Privacy Policy
Effective date: June 20, 2026
Controller:
This website is operated by the “Controller”. You can contact us regarding privacy questions or data requests via our contact page: https://www.glutenfreemap.es/contact
1. Introduction
GlutenFreeMap (the “Site”, “we”, “us”, or “our”) operates glutenfreemap.es. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, the legal bases for processing (including GDPR and CCPA-relevant information), how long we retain it, and the rights available to you.
You should read this policy carefully. If you do not agree with this policy, please do not use the Site or submit personal data to us.
2. Data we collect
We collect the following categories of personal data when you use the Site or interact with its features:
- Identity data: username, name (where provided).
- Contact data: email address.
- Location data: approximate city/country from your profile; precise location only if you grant permission via your browser; and an approximate country inferred from your IP address by our hosting provider (Vercel) to tailor content — for example, to pre-select your country or to decide whether to show an optional prompt. We do not use precise/GPS geolocation for this.
- User content: reviews, ratings, photos or other content you submit when contributing to the map.
- Lists and favorites data: the lists you create (name, description, the restaurants you add and your notes) and their visibility setting (private or shared by link).
- Shared-list analytics: when someone opens a shared list, we record a view with an approximate technical identifier (a hashed value derived from the IP address, browser and date) to count roughly-unique views. This value does not let us identify you personally.
- Authentication data: password (securely hashed).
- Technical data: IP address and device/browser identifiers collected by our analytics or hosting providers (Vercel Analytics and Umami).
- Expansion-interest data: when you ask us to expand GlutenFreeMap to a country, we record the requested country, an optional email address (only if you provide one in order to be notified), and the approximate country inferred from your IP at the time of the request.
- City-alert data: when you set an alert for a city, we record the chosen cities, your consent record (date and version), your preferred email language, and the date of the last notification sent, linked to your account. We send notifications to your account email address.
- Other data you provide via contact forms, registration, newsletter signup, or contributions.
We do not intentionally collect sensitive personal data (such as health diagnoses or racial/ethnic origin) unless you explicitly provide such information in your user-generated content — in which case you should be cautious about posting sensitive personal information publicly.
We do not knowingly collect data from children under the age of 13 (or the age established by local law). The Site is not intended for children.
3. How we collect data
We collect personal data directly from you when you:
- register an account or create a profile;
- submit reviews, ratings, or other map contributions;
- use the contact form;
- submit a country-expansion request (waitlist) via our landing page or an on-site prompt;
- set a city alert to be notified when we add new safe spots;
- sign up for a newsletter (once the feature is enabled);
- grant permission for location access via your browser; or
- otherwise submit data through the Site.
We also collect technical and analytics data automatically via Vercel Analytics, Umami, and similar services when you visit the Site.
4. Purposes of processing & legal bases (GDPR)
We process personal data for the following purposes:
- Providing the map service and user accounts (performance of a contract / necessary to provide the requested service).
- Enabling user contributions (reviews, photos, map edits) and presenting those contributions on the Site (performance of a contract / legitimate interest).
- Managing your lists and their sharing (performance of a contract / legitimate interest). When you share a list by link, it becomes accessible to anyone who has that link, without an account, until you set it to private or reset the link. We record aggregate analytics of views to shared lists using a hashed identifier (legitimate interest in measuring interest in this feature); this value does not directly identify you.
- Sending transactional emails and, where you opt in, newsletters (consent for marketing communications; transactional emails such as password resets may be necessary to perform the service).
- Managing and following up on contact form submissions (legitimate interest / performance of a contract). If you tick the optional "Email me when resolved" checkbox, we will send you a single transactional notification email when your submission is handled, based on the consent you gave at the time of submission.
- Managing country-expansion interest (waitlist) (legitimate interest in measuring demand to decide where to expand). When you tell us which country you would like GlutenFreeMap to expand to, we record it as a demand signal. If you also provide an email address asking to be notified, we store it on the basis of the consent you give at submission, to send you a single notification if and when we launch in that country. We do not currently operate an email-sending pipeline for this and send no other emails as a result of your request.
- Sending city alerts (consent). When you set an alert for a city, the affirmative act of creating it is your explicit consent, which we record with its date and version. On that basis we email you when we add a new safe spot in that city. You can unsubscribe at any time from your profile (and from the link included in each email), and we will stop sending you those notifications.
- Inferring approximate location (legitimate interest in tailoring the experience). We infer your approximate country from your IP address (via our hosting provider) to, for example, pre-select your country in a form or decide whether to show an optional prompt to visitors outside Spain. We do not use precise/GPS geolocation for this.
- Analytics and product improvement (our legitimate interests in improving the Site). We retain only short-term analytics aligned with those purposes.
- Security, fraud detection, and abuse prevention (legitimate interest / compliance with legal obligations where applicable).
Where required (for example, newsletters), we will obtain your consent before sending marketing communications. You can withdraw consent at any time (see “Your rights” below).
5. Third parties and data sharing
We use third-party service providers to operate and improve the Site. These providers may process personal data on our behalf as processors. Current categories of third parties include:
- Email & marketing provider: Brevo (for emails and newsletters — only used when you opt in).
- Hosting / database / analytics: Vercel (hosting, analytics), Umami (cookieless analytics), and Supabase (database).
- Mapping tools / data: Leaflet and OpenStreetMap (for map display and geodata).
We may also share personal data with law enforcement or other authorities where required by law or to respond to legal requests. We do not sell personal data. If our practices change regarding sale/sharing in ways that trigger CCPA/CPRA requirements, we will update this policy and provide a method to opt out.
6. Cookies & similar technologies
We use cookies and similar technologies to operate the Site and enable essential functionality. We currently use a cookie consent banner; the cookies used are essential to the operation of the Site. A separate Cookie Policy will describe cookies in detail and how you can manage cookie preferences. We also use a small amount of first-party functional/technical local storage (for example, to remember that you dismissed an optional prompt or to link a request you submitted to your account); these are first-party only and are not used for tracking or advertising — see the Cookie Policy for details. If analytics or other non-essential tracking are introduced later, they will be disclosed in the Cookie Policy and controlled via the consent banner.
7. Data retention
We retain your personal data while your account is active and, after account deletion, for as long as necessary to comply with legal obligations and to reasonably respond to claims. Our practice is to retain data until account deletion (unless otherwise required by law or for backup/archival reasons). Country-expansion requests (including any optional email) are retained until we evaluate or launch in the relevant country, or until you ask us to delete them. City alerts are retained while the alert is active; when you remove it (from your profile or the unsubscribe link) we stop processing it.
8. Data security
We implement reasonable technical and organizational measures to protect personal data, including:
- HTTPS / SSL for secure transmission.
- Secure password storage (password hashing).
- Hosting on reputable providers (Vercel, Supabase) with their own security measures.
While we strive to safeguard your data, no method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and supervisory authorities as required by law.
9. Your rights (EU GDPR, and applicable rights for California residents)
If you are located in the EU, in California, or other jurisdictions with privacy rights, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correct — request correction of inaccurate or incomplete data.
- Delete — request deletion of your personal data (right to be forgotten), subject to legal exceptions.
- Portability — request a machine-readable copy of personal data you provided.
- Restriction / objection — where applicable, object to processing or request restriction.
- Withdraw consent — where processing is based on consent (e.g., newsletters).
- Opt-out of sale — we do not sell personal information. California residents may still submit requests under the CCPA/CPRA; we will respond in accordance with applicable law.
How to exercise rights: You may exercise these rights via the account settings on the Site (where available) or by contacting us through our contact page: https://www.glutenfreemap.es/contact. To protect your privacy and security, we may need to verify your identity before processing a request. We typically respond to verified requests within 30 days, or in the timeframe required by applicable law.
10. International transfers
Hosting, analytics, and processor services (Vercel, Umami, Supabase, Brevo, etc.) may process or store your data in jurisdictions outside your country (including outside the EU). Where data is transferred outside the EEA, we will ensure appropriate safeguards (e.g., Standard Contractual Clauses, if applicable) are in place as required by law.
11. Third-party websites and links
The Site may contain links to third-party websites (e.g., external review sites, social networks, mapping data sources). This policy does not cover the privacy practices of those websites. We encourage you to read their privacy policies.
12. Changes to this Privacy Policy
As the Site is still in development and features (e.g., user login, newsletter) may change, we will update this policy to reflect changes. We will post a notice on the Site and update the “Effective date” at the top of this document when substantive changes occur.
13. Contact
To ask questions, make a request, or lodge a complaint, please contact us via our contact page: https://www.glutenfreemap.es/contact
If you are in the EU and you believe your data protection rights have been violated, you may file a complaint with your local supervisory authority.