Privacy Policy
Effective date: October 24, 2025
Controller:
This website is operated by the “Controller”. You can contact us regarding privacy questions or data requests via our contact page: https://www.glutenfreemap.es/contact
1. Introduction
GlutenFreeMap (the “Site”, “we”, “us”, or “our”) operates glutenfreemap.es. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, the legal bases for processing (including GDPR and CCPA-relevant information), how long we retain it, and the rights available to you.
You should read this policy carefully. If you do not agree with this policy, please do not use the Site or submit personal data to us.
2. Data we collect
We collect the following categories of personal data when you use the Site or interact with its features:
- Identity data: username, name (where provided).
- Contact data: email address.
- Location data: approximate city/country from your profile; precise location only if you grant permission via your browser.
- User content: reviews, ratings, photos or other content you submit when contributing to the map.
- Authentication data: password (securely hashed).
- Technical data: IP address and device/browser identifiers collected by our analytics or hosting providers (Vercel Analytics).
- Other data you provide via contact forms, registration, newsletter signup, or contributions.
We do not intentionally collect sensitive personal data (such as health diagnoses or racial/ethnic origin) unless you explicitly provide such information in your user-generated content — in which case you should be cautious about posting sensitive personal information publicly.
We do not knowingly collect data from children under the age of 13 (or the age established by local law). The Site is not intended for children.
3. How we collect data
We collect personal data directly from you when you:
- register an account or create a profile;
- submit reviews, ratings, or other map contributions;
- use the contact form;
- sign up for a newsletter (once the feature is enabled);
- grant permission for location access via your browser; or
- otherwise submit data through the Site.
We also collect technical and analytics data automatically via Vercel Analytics and similar services when you visit the Site.
4. Purposes of processing & legal bases (GDPR)
We process personal data for the following purposes:
- Providing the map service and user accounts (performance of a contract / necessary to provide the requested service).
- Enabling user contributions (reviews, photos, map edits) and presenting those contributions on the Site (performance of a contract / legitimate interest).
- Sending transactional emails and, where you opt in, newsletters (consent for marketing communications; transactional emails such as password resets may be necessary to perform the service).
- Analytics and product improvement (our legitimate interests in improving the Site). We retain only short-term analytics aligned with those purposes.
- Security, fraud detection, and abuse prevention (legitimate interest / compliance with legal obligations where applicable).
Where required (for example, newsletters), we will obtain your consent before sending marketing communications. You can withdraw consent at any time (see “Your rights” below).
5. Third parties and data sharing
We use third-party service providers to operate and improve the Site. These providers may process personal data on our behalf as processors. Current categories of third parties include:
- Email & marketing provider: Brevo (for emails and newsletters — only used when you opt in).
- Hosting / database / analytics: Vercel (hosting, analytics) and Supabase (database).
- Mapping tools / data: Leaflet and OpenStreetMap (for map display and geodata).
We may also share personal data with law enforcement or other authorities where required by law or to respond to legal requests. We do not sell personal data. If our practices change regarding sale/sharing in ways that trigger CCPA/CPRA requirements, we will update this policy and provide a method to opt out.
6. Cookies & similar technologies
We use cookies and similar technologies to operate the Site and enable essential functionality. The Site currently uses a cookie consent banner, and the cookies in use are essential to its operation. A separate Cookie Policy will describe cookies in detail and how you can manage cookie preferences. If analytics or other non-essential tracking are introduced later, they will be disclosed in the Cookie Policy and controlled via the consent banner.
7. Data retention
We retain your personal data while your account is active and, after account deletion, for as long as necessary to comply with legal obligations and to reasonably respond to claims. In practice, data is retained until account deletion (unless otherwise required by law or for backup/archival reasons).
8. Data security
We implement reasonable technical and organizational measures to protect personal data, including:
- HTTPS / SSL for secure transmission.
- Secure password storage (password hashing).
- Hosting on reputable providers (Vercel, Supabase) with their own security measures.
While we strive to safeguard your data, no method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and supervisory authorities as required by law.
9. Your rights (EU GDPR, and applicable rights for California residents)
If you are located in the EU, in California, or other jurisdictions with privacy rights, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correct — request correction of inaccurate or incomplete data.
- Delete — request deletion of your personal data (right to be forgotten), subject to legal exceptions.
- Portability — request a machine-readable copy of personal data you provided.
- Restriction / objection — where applicable, object to processing or request restriction.
- Withdraw consent — where processing is based on consent (e.g., newsletters).
- Opt-out of sale — we do not sell personal information. California residents may still submit requests under the CCPA/CPRA; we will respond in accordance with applicable law.
How to exercise rights: You may exercise these rights via the account settings on the Site (where available) or by contacting us through our contact page: https://www.glutenfreemap.es/contact. To protect your privacy and security, we may need to verify your identity before processing a request. We typically respond to verified requests within 30 days, or in the timeframe required by applicable law.
10. International transfers
Hosting, analytics, and processor services (Vercel, Supabase, Brevo, etc.) may process or store your data in jurisdictions outside your country (including outside the EU). Where data is transferred outside the EEA, we will ensure appropriate safeguards (e.g., Standard Contractual Clauses, if applicable) are in place as required by law.
11. Third-party websites and links
The Site may contain links to third-party websites (e.g., external review sites, social networks, mapping data sources). This policy does not cover the privacy practices of those websites. We encourage you to read their privacy policies.
12. Changes to this Privacy Policy
As the Site is still in development and features (e.g., user login, newsletter) may change, we will update this policy to reflect changes. We will post a notice on the Site and update the “Effective date” at the top of this document when substantive changes occur.
13. Contact
To ask questions, make a request, or lodge a complaint, please contact us via our contact page: https://www.glutenfreemap.es/contact
If you are in the EU and you believe your data protection rights have been violated, you may file a complaint with your local supervisory authority.