analytics Cookies: Google Analytics (anonymized)
  • Preference Cookies: Remember your newsletter signup status

Cookie Consent for EU Visitors

As an EU visitor, you should see a cookie consent banner on your first visit. You can:

  • Accept all cookies
  • Accept only essential cookies
  • Customize your cookie preferences
  • Change your mind anytime using the cookie preferences link in our footer

How We Use Your Personal Data

I’m completely transparent about how I use your information:

Newsletter Communications:

  • Send you new recipe notifications (2-3 times per week)
  • Share cooking tips and kitchen stories
  • Provide updates about website changes or improvements
  • Track email delivery and engagement (to improve content)

Website Improvement:

  • Analyze which recipes are most popular
  • Understand user behavior to improve navigation
  • Fix technical issues and optimize performance
  • Create content that matches visitor interests

Communication & Support:

  • Respond to your recipe questions and cooking help requests
  • Address technical issues with the website
  • Handle privacy requests and data subject rights

What I DON’T Do:

  • Sell, rent, or trade your personal data
  • Share your data with advertising companies
  • Use your data for automated decision-making or profiling
  • Send unsolicited marketing from third parties
  • Track your browsing on other websites

Your GDPR Rights

As an EU resident, you have specific rights under GDPR. Here’s how to exercise each one:

1. Right of Access (Article 15)

What it means: You can request a copy of all personal data I have about you.

How to exercise: Email [email protected] with “Data Access Request” in the subject line.

Timeline: I’ll respond within 30 days with a complete data export.

2. Right to Rectification (Article 16)

What it means: You can ask me to correct inaccurate or incomplete personal data.

How to exercise: Email me the correct information, and I’ll update it immediately.

Timeline: Corrections are usually made within 24 hours.

3. Right to Erasure / “Right to be Forgotten” (Article 17)

What it means: You can request complete deletion of your personal data.

How to exercise: Email [email protected] with “Delete My Data” in the subject line.

Timeline: Complete deletion within 30 days, confirmation provided.

Note: I may need to keep some data if required by law, but I’ll explain any exceptions.

4. Right to Restrict Processing (Article 18)

What it means: You can ask me to limit how I use your data while keeping it stored.

Example: Stop sending newsletters but keep your email for legal compliance.

How to exercise: Email with specific restrictions you want applied.

5. Right to Data Portability (Article 20)

What it means: You can get your data in a format that’s easy to transfer elsewhere.

How to exercise: Request a data export in CSV or JSON format.

What you’ll get: Your email, preferences, and any content you’ve shared with us.

6. Right to Object (Article 21)

What it means: You can object to processing based on legitimate interest.

Common objections: Analytics tracking, marketing communications.

How to exercise: Email with specific processing activities you object to.

7. Right to Withdraw Consent

What it means: You can withdraw consent for processing that requires it (like newsletters).

How to exercise: Use the unsubscribe link in emails or email me directly.

Effect: I’ll stop processing immediately, but past processing remains lawful.

Response Timelines

Standard Response: 30 days from receiving your request

Complex Requests: Up to 60 additional days (I’ll explain why)

My Goal: Most requests handled within 1-7 days

Free of Charge: All GDPR requests are free unless clearly excessive or repetitive

Data Retention Periods

I don’t keep your data longer than necessary. Here are my specific retention periods:

| Data Type | Retention Period | Reason for Retention |
|---|---|---|
| Newsletter Email Addresses | Until you unsubscribe | Ongoing service provision |
| Website Analytics | 26 months (Google Analytics setting) | Understanding long-term trends |
| Email Correspondence | 3 years | Customer service history |
| IP Addresses | 14 months (anonymized) | Security and spam prevention |
| Cookie Data | 13 months maximum | Technical functionality |
| Recipe Comments/Reviews | Until you request deletion | Community value for other users |

Automatic Deletion

I regularly review and delete old data according to these schedules. If you haven’t engaged with the newsletter for 3+ years, I’ll send a re-engagement email before removing you from the list.

International Data Transfers

Since I’m based in the United States, your data will be transferred outside the EU. Here’s how I protect it:

Transfer Safeguards:

  • Adequacy Decision: The US participates in data protection frameworks recognized by the EU
  • Contractual Safeguards: Service providers use Standard Contractual Clauses (SCCs)
  • Technical Measures: Encryption in transit and at rest
  • Limited Transfers: Only to processors essential for website operation

Where Your Data Goes:

  • United States: Main website servers and email processing
  • Service Providers: ConvertKit (email), Google Analytics (anonymized)
  • Your Rights: Same GDPR protections apply regardless of data location

Data Protection Measures

I protect your data using technical and organizational measures appropriate for a small business:

Technical Safeguards:

  • Encryption: SSL/TLS for all data transmission
  • Secure Hosting: Reputable providers with security certifications
  • Regular Backups: Encrypted and geographically distributed
  • Access Controls: Limited to essential personnel only (just me)
  • Software Updates: Regular security patches and updates

Organizational Safeguards:

  • Privacy by Design: Data protection considered in all new features
  • Data Minimization: I only collect what’s necessary
  • Regular Review: Quarterly assessment of data practices
  • Incident Response: Clear procedures for potential data breaches

Data Breach Notification:

If a data breach occurs that poses a risk to your rights:

  • I’ll notify the relevant EU supervisory authority within 72 hours
  • I’ll notify affected individuals without undue delay
  • I’ll provide clear information about the breach and steps being taken
  • I’ll offer assistance and advice on protecting yourself

Right to Lodge Complaints

If you’re not satisfied with how I handle your data or privacy requests, you have the right to complain to a supervisory authority:

EU Supervisory Authorities:

  • Your Country: Contact the data protection authority in your EU country
  • My Location: You can also complain to authorities where I process data (US)
  • European Data Protection Board: Find your local authority

Before Filing a Complaint:

I encourage you to contact me first at [email protected]. I’m committed to resolving any concerns directly and quickly. Most issues can be resolved within a few days through direct communication.

Children’s Data (Under 16)

Under GDPR, children under 16 need parental consent for data processing. My approach:

  • Age Verification: Newsletter signup includes age confirmation
  • Parental Consent: Required for anyone under 16 in the EU
  • No Targeting: I don’t specifically target or market to children
  • Immediate Deletion: If I discover a child’s data without proper consent, I delete it immediately

Contact Information for GDPR Matters

Data Protection Contact:
Noor Bennett
Email: [email protected]
Subject Line: Include “GDPR Request” for fastest processing

Response Times:

  • Simple requests: 1-7 days
  • Complex requests: Up to 30 days
  • Emergency/breach concerns: Within 24 hours

What to Include in Your Request:

  • Your email address associated with our website
  • Specific right you want to exercise
  • Any relevant details or context
  • Preferred method of response

Identity Verification:
To protect your privacy, I may ask for verification that you own the email address in question. This usually involves sending a confirmation email to that address.

Updates to This GDPR Policy

I’ll update this policy when:

  • GDPR regulations change
  • My data processing practices change
  • I add new website features that affect privacy
  • EU authorities provide new guidance

Change Notification Process:

Minor Changes: Updated date on this page

Significant Changes: Email notification to newsletter subscribers

Major Changes: 30-day notice period before implementation

Your Options: Object to changes or withdraw consent

The Bottom Line for EU Visitors

Your privacy rights under GDPR are important, and I respect them completely. I run a small family food blog, not a big corporation, but I take data protection just as seriously. My goal is to share recipes and cooking advice while keeping your personal information safe and giving you full control over how it’s used.

If you have any questions about GDPR, your rights, or how I handle your data, please don’t hesitate to reach out. I’d rather answer questions and build trust than have any confusion about privacy.

Thank you for visiting from across the pond, and I hope you find recipes that work well in your kitchen—whether you’re cooking in London, Berlin, Rome, or anywhere else in the EU!

This GDPR policy was created with genuine respect for European privacy rights.
Your data protection matters to me, regardless of where you’re located.