Privacy Policy

1. Data Controller

In accordance with the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), we inform you that personal data collected through this website will be processed by:

• Owner: Pablo Belmonte Hernández
• Address: Calle Arganda 30, 28005 Madrid
• Email: [email protected]

2. Data We Collect

We collect the following types of personal data:

• <strong>Identification data:</strong> name, email, password (encrypted)
• <strong>Usage data:</strong> sessions conducted, configuration preferences
• <strong>Session content:</strong> conversations with the AI, summaries and private letters, encrypted with XChaCha20-Poly1305 in the database
• <strong>Payment data:</strong> managed by Stripe. We do not store card data.

3. Purpose of Processing

Your personal data will be processed for the following purposes:

• Provision of the AI-powered relationship improvement service
• Management of your user account
• Billing and collection for contracted services
• Service-related communications
• Compliance with legal obligations

4. Legal Basis for Processing

The processing of your data is based on:

• <strong>Contract performance:</strong> provision of the contracted service
• <strong>Consent:</strong> for sending commercial communications
• <strong>Legitimate interest:</strong> for improving our services
• <strong>Legal obligation:</strong> compliance with tax and accounting regulations

5. Data Retention

Personal data will be retained as long as the contractual relationship is maintained. After termination, they will be kept for the legally established periods (5 years for tax data). AI conversations, summaries and private letters are stored encrypted with XChaCha20-Poly1305 (authenticated AEAD encryption) while your account is active. The encryption key lives outside the database. When you delete your account, the encrypted data is permanently erased.

6. Data Recipients

Your data may be shared with:

• <strong>Service providers:</strong> hosting (DigitalOcean, EU), payment processing (Stripe), AI services (Google Gemini)
• <strong>Public authorities:</strong> when required by law
• All our providers comply with adequate data protection guarantees (GDPR or Standard Contractual Clauses)

7. Your Rights

You have the right to:

• <strong>Access:</strong> know what data we hold about you
• <strong>Rectification:</strong> correct inaccurate data
• <strong>Erasure:</strong> request deletion of your data
• <strong>Objection:</strong> object to the processing of your data
• <strong>Restriction:</strong> request restriction of processing
• <strong>Portability:</strong> receive your data in a structured format

To exercise these rights, you can contact us at [email protected].

8. Data Security

We implement appropriate technical and organizational measures to ensure the security of your data, including:

• At-rest encryption of conversations, summaries and private letters with XChaCha20-Poly1305 (AEAD)
• SSL/TLS encryption in all communications
• Password hashing with secure algorithms (bcrypt)
• Restricted access to personal data
• Servers located in the European Union

9. Complaints

If you believe that the processing of your data does not comply with the regulations, you can file a complaint with the Spanish Data Protection Agency (www.aepd.es).

10. Changes

We reserve the right to modify this privacy policy to adapt it to legislative changes. We will notify you of any significant changes through the platform or by email.

11. Integración con Meta (Facebook e Instagram)

Let's Shine opera un programa de creadores de contenido que utiliza la Meta Graph API para detectar publicaciones públicas de creadores asociados. Cuando un creador acepta participar en nuestro programa de afiliación y publica contenido mencionándonos junto con su código, nuestro sistema consulta automáticamente la API de Meta para verificar esa publicación. En ningún caso accedemos a contenido privado, mensajes directos, ni datos personales de la audiencia del creador. Solo leemos publicaciones que el creador emite públicamente.

Los permisos que usamos son instagram_basic, instagram_manage_insights, pages_read_engagement, pages_manage_posts y pages_manage_metadata, exclusivamente sobre la Página de Facebook e Instagram Business de %site_name%.

12. Eliminar tus datos

Puedes solicitar la eliminación completa de tus datos en cualquier momento. Para ello:

• Desde la web: Mi cuenta → Eliminar cuenta. El proceso es inmediato.
• Por email: [email protected]. Respondemos en menos de 72h.

Qué eliminamos: tu perfil, mensajes, cuestionarios, respuestas, resúmenes de conversación, progreso, cualquier contenido personal.

Qué anonimizamos (por obligación legal de conservar registros fiscales): facturas y registros de pago. Se conservan desvinculados de tu identidad, sin nombre, email, ni perfil asociado.

Si tienes Facebook o Instagram vinculado a Let's Shine, también puedes solicitar la eliminación desde los ajustes de Meta. Nuestro endpoint POST /meta/data-deletion procesa la petición automáticamente. Podrás ver el estado de tu solicitud en la URL que Meta te proporcionará.