Privacy Policy

Cookie Fines (cookiefines.eu) is a non-commercial, open-source project that aggregates publicly available GDPR and ePrivacy enforcement data for educational and research purposes.

For privacy inquiries, please contact us at privacy@cookiefines.eu.

Enforcement Data (Public Records)

Our database contains information about GDPR and ePrivacy enforcement actions that are already publicly available through official DPA publications, court records, GDPRhub, and the CMS Enforcement Tracker. This includes company names, fine amounts, DPA decisions, and case summaries. We process this data under Article 6(1)(f) GDPR (legitimate interest) for the purpose of transparency and public interest research.

Visitor Data (Minimal)

This website does not:

• Use tracking cookies or advertising cookies
• Use third-party analytics services
• Collect personal data through registration or accounts
• Share visitor data with third parties
• Fingerprint browsers or devices

The only cookie set is a strictly necessary admin session cookie ("admin_session") used exclusively for site administration. This cookie is not set for regular visitors.

Server Logs

Our hosting provider may collect standard server logs (IP address, user agent, requested URL, timestamp) for security and operational purposes. These logs are retained for a maximum of 30 days and are not used for tracking or profiling.

The website is hosted in the European Union (Frankfurt, Germany region). Our infrastructure providers include:

• Railway – Application hosting (EU region, Frankfurt)
• Neon – PostgreSQL database hosting (EU region)

Sub-processors

For AI-assisted classification and summarisation of enforcement records, we use the OpenAI API (GPT-4o). Data sent to the API is limited to publicly available enforcement action texts (DPA decision summaries, fine amounts, company names). No visitor data or private personal data is sent to OpenAI.

OpenAI, Inc. is based in the United States. This transfer is covered by the EU-U.S. Data Privacy Framework (OpenAI is a certified participant) and by OpenAI's Data Processing Addendum, which includes EU Standard Contractual Clauses (SCCs). OpenAI does not use API inputs for model training. See OpenAI's privacy policy for details.

All other data processing (hosting, database) remains within the EU/EEA. No visitor data is transferred to third countries.

If your personal data appears in our database as part of a publicly reported enforcement action, you have the right to:

• Access – Request confirmation of whether we process your data (Art. 15 GDPR)
• Rectification – Request correction of inaccurate data (Art. 16 GDPR)
• Objection – Object to processing based on legitimate interest (Art. 21 GDPR)
• Erasure – Request deletion in certain circumstances (Art. 17 GDPR)
• Complaint – Lodge a complaint with your local supervisory authority

To exercise your rights, contact us at privacy@cookiefines.eu. We will respond within 30 days.

Please note that enforcement data is derived from official public records. We may retain factual information about publicly documented enforcement actions where there is a legitimate public interest, in accordance with Art. 17(3)(a) GDPR (freedom of expression and information).

For any privacy-related questions, data subject requests, or concerns about inaccurate data, please contact: