Sparn Blog

Privacy Policy

Last updated: March 3, 2026

1. Data Controller

Sparn Blog (blog.sparn.dev) is operated by Sparn. For any questions regarding your personal data, contact us at privacy@sparn.dev.

2. Data We Collect

Account Data

When you create an account, we collect:

  • Email address — for authentication and account recovery
  • Name and username — for your public profile
  • Password — stored securely using bcrypt hashing (cost factor 14), never in plain text
  • Profile image — from OAuth providers or uploaded
  • Biography — optional, for your public profile

OAuth Data

If you sign in with Google or GitHub, we receive your name, email, and profile image from the provider. We store the provider account ID but do not retain your OAuth access tokens beyond the session.

Usage Data

  • Comments — content you post on articles
  • Favorites — articles you bookmark
  • Reading history — articles you have viewed

Data We Do NOT Collect

  • No analytics or tracking (no Google Analytics, no third-party trackers)
  • No IP address logging
  • No device fingerprinting
  • No advertising cookies

3. Legal Basis (GDPR Art. 6)

  • Consent — you agree to our privacy policy when creating an account
  • Legitimate interest — essential cookies for authentication
  • Contract — providing the service you signed up for

4. Cookies

We use one essential cookie for authentication (NextAuth JWT session). This cookie is HTTP-only, secure, and expires after 24 hours. We do not use analytics, tracking, or advertising cookies.

5. Third Parties

ServicePurposeData Shared
Google OAuthSign-inAuthentication flow only
GitHub OAuthSign-inAuthentication flow only
AI APIs (Ollama/OpenRouter)Article generationNo personal data — only article content
Image APIs (Unsplash/Pexels/Pixabay)Article bannersNo personal data — search queries only

6. Your Rights (GDPR / RGPD)

Under EU/French law, you have the right to:

  • Access — export all your data (Settings → Export Data)
  • Rectification — edit your profile at any time
  • Erasure — delete your account and all associated data (Settings → Delete Account)
  • Portability — download your data in JSON format
  • Object — contact us to object to any processing
  • Withdraw consent — delete your account at any time

7. Data Retention

Your data is retained for the duration of your account. When you delete your account, all personal data is permanently and immediately deleted, including comments, favorites, and reading history. This operation is irreversible.

8. Data Security

  • All traffic encrypted via HTTPS (TLS 1.3) with HSTS preloading
  • Passwords hashed with bcrypt (cost factor 14)
  • API keys encrypted with AES-256-GCM at rest
  • Rate limiting and account lockout against brute force
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options, COOP
  • No sensitive data in URLs or logs

9. CNIL (French Data Protection Authority)

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

  • Website: www.cnil.fr
  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07

10. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated through the website. Continued use of the site after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or to exercise your rights, contact us at: privacy@sparn.dev