Legal
Privacy policy
Last updated: May 23, 2026
We've tried to write this policy in plain, understandable language. It explains what data we process at Reedlog, for what purpose, on what legal basis, who we share it with, and how you can exercise your rights.
01 Data controller
Pablo Díaz Coira, author and operator of Reedlog, with address in A Coruña (Spain).
Contact: pablo@reedlog.app
02 What data we collect
When creating an account via invitation: your email address, a public username (which you pick), an optional display name, and your password (stored by Supabase as a bcrypt hash, never in plain text).
During use of the application: the records you create about your reeds, their measurements, the associated scraping entries, the comments you publish on public reeds, and the feedback you submit through the internal inbox.
We don't use behavioral analytics, fingerprinting, or device data beyond what is strictly necessary to serve the website (IP is recorded in Vercel logs for a maximum of 30 days).
03 Purposes and legal basis
· Providing the service you requested when registering: authentication, storage and display of your records, analysis tools and export. Legal basis: performance of contract (GDPR art. 6.1.b).
· Showing a record in the public /explore feed: only when you actively decide so from within the application. Legal basis: performance of service at the user's request (GDPR art. 6.1.b). You can revert this at any time by unpublishing the record from its page.
· Sending you essential communications related to your account (initial invitation, password reset, security notices, or substantial service changes). Legal basis: performance of contract and legitimate interest in security (GDPR arts. 6.1.b and 6.1.f).
· Handling the suggestions and reports you send through the inbox. Legal basis: legitimate interest in improving the product (GDPR art. 6.1.f).
04 Service providers we share data with
We work with a minimum of providers, all bound by data processing agreements:
· Supabase (database and authentication). Infrastructure configured for primary hosting in the EU.
· Resend (sending transactional emails: invitations, password reset). Primary processing in the US.
· Vercel (application hosting). Global edge distribution.
· Cloudflare (DNS and forwarding of incoming mail to pablo@reedlog.app). Global edge distribution.
We do not sell personal data to third parties, we do not display ads, and we do not share your data with any entity other than those listed here.
05 Your rights
You can exercise your rights of access, rectification, erasure, objection, restriction of processing and data portability by emailing pablo@reedlog.app. We will respond within the one-month period set by the GDPR, extendable by up to two additional months when complexity or the number of requests so requires.
Many of these rights can be exercised directly from the application: at /settings you can change your profile and password, and export all your data in JSON or CSV. Full account deletion has to be requested by email while we implement automated in-app deletion.
If you believe we are processing your data improperly, you have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es) or your local authority.
06 Retention periods
We keep your data while your account remains active and as long as needed to provide the service.
When you request account deletion, we erase your personal data within a maximum of 30 days. Supabase automatic backups may retain them for up to 90 additional days before being overwritten.
Comments you have posted on other users' reeds remain visible after deletion of your account but disassociated from your identity (shown as 'Anonymous'). If you prefer their complete erasure, indicate so in the deletion request.
07 Cookies
We use a minimum of cookies, all strictly necessary for the operation of the service (no prior consent required under applicable European regulation):
· Supabase session (sb-*): to keep your session active.
· NEXT_LOCALE: to remember your preferred language.
· reedlog-theme: to remember your theme preference (light/dark/system).
We don't use tracking, analytics, or advertising cookies.
08 Security
We apply reasonable technical and organisational measures to protect your data against unauthorised access, loss, alteration or improper disclosure. These include: HTTPS encryption in transit, password storage with bcrypt, Row-Level Security at the database to isolate each user's content, and strict separation between service-role keys (server-side) and anonymous keys (client).
No system is completely invulnerable. If you detect or suspect unauthorised access to your account, please notify us immediately at pablo@reedlog.app.
09 International transfers
Some providers (Resend, Vercel, Cloudflare) process data on servers located outside the European Economic Area, mainly in the United States. These transfers are covered by the Standard Contractual Clauses (SCCs) approved by the European Commission, which guarantee a level of protection equivalent to the GDPR.
10 Minors
Reedlog is not directed to children under 14 and we do not knowingly collect data from minors under that age. The minimum age of consent in Spain under the LOPDGDD (art. 7) is 14. If you believe a minor under that age has provided us with data, let us know and we will erase it.
11 Changes to this policy
If we make substantial changes to this policy, we'll notify you via email at the address you signed up with and keep a visible notice in the application for a reasonable period.