Privacy Policy

The data controller for this site is:

• Adi Coco — RomaniaFrumoasa.org
• Contact address for personal data matters: adicoco@romaniafrumoasa.org

For requests concerning your GDPR rights (access, rectification, erasure, portability, withdrawal of consent), we respond within a maximum of 30 days.

2.1 Newsletter subscription

When you subscribe to the newsletter, we collect your email address and (optionally) your name. We use this data only to send you new articles and occasional announcements about the project. We do not pass this data to third parties for marketing purposes.

The subscription itself and the actual email delivery are handled by Buttondown, a newsletter service provider based in the United States, under the standard contractual clauses approved by the European Commission. You can unsubscribe at any time with one click in any email you receive, or by writing to our contact address.

2.2 Editorial sign-in

Only authors and editors explicitly invited can access the editorial area. For this access we use Google OAuth — we receive from Google the email address, the name and a profile picture. We use this data exclusively to identify the account and we do not share it.

2.3 Automatic logging (web server logs)

Our hosting provider (Vercel) automatically keeps, for limited periods, technical logs containing the IP address, the time of the request and the browser user-agent. We use this data only for security purposes (abuse detection, debugging) and we do not correlate it with reader identities.

2.4 Analytics

We do not use Google Analytics, Facebook Pixel or any other marketing trackers. If we add analytics in the future, this page will be updated and your explicit consent will be requested before activation.

We use a minimum number of cookies, all strictly necessary for the site to work:

• Editorial session — keeps editors authenticated in the /admin area. Set only after login. Not present for ordinary readers.
• Light/dark mode preference — remembers your chosen site theme.
• Cookie consent — remembers that you have seen and responded to the GDPR banner, so we do not show it again.

All cookies are set from our own domain and are not used for advertising tracking. You can delete them at any time from your browser settings.

• Newsletter: explicit consent (Art. 6(1)(a) GDPR).
• Editorial sign-in: performance of a contractual or collaboration relationship (Art. 6(1)(b) GDPR).
• Server logs, security: the legitimate interest of the controller (Art. 6(1)(f) GDPR).
• Essential cookies: legitimate interest or technical necessity for the site to function.

We work with the following service providers who, depending on the service, process personal data strictly on our behalf:

• Vercel Inc. (website hosting) — United States, under EU standard contractual clauses.
• Neon Inc. (database) — EU (Frankfurt).
• Cloudflare Inc. (image storage, CDN) — EU (chosen storage jurisdiction).
• Buttondown (newsletter) — United States, under EU standard contractual clauses.
• Google Inc. (OAuth authentication for the editorial area) — United States.

We do not sell your data to third parties. We do not use the data for automated profiling with legal effect.

• Newsletter email: until you unsubscribe or ask us to delete it.
• Editorial account: for the duration of the collaboration; once it ends, we delete the account data within 30 days.
• Server logs: up to 30 days (according to the hosting provider’s policy).

As a data subject, you have the following rights:

• Right of access — to find out what data we hold about you.
• Right to rectification — to have us correct inaccurate data.
• Right to erasure(the “right to be forgotten”) — to have us delete your data when it is no longer necessary.
• Right to restriction of processing.
• Right to data portability — to receive your data in an easily transferable format.
• Right to object to processing based on legitimate interest.
• Right to withdraw consent at any time, without affecting the lawfulness of processing already carried out.
• Right to lodge a complaint with the National Supervisory Authority for Personal Data Processing — dataprotection.ro.

To exercise any of these rights, write to us at adicoco@romaniafrumoasa.org. We respond within a maximum of 30 days.

We apply reasonable technical and organisational measures to protect personal data — HTTPS across the entire site, authentication with a trusted provider (Google), restricted access to the database, regular backups. In the event of a security incident affecting personal data, we notify the supervisory authority and the affected persons in accordance with the GDPR.

We will update this page whenever our technology or practices change. The date of the last update appears at the top of the document. Major changes will also be announced through the newsletter.

For any question concerning privacy or your personal data, you can write to us at adicoco@romaniafrumoasa.org.