Privacy policy

What personal data Gridline Cities collects, why we collect it, and the rights you have over it under the EU General Data Protection Regulation.

Last updated 23 April 2026

1. Who is the data controller

The data controller for this Site is Jacques Brosius, trading as Gridline Cities, established in Luxembourg. Contact: brosiusjacques@gmail.com.

Postal address: [POSTAL ADDRESS TO BE ADDED].

2. Data we collect and why

2.1. Newsletter signups

When you subscribe to the newsletter we store your email address and the page you subscribed from. We use this only to send you occasional updates about new posters and new city drops. Legal basis: your consent (GDPR art. 6(1)(a)). You can unsubscribe at any time via the link in every email.

2.2. Purchases

When you buy a poster we store your email address (provided to Stripe at checkout), the order details, the Stripe customer and payment references, and the timing of your download activity. Legal basis: performance of the sale contract (GDPR art. 6(1)(b)) and our legal obligation to keep accounting records (art. 6(1)(c)).

2.3. Payments

Card details are entered on Stripe’s checkout page and never pass through our servers. Stripe is an independent data controller for payment processing; see stripe.com/privacy.

2.4. Server logs

Our hosting provider (Railway) keeps short-lived technical logs of requests to the Site, including IP address and user-agent, for security and debugging. Legal basis: our legitimate interest in operating a secure service (GDPR art. 6(1)(f)).

3. Cookies

We use a small number of strictly-necessary cookies (for the admin session and the checkout flow). We do not use advertising or cross-site tracking cookies. See the Cookies page for the full list.

4. Who we share data with

Personal data is shared only with service providers who process it on our behalf:

Stripe — payment processing. Established in Ireland; transfers may be safeguarded by EU Standard Contractual Clauses.
Brevo (Sendinblue SAS) — transactional email and newsletter. Established in France (EU).
Railway — website hosting. Established in the United States; transfers are safeguarded by EU Standard Contractual Clauses.

We do not sell your personal data to anyone.

5. How long we keep data

Newsletter email: until you unsubscribe.
Order records: for 10 years, to meet Luxembourg accounting obligations.
Server logs: short-term, typically under 30 days.

6. Your rights

Under the GDPR you have the right to:

access the personal data we hold about you;
rectify inaccurate data;
erase your data (subject to our legal retention obligations);
restrict or object to processing;
receive your data in a portable format;
withdraw your consent at any time, without affecting prior processing.

To exercise any of these, email brosiusjacques@gmail.com. You also have the right to lodge a complaint with the Luxembourg data protection authority (Commission nationale pour la protection des données).

7. Changes to this policy

We may update this policy to reflect new services or legal developments. The “last updated” date at the top of the page shows the current version.