Privacy Policy
Effective: 2026-05-17 · Last updated: 2026-06-15
This policy explains what personal information consalsa.app ("we", "our", "us", "the Site") collects, why we collect it, how long we keep it, who we share it with, and your rights over it. It is written in plain English but addresses the requirements of the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA") and other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and similar), as well as the EU and UK GDPR for visitors from those jurisdictions.
consalsa.app is operated by a United States company (Data Sauna LLC), its audience is primarily in the United States, and all personal information is stored and processed in the United States. US federal and state privacy law is therefore our primary framework, and the rights and disclosures below are written with US visitors in mind first. We also extend the core privacy rights to visitors from the EU, the UK, and elsewhere — those provisions are flagged where they apply. If you are outside the United States, by using the Site you understand that your information is transferred to and processed in the US.
This site is designed for adults, not children. The content covers colloquial and sometimes adult Mexican Spanish slang, and the Site is intended for users who are at least 18 years old. See Section 9 for details.
1. Who we are (data controller / business)
consalsa.app is operated by Data Sauna LLC, a single-member limited liability company formed in the State of Wyoming, United States, with a registered office at 30 N Gould St, Ste R, Sheridan, WY 82801, USA. For the purposes of this policy, Data Sauna LLC is the "business" under CCPA/CPRA and the "data controller" under GDPR and UK GDPR. The easiest way to reach us about anything in this policy is to email hola@consalsa.app.
2. Notice at collection: what we collect and why
We try to collect as little as possible. The full inventory, mapped to the CCPA's enumerated categories of personal information:
Newsletter signup
CCPA category: identifiers (email address, IP address) and internet/network activity (signup source page).
- Email address — stored lowercased so we can send you the daily word.
- Signup source — the page you signed up from (homepage, a specific word page, a blog post). Used internally to see which placements actually convert.
- IP address — captured at the moment of signup. Used to rate-limit the form (maximum 6 signups per IP per hour) and to detect abuse. We don't use it to profile you or look up your location.
- Timestamp — when the row was created (proof of consent and an audit trail).
Purpose of processing: sending the newsletter you signed up for and preventing abuse of the signup form. Retention: see Section 6. Legal basis for EU / UK visitors (GDPR Art. 6): your consent under Art. 6(1)(a) for sending the newsletter, and our legitimate interest under Art. 6(1)(f) in keeping the signup form free from spam and abuse.
Analytics
CCPA category: internet/network activity (aggregated and not linked to you).
We use Vercel Analytics, which is cookieless and privacy-friendly. It records page views, referrer, country, device type, and browser — but no cookies are set, no localStorage is written, and no personal identifier (IP, user ID) is stored in a way that can be linked back to you. We use this to understand aggregate traffic patterns. Legal basis for EU / UK visitors: legitimate interest under Art. 6(1)(f) GDPR.
Server logs
CCPA category: identifiers (IP), internet activity (URLs, user-agent).
Like any website, our host (Vercel) generates short-lived server logs that include request IP, user-agent, timestamp, and the URL requested. These are used for delivery, performance debugging, and abuse prevention, and are retained according to Vercel's standard log retention. Legal basis for EU / UK visitors: legitimate interest in operating and securing the Site.
"Cookies" notice
The Site does not set tracking cookies. The only client-side storage we
use is a small set of values in your browser's localStorage:
-
cookie-consent— remembers that you've dismissed the cookie notice. -
cs_popup_shown_at— a timestamp so the exit-intent popup (newsletter signup or quiz teaser) doesn't show again for 30 days after you've seen it. -
cs_subscribed— set after a successful newsletter signup so we stop showing you the signup popup on future visits.
None of these contain personal information — they are timestamps or boolean flags.
The exit-intent popup logic is gated on the cookie-consent flag, so
the cs_* entries are only written after you've dismissed the cookie
notice. See our cookie policy for the full breakdown,
legal basis, and how to clear them.
3. Sale and sharing of personal information
We do not sell personal information for money or other valuable consideration. We do not share personal information for cross-context behavioral advertising (often shortened to "targeted advertising"). Because we don't sell or share, there is nothing for you to opt out of in those categories — but if you submit a Global Privacy Control (GPC) signal, we treat it as a valid opt-out request consistent with applicable law.
We do not knowingly sell or share the personal information of consumers under 16 (or under any other age that may apply under state law).
4. How we use your information
- To send you the daily newsletter you signed up for.
- To rate-limit signups and prevent spam and abuse.
- To understand, in aggregate, how the Site is used and improve it.
- To respond to your requests (e.g. unsubscribe, deletion).
- To comply with applicable law and protect our legal rights.
We do not use your personal information for automated decision- making or profiling that would produce legal or similarly significant effects on you (GDPR Art. 22). We do not process "sensitive personal information" as that term is used under the CPRA.
5. Who we share information with (service providers)
We rely on a small set of vendors ("service providers" under CCPA/CPRA; "processors" under GDPR) that process information on our behalf, under contract. Each only sees what it needs to do its job.
- Vercel Inc. (United States) — hosting and serverless functions that run the signup endpoint. Sees: requests to the Site, server logs. Vercel privacy policy.
- Vercel Analytics (Vercel Inc., United States) — cookieless, aggregate analytics.
- Supabase Inc. (United States; database hosted in our chosen region) — Postgres database that stores newsletter signups. Sees: your email, signup source, and IP as described above. Supabase privacy policy.
- Resend, Inc. (United States) — transactional email provider that delivers the daily newsletter. Sees: your email address and the content of messages sent to you. Resend privacy policy.
We don't add or change vendors casually. If we do, we'll update this list and the "Last updated" date at the top.
6. International data transfers and retention
Our service providers are based in the United States. When personal information is transferred from the EEA, UK, or Switzerland to the US, we rely on appropriate safeguards under GDPR Art. 46 — typically the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and/or the EU–US Data Privacy Framework where the provider is certified. Each provider's privacy page (linked above) describes the transfer mechanism they offer.
How long we keep things:
- Newsletter subscription record (email, source, IP, timestamp) — kept while you are subscribed. If you unsubscribe, we keep a minimal suppression record (your email, hashed where feasible) so we don't accidentally re-add you. If you request full deletion, the record is removed entirely.
- Vercel Analytics aggregates — retained per Vercel's standard retention; anonymized at collection and not linked to you.
- Server logs — short-lived, retained per Vercel's standard log-retention windows.
7. Your rights
You have rights over the personal information we hold about you. We honor these rights for everyone, regardless of jurisdiction:
- Right to know / access — request a copy of, or details about, the personal information we hold about you.
- Right to correct / rectify — ask us to correct inaccurate information.
- Right to delete / erasure — ask us to delete your information.
- Right to portability — ask for your information in a structured, machine-readable format.
- Right to opt out of sale or sharing — we don't sell or share, but you can submit a GPC signal at any time.
- Right to limit use of sensitive personal information — we don't process it; this right is non-applicable here.
- Right to non-discrimination — we will not penalize you for exercising any privacy right.
- For EU/UK visitors: the rights to restriction, objection, and to withdraw consent at any time (with no effect on the lawfulness of past processing).
To exercise any of these, email hola@consalsa.app from the address subscribed (or otherwise reasonably identify yourself). We aim to respond within 45 days (CCPA/CPRA) or 30 days (GDPR/UK GDPR). You may also designate an authorized agent to make a request on your behalf in accordance with applicable law. You can unsubscribe from the newsletter at any time using the link in any email we send.
8. Right to lodge a complaint
If you believe we've mishandled your personal information, you can lodge a complaint with the relevant authority:
- California residents — California Privacy Protection Agency at cppa.ca.gov, or the California Attorney General at oag.ca.gov.
- Other US state residents — your state Attorney General.
- EEA residents — your local Data Protection Authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.
- UK residents — the Information Commissioner's Office at ico.org.uk.
We'd appreciate the chance to address concerns directly first, but you're under no obligation to come to us before contacting an authority.
9. Children
The Site is designed for adults, not children. It is intended for users who are at least 18 years old, and we do not knowingly collect personal information from anyone under 18. The newsletter is not directed at children, and we comply with the Children's Online Privacy Protection Act (COPPA) by not knowingly collecting personal information from children under 13 in the United States, and with applicable digital-consent rules in other jurisdictions. If you believe a minor has provided us with personal information, contact us and we will delete it.
10. Security
Information is transmitted over HTTPS. Newsletter records are stored in our service provider's database (Postgres on Supabase) with access restricted to authenticated server requests. No system is perfectly secure, but we take reasonable steps to protect the small amount of information we hold. If we ever experience a security incident that affects your personal information, we will notify you and any relevant authority where required by law.
11. About AI-assisted content
We use AI tools to draft and research the words, examples, and blog posts on the Site. All content is fact-checked and edited by a human before publication. AI is not used to make decisions about you, to profile you, or to process your personal information — it is used to help write the content you read on the Site.
12. Changes to this policy
We may update this policy from time to time. Material changes will be reflected in the "Effective" and "Last updated" dates at the top, and significant changes will be flagged in the newsletter. Continued use of the Site after changes take effect means you accept the updated policy.
13. Contact
Questions, requests, or complaints? Email hola@consalsa.app, reply to any newsletter email, or reach out via the social links in the footer.