Privacy policy
Honesty first: this site uses Google Analytics 4, so there is tracking. We currently show no advertising; if it is added in the future it will be contextual (non-personalised) and this policy will be updated before activation. We manage it as cleanly as possible and we do NOT ask you for accounts, login or first-party personal data.
In short
- No accounts, no login, no user database, no newsletter.
- We do NOT infer or store your sexual orientation or gender identity. The site covers LGBTQI+ topics but that is editorial context; its audience is general (LGBTQI+ people, allies, family, travellers) and visiting it reveals nothing about you.
- Data does pass to Google (Analytics). There is no advertising for now; if added in the future it will be contextual, non-personalised.
- If you write to us by email, we process your name, email and message to reply.
- Your consent is managed via a CMP banner. You can change your decision at any time from the footer ("Configure cookies").
1. Data controller
- Identity: César David Bernal Moreno
- Data protection contact: contacto@mapa.gay
We are not required to designate a Data Protection Officer (DPO) under GDPR Article 37 or Spanish LOPDGDD Article 34, as we do not perform large-scale systematic monitoring or process special categories of data.
Data Processing Agreements (GDPR Art. 28.3). The data processing agreement with Google is accepted in the service's console (Google Analytics Data Processing Terms).
2. What we do NOT do
- No user accounts. No registration, no login.
- We keep no user database or profiles. The only first-party data we process are the messages you send voluntarily (see 3.4) and the server's technical logs (see 3.3).
- No first-party profiling and no data sales to third parties.
- No newsletters or commercial emails.
- No special-category data (GDPR Art. 9): no health, no identified sexual orientation, no religious beliefs. The site's LGBTQI+ subject matter is contextual and its audience general; we do not infer or store visitors' orientation. Any advertising added in the future will be contextual (by page content), not profiled.
3. Data we process
3.1 Google Analytics 4 (usage analytics)
- Data processed: page views, duration, browser, OS, approximate country (city-level), referrer, truncated IP (Google truncates before storage), interaction events.
- Purpose: aggregate statistics to understand which content works and improve the site.
- Legal basis (GDPR Art. 6.1.a): explicit consent via CMP banner. We do NOT use "legitimate interest" for analytics — Spanish AEPD requires explicit consent for non-exempt analytics cookies.
- Retention: 14 months (configured in GA4).
- Processor: Google LLC (USA). Coverage under EU-US Data Privacy Framework + Standard Contractual Clauses (SCC).
3.2 Display advertising (possible future addition)
For now the site shows no advertising and no advertising cookies are loaded, nor is any information transmitted to Google for advertising purposes. If a display advertising provider is added in the future (e.g. Google AdSense in contextual, non-personalised mode — selected by page content, without building a profile of you), this policy will be updated with the detail (data processed, consent legal basis, retention, processor and transfers) and will require your consent before activation.
3.3 Server logs
The hosting and content delivery network (CDN) record your IP, date and time, requested page and user-agent in technical logs for security, integrity and diagnostics. The IP is personal data (CJEU C-582/14). Legal basis: legitimate interest (GDPR Art. 6.1.f). Retention: typically 30 days.
3.4 Contact by email
When you write to us by email at contacto@mapa.gay, we process the data you provide (name, email and message content) to reply to your query. Legal basis: pre-contractual measures / legitimate interest (GDPR Art. 6.1.b/f). Retention: up to 12 months after closing the query, unless a longer legal retention obligation applies.
4. International transfers
Google is established outside the European Economic Area (USA). This transfer is protected by:
- EU-US Data Privacy Framework (DPF): Google LLC is certified under the DPF approved by the European Commission (Adequacy Decision 2023).
- Standard Contractual Clauses (SCC): as additional safeguard under GDPR Article 46.
Hosting and CDN. The hosting and content delivery network (CDN) may process personal data (the IP in technical logs). If the hosting or CDN provider were established outside the EEA, the transfer would be covered by appropriate safeguards under GDPR Article 46 (Standard Contractual Clauses) or an adequacy framework.
5. Your rights (GDPR Art. 15-22)
As an EU/EEA/UK resident you have the right to access, rectification, erasure, restriction, portability, objection, not to be subject to automated decisions with legal effects (we do not apply such profiling), and to withdraw consent at any time without affecting the lawfulness of prior processing.
How they are exercised in practice:
- Tracking on mapa.gay: since we do not store identifying data, we cannot associate your identity with Google's anonymous identifiers. Effective exercise is done directly by you: change your decision in the CMP banner ("Configure cookies" in the footer) or delete your browser cookies. To delete data at Google, use your Google Account → Data & Privacy.
- Messages you have sent us: email contacto@mapa.gay and we will handle access, rectification or deletion of your query. Response time: 30 calendar days.
6. Complaint to supervisory authority
If you believe your rights have not been properly addressed, you can file a complaint with the Spanish Data Protection Agency (AEPD):
- Web: www.aepd.es
- Electronic office: sedeagpd.gob.es
- Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Residents of other EU/EEA states may complain to their national authority. UK residents to the ICO.
7. California residents (CCPA / CPRA)
Although mapa.gay does not meet the mandatory CCPA/CPRA application thresholds, we voluntarily offer these rights to California residents: to know what information is collected, delete it, correct it, and limit the use of sensitive information.
As we show no personalised advertising (and any future advertising would be contextual), we do not "sell" or "share" personal information within the meaning of the CPRA. Even so, the browser's Global Privacy Control (GPC) signal is honoured automatically, and you can manage cookies from the CMP banner. We do NOT collect real name, phone, financial data, biometrics, precise location or sensitive categories.
8. Other jurisdictions
Residents outside the EU with analogous data-protection law —other US states (Virginia, Colorado, Texas, etc.), Brazil (LGPD), the United Kingdom (UK GDPR), Switzerland, Canada, Australia, Japan, South Africa and similar— have equivalent rights. Mechanism to exercise them: CMP banner ("Configure cookies") for tracking, and contacto@mapa.gay for everything else.
9. Minors
mapa.gay is not directed to children under 14 (digital consent age in Spain, art. 7 LOPDGDD), nor under 13 (COPPA, USA), nor under 16 (GDPR default where applicable). We do not knowingly collect data from minors. If you believe a minor has provided data via the third parties (GA4), contact us to manage its deletion.
10. Cookies — more detail
Full detail of cookies used, their durations and how to manage them is in the Cookie policy.
11. What we promise NEVER to claim
For honesty, you will NOT find on this site claims like "no tracking", "no cookies", "anonymous analytics" or "we don't collect data". That would be lying: with GA4 there is tracking, period (and with advertising, if it is ever added).
12. Changes to this policy
We may update this policy when applicable laws, providers we use or site functionality change. Modifications take effect upon publication. The last updated date appears at the bottom of this page.