Aprolio

Privacy Policy

Last updated: March 11, 2026

1. Data Controller

In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPD-GDD), the data controller for your personal data is:

2. Data We Collect

Depending on how you use our service, we may collect the following categories of personal data:

  • Identification and contact data: full name and email address provided during registration.
  • Account data: agency name, profile photo and user settings within the platform.
  • Usage data: activity within the platform (projects created, deliverables managed, comments, accesses). Stored in Google Firestore and used solely to provide the contracted service.
  • Billing and payment data: managed entirely by Stripe, Inc. Aprolio does not store credit card numbers or complete payment information.
  • Client data (third-party data): name and email of end-clients that Aprolio users invite to the platform. The Aprolio user acts as data controller for this data; Aprolio acts as data processor.
  • Technical data: session data managed by Firebase Authentication (Google LLC). Strictly necessary for the service to function.

3. Purpose and Legal Basis

Purpose | Legal Basis
Providing the service (project and client management) | Contract performance (Art. 6.1.b GDPR)
Payment and subscription management | Contract performance (Art. 6.1.b GDPR)
Service communications (notifications, deliverable alerts) | Legitimate interest (Art. 6.1.f GDPR)
Commercial communications about new features or plans | User consent (Art. 6.1.a GDPR)
Usage analytics to improve the service | Legitimate interest (Art. 6.1.f GDPR)
Compliance with legal and tax obligations | Legal obligation (Art. 6.1.c GDPR)

4. Retention Period

  • Account and usage data: while the account is active and up to 3 years after cancellation.
  • Billing data: 5 years, as required by Spanish tax regulations.
  • Access and audit logs: 1 year.
  • Invited client data: until the agency user deletes them or cancels their account, plus a 90-day technical retention period.

5. Recipients and International Transfers

Your data may be shared with the following data processors, with whom Aprolio maintains appropriate data processing agreements:

  • Google LLC (Firebase) — Authentication, database (Firestore) and file storage. Google LLC participates in the EU-US Data Privacy Framework and offers adequate safeguards under Article 46 GDPR. More information at firebase.google.com/support/privacy.
  • Stripe, Inc. — Payment processing and subscription management. Stripe acts as independent data controller for payment data. Privacy policy at stripe.com/privacy.

No data is sold or shared with third parties for commercial purposes without prior user consent.

6. Your Rights

Under the GDPR and LOPD-GDD, you have the right to:

  • Access: obtain confirmation as to whether we process your data and access it.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data when it is no longer necessary or you withdraw consent.
  • Restriction: request that we suspend processing in certain circumstances.
  • Portability: receive your data in a structured, commonly used, machine-readable format.
  • Objection: object to processing based on legitimate interest or for direct marketing purposes.
  • Not to be subject to automated decisions: not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights, contact us at info.aprolio@gmail.com stating the right you wish to exercise and attaching a copy of your identity document. We will respond within one month.

7. Security

Aprolio implements appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration, including: secure authentication via Firebase Authentication, TLS/HTTPS encryption, strict database access rules, and backend access restricted via keys managed from secure environments.

8. Complaints

If you believe that the processing of your data does not comply with applicable regulations, you may lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es, or with the supervisory authority in your country of residence.