Privacy Policy

    How we handle strictly necessary tech and cookieless analytics

    Last updated: 2026-06-27

    We value your privacy. This page explains which technologies are strictly necessary for the website to function and how our optional analytics work.

    Strictly necessary (always on)

    These technologies are essential for core functionality and are not used for advertising or user profiling:

    • Single Page App runtime: routing, UI rendering, accessibility features
    • Service Worker: offline caching and reliable asset delivery
    • Local storage for consent choice (analytics_consent) so your preference persists
    • Supabase authentication session (admin area only) - session cookies are only set when accessing admin features
    • Security headers and HTTPS to protect data in transit

    Analytics

    We use two separate analytics tools with two different roles. Anonymous, cookieless visit counting (Umami Cloud) runs at all times to measure overall traffic. More detailed analytics and advertising measurement (Google Analytics 4) run only after you opt in from the consent banner or the Privacy preferences link in the footer.

    Providers

    • Umami Cloud – cookieless, privacy-friendly analytics hosted in the EU. It sets no cookies, collects no personal identifiers, and honors your browser's Do Not Track setting. It counts page views only and runs without consent on the basis of our legitimate interest in measuring traffic.
    • Google Analytics 4 – runs only after you grant consent. With consent it sets analytics and advertising cookies and uses Google Signals for cross-device measurement and ad personalization. Google does not log or store IP addresses in GA4.

    What we track

    Umami records page views only, to measure overall traffic. After you opt in, Google Analytics 4 additionally records interaction events (for example searches, map engagement, sharing, and session summaries) to help us understand usage and reach. Our implementation is documented in src/lib/analytics.ts.

    Data collected by Umami Cloud

    • Page views (URL path) and the referrer URL, where available
    • Technical metadata like browser, operating system, device type, viewport size, and language
    • UTM parameters present in the page URL, for campaign attribution
    • A daily-rotating, non-reversible visitor hash for counting unique visitors (no cookie, not stored as an identifier)
    • Approximate location derived from IP at request time for aggregated statistics; IP addresses are not stored

    Data collected by Google Analytics 4 (after opt-in)

    • Page views, navigation flows, and engaged sessions
    • Event data such as searches, map interactions, filter and sort usage, beach views, directions, and shares
    • Technical metadata such as browser, operating system, device category, and screen size
    • Approximate geolocation (country/region); Google does not store IP addresses
    • UTM parameters and campaign metadata when present
    • Advertising and cross-device signals via Google Signals (for signed-in Google users who allow ads personalization), used for ad personalization and remarketing
    • Consent status, so we can demonstrate your opt-in

    What we never collect

    • No names, email addresses, or precise (GPS) location
    • Nothing for advertising until you opt in — advertising cookies and Google Signals stay off and never run if you decline
    • We never sell your personal data

    Purpose and legal basis

    Cookieless traffic counting (Umami) relies on our legitimate interest (GDPR Article 6(1)(f)) in measuring overall site traffic; it uses no cookies or personal identifiers and honors Do Not Track. Detailed analytics and advertising measurement (Google Analytics 4, including Google Signals) rely on your consent (Article 6(1)(a)), which you may withdraw at any time.

    Data retention

    We retain analytics data for up to 12 months in Umami and 14 months in Google Analytics 4 (current GA minimum for aggregated reporting). Retention is configurable; if we change these windows, we will update this page. We do not sell your personal data. After you opt in, Google may use analytics data for ad personalization and remarketing through Google Signals.

    Change or withdraw your consent

    You can change your choice at any time via the Privacy preferences link in the site footer. Withdrawing consent stops Google Analytics 4 and all advertising measurement. The anonymous, cookieless visit count continues unless you enable your browser's Do Not Track setting, which Umami always respects.

    Your rights (GDPR)

    • Access your personal data
    • Request deletion (erasure) of your personal data
    • Correct inaccurate data
    • Restrict or object to processing
    • Data portability
    • Withdraw consent at any time (does not affect prior lawful processing)
    • Lodge a complaint with your local supervisory authority

    Data controller and processor

    The data controller is Beaches of the Canaries. Umami Cloud provides analytics services as our data processor.

    International transfers

    Depending on your location and service infrastructure, analytics data may be processed outside your country. We rely on appropriate safeguards offered by our service providers.

    Children

    This site is not directed to children under 13, and we do not knowingly collect personal data from them.

    Changes to this policy

    We may update this policy from time to time. The “Last updated” date above reflects the latest changes.

    Contact

    Questions about this policy? Contact us at hello@beachesofcanaries.com.