Privacy Policy

Last updated: [YYYY-MM-DD]

1. Data controller

[COMPANY_NAME], CIF [CIF], with registered office at [COMPANY_ADDRESS], is the data controller for the personal data processed through this service. Contact: [PRIVACY_EMAIL].

2. What data we process

  • Account data: name, email, company, role. Authentication is handled by Amazon Cognito.
  • Usage data: pages visited, actions within the product, timestamps, IP address, device and browser information.
  • Content data: mix designs, materials, test results and other data you upload.
  • Billing data: if applicable, handled through our payment processor (e.g. Stripe). We do not store full card numbers.

3. Purposes and legal bases

  • Provide the service (authentication, storing your data, running predictions): performance of contract (Art. 6.1.b GDPR).
  • Security and fraud prevention: legitimate interest (Art. 6.1.f GDPR).
  • Legal and tax obligations: legal obligation (Art. 6.1.c GDPR).
  • Analytics and product improvement: consent (Art. 6.1.a GDPR) — you control this via the cookie banner.
  • Marketing communications: consent; you can withdraw at any time via the unsubscribe link in any email.

4. Retention

We keep account and content data for as long as your account is active and for up to [N] months after termination, after which it is deleted or anonymised. Billing records are kept as required by Spanish tax law (typically 4–6 years). Analytics events are kept for [N] months.

5. Recipients and sub-processors

We share data only with providers that support the service and are bound by data processing agreements:

  • AWS (Amazon Web Services EMEA SARL): hosting, database, authentication (Cognito). Region: EU (eu-west-1 / eu-west-3).
  • [EMAIL_PROVIDER]: transactional email (e.g. Amazon SES).
  • [ANALYTICS_PROVIDER]: product analytics, if consented.
  • [PAYMENT_PROVIDER]: payment processing, if applicable.
  • [ERROR_MONITORING_PROVIDER]: error reporting (e.g. Sentry).

6. International transfers

We prioritise EU-based processing. Where a transfer outside the EEA is necessary, it is covered by the European Commission Standard Contractual Clauses and any additional safeguards required by case law.

7. Your rights

Under GDPR and LOPDGDD you can exercise the following rights free of charge: access, rectification, erasure, restriction, portability, objection, and the right not to be subject to fully automated decisions with legal effects. To exercise them, write to [PRIVACY_EMAIL]. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es).

8. Security

We apply technical and organisational measures appropriate to the risk (encryption in transit, access controls, audit logs, least-privilege roles, backups). No system is perfectly secure; we will notify affected users and, where required, the AEPD of personal data breaches in line with Art. 33 GDPR.

9. Children

The service is not directed to children under 14. If you believe a minor has provided data, contact us and we will delete it.

10. Cookies

See our Cookie Policy for details and to manage your choices.

11. Changes

We may update this policy. We will give notice of material changes. The date at the top shows the latest revision.

12. Contact

Privacy questions: [PRIVACY_EMAIL].
