Privacy Policy
Last updated: 2026-05-18 This policy applies to bibliotecas.space and all of its subdomains.
The 60-second summary
- What we collect: your email and name (if you sign in), the book pages you visit, your saved books and reading status, technical logs (IP, User-Agent)
- What we don't collect: legal name (unless you fill it in), phone number, address, payment info, biometrics
- How we use it: to sync your shelf across devices, to know which books resonate, to keep the pipeline from generating content nobody wants
- Do we sell data: No. Never.
- Third parties: Google Analytics (stats) · Microsoft Clarity (heatmaps) · Google OAuth (sign-in) · Sentry (error monitoring) · Cloudflare (CDN). That's the entire list.
- Your rights: export your data, delete your account, withdraw consent, complain to a regulator — one click each.
If that's all you wanted, you're done. The rest is the long form.
1. Data controller
| Field | Value |
|---|---|
| Service | bibliotecas |
| Domain | bibliotecas.space |
| Privacy contact | hello@bibliotecas.space (subject: "Privacy") |
| Copyright / DMCA | dmca@bibliotecas.space |
2. What we collect
2.1 Information you actively provide
- Sign-in info: email, name, and avatar URL returned by Google OAuth
- Onboarding: the three categories you choose at first sign-in (visible only to you; not shown to other users)
- Shelf data: books you save, reading status (want to read / reading / read), save timestamps
- Feedback: anything you send via /contact (including the email you provide for reply)
2.2 Information collected automatically
- Technical logs: IP address, User-Agent, Referer, access time (aggregated after 30 days)
- Behavioral stats: pages visited, time on page, scroll depth, link clicks — via GA4, keyed to an anonymous client_id, never to your identity
- Error logs: JavaScript error stacks via Sentry (default PII collection is disabled)
- Heatmaps: mouse trails and scroll behavior via Microsoft Clarity (anonymized)
2.3 What we do not collect
- ❌ Legal name (unless you type it into a feedback form yourself)
- ❌ Phone number
- ❌ Postal address
- ❌ Payment / banking information
- ❌ Biometric data (fingerprints, facial recognition)
- ❌ Sensitive categories (health, sexual orientation, religion, politics)
3. How we use your data
| Purpose | Legal basis (GDPR) | Can you opt out? |
|---|---|---|
| Provide shelf sync | Contract necessity | No (it's the feature) |
| Improve the product (stats) | Legitimate interest | Yes (decline cookie consent) |
| Error monitoring | Legitimate interest | Yes (don't sign in) |
| Abuse prevention / security | Legitimate interest | No |
| Send emails (if you subscribe) | Consent | Yes (one-click unsubscribe) |
What we explicitly do not do:
- Build user profiles for third-party advertising
- "Content-farm" personalization (no sponsor-driven "you might also like")
- Share data with insurers, employers, or financial institutions
4. Third-party services we use
| Service | Purpose | Data shared | Opt-out |
|---|---|---|---|
| Google Analytics 4 | Site stats | Anonymized IP, behavior events | Decline cookie consent |
| Microsoft Clarity | Heatmaps | Mouse trail (anonymized) | Decline cookie consent |
| Google OAuth | Authentication | Email, name, avatar | Don't sign in |
| Sentry | Error monitoring | JS error stacks (no PII) | — |
| Cloudflare | CDN / DNS | Access IP, request path | — |
What we do not use: Facebook Pixel, TikTok Pixel, any ad network tracker, Hotjar full session recordings.
5. Data storage
- Location: primary database hosted on Neon (United States); object storage on Cloudflare R2 (global edge distribution)
- Cross-border transfer: user data may transit through the US / EU under Standard Contractual Clauses (SCCs)
- Retention:
- Permanent while your account is active
- Fully deleted within 30 days of account deletion (unless legally required to retain)
- Technical logs aggregated after 30 days
- Error logs deleted after 90 days
6. Your rights
Regardless of where you live, you have the following rights:
| Right | What you can do | How |
|---|---|---|
| Access | See what we've stored about you | /me/data |
| Export | Download all your data (JSON + CSV) | /me/data → Export |
| Delete | Delete account + all data | /me/data → Delete account |
| Rectify | Correct inaccurate information | /me — self-edit |
| Withdraw consent | Disable cookie consent | Footer → Cookie settings |
| Complain | File a complaint with a regulator | See §10 |
Response time: within 30 days (GDPR statutory). We aim for 7.
7. Cookies
We use three categories of cookies:
| Category | Examples | Necessity | Can you disable? |
|---|---|---|---|
| Essential | session, CSRF token | Sign-in, security | No |
| Preferences | language, theme | Experience | Yes (clear browser) |
| Analytics | GA4, Clarity | Product improvement | Yes (banner on first visit, or footer settings) |
What we do not use: advertising cookies, cross-site tracking cookies.
8. Children
Our service is not directed at children under 13. If we discover we've collected information from a child under 13, we'll delete it immediately. If you suspect your child has given us information, please email hello@bibliotecas.space.
9. Policy changes
Material changes (new third parties, changed data use) will:
- Update the "Last updated" date at the top
- Be announced in the newsletter (if you subscribe)
- Trigger a re-prompt of the cookie banner (if applicable)
Continued use after 7 days constitutes acceptance. If you disagree, you can delete your account during that window.
10. Contact & complaints
- Privacy questions: hello@bibliotecas.space (subject: "Privacy")
- Acknowledged within 24 hours, substantive response within 30 days
- If unsatisfied, you may file a complaint with your local data protection authority (e.g. EU: your country's DPA; California: CA AG; PRC: Cyberspace Administration of China)
The English version of this policy is the canonical version. A Chinese version will be published when the Chinese site goes live.