Privacy Policy

6 min read • 1,205 words

How go-mapi.app handles visitor data. GDPR and LOPDGDD compliant. Spain jurisdiction.

Draft. This privacy policy is a draft pending review by a Spanish privacy lawyer before commercial launch (Phase 3 of the project). If you are evaluating go-mapi and have questions about data handling, contact us via the email in the Aviso legal.

Who we are

The operator of this website is Chispa Sideral (en constitución) SL, a Spanish Sociedad Limitada currently in formation. Full legal-entity details, registered address, and contact email are published in the Aviso legal , which is the authoritative source for identification data under LSSI-CE Art. 10.

This privacy policy describes how go-mapi.app — the public marketing and documentation site for the go-mapi project — handles personal data of visitors. It is written to comply with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (“LOPDGDD”).

What data we collect

As of this publication, go-mapi.app is a static website. We do not run our own analytics, we do not set cookies, and we do not operate any form on this site. The only personal data that exists in relation to a visit to this site is the network-layer data that our hosting and CDN subprocessors process to deliver the HTML, CSS, JavaScript, and font files to your browser.

Specifically, each HTTP request to go-mapi.app causes the following data points to be visible to our subprocessors (see Subprocessors below):

IP address (logged by GitHub Pages during HTTP request handling, per GitHub’s documented logging behavior).
User-Agent header (sent by your browser; typically identifies browser family and operating system).
Referrer header (sent by your browser if you arrived from another page; may be empty).
Date and time of request.

We do not receive, store, or have access to this data ourselves — it lives in our subprocessors’ logs. We have no direct visibility into who visits the site or how often.

Future versions of this policy will describe additional data flows when forms and analytics are added — each change is a new version of this page, committed to the public git history of the site’s source repository.

When you submit the lead-capture form on /cloud/, we collect the email address, organization name, and estimated seat count you provide, along with technical metadata (IP address, User-Agent header, submission timestamp) that our form processor (Formspark — see Subprocessors) records to operate the spam filter and the audit log. Lead data is stored in Ireland (EU). The form does not set cookies and does not load any third-party JavaScript; the data is transmitted via a single HTTPS POST to Formspark when you click “Join the Managed pilot”. A specific retention period for this data is finalized in Task 3 of this plan and amended into the policy at the same merge that takes the form live (see Subprocessors → Formspark for the effective number).

Subprocessors

We currently rely on four subprocessors to deliver the site, operate the lead-capture form, and measure aggregate page traffic. Personal data transfers to subprocessors outside the EEA rely on Standard Contractual Clauses (SCCs) under GDPR Chapter V where applicable, under each subprocessor’s own data-transfer framework.

GitHub Pages — GitHub, Inc., 88 Colin P Kelly Jr Street, San Francisco, CA 94107, USA. Hosts the static site. Processes HTTP request data (IP, User-Agent, referrer, timestamp) per GitHub’s logging policy. See: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement .
Cloudflare — Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. Provides DNS resolution and CDN services in front of GitHub Pages. Processes IP address and TLS connection metadata; does not store application-layer personal data. See: https://www.cloudflare.com/privacypolicy/ .
Formspark — Formspark BV, Belgium. Operates the lead-capture form on /cloud/. Processes form-submission data (email, organization name, estimated seat count) plus technical metadata (IP address, User-Agent, timestamp) at the moment of submission. Form data is stored in Ireland (EU). Retention period: [RETENTION-TBD-TASK-3]. Formspark’s own subprocessors include Amazon Web Services (cloud infrastructure), Akismet (spam detection), Sentry (error reporting), and ipstack (IP-to-geolocation); IP and a hashed submission signature may be shared with Akismet for spam classification. Standard Contractual Clauses cover the Akismet, Sentry, and ipstack transfers (US-based). DPA: executed under Standard Contractual Clauses, countersigned [DATE-OF-COUNTERSIGNATURE]. See: https://formspark.io/legal/gdpr/ and https://formspark.io/legal/subprocessors .
Plausible — Plausible Insights OÜ, Estonia. Provides privacy-friendly aggregate pageview analytics once enabled. Plausible does not use cookies and does not store full IP addresses; site traffic is reported in aggregate for go-mapi.app. We proxy the script through Cloudflare Workers to avoid third-party script requests from the browser. See: https://plausible.io/data-policy and https://plausible.io/dpa .

Purpose and legal basis

The purpose of any processing described above is static website delivery — serving the HTML, stylesheets, scripts, and fonts that make go-mapi.app readable in your browser.

The legal basis for the log data that GitHub Pages and Cloudflare retain is legitimate interest under GDPR Art. 6(1)(f) — specifically, our and our subprocessors’ legitimate interest in operating, securing, and diagnosing the delivery of a public-facing website. No consent is required because no cookies are set and no direct-marketing processing takes place.

Retention

Log data retained by GitHub Pages and Cloudflare is governed by their respective retention policies, linked in Subprocessors above. We do not independently store visitor data, so retention on our side is effectively zero.

As a data subject, you have the following rights over your personal data, as defined in GDPR Arts. 15–22 and reinforced by LOPDGDD:

Right of access (GDPR Art. 15) — obtain confirmation of whether we process your personal data and, if so, a copy of it.
Right to rectification (GDPR Art. 16) — have inaccurate personal data corrected.
Right to erasure / “right to be forgotten” (GDPR Art. 17) — request deletion of your personal data where the conditions of Art. 17 apply.
Right to restriction of processing (GDPR Art. 18) — request that we limit processing to storage only, in the cases listed in Art. 18.
Right to data portability (GDPR Art. 20) — receive your personal data in a structured, commonly used, machine-readable format.
Right to object (GDPR Art. 21) — object to processing based on legitimate interest, including profiling.
Rights related to automated decision-making, including profiling (GDPR Art. 22) — we do not perform automated decision-making or profiling on this site; the right is listed for completeness.
Right to lodge a complaint with the supervisory authority (LOPDGDD Art. 34) — file a complaint with the Agencia Española de Protección de Datos ("AEPD"), the Spanish supervisory authority, at https://www.aepd.es .

To exercise any of these rights, write to us using the contact email published in the Aviso legal . We will respond within the time limits set by GDPR Art. 12.

Changes to this policy

This policy will be updated when we introduce analytics (planned) and a lead-capture form (planned). Each update will be a new commit on this page in the public git repository of the site’s source. The latest version is always the one you are reading now.

Last updated

2026-05-05 (Phase 4 update - added Plausible analytics subprocessor entry and clarified aggregate pageview analytics; draft pending Spanish privacy lawyer review before commercial launch).

Baseline generator: AEPD “Guía para el cumplimiento del deber de informar” (public-facing small-site guidance).