01 The company behind Platefolk
Platefolk is an independent guide to neighbourhood food and welcoming rooms. A crew of sixteen runs it from a shared workspace in Lisbon, Portugal, with a small desk in Berlin. On paper we are Platefolk Lda., with our registered address at Rua do Loreto 15, 1200-241 Lisbon.
In this policy, "we," "us," and "Platefolk" mean that company. "You" means anyone browsing platefolk.com, reading our notes, creating an account, or writing to us.
say it simply No distant holding company. No mystery shell. Pedro owns the privacy brief, and you can reach him at
[email protected].
02 Information we hold
We group what we store into two piles: essentials for running the product and extras you volunteer. The second pile is never mandatory. The table below is the complete inventory.
| Data | Why | Type |
| Email address | Account creation, the weekly letter, and password recovery. | Required |
| Display name | Appears beside notes or tips you publish (a nickname is fine). | Required |
| Password (hashed) | Kept solely as a salted argon2id hash — plaintext never reaches us. | Required |
| Approximate city | Lets the homepage surface kitchens near where you are. | Optional |
| Tasting notes & submissions | Short reviews and place tips you decide to share. | Optional |
| Saved lists | Bookmarked spots. Private unless you choose to publish a list. | Optional |
| Device & browser | Coarse diagnostics (browser version, screen width) for fixing bugs. | Required |
| IP address (truncated) | Hashed and shortened, held 30 days to blunt spam and abuse. | Required |
Categories we refuse
- Exact GPS. City-level is the finest grain, and only when you opt in.
- Address books, calendars, photo libraries, or microphone access — we never request them.
- Full payment card numbers. Stripe processes cards; we see only the last four digits on receipts.
- Behavioural, canvas, audio, or similar fingerprinting tricks.
- Private tips you send "off the record" (for example by email) are never pasted onto a public profile.
03 Reasons we hold it
GDPR expects a lawful basis for each purpose. Ours, in everyday language:
- Contract — delivering the account you signed up for (login, saves, newsletter opt-in).
- Legitimate interest — keeping the site stable, blocking spam, patching bugs, and running aggregate analytics that cannot identify you.
- Consent — extras such as marketing beyond the newsletter, near-me features, or the two optional cookies (see §05).
- Legal obligation — answering a valid court order or retaining invoices for tax rules.
put another way Your email exists because you asked us to reach you. Error logs exist because the product fails without them. Anything beyond that waits for a clear yes from you.
04 Who else can see it
A short, fixed roster of vendors — "sub-processors" in legal jargon — each receives only the slice required for their job. That roster is:
| Vendor | Role | Where |
| Fly.io | Hosts the web app and database | Amsterdam, NL |
| Backblaze B2 | Stores photos you upload | Amsterdam, NL |
| Postmark | Delivers transactional mail (login links) | United States |
| Buttondown | Delivers the weekly newsletter | United States |
| Stripe | Charges (restaurant partners only) | Ireland / US |
| Plausible | Cookie-free page-view analytics | Frankfurt, DE |
| Sentry | Error tracking (IPs truncated on intake) | Frankfurt, DE |
Parties we never hand data to
- Data brokers — none, under any circumstance.
- Ad networks — we do not serve display or other ads.
- Restaurants — saved lists and private notes stay yours. Owners only see comments you post publicly on their page, like any other reader.
- "Analytics partners" that stitch profiles across unrelated sites.
05 Cookies and analytics
Platefolk sets three cookies and stops there. Many sites ship dozens; we prefer the short shelf.
| Name | What it does | Lifespan |
| wb_sess | Maintains your login. First-party, httpOnly. | 30 days (sliding) |
| wb_theme | Remembers dark/light preference and font size. | 1 year |
| wb_ref | Credits a first visit (for example from a newsletter link). | 14 days |
That is the entire set. Analytics run through Plausible, which needs no cookies and sits comfortably with GDPR — a daily-rotating salt means the same person cannot be followed from one day to the next.
why no popup Three first-party cookies and zero ad trackers mean EU rules do not force a consent wall. We skip the banner most people dismiss without reading.
06 Where the bits live
Account records and uploaded photos sit on servers in Amsterdam (EU). Encrypted backups rotate for 30 days in a second EU centre in Frankfurt.
🇳🇱
Primary — Amsterdam
Live database, user photos, active sessions.
🇩🇪
Backup — Frankfurt
Encrypted snapshot on a 30-day roll.
🇺🇸
Transactional email — US
Login links via Postmark, kept 7 days.
🇵🇹
Finance — Lisbon
Invoices and tax files, retained 10 years under EU rules.
When data leaves the EU (for example to Postmark in the United States), the transfer rides on the EU Commission's Standard Contractual Clauses — the framework the European Data Protection Board accepts for those moves.
07 How long it stays
- Your account — until you delete it. Idle accounts are not auto-purged.
- Notes & submissions — while the place remains on Platefolk, unless you take them down.
- Login audit log — 90 days, then erased.
- Error logs (Sentry) — 30 days; IPs truncated on arrival.
- Newsletter open/click data — 6 months, then deleted.
- Invoices / VAT records — 10 years, as Portuguese tax law requires.
- Deleted accounts — cleared from live systems within 48 hours and from backups within 30 days.
08 Controls you already have
Wherever you live, these tools sit in account settings under "Data & privacy" — no endless ticket queue required.
Fix mistakes
Update inaccurate fields yourself; rare edge cases go by email.
Edit profile
Erase the account
One control. Live systems clear in 48 hours; backups within 30 days.
Delete account
Freeze without deleting
Park the account temporarily — handy for a break from the feed.
Pause account
Object to processing
Turn off legitimate-interest uses such as the welcome email series.
Preferences
File a complaint
If we miss the mark, Portugal's CNPD is the supervisory authority.
cnpd.pt for California readers CCPA gives you matching rights — know, delete, and opt out of sale (we do not sell, so that last one is already satisfied). The same settings page covers them.
09 Younger visitors
Platefolk is not aimed at anyone under 16, and we do not knowingly gather data from children in that age group. If you think we collected a child's information by mistake, write to [email protected] and we will remove it within 72 hours.
10 When this page updates
Material changes get an email to every account holder at least 30 days before they apply, plus a notice on the homepage. Typos, layout tweaks, and clarifications skip the mail blast and appear in the changelog below.
Changelog
- March 28, 2026 Added Backblaze B2 for photo storage; retired Cloudinary. Shortened newsletter click retention from 12 months to 6.
- November 5, 2025 Moved analytics from Fathom to Plausible. Same cookie-free model; Plausible's EU hosting eases transfer paperwork.
- July 14, 2025 First public policy shipped with launch.
11 Reach the Data Steward
Pedro handles data protection for Platefolk. He reads the inbox himself and typically answers within two working days — no ticket IDs, no chatbots, just someone who knows this policy cold.
[email protected] Rua do Loreto 15, 1200-241 Lisbon, Portugal Replies within 2 working days