Privacy Policy
Effective date: 12 May 2026 Version: 1.0
Introduction
This Privacy Policy explains how Pedro José Pimenta Rodrigues, operating the website festivallynx.com under the trade name FestivalLynx ("FestivalLynx", "we", "us", "our"), collects, uses and protects your personal data.
We are the data controller for the personal data processed in connection with festivallynx.com. This policy applies to all visitors of festivallynx.com and its language variants (/en, /pt, /es).
The policy is written to satisfy our obligations under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Portuguese Lei n.º 58/2019.
1. Controller
| Name | Pedro José Pimenta Rodrigues |
| NIF | 229819109 |
| General contact | pedro@festivallynx.com |
| Data protection contact | privacy@festivallynx.com |
FestivalLynx does not appoint a Data Protection Officer (DPO). The criteria under GDPR Art. 37 do not apply: we are not a public authority, our core activities do not involve large-scale regular monitoring of data subjects, and we do not process special categories of data on a large scale.
For any privacy-related question or request, write to privacy@festivallynx.com.
2. What we collect, why and for how long
FestivalLynx does not offer user accounts. You can browse the entire site and use the festival budget calculator without registering. The processing operations we carry out are listed below.
| Data | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Email address (entered into the festival budget send form) | Deliver your festival budget summary by email | Consent — Art. 6(1)(a) GDPR | Not retained on our servers after delivery; see section 2.1 for processor logging |
| Email address, name, language and signup source | Newsletter delivery | Consent — Art. 6(1)(a) GDPR | Until withdrawal or 24 months of inactivity |
| Analytics events (page views, interactions, IP address, device metadata, approximate geographic location, heatmap data) | Understand site usage to improve content and navigation | Consent — Art. 6(1)(a) GDPR | See section 2.3 |
| Server logs (request ID, path, host, user agent, region, timestamp) | Security, abuse prevention, debugging | Legitimate interest — Art. 6(1)(f) GDPR | 1 hour, as retained by Vercel's Hobby plan |
| Cookies and similar technologies | See Cookie Policy | See Cookie Policy | See Cookie Policy |
| Consent records | Demonstrate compliance with GDPR Art. 7 | Legal obligation — Art. 6(1)(c) GDPR | 24 months |
| Feedback submission (rating, free-text responses, optional name, optional email, user agent, language) | Improve the service based on user feedback | Legitimate interest — Art. 6(1)(f) GDPR | 12 months after resolution |
| Beta access opt-in (email) | Contact you about early access to new features, if you opted in via the feedback form | Consent — Art. 6(1)(a) GDPR | Until you withdraw consent or are contacted with the beta invite |
2.1 Festival budget email summary
The festival budget calculator does not save your selections on our servers. Your selections (festivals, transport options, accommodation choices and calculated costs) exist only in your browser during the session and are discarded when you close the page or reset the calculator.
If you choose to send the budget summary to your own email, you submit your email address into the send form. We pass that address to our transactional email provider, which delivers the summary to you. We do not retain the address in our database after delivery.
If a delivery error occurs, our system writes a diagnostic entry to our hosting provider's function logs. Email addresses are automatically masked in these log entries (for example, pe***@festivallynx.com) before they are written, so the full address is not stored in logs. Logs are accessible only to the controller and are retained for the period stated in section 2.4.
The transactional email is delivered through Brevo (Sendinblue SAS), an EU-based email service provider headquartered in France. Brevo may retain message metadata (recipient address, delivery timestamp, delivery status) for a limited period as part of its standard delivery monitoring. Details are available in Brevo's own privacy notice.
2.2 Newsletter
The newsletter is a voluntary subscription service. We send festival updates, and travel tips. You can subscribe from the newsletter widget in the footer and unsubscribe at any time via the link in every email or by writing to privacy@festivallynx.com.
When you subscribe we collect your email address and your name. The name is required at subscription and is used to personalise greetings in newsletter emails. We also record the language you signed up in and the page or context the signup originated from. If you sign up from a specific festival page, we record which festival so we can tailor relevant updates.
We use a double opt-in process: after submitting the form, you receive a confirmation email and are only added to the list after you click the confirmation link. This ensures you genuinely intended to subscribe.
The newsletter is delivered through Brevo (Sendinblue SAS), an EU-based email service provider headquartered in France. Subscriber data is stored on Brevo's infrastructure under a Data Processing Agreement.
2.3 Product analytics
We use PostHog to understand how visitors use festivallynx.com so we can improve content and navigation. PostHog records:
- Page views and the routes you visit
- Interactions with key features (e.g. budget calculator inputs, language switcher, filter selections)
- Heatmap data — aggregated click and scroll patterns across pages
- Your IP address, used transiently by PostHog for geographic enrichment (country and region) and bot detection. The IP itself is then discarded and is not stored with your event data
- Device and browser metadata
We do not link analytics events or heatmaps to identifiable individuals: no email address, name or other identifier is ever passed to PostHog. PostHog person profiles are not created for our visitors.
For performance and to keep the cookie domain first-party, PostHog event traffic is routed through a reverse proxy at z.festivallynx.com. The traffic is forwarded to PostHog Cloud EU and is processed by PostHog under its own privacy notice. The reverse proxy does not change who processes the data — PostHog remains the processor.
PostHog data loads only after you grant consent for the analytics category in the cookie banner. You can withdraw consent at any time via the cookie preferences link in the footer; once withdrawn, PostHog stops collecting data and existing PostHog cookies and local storage are cleared.
PostHog data is hosted on PostHog Cloud EU (Frankfurt, Germany). Event and heatmap data is retained for 30 days, after which it is automatically deleted.
2.4 Server logs
When you visit festivallynx.com our hosting provider (Vercel) writes technical logs accessible to us. These logs contain the request ID, the path requested, the host, your browser's user agent, the request region and the timestamp. We use these logs to identify and prevent abuse, debug issues and maintain service security. We do not use server logs to build user profiles.
We operate on Vercel's Hobby plan, which retains runtime logs for one hour. Logs older than one hour are not retained and cannot be recovered.
Cloudflare, our DNS and CDN provider, processes IP addresses transiently for network routing and protection in line with Cloudflare's own privacy notice.
2.5 Cookies and similar technologies
We use cookies and similar technologies as described in our separate Cookie Policy, available at festivallynx.com/cookies.
2.6 Consent records
To demonstrate that we obtained valid consent, as required by GDPR Art. 7(1), we keep a record each time you make a cookie choice. The record contains the timestamp, the version of the cookie banner shown, the language of the banner, your specific choices per category, a truncated IP address (last octet of IPv4 / final 80 bits of IPv6 removed), your browser's user agent (truncated), and a randomly-generated anonymous identifier stored in a first-party cookie so we can correlate withdrawal actions to the original choice.
Cookie consent records are stored in our database at Supabase. Newsletter consent records (the fact you opted in via double opt-in) are stored by Brevo as part of subscriber metadata.
2.7 Feedback submissions
We offer a feedback form at festivallynx.com/feedback. Submitting the form is voluntary.
The form collects:
- A satisfaction rating (1–5)
- Free-text responses to questions about what you like, what frustrates you, and what improvements you would value
- Optionally, your name and email address
- A "beta access" tick-box, separate from the feedback itself
- Automatically: the language of the page and your browser's user agent
If you provide your email and you tick the beta access box, we will keep your email so we can contact you about early access to new features. This processing is based on your consent and you can withdraw it at any time by writing to privacy@festivallynx.com.
If you provide name or email without ticking beta access, we keep them only so we can follow up on your feedback if needed.
Feedback submissions are stored in our database at Supabase, in a table that is not publicly readable.
3. Who we share your data with
We use the processors listed below. Each is bound by a Data Processing Agreement (DPA) under Art. 28 GDPR.
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Database (consent records, feedback submissions) | Zurich, Switzerland (eu-central-2) | Adequacy decision of the European Commission (Switzerland) |
| Vercel Inc. | Hosting and serverless functions | Function execution in Paris (eu-west-3); company headquartered in the United States | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Cloudflare, Inc. | DNS and edge network | Global | EU-US Data Privacy Framework and Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | Newsletter delivery and festival budget email summaries | France and Germany (OVH); backups in Belgium (Google Cloud) | Data stored in EU; no extra-EU transfer |
| PostHog Inc. | Product analytics | Frankfurt, Germany (EU Cloud) | Data stored in EU; no extra-EU transfer |
| Stay22 Inc. | Accommodation widget on blog accommodation guides | Canada | Adequacy decision of the European Commission |
| Travelpayouts | Affiliate network for transport and accommodation links | Lithuania | Intra-EU; no transfer outside the EEA |
We do not sell or rent personal data. We do not share personal data with any party other than the processors listed above and as required by law.
When you click an affiliate link on festivallynx.com, our affiliate networks (Stay22 and Travelpayouts) receive an attribution identifier so commission can be tracked. They may pass this identifier to the underlying merchant (the accommodation, transport or ticketing provider) to confirm the booking originated from FestivalLynx. No other data about you is sent to these networks or merchants.
We may add additional affiliate networks in future. When we do, we will update this Privacy Policy and the processors table accordingly.
4. International data transfers
Some of our processors store or process data outside the European Economic Area (EEA). For such transfers, we rely on the safeguards specified in each processor's Data Processing Agreement (DPA), which we have accepted as part of using the service. These safeguards are one or more of:
- An adequacy decision by the European Commission for the destination country
- Standard Contractual Clauses (SCCs) approved by the European Commission, complemented by supplementary technical measures
- EU-US Data Privacy Framework certification of the recipient
Details of each processor's safeguards are available in their respective privacy notices. If you cannot locate them, write to privacy@festivallynx.com.
5. Your rights
Under GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15) — confirmation of whether we process your data, and a copy of it
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — deletion of your data where one of the legal grounds applies
- Right to restriction (Art. 18) — limiting processing in specific circumstances
- Right to data portability (Art. 20) — receiving your data in a structured, machine-readable format
- Right to object (Art. 21) — objecting to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — withdrawing any consent at any time, with no effect on processing already carried out before withdrawal
- Right not to be subject to automated decision-making (Art. 22) — not applicable; we do not perform automated decision-making with legal or similarly significant effects on you
6. How to exercise your rights
Send a request to privacy@festivallynx.com. Include:
- The right you are exercising
- Sufficient information for us to identify the data concerned (for example, the email address used to subscribe to the newsletter, or the date and subject of a feedback message)
We respond within one month of receipt. The deadline can be extended by a further two months for complex or numerous requests. In that case we will inform you within the first month, with reasons.
Exercising your rights is free. We may charge a reasonable fee or refuse a request only if it is manifestly unfounded or excessive, in line with Art. 12(5) GDPR.
7. How to lodge a complaint
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Portuguese supervisory authority:
Comissão Nacional de Proteção de Dados (CNPD) Avenida D. Carlos I, n.º 134, 1.º 1200-651 Lisboa, Portugal Website: www.cnpd.pt Online complaint form: www.cnpd.pt/cidadaos/reclamacoes
You may also lodge your complaint with the supervisory authority of the EU country where you reside, as provided by Art. 77 GDPR.
We would appreciate the chance to address your concern first. Please contact us at privacy@festivallynx.com before escalating.
8. Children
FestivalLynx is not directed at children under 16.
Under Portuguese law (Lei n.º 58/2019, art. 16), processing of personal data based on consent is lawful only from the age of 13, and from 13 to 16 it requires parental authorisation. We do not knowingly collect personal data from children under 16 without parental consent.
If you believe a child has provided personal data to us, contact privacy@festivallynx.com and we will investigate and, where appropriate, delete the data.
9. Security
We apply technical and organisational measures appropriate to the risk:
- Data in transit is protected by TLS
- Access to production data is limited to the controller
- Hosting is provided by processors that maintain SOC 2 or ISO 27001 certifications
- The Supabase database uses row-level security (RLS), which prevents unauthorised read or modification of sensitive tables (consent records, feedback submissions) via the public client
- Email addresses are automatically masked before being written to server logs, so full addresses do not appear in operational diagnostics
- Consent records and feedback submissions are stored in EU-located infrastructure
- Analytics traffic is reverse-proxied through our own domain so that data never transits third-party advertising domains
In the event of a personal data breach affecting your rights and freedoms, we will notify the CNPD within 72 hours of becoming aware of it. We will inform affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by Art. 33 and 34 GDPR.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our services, processors or legal obligations. The current version is always available at festivallynx.com/privacy. The "Effective date" at the top reflects when the current version took effect.
For material changes we will display a notice on the site for at least 30 days before the changes take effect. Newsletter subscribers will additionally be notified by email.
A history of past versions is available on request from privacy@festivallynx.com.
11. Contact
For any question about this Privacy Policy or your personal data:
- Privacy contact: privacy@festivallynx.com
- General contact: pedro@festivallynx.com