1. Data Controller
The Asphodel Collective is operated from Norway and is the data controller under the GDPR and the Norwegian Personal Data Act (Personopplysningsloven). Contact: mail@asphodelcollective.com. This policy may be updated; changes are reflected in the "Last updated" date above.
2. What We Collect and Why
- Submission data (image, social handle, country, car model, description): Collected when you submit a car. Approved submissions become publicly visible. Legal basis: Consent (Art. 6(1)(a)).
- IP address & screen resolution: Processed to generate a one-way cryptographic hash for vote integrity. The raw IP is not stored permanently. Legal basis: Legitimate interest (Art. 6(1)(f)).
- Vote fingerprint hash: A SHA-256 hash derived from IP, screen resolution, user agent, and car ID. Cannot be reversed to identify you. Stored for 90 days. Legal basis: Legitimate interest (Art. 6(1)(f)).
3. Third-Party Processors
- Cloudflare (USA): Hosting and bot protection. Transfers covered by the EU-US Data Privacy Framework. Privacy policy.
- Resend (USA): Email notifications on new submissions. Privacy policy.
- Google Fonts: Font delivery. Google may log your IP. Privacy policy.
Where data is transferred outside the EEA, we rely on adequacy decisions, Standard Contractual Clauses, or the EU-US Data Privacy Framework.
4. Data Retention
- Submissions: Stored while live on the site, or until you request removal.
- Rejected submissions: Deleted immediately upon rejection.
- Vote fingerprint hashes: Deleted after 90 days.
- Rate limit records: Deleted after 1 hour.
5. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time (without affecting prior lawful processing). To exercise any right, email mail@asphodelcollective.com. We will respond within 30 days.
You may also lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet): datatilsynet.no.
6. Children
This service is not directed at children under 16. We do not knowingly collect data from anyone under 16.