Privacy Policy

FolkUp — Setúbal Encyclopedia Version: 2.1 | Effective Date: February 2026 | Last Updated: March 2026

1. Who We Are

Data Controller: FolkUp Address: Lg. José Afonso 20 RC, 2900-429 Setúbal, Portugal Email: privacy@folkup.app

FolkUp operates setubal.folkup.city, a free, open-content encyclopedia about Setúbal, Portugal. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and Portuguese law.

We are not required to appoint a Data Protection Officer (DPO) given the scale of our operations (GDPR Art. 37). For all data protection inquiries, contact: privacy@folkup.app

2. Our Approach to Privacy

We collect and process the minimum amount of data necessary to operate this website and provide our services. Where optional features (such as user accounts) involve additional data processing, we clearly explain what is collected, why, and on what legal basis.

3. What Data We Process

3.1. Server Logs

When you visit setubal.folkup.city, our web server automatically records standard access logs:

IP address
Browser type and version (User-Agent)
Pages requested and timestamps

This data is collected automatically by our hosting provider (Hetzner) and is used solely for security monitoring and troubleshooting. Server logs are retained for approximately 30 days and then deleted.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — maintaining the security and availability of our website.

Legitimate interest detail: Without server logs, we cannot detect malicious activity, debug errors, or ensure the website remains operational. This interest is balanced against the minimal impact on your privacy, as logs are automatically deleted after 30 days.

3.2. Cloudflare DNS

Our DNS is managed by Cloudflare. When you access our website, Cloudflare may process your IP address and connection metadata as part of DNS resolution. Cloudflare may also set security cookies on your device (see our Cookie Policy).

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — ensuring reliable and secure DNS resolution.

Legitimate interest detail: Cloudflare DNS is necessary to route visitors to our server and to provide DDoS protection. Without it, the website would not be accessible.

3.3. Voluntary Email Contact

If you choose to contact us by email (hello@folkup.app or privacy@folkup.app), we will process:

Your email address
The content of your message

Email is routed through Cloudflare Email Routing to Gmail. We retain correspondence for up to 12 months for reference purposes.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — responding to your enquiry.

Legitimate interest detail: We need to process your email address and message content to respond to your correspondence. Retention for 12 months allows us to maintain context for ongoing conversations.

3.4. Authentication (FolkUp Auth)

We offer optional user accounts through FolkUp Auth, powered by Keycloak, hosted at auth.folkup.app. If you choose to create an account, we process:

Email address
Username
Session data (login timestamps, session tokens)
IP address (at the time of authentication)

Your account data is stored on our self-hosted Keycloak instance (hosted by Hetzner in Germany, EU). Data is retained until you delete your account. You may request account deletion at any time by contacting privacy@folkup.app.

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) — providing the authentication service you have requested by creating an account.

Necessity of data (Art. 13(2)(e)): Creating an account via FolkUp Auth requires providing an email address and username. This data is necessary to provide the authentication service. Without it, account creation is not possible.

3.4.1. Registration via OAuth Providers (Art. 14)

When you register or log in via an OAuth provider (e.g., Google), we receive the following data from the provider:

Email address
Display name

This data is used solely for account creation and authentication. We do not receive or store your password from the OAuth provider. The provider’s own privacy policy governs how they process your data on their end.

Legal basis: Performance of a contract (GDPR Art. 6(1)(b)) — creating and managing the account you have requested.

Source of data: The respective OAuth provider (e.g., Google LLC), as selected by you during registration.

3.5. Analytics (Umami)

We use Umami, a self-hosted, privacy-focused analytics tool, to understand how visitors use our website. Umami collects:

Anonymized page views
Referrer information (which website brought you here)
Browser type and screen size
Country-level location (derived from IP, but IP is not stored)

Umami does not use cookies, does not track individual users, and does not collect personal data. All data is aggregated and cannot be used to identify any individual visitor.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — improving the quality and usability of our website.

Legitimate interest detail: Understanding which pages are popular and how visitors navigate the site helps us improve content and user experience. Since Umami collects no personal data and uses no cookies, the impact on your privacy is negligible.

3.6. Data We Do NOT Collect

For transparency, setubal.folkup.city does not collect:

Payment or financial data
Precise location data (beyond country-level derived by Umami and IP in server logs)
Advertising or tracking data
Social media data
Any special categories of personal data

4. Cookies

We use only Cloudflare security cookies, which are strictly necessary and exempt from consent requirements. Umami analytics does not use cookies. We do not use analytics, advertising, or tracking cookies.

For full details, see our Cookie Policy.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. Data is processed by the following service providers:

Provider	Location	Purpose	Safeguards
Hetzner Online GmbH	Germany (EU)	Server hosting, server logs, Keycloak hosting, Umami hosting	EU-based; DPA in place
Cloudflare, Inc.	United States	DNS, security, email routing	EU-US Data Privacy Framework; SCCs
Google LLC	United States	OAuth provider (only if you choose to register via Google); Gmail (email routing destination)	EU-US Data Privacy Framework; SCCs

Keycloak and Umami are self-hosted on our own infrastructure (Hetzner, Germany). They are not third-party service providers — all data remains on our servers within the EU.

Ko-fi (our donation platform) is an independent service. If you choose to donate via Ko-fi, your data is processed under Ko-fi’s own privacy policy. We do not receive your payment details.

6. International Data Transfers

Hetzner — Germany (EU). No international transfer.
Cloudflare — United States. Certified under the EU-US Data Privacy Framework (DPF), with Standard Contractual Clauses (SCCs) as an additional safeguard. Purposes: DNS resolution, security, and email routing (see Section 3.3).
Google LLC — United States. Certified under the EU-US Data Privacy Framework (DPF), with Standard Contractual Clauses (SCCs) as an additional safeguard.
- OAuth: Data transfer occurs only if you choose to register or log in via Google.
- Gmail (email routing): When you email hello@folkup.app or privacy@folkup.app, your message is routed via Cloudflare Email Routing to Google LLC (Gmail). This transfer occurs for all email correspondence with these addresses, regardless of whether you have a FolkUp Auth account.

7. Automated Decision-Making (Art. 13(2)(f))

We do not use automated decision-making or profiling as defined in GDPR Art. 22. No decisions with legal or similarly significant effects are made about you based on automated processing.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

Access (Art. 15) — request a copy of data we hold about you
Rectification (Art. 16) — request correction of inaccurate data
Erasure (Art. 17) — request deletion of your data
Restriction (Art. 18) — request that we limit processing
Portability (Art. 20) — receive your data in a machine-readable format
Objection (Art. 21) — object to processing based on legitimate interest

If you have a FolkUp Auth account, you may request a full export or deletion of your account data at any time. Server logs are automatically deleted after approximately 30 days. We will honour any valid request.

To exercise your rights: Email privacy@folkup.app. We will respond within one month.

Right to Lodge a Complaint

You may lodge a complaint with the Portuguese supervisory authority:

Comissao Nacional de Protecao de Dados (CNPD) Av. D. Carlos I, 134 - 1.o, 1200-651 Lisboa, Portugal Email: geral@cnpd.pt | Website: https://www.cnpd.pt

You may also complain to the supervisory authority of your habitual residence within the EU/EEA.

9. Data Security

We implement appropriate measures to protect your data:

HTTPS/TLS encryption for all connections
Access controls — only authorised personnel can access server logs and Keycloak data
Regular updates to server software and security configurations
Self-hosted infrastructure — Keycloak and Umami run on our own servers within the EU, reducing third-party exposure

10. Children’s Data

This website’s content is freely accessible without registration. The optional account feature (FolkUp Auth) is not intended for children under 16. We do not knowingly collect personal data from children under 16 through the account system. If we become aware that an account has been created by a child under 16, we will delete the account and associated data promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The “Last Updated” date at the top will be revised. Previous versions are available upon request.

12. Contact

For any questions about this Privacy Policy or your personal data:

Email: privacy@folkup.app

13. Applicable Law

This Privacy Policy is governed by:

Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
Portuguese Lei 58/2019 — National implementation of the GDPR
Portuguese Lei 41/2004 (as amended by Lei 46/2012) — ePrivacy Directive transposition