Privacy
Privacy Notice
This page describes the technical data processing of indexbakery.com and follows the information duties under Art. 13 GDPR. This is an English convenience translation; the authoritative version is the German Datenschutzerklärung.
Last updated: 5 June 2026
Deutsche Versionarrow_forwardController
Hosting and Data Processing Agreement
The website is operated via Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) as the technical hosting provider. Vercel acts as a data processor under a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.
On each page visit, Vercel technically processes request data including IP address, timestamp, requested URL, HTTP method, transferred data volume, and browser/device information. This data is required for delivery, security, and error analysis and is deleted from edge logs after a maximum of 30 days.
As Vercel is based in the United States, data is transferred to a third country outside the EU/EEA. The legal basis for this transfer is the EU Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, which form part of the DPA with Vercel.
Further information on Vercel's data processing: vercel.com/legal/privacy-policy
Processing Activities
| Activity | Data | Purpose | Legal basis |
|---|---|---|---|
| Website delivery | IP address, timestamp, requested URL, browser/device information, transferred data volume, and server logs. | Delivering the website, technical stability, security, and error analysis. | Art. 6(1)(f) GDPR; legitimate interest in secure and stable website operation. |
| Index data and APIs | Browser request metadata and public index-data payloads. | Displaying the index catalog, detail pages, charts, notifications, and update status. | Art. 6(1)(f) GDPR; legitimate interest in providing the website. |
| Consent settings | Selected consent categories, consent version, and timestamp of the latest browser-side save. | Storing and respecting the selected privacy and cookie settings. | Art. 6(1)(f) GDPR for necessary settings; consent for optional categories. |
| OpenStreetMap | After active approval: browser/request data sent to OpenStreetMap when the map loads. | Optional display of the company location on the legal notice page. | Art. 6(1)(a) GDPR based on active consent for External Media & Maps. |
| Authentication (SSO) | Email address and profile name when signing in via Google or GitHub (only when login is active). | Identity verification and access management for registered institutional users. | Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) (consent via OAuth flow). Only relevant once the login area is activated in production. |
Consent and Storage
By default, only technically necessary functionality is active. Analytics, marketing, and external media are activated only after explicit consent. No analytics or marketing services are currently active in the codebase.
| Key | Category | Purpose | Retention |
|---|---|---|---|
| tib_cookie_consent_v2 | Essential | Stores the selected privacy and cookie settings. | Until the settings are changed or browser storage is cleared. |
| tib_cookie_consent | Legacy | Old consent version. Ignored for new decisions and removed when consent is saved again. | Only until the next saved consent decision. |
Data Subject Rights
Subject to the legal requirements, data subjects have the following rights. To exercise any of these rights, please contact us at info@indexbakery.com.
- check_circleAccess to processed personal data (Art. 15 GDPR)
- check_circleCorrection of inaccurate or incomplete data (Art. 16 GDPR)
- check_circleDeletion or restriction of processing where legally available (Art. 17, 18 GDPR)
- check_circleObjection to processing based on legitimate interests (Art. 21 GDPR)
- check_circleWithdrawal of consent with future effect (Art. 7(3) GDPR)
- check_circleComplaint to the competent data protection supervisory authority (Art. 77 GDPR)
Supervisory Authority
The competent data protection supervisory authority for T.I.B. GmbH is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI) — the Hessian Commissioner for Data Protection and Freedom of Information.
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Phone: +49 611 1408 0
datenschutz.hessen.de
You have the right to lodge a complaint with the supervisory authority at any time if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
API Endpoints
| Endpoint | Purpose | Payload |
|---|---|---|
| /api/notifications | Returns a daily summary generated from published index data. | Market-data status, date, number of updated indices, and top movers. |
| /api/updates | Server-Sent Events endpoint for local/live index-data updates. | Ping events plus ticker, latest date, and latest index value when files change. |
External Media
The legal notice page contains an optional map from OpenStreetMap (OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, UK). The map loads only after the “External Media & Maps” category has been actively allowed. No automatic request is made to OpenStreetMap before that point.
Fonts (Manrope, Space Grotesk) and Material Symbols icons are served locally from the website repository. No requests to Google Fonts or Google Static Fonts are required.
Change Your Choice
Optional consent can be changed or withdrawn at any time through Cookie Settings. Further legal information is available in the legal notice.