Privacy Policy
Last updated: 2026-05-09
What personal data do we collect and why?
Analytics data (Google Analytics 4)
If you consent to analytics cookies, Google Analytics collects anonymized data about your visits: which pages you view, how long you stay, what device you use, and roughly where you are (by IP). Your IP address is anonymized (not stored in full) via the anonymize_ip: true setting. This data helps me understand which content is useful and improve the site. You must opt-in via the consent banner.
Blog comments
If you leave a comment on a blog post, I collect: your display name (optional — you can use a pseudonym), your comment text (max 100 characters), a hashed version of your IP address (not the raw IP), and the timestamp. Your hashed IP is used only to prevent spam and detect abuse patterns; it cannot be reversed to identify you. Comments are public and visible to all visitors. There is no unsubscribe or auto-delete; if you want your comment removed, use the contact form on the homepage.
Newsletter subscription
When you subscribe to the newsletter, I collect your email address and your preferred language (en or es). Subscription uses double opt-in: you receive a confirmation email and must click a link to activate the subscription. Your email is stored in Supabase (my database provider). You can unsubscribe anytime by clicking the link in any newsletter email, which sets your status to 'unsubscribed'. Unsubscribed emails are retained for 90 days to prevent re-subscription loops, then deleted.
Contact form
When you submit the contact form, I collect your name, email, and message. This is sent to me via Resend (a transactional email service). Submissions are stored indefinitely — you opted in by submitting the form. I may use them to follow up if we are in an active conversation. You can request deletion of your submission anytime via the contact form.
Server and platform logs
Vercel (the hosting provider) automatically logs request metadata: your IP address, the URL you requested, your user agent (browser/device info), and timestamps. These logs are retained per Vercel's policy (typically 3 months) and are used for security, debugging, and compliance. I do not have access to raw server logs; Vercel retains them.
Legal basis for processing (GDPR Article 6)
Under GDPR, I must have a lawful basis for processing your data: • Necessary Cookies (Article 6(1)(f)): My legitimate interest in remembering your consent choice and preventing re-prompting (no consent required). • Analytics (Article 6(1)(a)): Explicit consent via the banner before loading GA4 cookies. • Newsletter (Article 6(1)(a)): Explicit consent via double opt-in (you confirm your subscription by clicking the link in the confirmation email). • Comments (Article 6(1)(f)): My legitimate interest in operating a public blog and managing spam (posting is optional; you consent by submitting). • Contact form (Article 6(1)(a)): Explicit consent (you voluntarily submit the form). • Server logs (Article 6(1)(f)): Vercel's legitimate interest in platform security and abuse prevention.
Who has access to your data?
I do not sell your data. Here's who has access and why: • Google Analytics: Receives anonymized analytics data (no email, no name) only if you consent to analytics cookies. You can opt out anytime. • Supabase (database): Stores comments, newsletter subscribers, and server logs in encrypted tables. Row-level security (RLS) prevents unauthorized access. Only I (via my admin account) can query subscriber or comment data. • Resend (email service): Receives newsletter subscriber emails only to send confirmation and newsletter emails. Resend is a GDPR-compliant transactional email service and does not use your email for marketing. • Cloudflare Turnstile: Receives a token you generate when the form runs its bot-protection check. See the dedicated Turnstile section below for details. • Vercel (hosting): Sees all HTTP request data per platform logs (IP, URL, user agent). Vercel is a GDPR-compliant hosting provider. No data is shared with advertisers, brokers, or other third parties for marketing purposes.
Cloudflare Turnstile (bot protection)
candio.net uses Cloudflare Turnstile to protect form submissions (contact, newsletter, blog comments) from automated abuse. Turnstile runs in your browser as an alternative to traditional CAPTCHAs and operates in 'invisible' mode — you don't have to click anything. No advertising tracking is performed. To distinguish you from a bot, Turnstile may collect and process a limited set of technical signals: your IP address, a fragment of HTTP headers (including User-Agent and Accept-Language), browser characteristics (screen size, language, timezone), and behavioral signals from a sandboxed in-browser challenge. Cloudflare uses these signals only to issue or refuse a one-time verification token; the token alone is sent to my server. No personal identifier is shared with me beyond what you typed into the form. Cloudflare is the data processor for these signals under a Data Processing Addendum. Cloudflare does not use Turnstile data for advertising profiling. For full details see Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/ Turnstile is required to use the contact form. If you cannot or prefer not to use it, contact me via the social links in the footer.
How long do we keep your data?
Here's the retention schedule: • Comments: Stored indefinitely (public content). You can request deletion anytime via the contact form. • Newsletter subscribers: Retained while 'confirmed'. When you unsubscribe, your status changes to 'unsubscribed' and the record is deleted after 90 days (to prevent rebound subscriptions). You can request immediate deletion. • Contact form submissions: Stored indefinitely (you opted in by submitting). I may use them to follow up if we're in an active conversation. You can request deletion anytime via the contact form. • Analytics data: Google Analytics uses a 14-month retention window by default (you can configure this in your Analytics settings). After 14 months, events are aggregated and individual user data is deleted. • Server logs: Vercel retains logs per their policy (typically up to 3 months). I cannot extend or shorten this. • Hashed IPs: Kept with comments indefinitely to detect spam patterns but cannot be linked to you.
Your rights under GDPR (EU and UK residents)
If you are in the EU or UK, you have the following rights: • Right to access (Article 15): You can request a copy of all personal data I hold about you. • Right to rectification (Article 16): You can correct inaccurate data (e.g., update an email address). • Right to erasure / 'Right to be forgotten' (Article 17): You can request deletion of your data, except where I have a legal obligation to retain it (e.g., fraud prevention). • Right to restrict processing (Article 18): You can ask me to stop processing your data but keep it stored. • Right to data portability (Article 20): You can request your data in a portable format (CSV/JSON) to move to another service. • Right to object (Article 21): You can object to processing for marketing or analytics. For analytics, use the consent banner to reject cookies. • Right to withdraw consent (Article 7): You can withdraw consent for analytics, newsletter, or comments anytime by contacting me or using the preference links. • Right to lodge a complaint: If you believe I am not respecting your rights, you can lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France, etc.). To exercise any of these rights, use the contact form on the homepage with your request. I aim to respond within 30 days.
Your rights under CCPA/CPRA (California residents)
If you are a California resident, you have the following rights under CCPA/CPRA: • Right to know: You can request what personal information I have collected, the sources, my business purpose, and who I share it with. • Right to delete: You can request deletion of personal information (with limited exceptions for fraud prevention and legal compliance). • Right to correct: You can request correction of inaccurate information. • Right to opt-out of 'sale': You can opt out of the sale of your personal information. Note: candio.net does not sell personal information for money or valuable consideration. To exercise CCPA rights, use the contact form on the homepage. I will verify your identity and respond within 45 days.
Children under 16
candio.net is not directed at children under 16. I do not knowingly collect personal data from children under 16. If I discover that I have collected data from a child under 16 without parental consent, I will delete it immediately. If you are a parent or guardian and believe your child has provided data, please use the contact form on the homepage.
International data transfers
Some of my service providers are based in the United States (Google, Cloudflare, Vercel, Supabase, Resend). When data is transferred to the US, it is protected by Standard Contractual Clauses (SCCs) or other mechanisms approved under GDPR. These providers are committed to GDPR compliance and have agreed to handle data with the same protections as the EU.
How we protect your data
I use industry-standard security measures: • All data in transit is encrypted with HTTPS/TLS. • Database (Supabase) is encrypted at rest and uses row-level security to prevent unauthorized access. • API keys and secrets are stored server-side only (never exposed in browser code). • Forms are protected with Turnstile CAPTCHA to prevent automated submission. • Rate limiting on API endpoints prevents brute-force and spam attacks. • Security headers (CSP, HSTS, X-Frame-Options) are configured in next.config.mjs to prevent injection and framing attacks. • Comments and newsletter subscriber data are not exposed to the public API — analytics data is always anonymized. However, no security is perfect. If you believe there has been a data breach or security incident, please use the contact form immediately.
Changes to this policy
If I make material changes to this Privacy Policy (e.g., new data collection, new sharing partners, new retention periods), I will update the 'Last updated' date and notify users by re-displaying the consent banner. Changes will not be retroactive; they apply only to data collected after the change date. Minor updates (clarifications, typo fixes, link updates) may not trigger notification.
Contact me
Use the contact form on the homepage to reach me about data requests, privacy questions, or anything related to this policy. I aim to respond to all data requests within 30 days.