This policy explains what personal data Restore Her Legacy ("we", "the site") collects, why we collect it, how long we keep it, who we share it with, and how you can exercise the rights the GDPR gives you.
1. Who is the data controller
Restore Her Legacy is a free, non-commercial educational blog operated from Romania by an individual author. We do not publish a postal address because we are not a commercial information-society service under Romanian Law 365/2002. For all data-protection matters, please contact:
2. What we collect and why
Newsletter subscribers
If you subscribe to our newsletter, we store: your email address, the time you confirmed your subscription, the page or surface you subscribed from, your IP address at the time of consent, and your browser's user-agent string. We keep this so we can prove your consent was freely given if you ever object, and so we can send you the newsletter you asked for.
- Legal basis: Article 6(1)(a) GDPR - your explicit consent.
- Retention: while your subscription is active. If you unsubscribe, we keep a minimal suppression record (your email + unsubscribe date) so we never accidentally email you again. You can request full erasure at any time (see Section 6).
Contact form messages
If you write to us through the contact form, we store the name, email and message you provide.
- Legal basis: Article 6(1)(f) GDPR - legitimate interest in being able to reply to you.
- Retention: 1 year, then we delete the message.
Server access logs
Our hosting provider (Vercel) and CDN (Cloudflare) record standard request logs that include IP address, request URL, user-agent, and timestamp. These logs are used to detect abuse, debug errors, and protect the site.
- Legal basis: Article 6(1)(f) GDPR - legitimate interest in security and stability.
- Retention: typically 30 days at the provider level. We do not maintain our own copy.
Cookieless analytics (no consent required)
We run a self-hosted instance of Umami to count page views. Umami does not set cookies, does not create a persistent visitor ID, and does not collect personal data. The data lives in a database we control. No data is shared with third parties.
- Legal basis: Article 6(1)(f) GDPR - legitimate interest in understanding aggregate site traffic. Exempt from consent under Romanian Law 506/2004 / EU ePrivacy because no terminal-equipment information is stored or read.
- Retention: aggregate counters, retained indefinitely.
Optional analytics (only if you accept the cookie banner)
We use Google Analytics 4 to understand which articles are read and roughly where readers come from. GA cookies and requests are only loaded after you accept them in the cookie banner. If you decline (or don't answer), no analytics data leaves your browser.
- Legal basis: Article 6(1)(a) GDPR + Romanian Law 506/2004 - your consent.
- Retention: set to the GA minimum (2 months for events, 14 months for user-scoped data).
3. Who we share data with (processors)
We do not sell your data and we do not share it with advertisers. We do rely on a small number of service providers ("processors") to run the site:
- Neon (PostgreSQL hosting, EU region) - stores subscribers, contact messages, and site content.
- Vercel (application hosting) - runs the website and admin.
- Cloudflare (CDN + DNS) - caches public pages and protects the site from abuse.
- Upstash (Redis) - short-lived rate limit counters keyed by hashed IP.
- Resend (transactional email) - delivers newsletter confirmation, welcome and issue emails.
- Google (Analytics 4) - only loaded after you accept the cookie banner.
Some of these providers are based in the United States. They participate in the EU-US Data Privacy Framework and use the European Commission's Standard Contractual Clauses for transfers.
4. Cookies
We use a small set of strictly necessary cookies for the site to function (login session for the admin area, your chosen colour theme). For details on what each cookie does and how to withdraw analytics consent, see our Cookie Policy.
5. International transfers
Where personal data leaves the European Economic Area (e.g. transactional email is delivered through Resend in the US), the transfer is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
6. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to processing;
- receive your data in a portable format;
- withdraw consent at any time (e.g. unsubscribe from the newsletter via the link in any email; clear analytics cookies via the cookie banner reset).
To exercise any of these, email privacy@restoreherlegacy.com. We will respond within 30 days.
7. Right to lodge a complaint
If you believe we have mishandled your personal data, you have the right to complain to the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, București
www.dataprotection.ro
You can also complain to the supervisory authority in your own EU country of residence.
8. Changes to this policy
If we change this policy materially, we will update the "last updated" date at the top and, for newsletter subscribers, mention the change in the next issue.