Last updated: May 6, 2026
Spiżarnia REGIO (“we,” “us,” or “our”) owns and operates the website vinagallica.com. This Privacy Policy explains how we collect, use, and protect information when you visit our site.
Who We Are
Vina Gallica is a bilingual (English and French) guide to French wine culture, providing a directory of wineries, wine shops, and wine experiences across France, along with an interactive map and editorial content.
Website: vinagallica.com
What Data We Collect
Information collected automatically
When you visit our site, certain technical data is collected automatically to ensure the website functions correctly and to understand general usage patterns.
Cloudflare (infrastructure provider) Our website is delivered through Cloudflare’s network. Cloudflare may process the following data as part of its core security and performance services:
- IP address (used temporarily for security purposes such as bot detection and DDoS protection)
- Browser type and version
- Pages visited and referring URL
- Date and time of access
Cloudflare sets certain cookies that are strictly necessary for security and site functionality. These include cookies for bot management (_cf_bm), CAPTCHA verification (cf_clearance), and related security functions. These cookies cannot be disabled as they are essential to delivering the website securely.
For more information, see Cloudflare’s Privacy Policy.
Cloudflare Web Analytics We use Cloudflare Web Analytics to collect anonymised performance and usage data. This service does not use cookies, does not collect personal information, and does not track users across websites. It operates entirely without client-side state such as cookies or localStorage.
Cloudflare Turnstile (bot protection) Our registration and sign-in forms are protected by Cloudflare Turnstile, a privacy-preserving alternative to traditional CAPTCHAs. When you submit one of these forms, Turnstile performs a challenge in the background to verify that you are a human user. In doing so, your browser communicates with Cloudflare’s servers. The following data may be processed by Cloudflare:
- A challenge token generated by the Turnstile widget
- Your IP address (passed to Cloudflare’s verification endpoint as
CF-Connecting-IP) - Browser and device signals used for bot classification
No personal data collected by Turnstile is stored by us; it is processed solely by Cloudflare for the purpose of bot prevention. The result of the challenge (pass or fail) is verified server-side before your registration or sign-in request is processed.
For more information, see Cloudflare’s Privacy Policy.
Analytics (with your consent)
Google Analytics 4 With your consent, we use Google Analytics 4 to understand how visitors interact with our website. This helps us improve our content and user experience. Google Analytics is loaded through Cloudflare Zaraz, which processes analytics data on Cloudflare’s edge network rather than loading Google’s scripts directly in your browser. As a result, some privacy-focused browsers and browser extensions that block third-party analytics scripts may prevent this data from being collected; this is expected behaviour and does not affect your ability to use the site.
When you consent to analytics, the following data may be collected:
- Pages visited and time spent on each page
- Approximate geographic location (country and region level, derived from your IP address — we have enabled IP anonymisation so your full IP address is never sent to Google)
- Device type, screen resolution, browser, and operating system
- Referral source (how you arrived at our site)
- Session duration and interaction events
Google Analytics sets the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
_ga | Distinguishes unique visitors | 2 years |
_ga_[ID] | Maintains session state | 2 years |
We do not use Google Analytics for advertising, remarketing, or user profiling. We do not enable Google Analytics Audiences or share analytics data with Google for advertising purposes.
For more information, see Google’s Privacy Policy and Google Analytics opt-out.
Interactive map
Mapbox Our interactive wine map is powered by Mapbox GL JS. When you use the map, your browser connects directly to Mapbox’s servers to load map tiles and geographic data. Mapbox may collect:
- IP address
- Map interaction data (zoom level, coordinates viewed)
- Browser and device information
Mapbox Geocoding (map search) The map includes a search bar (“Search places…”) powered by the Mapbox Geocoding API. When you type a query into this search bar, the text you enter is transmitted to Mapbox’s servers to retrieve location suggestions. Mapbox may process this query text along with your IP address in order to return results. We do not store or log your search queries on our own systems.
Mapbox does not set cookies on our site. Map data and geocoding requests are processed only when you visit the Map page and interact with the map or the search bar.
For more information, see Mapbox’s Privacy Policy.
Information you provide
Account registration. When you create an account on the /submit page, we collect the following information:
- First name and last name
- Company name
- SIREN number
- Company address
- Email address
- Password (stored exclusively as a cryptographic hash; we never store your password in plain text)
Account data is held in a PostgreSQL database managed by Directus, self-hosted by Spiżarnia REGIO on a privately managed virtual private server (VPS) located in Poland (European Union).
Business listing data. When you submit or manage a business listing, we collect the following information relating to your business:
- Business name and category
- Wine region, French administrative region, and department
- Physical address
- Website URL and phone number
- Business logo (uploaded file)
- Opening Hours or date for festivals
If you upgrade to a premium listing, we additionally collect:
- Photographs of your business or products
- Videos
- Certifications and Awards
- A written description or story about your business
- Any additional details you choose to provide in the premium profile fields
Transactional emails. Upon registration, we send a confirmation email to the address you provide. This email contains an account activation link that is valid for seven (7) days. We may also send account-related transactional emails (for example, notifications relating to your listing or premium subscription). These emails are sent automatically by Directus in the name of Spiżarnia REGIO from an @spizarniaregio.pl address.
Premium upgrade and billing data. When you initiate the Premium upgrade process from your account dashboard, we collect additional data required to issue invoices and administer your subscription. This data is collected through the Premium order form, which becomes available after successful real-time validation of your EU intra-community VAT number or SIREN number (see Section 4.1 of our Terms of Service). The following categories of data are collected at this stage:
- Legal business name and registered address (pre-filled from SIREN or VAT validation; editable before submission)
- EU intra-community VAT number or French SIREN number (as applicable)
- Business email address (used for invoicing and subscription communications)
- Consent to receive invoices electronically, recorded at the time of form submission
This data is used exclusively for the following purposes:
- Issuing a pro-forma invoice and, following receipt of payment, a final VAT invoice
- Administering your Premium subscription, including recording the start and end dates of your subscription period
- Communicating subscription-related information (renewal reminders, payment confirmation)
Invoice data is retained in accordance with applicable Polish and EU accounting regulations, which require the retention of accounting documents for a minimum of five (5) years from the end of the financial year in which the invoice was issued. This retention obligation continues regardless of whether you subsequently delete your account.
The legal basis for processing this data is Article 6(1)(b) GDPR (performance of a contract) and, where applicable, Article 6(1)(c) GDPR (compliance with a legal obligation, namely tax and invoicing requirements).
Legal bases for processing. We process the personal data described in this section on the following legal bases under Article 6 of the GDPR:
- Article 6(1)(b) — processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract. This applies to the creation and management of your user account, the publication of your business listing, and the delivery of transactional emails necessary to activate and maintain your account.
- Article 6(1)(c) — processing is necessary to comply with a legal obligation to which the controller is subject. This applies where applicable law requires us to retain certain records.
Email delivery
Transactional emails are sent by Directus, the content management and backend system self-hosted by Spiżarnia REGIO on a VPS located in Poland (EU). Directus connects to an SMTP relay to dispatch these emails.
Fastmail as SMTP relay. The SMTP relay used is operated by Fastmail Pty Ltd (ABN 31 142 646 580), an Australian company whose registered office is at PO Box 234, Collins Street West, VIC 8007, Australia. Directus connects to Fastmail’s SMTP service (smtp.fastmail.com, port 465) using an @spizarniaregio.pl sender address. Fastmail acts as a data processor in respect of any personal data contained in or associated with emails transmitted via its infrastructure.
Data that Fastmail may process in transit. In the course of delivering transactional emails, Fastmail may process the following categories of data:
- Sender and recipient email addresses
- Email content (subject line and message body) during transit and temporary storage
- The IP address of the sending server (the VPS operated by Spiżarnia REGIO)
- Technical metadata generated in connection with email delivery (e.g., delivery timestamps, bounce records)
International transfer. Fastmail is an Australian company and may process data in Australia, the United States, and other countries outside the European Economic Area (EEA). To safeguard your personal data, Fastmail relies on EU Standard Contractual Clauses (SCCs) published by the European Commission on 4 June 2021, as incorporated in Fastmail’s Data Protection Agreement. For further details, see the Fastmail Privacy Policy and the Fastmail Data Protection Agreement.
How We Use Your Data
We use the data described above for the following purposes:
- To deliver and secure the website (Cloudflare)
- To protect our registration and sign-in forms against automated abuse (Cloudflare Turnstile)
- To understand general website usage patterns and improve content (Cloudflare Web Analytics, Google Analytics with consent)
- To provide interactive map and location search functionality (Mapbox)
- To create and manage your user account on Vina Gallica
- To publish your business listing in the Vina Gallica directory and interactive map, and to make it accessible to visitors of the site
- To send transactional emails related to your account, including account activation and other account-management communications
- To administer premium listing subscriptions, where applicable, including access to premium features and associated billing
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
Cookies Summary
| Cookie | Provider | Type | Purpose | Consent required |
|---|---|---|---|---|
_cf_bm | Cloudflare | Strictly necessary | Bot detection | No |
cf_clearance | Cloudflare | Strictly necessary | Security verification (Turnstile / challenge) | No |
directus_access_token | Vina Gallica | Strictly necessary | Maintains your authenticated session after sign-in. Set as an HttpOnly, Secure, SameSite=Lax cookie; valid for 15 minutes. | No |
directus_refresh_token | Vina Gallica | Strictly necessary | Allows your session to be renewed without re-entering your password. Set as an HttpOnly, Secure, SameSite=Lax cookie; valid for 7 days. | No |
_ga | Google Analytics | Analytics | Identifies unique visitors | Yes |
_ga_[ID] | Google Analytics | Analytics | Session tracking | Yes |
Your Rights and Choices
Cookie preferences
When you first visit our site from the European Economic Area (EEA), you will see a cookie consent banner. You can:
- Accept all cookies — analytics cookies will be set
- Reject all cookies — only strictly necessary cookies will be used
- Manage preferences — choose which categories of cookies to accept
You can change your cookie preferences at any time by clearing analytics cookies from your browser settings. Your authentication cookies (directus_access_token and directus_refresh_token) are strictly necessary for the logged-in area to function and cannot be disabled while you are signed in.
Your rights under GDPR
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to processing of your data
- Right to withdraw consent — withdraw your consent to analytics cookies at any time
To exercise any of these rights, please contact us using the details provided below.
Account deletion
You can delete your account and all associated personal data directly from your account settings at vinagallica.com/dashboard/manage. After confirming the deletion, your account and all associated business listing data will be permanently removed from our systems within 30 days. Following deletion, your data will no longer be accessible through Vina Gallica systems, subject to any retention obligations imposed by applicable law (see “Data Retention” below).
If you experience any difficulty deleting your account, you may also contact us at privacy@vinagallica.com with the subject line “Account Deletion Request” and we will action your request within 30 days of receipt.
Do Not Track
We respect the Do Not Track (DNT) signal. Cloudflare Web Analytics operates without tracking by design, and Google Analytics is only loaded with your explicit consent.
Age Restriction
Vina Gallica contains content related to the consumption of alcohol. Access to the Platform is restricted to individuals aged 21 or over, in line with the legal drinking age in the United States, which is the primary market this Platform is designed to serve. By passing the age verification prompt on entry, you confirm that you meet this requirement. The result of this age verification is stored locally in your browser (in localStorage) and is not transmitted to our servers; no personal data is collected by this mechanism. We do not knowingly permit access to individuals who do not meet this age threshold. If you are located in a country where the legal drinking age is lower than 21, the stricter threshold of 21 still applies when using this Platform.
Children’s Privacy
Vina Gallica does not knowingly collect personal data from children under the age of 16. If you believe that a child under 16 has provided us with personal data without appropriate parental consent, please contact us at privacy@vinagallica.com and we will take prompt action to delete that information.
Data Retention
- Cloudflare security logs — retained according to Cloudflare’s data retention policies
- Google Analytics data — retained for 14 months, after which it is automatically deleted
- Cookie consent preferences — stored in your browser until you clear your cookies
- User account data (name, email address, password hash, company details) — retained for as long as the account is active; deleted within 30 days of account deletion
- Business listing data (all free and premium fields) — retained for as long as the associated account is active; deleted together with the account within 30 days of deletion
- Transactional email logs — retained in accordance with Fastmail’s data retention policy
- Premium billing and invoicing data (business name, address, VAT or SIREN number, email address, invoice records) — retained for a minimum of 5 years from the end of the financial year in which the invoice was issued, in accordance with applicable Polish and EU accounting regulations. This retention obligation applies regardless of account deletion.
Data Transfers
Our website infrastructure is provided by Cloudflare, which operates a global network. Data may be processed in data centres outside the EEA. Cloudflare complies with applicable data protection frameworks for international data transfers.
Google Analytics data is processed by Google LLC, which participates in the EU-US Data Privacy Framework. For more information, see Google’s data transfer practices.
Transactional emails are relayed via Fastmail Pty Ltd (Australia), which relies on EU Standard Contractual Clauses for international data transfers. For more information, see the Fastmail Data Protection Agreement.
Third-Party Links
Our site contains links to external websites, including wineries, wine shops, and other businesses listed in our directory. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
- Bogusław Siemiątkowski “Spiżarnia REGIO”
- Napoleońska 49, 06-500 Mława, Poland
- VAT-EU: PL5691729538
- Email: privacy@vinagallica.com