Privacy policy

Last updated: 10 May 2026

This page explains what personal data rwemap.org collects, how it is used, and your rights under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act. It is written in plain language; if anything is unclear, please email the contact below.

Data controller

The data controller for rwemap.org is:

Teemu Nieminen
Email: rwemap@proton.me

Contact me with any questions, corrections, or requests about your personal data.

Public visitors

If you visit rwemap.org without signing in or interacting with the theme toggle, nothing is stored on your device by this site, and no personal data is collected.

If you click the light/dark theme toggle in the header, your preference is stored in your browser as a cookie named rwemap-theme and in localStorage with the same name. The value is just light or dark. It is not shared with anyone, contains no personal data, and exists solely so the site remembers your visual preference. Under EU rules these qualify as user-requested preferences and are exempt from cookie consent requirements.

Administrators

Administrators are people invited to add or edit incidents on the map. If you sign in as an admin, the following personal data is processed:

Your email address
Authentication tokens (set as cookies by Supabase, the platform that runs the auth service)
Sign-in metadata (timestamps, IP address, user-agent — retained by Supabase as part of standard authentication logging)
Your “Verified by” display label, if you choose to set one
The timestamp of your account creation
Records of incidents you create or edit

These data points are essential to running the admin tooling. Authentication cookies are exempt from cookie consent because you explicitly requested authentication when you signed in.

People and organisations documented on the map

The map shows incidents documented from publicly available sources. Information about the people and organisations the map describes (names, affiliations, dates, locations, links to public posts) is processed under the legal basis of journalistic and public-interest research permitted by Article 85 GDPR and §27 of the Finnish Data Protection Act.

If you appear on the map and believe the information is inaccurate, contact rwemap@proton.me. Corrections are evaluated against the original public sources cited on each incident.

Where data is stored

Personal data is processed on our behalf by Supabase Inc., which hosts the database in Frankfurt, Germany under a Data Processing Agreement (supabase.com/legal/dpa).

Supabase is a processor; the data controller for all personal data on this site remains Teemu Nieminen.

Cookies and browser storage

The complete list of what this site can store on your device:

Name	Type	Purpose	When set	Lifetime
`rwemap-theme`	Cookie + localStorage	Remembers your light/dark theme preference	Only when you click the toggle	1 year
`sb-*`	Cookies	Supabase authentication tokens (admins only)	After successful admin sign-in	Up to 30 days

We do not use any analytics, advertising, or tracking cookies. We do not embed third-party scripts that profile visitors. We do not share data with any party other than the hosting processor (Supabase) under a DPA.

How long data is kept

Theme preference: until you clear your browser storage, or one year — whichever comes first.
Authentication tokens: until you sign out, or up to 30 days — whichever comes first.
Admin profile: as long as you remain an admin. When access is revoked, your account and profile are deleted.
Incidents you authored: kept indefinitely as part of the public record. Your “Verified by” label remains on those incidents as historical attribution unless you request its removal under your right to erasure.
Sign-in logs: retained by Supabase per their default policy.

Your rights

Under GDPR you have the right to:

access the personal data held about you (Article 15)
have inaccurate data corrected (Article 16)
request erasure (Article 17)
restrict or object to processing (Articles 18 and 21)
receive a copy of your data in a portable format (Article 20)
lodge a complaint with a supervisory authority (Article 77)

To exercise any of these rights, email rwemap@proton.me. Requests are handled within 30 days.

When an admin invokes the right to erasure, we delete the auth account and profile, and clear the “Verified by” label from incidents the admin authored. The map then shows “Removed at the verifier’s request” in place of the original label. The incidents themselves remain published as part of the public record, with no identifying information about the former admin.

Supervisory authority

If you believe your data rights have been violated, you can lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu): tietosuoja.fi/en.

Changes to this policy

If this policy changes, the “Last updated” date at the top will change. Material changes affecting administrators’ rights will additionally be communicated by email.

← Back to the map