Privacy

What we collect, and why

This page explains what data Gritline collects, why, and how we handle it. It’s written by hand to be readable. If anything here is unclear, write to us - see Contact.

Last updated: 11 May 2026

Who we are

Gritline is operated by Robin Spano, an individual based at Passeig del Mare Nostrum 15, 08039 Barcelona, Catalonia, Spain. We are the data controller for personal data processed through gritline.cc.

For privacy questions, or to exercise any of the rights below, use the contact form on /about or email hello@gritline.cc.

What we collect

When you visit anonymously

Standard server access logs: your IP address, the page you requested, your browser type, and the timestamp. Held for 90 days, then auto-deleted.

We use Vercel Analytics to count page views and roughly understand which routes and events get attention. It records no cookies, doesn’t identify you, hashes IP addresses before storage, and doesn’t share data with third-party advertisers. Under GDPR it qualifies as “essential” analytics that doesn’t require a consent banner. If we ever switch to anything more invasive, we will update this policy and add a consent step before turning it on.

When you sign in (Google or Strava)

You sign in via OAuth. The provider sends us your name, your email (Google only - Strava doesn’t share email), your profile picture URL, and a stable provider account ID so repeat sign-ins update the same record. We never see or store your password.

When you fill in your profile

You can edit your display name, home region, short bio, custom profile photo, Strava profile link, and the public-profile toggle. These are stored in our content management system (Sanity).

When you mark attendance for an event

We record which event you’re attending, which distance (for multi-distance events), and a timestamp. Your name and avatar appear on the event page if your profile is public, and the attendance shows on your member profile.

When you contact us

The contact form sends your name, email, message-type, and message to Robin’s personal inbox via Resend. We don’t store the message anywhere on the site itself; it lives only in the email inbox until manually deleted.

When you receive the Gritline newsletter

If you have a member account, we’ll occasionally email you about new routes and Catalan gravel events worth knowing about - about once a month, sometimes less. This sits under legitimate interest (GDPR Article 6(1)(f)) for service-related editorial communications between us and our members, not marketing consent. You can switch the newsletter off any time from /profile, or click the unsubscribe link at the foot of any email.

Why we use this data

Each kind of processing has a specific legal basis under GDPR Article 6:

  • OAuth identity + profile fields - to run your member account and attribute event attendance. Basis: contract.
  • Event attendance - to show counts, surface coordination chats, and populate your “My events” list. Basis: contract.
  • Server logs - to operate and secure the site. Basis: legitimate interest.
  • Contact-form submissions - to reply to you. Basis: legitimate interest + your consent in sending it.
  • Newsletter to members - to keep you up to date on new routes and Catalan gravel events. Basis: legitimate interest, with an opt-out on /profile and in every email.

We don’t process data for advertising. We don’t sell it. We don’t share with advertisers - we don’t have any.

Who else sees your data

Gritline is a small site running on third-party infrastructure. Your data is handled by these processors:

  • Sanity (content management) - stores user records, profiles, and attendance.
  • Vercel (hosting + analytics) - serves the site, keeps server logs, and runs Vercel Analytics for aggregate page-view counts (no cookies, no individual identification).
  • Resend (transactional email) - receives contact-form submissions to deliver them by email.
  • Google and Strava - only when you sign in via their OAuth flow. Their privacy policies apply on their side.

These are all data processors operating under standard contractual clauses for any EU data they handle. We don’t share data with anyone else. There are no advertisers, ad networks, or third-party trackers active on the site.

How long we keep it

  • Your account and profile - until you delete it.
  • Event attendance records - until you delete your account.
  • Server logs - 90 days.
  • Contact-form emails - until manually deleted from Robin’s inbox.

Your rights

Under GDPR, you can:

  • Access the data we hold about you - we’ll send it to you.
  • Correct anything inaccurate. Most fields are already editable on /profile.
  • Delete your account and all linked data - use the “Delete my account” control on /profile. The deletion is immediate and permanent.
  • Export your data in a portable format.
  • Object to any processing.
  • Lodge a complaint with the Spanish data protection authority, the AEPD, if you’re unhappy with how we’ve handled your data.

Cookies

The only cookies on gritline.cc are session cookies set by Auth.js when you sign in. They’re essential - the site can’t keep you logged in without them. They don’t track you across other sites and expire when your session does (or in 30 days, whichever comes first).

We don’t use analytics cookies, ad cookies, or third-party cookies. If we add analytics in future, we’ll update this policy and add a consent step before any tracking starts.

International transfers

Some of our processors (Vercel, Resend, Google) operate from outside the EU. Where this involves your personal data, transfers happen under standard contractual clauses approved by the European Commission.

Changes

If we change how we handle data, we’ll update this page and bump the “Last updated” date at the top. Material changes will also be flagged on the homepage so you don’t have to come hunting for them.