privacy without the fog

What we hold, what we refuse,
and how you stay in charge.

About six minutes Built around GDPR & CCPA Your data is not for sale Reviewed by people, not bots

In a nutshell

We keep only what it takes to recommend good tables, protect logins, and keep the lights on. We do not sell personal information. Export or wipe your whole account anytime from a single settings screen.

— Pedro, Data Steward
01

The company behind Platefolk

Platefolk is an independent guide to neighbourhood food and welcoming rooms. A crew of sixteen runs it from a shared workspace in Lisbon, Portugal, with a small desk in Berlin. On paper we are Platefolk Lda., with our registered address at Rua do Loreto 15, 1200-241 Lisbon.

In this policy, "we," "us," and "Platefolk" mean that company. "You" means anyone browsing platefolk.com, reading our notes, creating an account, or writing to us.

say it simply No distant holding company. No mystery shell. Pedro owns the privacy brief, and you can reach him at [email protected].
02

Information we hold

We group what we store into two piles: essentials for running the product and extras you volunteer. The second pile is never mandatory. The table below is the complete inventory.

Data Why Type
Email address Account creation, the weekly letter, and password recovery. Required
Display name Appears beside notes or tips you publish (a nickname is fine). Required
Password (hashed) Kept solely as a salted argon2id hash — plaintext never reaches us. Required
Approximate city Lets the homepage surface kitchens near where you are. Optional
Tasting notes & submissions Short reviews and place tips you decide to share. Optional
Saved lists Bookmarked spots. Private unless you choose to publish a list. Optional
Device & browser Coarse diagnostics (browser version, screen width) for fixing bugs. Required
IP address (truncated) Hashed and shortened, held 30 days to blunt spam and abuse. Required
Categories we refuse
  • Exact GPS. City-level is the finest grain, and only when you opt in.
  • Address books, calendars, photo libraries, or microphone access — we never request them.
  • Full payment card numbers. Stripe processes cards; we see only the last four digits on receipts.
  • Behavioural, canvas, audio, or similar fingerprinting tricks.
  • Private tips you send "off the record" (for example by email) are never pasted onto a public profile.
03

Reasons we hold it

GDPR expects a lawful basis for each purpose. Ours, in everyday language:

  • Contract — delivering the account you signed up for (login, saves, newsletter opt-in).
  • Legitimate interest — keeping the site stable, blocking spam, patching bugs, and running aggregate analytics that cannot identify you.
  • Consent — extras such as marketing beyond the newsletter, near-me features, or the two optional cookies (see §05).
  • Legal obligation — answering a valid court order or retaining invoices for tax rules.
put another way Your email exists because you asked us to reach you. Error logs exist because the product fails without them. Anything beyond that waits for a clear yes from you.
04

Who else can see it

A short, fixed roster of vendors — "sub-processors" in legal jargon — each receives only the slice required for their job. That roster is:

Vendor Role Where
Fly.io Hosts the web app and database Amsterdam, NL
Backblaze B2 Stores photos you upload Amsterdam, NL
Postmark Delivers transactional mail (login links) United States
Buttondown Delivers the weekly newsletter United States
Stripe Charges (restaurant partners only) Ireland / US
Plausible Cookie-free page-view analytics Frankfurt, DE
Sentry Error tracking (IPs truncated on intake) Frankfurt, DE
Parties we never hand data to
  • Data brokers — none, under any circumstance.
  • Ad networks — we do not serve display or other ads.
  • Restaurants — saved lists and private notes stay yours. Owners only see comments you post publicly on their page, like any other reader.
  • "Analytics partners" that stitch profiles across unrelated sites.
05

Cookies and analytics

Platefolk sets three cookies and stops there. Many sites ship dozens; we prefer the short shelf.

Name What it does Lifespan
wb_sess Maintains your login. First-party, httpOnly. 30 days (sliding)
wb_theme Remembers dark/light preference and font size. 1 year
wb_ref Credits a first visit (for example from a newsletter link). 14 days

That is the entire set. Analytics run through Plausible, which needs no cookies and sits comfortably with GDPR — a daily-rotating salt means the same person cannot be followed from one day to the next.

why no popup Three first-party cookies and zero ad trackers mean EU rules do not force a consent wall. We skip the banner most people dismiss without reading.
06

Where the bits live

Account records and uploaded photos sit on servers in Amsterdam (EU). Encrypted backups rotate for 30 days in a second EU centre in Frankfurt.

🇳🇱
Primary — Amsterdam

Live database, user photos, active sessions.

🇩🇪
Backup — Frankfurt

Encrypted snapshot on a 30-day roll.

🇺🇸
Transactional email — US

Login links via Postmark, kept 7 days.

🇵🇹
Finance — Lisbon

Invoices and tax files, retained 10 years under EU rules.

When data leaves the EU (for example to Postmark in the United States), the transfer rides on the EU Commission's Standard Contractual Clauses — the framework the European Data Protection Board accepts for those moves.

07

How long it stays

  • Your account — until you delete it. Idle accounts are not auto-purged.
  • Notes & submissions — while the place remains on Platefolk, unless you take them down.
  • Login audit log — 90 days, then erased.
  • Error logs (Sentry) — 30 days; IPs truncated on arrival.
  • Newsletter open/click data — 6 months, then deleted.
  • Invoices / VAT records — 10 years, as Portuguese tax law requires.
  • Deleted accounts — cleared from live systems within 48 hours and from backups within 30 days.
08

Controls you already have

Wherever you live, these tools sit in account settings under "Data & privacy" — no endless ticket queue required.

Download a copy

Receive a full ZIP: profile, notes, saved places, and photos.

Settings → Data & privacy
Fix mistakes

Update inaccurate fields yourself; rare edge cases go by email.

Edit profile
Erase the account

One control. Live systems clear in 48 hours; backups within 30 days.

Delete account
Freeze without deleting

Park the account temporarily — handy for a break from the feed.

Pause account
Object to processing

Turn off legitimate-interest uses such as the welcome email series.

Preferences
File a complaint

If we miss the mark, Portugal's CNPD is the supervisory authority.

cnpd.pt
for California readers CCPA gives you matching rights — know, delete, and opt out of sale (we do not sell, so that last one is already satisfied). The same settings page covers them.
09

Younger visitors

Platefolk is not aimed at anyone under 16, and we do not knowingly gather data from children in that age group. If you think we collected a child's information by mistake, write to [email protected] and we will remove it within 72 hours.

10

When this page updates

Material changes get an email to every account holder at least 30 days before they apply, plus a notice on the homepage. Typos, layout tweaks, and clarifications skip the mail blast and appear in the changelog below.

Changelog

  • March 28, 2026 Added Backblaze B2 for photo storage; retired Cloudinary. Shortened newsletter click retention from 12 months to 6.
  • November 5, 2025 Moved analytics from Fathom to Plausible. Same cookie-free model; Plausible's EU hosting eases transfer paperwork.
  • July 14, 2025 First public policy shipped with launch.
11

Reach the Data Steward

Pedro handles data protection for Platefolk. He reads the inbox himself and typically answers within two working days — no ticket IDs, no chatbots, just someone who knows this policy cold.

[email protected] Rua do Loreto 15, 1200-241 Lisbon, Portugal Replies within 2 working days

Anything still unclear?

Ask us first — we'd rather talk than send you hunting for a regulator.

Write to Pedro Read the FAQ