Gastro CriticGastro Critic

Privacy Policy

This Privacy Policy explains how Gastro Critic (operated by Arnd v. Wedemeyer, Mallorca, Spain) collects, processes, and stores personal data when you use our website gastro-critic.com. We process your data solely in accordance with applicable data protection laws, in particular the General Data Protection Regulation (GDPR) and the Spanish Data Protection Act (LOPDGDD).

1. Data Controller

Arnd v. Wedemeyer
c/o Predator SL
Calle Vicari Joaquin Fuster, 31
07006 Palma de Mallorca, Spain
Email: datenschutz@gastro-critic.com

2. Data We Collect

Depending on how you use our site, we may process the following categories of personal data:

  • Account data: Email address and password (encrypted) when you register.
  • Profile data: Display name and optional profile information you voluntarily provide.
  • User contributions: Restaurant reviews and comments you submit.
  • Technical data: IP address, browser type, operating system, and access times (for server security and analytics).
  • Cookies: Necessary session cookies and optional analytics cookies (Google Analytics).

3. Legal Bases (Art. 6 GDPR)

  • Art. 6(1)(a): Consent – for optional analytics cookies.
  • Art. 6(1)(b): Performance of a contract – for managing your user account and submitted reviews.
  • Art. 6(1)(f): Legitimate interests – for website security, availability, and abuse prevention.

4. Cookies

We use two categories of cookies:

  • Necessary cookies: Session cookies for authentication and maintaining your session. These cannot be disabled as they are required for the website to function.
  • Analytics cookies: Google Analytics sets cookies to collect anonymised usage statistics. These cookies are only set with your consent.

5. Third-Party Services and Data Transfers

We use the following third-party providers to deliver our services:

Supabase (Database & Authentication)

Provider: Supabase Inc. Our database is hosted on EU servers (Frankfurt). Account data, profile data, and user contributions are stored here. Legal basis: Art. 6(1)(b) GDPR (contract performance). Privacy policy: supabase.com/privacy.

Vercel (Hosting & Analytics)

Provider: Vercel Inc., San Francisco, USA. Vercel is certified under the EU–US Data Privacy Framework (DPF). Technical data (IP address, access times) is transmitted to Vercel when you visit the site. We use Vercel Analytics for anonymised visitor statistics. Privacy policy: vercel.com/legal/privacy-policy.

Google Analytics

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We use Google Analytics to analyse user behaviour on our website. IP anonymisation is enabled. Data may be transferred to the USA; Google is DPF-certified. Legal basis: your consent (Art. 6(1)(a) GDPR). You can opt out by installing the browser add-on at tools.google.com/dlpage/gaoptout.

Brevo (Transactional Emails)

Provider: Brevo SAS (formerly Sendinblue), Paris, France. We use Brevo to send transactional emails (e.g. account confirmations). Your email address is transmitted to Brevo for this purpose. Privacy policy: brevo.com/legal/privacypolicy.

6. Retention Periods

  • Account data: For as long as your account is active. After account deletion, your data is removed within 30 days unless statutory retention obligations apply.
  • User contributions: Reviews and comments are stored while published on the platform. Upon account deletion, published contributions may be anonymised and retained.
  • Server logs: Up to 30 days.
  • Analytics cookies: Up to 2 years (Google Analytics default).

7. Your Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15): Right to obtain information about your stored data.
  • Rectification (Art. 16): Right to correction of inaccurate data.
  • Erasure(Art. 17): Right to deletion of your data ("right to be forgotten").
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20): Right to receive your data in a structured, machine-readable format.
  • Objection (Art. 21): Right to object to processing based on legitimate interests.
  • Withdrawal of consent: You may withdraw any consent you have given at any time with effect for the future.

To exercise your rights, please contact: datenschutz@gastro-critic.com

You also have the right to lodge a complaint with the competent supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD), available at www.aepd.es.

8. Security

We implement technical and organisational security measures to protect your data against loss, misuse, and unauthorised access. All data transmissions are encrypted via HTTPS. Passwords are stored exclusively in hashed form.

9. Changes to This Policy

We reserve the right to update this Privacy Policy to reflect changes in legal requirements or our services. The current version is always available on this page. Last updated: March 2026.