This policy explains how DRAM ("we", "the service") processes your personal data under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). We try to keep the language plain — if anything is unclear, write to us at the contact below.
// 1 · CONTROLLER
The controller responsible for processing your data on this site (Art. 4 (7) GDPR) is:
Joshua Burkert
Josef-Obenhin-str. 8
80634 München
Germany
Email: mail@liveyourdram.com
// 2 · WHAT WE COLLECT
We process the following categories of personal data:
- Account data — email address, password (hashed), username, display name. Required to create and authenticate your account.
- Profile data — bio (free text), location (free text), avatar URL, privacy preference. Optional; you choose what to disclose.
- Vault data — bottles you record in your collection: which whisky, purchase price, purchase date, personal notes, opened/finished state, bottles owned.
- Tasting notes — ratings, flavor tags, written notes you log against whiskies.
- Wishlist — bottles you flag as want-to-taste / want-to-buy.
- Social data — friend connections, lists, the public/private visibility you choose, notifications routed to you, reports you file.
- Technical data — IP address (logged briefly by our hosting provider for abuse prevention), browser user-agent (for compatibility), timestamps of requests.
- Optional content — content moderation reports you file about other users' notes.
// 3 · LEGAL BASIS
We process the data above on the following bases (Art. 6 (1) GDPR):
- Performance of a contract (Art. 6 (1) (b)) — to operate your account, store your collection, and deliver the social features you signed up for.
- Consent (Art. 6 (1) (a)) — for functional cookies and any optional data you choose to disclose (bio, location, public lists).
- Legitimate interest (Art. 6 (1) (f)) — for abuse prevention, security logs, and brief IP retention by our hosting provider. You can object to this at any time (Art. 21 GDPR).
- Legal obligation (Art. 6 (1) (c)) — when we have to retain data to comply with applicable law.
// 4 · COOKIES
We use a small number of strictly necessary cookies (for authentication) and a small number of optional functional cookies (to remember your filter selections across requests). We do not use advertising, analytics, or tracking cookies. A full list with names and lifetimes is on our cookie policy page.
You can change your cookie preferences at any time via the Cookie settings link in the page footer.
// 5 · PROCESSORS
The following processors (Art. 28 GDPR) process data on our behalf:
- Supabase, Inc. — database hosting, authentication, and file storage. Servers in the EU region. A standard Data Processing Agreement is in place.
- Anthropic, PBC — generative-AI assistance for whisky metadata autofill (the AI auto-fill button when adding a whisky). Only the whisky name and distillery you enter are sent; no profile or contact data is shared. Requests are not used to train models.
// 6 · TRANSFERS OUTSIDE THE EU
Where a processor stores data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and any additional safeguards required by the EU–US Data Privacy Framework.
// 7 · RETENTION
- Auth tokens (cookies) — access token 1 hour, refresh token up to 30 days, after which you have to sign in again.
- Account and profile data — kept while your account exists. Deleted within 30 days of account deletion, subject to legal retention obligations.
- Vault, tasting notes, wishlist, lists, friend connections — same as account data.
- Server access logs — generally up to 30 days for abuse prevention, then aggregated or deleted.
- Reports filed against other users — kept indefinitely as part of the moderation record (anonymized after the target's account is deleted).
// 8 · YOUR RIGHTS
Under the GDPR you have the right to:
- Access (Art. 15) — request a copy of your data. You can download it yourself via Account → Export my data.
- Rectification (Art. 16) — correct inaccurate data. You can edit most of it directly in your account settings.
- Erasure (Art. 17) — delete your account. The Delete account button in your account settings triggers this immediately.
- Restriction (Art. 18) — restrict processing under certain conditions.
- Portability (Art. 20) — receive your data in a machine-readable JSON format. Same export button as above.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7 (3)) — withdraw consent at any time; legality of prior processing is unaffected.
- Complaint (Art. 77) — lodge a complaint with a supervisory authority, in particular the one at your place of habitual residence.
Our supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), the data protection authority for the private sector in Bavaria:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18, 91522 Ansbach, Germany
Phone: +49 981 53-1300
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de
To exercise any of these rights, write to mail@liveyourdram.com.
// 9 · CHILDREN
DRAM is intended for users aged 18 and older. We do not knowingly collect personal data from children under 16 (Art. 8 GDPR). If you believe a child has registered, please contact us and we will delete the account.
// 10 · SECURITY
We use industry-standard encryption in transit (TLS) and at rest, and scope access to your data via row-level security policies in our database. No system is perfectly secure — if you spot a vulnerability, write to [SECURITY CONTACT EMAIL].
// 11 · CHANGES TO THIS POLICY
We may update this policy as the service evolves or as the law changes. Material changes will be flagged in-app before they take effect. The current version is dated below.
// LAST UPDATED · 2026-05-22