Privacy Policy.
What data GTRotation handles, why, and the rights you have over it. Last updated 12 June 2026.
Who is responsible
GTRotation (“the site”) is an independent, one-person fan project operated by Besian Shala from Italy, in the European Union. For any privacy question or to exercise your rights, reach out through the contact page. As the data controller, the operator decides what data is processed and why, as described below.
What we collect
If you create an account: your email address, a password (stored only as a salted hash by our authentication provider — never in plain text), and an optional display name.
If you use wishlist or garage features: the cars you save. While signed out these stay in your browser only; when signed in they are linked to your account so they sync across devices.
If you enable car alerts: a preference flag and a log of which alerts were sent, so the same alert is not emailed twice.
If you use the contact form: the message you write and, optionally, your email so we can reply.
Everyone: anonymous, aggregated usage counts (daily site visits and per-car page views) that are not tied to your identity, plus cookieless analytics and performance metrics provided by Vercel. Advertising data is only processed if you consent to cookies (see section 5).
Why, and on what legal basis
Account data is processed to provide the service you ask for (Art. 6(1)(b) GDPR — performance of a contract). Anonymous analytics and basic security are processed on the basis of our legitimate interest in keeping the site working and improving it (Art. 6(1)(f)). Advertising cookies and any non-essential tracking are processed only with your consent (Art. 6(1)(a)), which you can withdraw at any time. Car alert emails are sent only after you opt in.
Who we share it with
We do not sell your data. We rely on a small number of processors that handle data strictly on our behalf:
- Supabase — database, authentication, and account storage.
- Vercel — hosting, plus cookieless analytics and performance monitoring.
- Google AdSense — advertising, only after you consent to cookies.
- Formspree — delivery of contact-form messages.
- Resend — delivery of car-alert emails, if you opt in.
Some of these providers may process data outside the EU, including in the United States. Where that happens, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy framework.
Cookies
We use essential cookies and local storage to run the site, and — only with your consent — Google AdSense advertising cookies. No advertising or profiling cookie is set before you accept. Full details and a way to change your choice are in the Cookie Policy.
How long we keep it
Account data is kept for as long as your account exists; when you ask us to delete it, it is removed along with your wishlist, garage, and alert preferences. Anonymous usage counts contain no personal data and are retained in aggregate. Contact-form messages are kept only as long as needed to handle your request.
Your rights
Under the GDPR you can request access to your data, correction, deletion, restriction or objection to processing, and portability, and you can withdraw consent at any time. To exercise any of these, contact us through the contact page — account deletion (data erasure) can be requested the same way. You also have the right to lodge a complaint with the Italian data protection authority, the Garante per la protezione dei dati personali.
Children
The site is not directed at children under 14. In Italy, that is the minimum age to consent to online services on one's own; younger users need a parent or guardian's consent. If you believe a child has given us personal data, contact us and we will delete it.
Changes
We may update this policy as the site evolves. Material changes will be reflected here with a new “last updated” date.