Last updated 2026-05-18
Privacy & cookies
Short version: we use Google Analytics 4 with consent required, store nothing on our server, never sell your data, and you can decline cookies and still use every feature.
What we collect
Google Analytics 4 (with your consent)
If you click Accept on the cookie banner, Google Analytics 4 sets one first-party cookie (_ga) and tracks pageviews, country (approximate from IP, then discarded), device type, and browser. We use this to know which waterfall pages people actually find useful.
If you click Decline, GA4 still loads but in consent-denied mode — it sends anonymous “ping” requests without cookies and without your IP. No identifiers, no profile. You can revoke or change consent any time by clearing site data in your browser.
We have disabled Google Signals, ad personalization, and IP-based location precision in our GA4 configuration.
Local storage (no consent needed)
Two features use your browser's localStorage:
- “Saved” list: when you click the heart icon on a waterfall page, we store its slug in your browser. The list stays on your device — we can't see it, it's not synced to any server, and clearing browser data deletes it.
- Cookie consent choice: when you accept or decline the banner we store that choice in fallspots:consent so we don't ask again. This is a legitimate interest and exempt from consent under GDPR.
Geolocation (only with permission)
The “Find waterfalls near me” button asks your browser for your location. Your browser asks you to permit it. If you allow, we use the coordinates ONCE to find the closest waterfall in our dataset, then immediately discard them. Nothing is sent to our server. Nothing is stored.
Server logs (essential, no consent)
Our hosting provider (Cloudflare Pages) keeps standard HTTP access logs for security and abuse prevention. These contain IP addresses and user agents, kept for up to 30 days. We don't access them unless investigating an incident.
Email (only when you write us)
If you email hello@fallspots.com — for trip planning, photo submissions, corrections, etc. — we use your email address only to reply. We do not add it to any list and we do not share it.
What we don't do
- We do not sell, rent, or share your data with third parties.
- We do not run advertising on the site.
- We do not use third-party tracking beyond GA4 (no Meta Pixel, no TikTok, no LinkedIn).
- We do not have user accounts. There is nothing to log in to.
- We do not store anything about you on our server — the site is fully static HTML.
- We do not use dark patterns to coax consent. “Decline” is the same size and prominence as “Accept”.
Your rights (GDPR + CCPA)
Because we store nothing about you on our side, most data-subject rights are already satisfied by your own browser controls. Specifically:
- Right of access / erasure: clear your cookies + site data in your browser. There is nothing for us to provide because we don't hold anything tied to you.
- Right to object to processing: click Decline on the cookie banner (or clear fallspots:consent and reload).
- Right to portability: the “Saved” list lives in your own localStorage — open DevTools, copy it out.
- California “Do Not Sell” (CCPA): we don't sell. The “Decline” button on the cookie banner is the equivalent opt-out.
For anything else, write to hello@fallspots.com.
Children
The site is general-audience and we don't knowingly collect data from children under 13. If you believe a child has interacted with us, contact us and we'll investigate.
Changes to this policy
We'll update this page if we add or remove tracking. The “Last updated” date at the top tells you when. We don't email you about it — there's no list to email.
Contact
Email hello@fallspots.com. We read it. We're Marina and Theo Vance, the two people who run this site.