Skip to content

Legal

Privacy Policy

Effective date: May 10, 2025

Document pending configuration

This document is rendered with placeholder values because the NEXT_PUBLIC_LEGAL_* environment variables are not yet configured. Before publishing to production, review MD/7.5-legal-pages.md and populate the operator identity.

This Privacy Policy explains how Bojan Antonijevic ("we", "us") processes personal data belonging to people who visit https://calahype.com or use the Cala Hype platform. We comply with Regulation (EU) 2016/679 (GDPR) and the Spanish Data Protection Act (LOPDGDD 3/2018).

1. Data controller

The data controller for your personal data is Bojan Antonijevic, with registered address at Carrer Menorca, 07181 Bendinat, España. For any privacy-related question you can reach us at [email protected].

2. Data we collect

We only collect data that is strictly necessary to deliver the service.

From anonymous visitors: truncated IP address, device type, preferred language, pages visited, and the consent decision you make on analytics cookies.

From registered organisers: public organiser name, authentication email address, public profile details (description, logo, website) and the events they publish on the platform.

3. How we use your data

We process your data to: (i) display the catalogue of published events; (ii) authenticate organisers via magic-link emails; (iii) measure aggregated, anonymous usage of the site to improve the product; (iv) prevent fraud and abusive form submissions; and (v) comply with our legal obligations, including responses to competent authorities.

4. Legal bases for processing

Each purpose has a clear legal basis: performance of the contract with the organiser (Art. 6(1)(b) GDPR) for authentication and profile management; your consent (Art. 6(1)(a) GDPR) for analytics cookies and optional communications; our legitimate interest (Art. 6(1)(f) GDPR) in preventing abuse and improving the product through aggregated metrics; and compliance with a legal obligation (Art. 6(1)(c) GDPR) where applicable.

5. Cookies and analytics

We use essential cookies to keep the session alive and remember your language and theme preferences; these do not require consent. For anonymous usage metrics we rely on Vercel Web Analytics and Vercel Speed Insights, which only load if you explicitly accept analytics cookies. See our Cookies Policy for the full breakdown.

6. Processors and providers

We share data with providers that act as processors on our behalf under an Art. 28 GDPR agreement: Supabase (database + authentication, EU-hosted), Vercel (hosting, delivery and analytics), Resend (transactional email), MapTiler (base maps), Sentry (error reporting) and, when enabled, Stripe (billing). We never sell or license data for commercial targeting.

7. International transfers

We always favour providers with infrastructure in the European Union or the European Economic Area. When a provider might process data outside the EU/EEA, the transfer is covered by the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) or by a current adequacy decision.

8. Data retention

We keep data only for as long as we need it: organiser accounts remain while active; published events stay in the historical archive until the organiser deletes them; technical access logs rotate after 90 days; and the cookie decision is stored for 12 months, following EDPB and AEPD guidance.

9. Your rights

You can exercise the rights of access, rectification, erasure ("right to be forgotten"), objection, restriction of processing and data portability at any time, and withdraw any consent previously given. Just email [email protected] from the affected account. You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) or the supervisory authority in your country of residence.

10. Security measures

We apply technical and organisational measures proportional to the state of the art: TLS 1.2+ encryption in transit, encryption at rest on Supabase, Row-Level Security isolation in the database, role-based access control, authentication event logging, and regular dependency audits.

11. Children

Cala Hype is not directed at children under 14 and we do not knowingly collect personal data from this age group. If you notice that a minor has provided us with data, please email [email protected] and we will delete it without delay.

12. Changes to this policy

We may update this Privacy Policy to reflect legal or service changes. The effective date at the top of this document will always be current. For material changes we will notify registered organisers by email and, where appropriate, ask for renewed consent.

Privacy Policy | Cala Hype