SERGIO LUQUE

Privacy policy

Last updated: 28 April 2026

1. Who we are

This site, sergioluque.com, is operated by Sergio Luque, composer and researcher (the data controller for the purposes of the EU General Data Protection Regulation, Regulation (EU) 2016/679 — hereafter the GDPR).

For any privacy-related question, exercise of rights, or to withdraw a consent you have given, write to dataprotection@sergioluque.com.

2. Personal data we process

2.1 Contact form

When you fill in the form on the contact page we process the name, email address, subject, and message you provide. The message is delivered to our inbox by Resend (email delivery service) and is kept only as long as needed to reply to you and document the exchange.

Legal basis (Art. 6 GDPR): consent — you choose to send the form — and our legitimate interest in answering the enquiries we receive (Art. 6(1)(a) and 6(1)(f) GDPR).

2.2 Site preferences (local storage)

Your theme choice (light or dark) and your cookie consent state are stored in your browser’s local storage under the keys sl-theme and sl-cookie-consent. They never leave your device and are not personal data in the GDPR sense — they only describe how the interface should render for you.

2.3 Admin authentication (only for authorised users)

If you sign in to the admin section under /admin we set an authentication cookie (sl_admin_jwt). This applies only to the site operator and people they have explicitly granted access to. Legal basis: performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR).

2.4 Server access logs

Our hosting provider Cloudflare keeps short-lived technical logs of HTTP requests (IP, user agent, timestamps, paths). These are used only to keep the service running and to mitigate abuse. We do not access them to profile visitors. Legal basis: legitimate interest in operating and securing the site (Art. 6(1)(f) GDPR).

2.5 Analytics (optional, with your consent)

If you grant the Analytics consent in the cookie banner we load Google Analytics 4 with Consent Mode v2, anonymize_ip enabled, and ad signals turned off. We use it to understand which works and pages are visited; we do not build individual profiles, do not run advertising, and do not sell any data.

Until you grant consent, GA4 sends only anonymous, cookieless pings (or no pings at all) and no analytics cookies are set on your browser. You can change your choice at any time from the link in the footer.

Legal basis: your consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive).

3. Categories of recipients (sub-processors)

We use a small number of vetted service providers to run the site. They process data only on our instructions, under data-processing agreements aligned with Art. 28 GDPR.

  • Cloudflare, Inc. — hosting (Pages), edge compute (Workers), object storage (R2), database (D1). Privacy policy.
  • Resend — transactional email delivery for the contact form. Privacy policy.
  • Google Ireland Limited — Google Analytics 4 (loaded only if you grant the analytics consent). Privacy policy.

4. International transfers

Cloudflare and Google are US-headquartered companies. Where personal data flows outside the European Economic Area, those transfers are covered by the European Commission’s Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU–US Data Privacy Framework (adequacy decision of 10 July 2023).

5. Retention

  • Contact-form messages: kept while needed to reply, then archived or deleted.
  • Server access logs at Cloudflare: retained per Cloudflare’s standard policy (typically days to weeks).
  • Analytics data in GA4 (with consent): retained according to the property setting (default 14 months, configurable).
  • Local-storage values on your device: until you clear them or revoke consent.
  • Admin authentication cookie: until logout or expiry (24h by default).

6. Your rights under the GDPR

You have the right, at any time and free of charge, to:

  • Access — request confirmation and a copy of the personal data we hold about you (Art. 15).
  • Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
  • Erasure — ask us to delete data that is no longer needed or that you have withdrawn consent for (Art. 17).
  • Restriction — ask us to limit processing in specific circumstances (Art. 18).
  • Portability — receive your data in a structured, commonly-used, machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint with the data-protection supervisory authority of your EU member state (e.g. the AEPD in Spain, the CNIL in France, the DPC in Ireland). A list is available at edpb.europa.eu.

To exercise any of these rights, write to dataprotection@sergioluque.com. We respond within one month (Art. 12(3) GDPR).

7. Cookies and similar technologies

The site uses very few cookies and a small amount of local storage. The breakdown:

  • Strictly necessary — theme preference (sl-theme), cookie consent state (sl-cookie-consent), admin authentication (sl_admin_jwt, only set after sign-in). No consent required.
  • Analytics — Google Analytics 4 cookies (_ga, _ga_*). Loaded only if you grant the consent.
  • Marketing — none currently. Reserved for any future third-party embed (e.g. social sharing) so it loads only with consent.

Manage your choice at any time via the link in the footer. Browser-level controls (delete cookies, block third-party cookies, “Do Not Track”) are also respected.

8. Children

The site is not directed to children under 16. We do not knowingly collect personal data from minors. If you believe a child has provided us with data, contact us and we will delete it.

9. Security

Communications with the site are encrypted in transit (HTTPS). Authentication uses signed JSON Web Tokens stored as HTTP-only cookies. The admin area is reachable only after a successful login.

10. Changes to this policy

We will update this page when our processing changes. The current version is dated above. For substantive changes affecting consent we will surface a fresh banner so you can review and re-confirm your choices.

11. Contact

Sergio Luque · data controller · dataprotection@sergioluque.com