FINEST is published by Certus SPV SLU, registered in Spain. This policy explains what data we collect, why we collect it, and how you can control it. We have designed FINEST to need as little personal data as possible.
1. Who we are
Controller: Certus SPV SLU
Contact: [email protected]
Data Protection Officer: Not required (SME exemption, RGPD Art. 37.4).
Contact us at the address above for any data request.
2. Analytics — what we collect and why
FINEST uses Plausible Analytics, a cookieless, privacy-first analytics
tool hosted on our own server at plausible.abemon.es. Plausible does not
use cookies, does not fingerprint browsers, does not collect personal data, and does not
transmit any data to third parties.
The data Plausible records per page view: page URL, referrer, browser name (not version), device type (desktop / tablet / mobile), country code. No IP address is stored. No cross-site tracking is possible.
Legal basis: Legitimate interest (Art. 6(1)(f) RGPD), given the cookieless nature and absence of personal data collection. No consent banner is required for Plausible under Spanish LSSICE guidance.
3. Newsletter and waitlist
When you sign up for the FINEST waitlist or newsletter, we collect your email address and optionally your preferred language and professional role. This data is:
- Stored in our subscriber database (PostgreSQL, Hetzner compute, Germany).
- Used to send transactional and editorial emails via Amazon SES (EU region).
- Never sold, rented or shared with third parties for marketing purposes.
- Retained until you unsubscribe or request deletion.
Legal basis: Consent (Art. 6(1)(a) RGPD). You may withdraw consent at any time via the unsubscribe link in every email or by writing to [email protected].
Amazon SES acts as a data processor under a Data Processing Agreement with AWS, compliant with EU Standard Contractual Clauses (SCCs).
4. Media and images
Editorial photography and restaurant images are served from Cloudflare R2 (bucket: gastronomia-media), delivered via Cloudflare CDN. Cloudflare processes connection metadata (IP, country) for routing and DDoS protection. This is governed by the Cloudflare privacy policy and their EU SCCs.
5. Cookies
FINEST does not use tracking or analytics cookies. We store one item in
localStorage (key: finest_analytics_pref) to remember
your cookie banner preference. This is not a cookie and is not transmitted to any server.
If you are a logged-in Club member (Phase 3, not yet launched), a session cookie will be set by Better Auth. This policy will be updated when authentication launches.
6. Your rights (RGPD)
As a data subject under RGPD, you have the right to:
- Access your personal data we hold.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten").
- Data portability in a machine-readable format.
- Objection to processing based on legitimate interest.
- Restriction of processing.
- Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You may also lodge a complaint with the Spanish Data Protection Authority (AEPD): aepd.es.
7. Data retention
- Analytics data: Aggregate only (no personal data). Retained indefinitely as statistical record.
- Email subscribers: Until unsubscription or deletion request.
- Server logs: 12 months (access logs, per AEPD guidance on log retention).
8. Third-party services
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Plausible Analytics (self-hosted) | Page view analytics | No personal data | Hetzner, Germany |
| Amazon SES | Transactional email | Email address | AWS EU (Ireland) |
| Cloudflare | CDN, DNS, DDoS | IP (ephemeral) | EU / global |
We do not use Google Analytics, Facebook Pixel, or any advertising tracking.
9. Changes to this policy
We will notify waitlist subscribers of material changes by email. The effective date above will be updated. The version history is maintained in our repository.
10. Contact
[email protected]
Certus SPV SLU · Spain