Privacy Policy

1. Data Controller

In accordance with the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), we inform you that personal data collected through this website will be processed by:

• Owner: Pablo Belmonte Hernández
• Address: Calle Arganda 30, 28005 Madrid
• Email: [email protected]

2. Data We Collect

We collect the following types of personal data:

• <strong>Identification data:</strong> name, email, password (encrypted)
• <strong>Usage data:</strong> sessions conducted, configuration preferences
• <strong>Session content:</strong> conversations with the AI, summaries and private letters, encrypted with XChaCha20-Poly1305 in the database
• <strong>Payment data:</strong> managed by Stripe. We do not store card data.

3. Purpose of Processing

Your personal data will be processed for the following purposes:

• Provision of the AI-powered relationship improvement service
• Management of your user account
• Billing and collection for contracted services
• Service-related communications
• Compliance with legal obligations

4. Legal Basis for Processing

The processing of your data is based on:

• <strong>Contract performance:</strong> provision of the contracted service
• <strong>Consent:</strong> for sending commercial communications
• <strong>Legitimate interest:</strong> for improving our services
• <strong>Legal obligation:</strong> compliance with tax and accounting regulations

5. Data Retention

Personal data will be retained as long as the contractual relationship is maintained. After termination, they will be kept for the legally established periods (5 years for tax data). AI conversations, summaries and private letters are stored encrypted with XChaCha20-Poly1305 (authenticated AEAD encryption) while your account is active. The encryption key lives outside the database. When you delete your account, the encrypted data is permanently erased.

6. Data Recipients

Your data may be shared with:

• <strong>Service providers:</strong> hosting (DigitalOcean, EU), payment processing (Stripe), AI services (Google Gemini)
• <strong>Public authorities:</strong> when required by law
• All our providers comply with adequate data protection guarantees (GDPR or Standard Contractual Clauses)

7. Your Rights

You have the right to:

• <strong>Access:</strong> know what data we hold about you
• <strong>Rectification:</strong> correct inaccurate data
• <strong>Erasure:</strong> request deletion of your data
• <strong>Objection:</strong> object to the processing of your data
• <strong>Restriction:</strong> request restriction of processing
• <strong>Portability:</strong> receive your data in a structured format

To exercise these rights, you can contact us at [email protected].

8. Data Security

We implement appropriate technical and organizational measures to ensure the security of your data, including:

• At-rest encryption of conversations, summaries and private letters with XChaCha20-Poly1305 (AEAD)
• SSL/TLS encryption in all communications
• Password hashing with secure algorithms (bcrypt)
• Restricted access to personal data
• Servers located in the European Union

9. Complaints

If you believe that the processing of your data does not comply with the regulations, you can file a complaint with the Spanish Data Protection Agency (www.aepd.es).

10. Changes

We reserve the right to modify this privacy policy to adapt it to legislative changes. We will notify you of any significant changes through the platform or by email.

11. Meta integration (Facebook and Instagram)

Brillemos runs a content creators program that uses the Meta Graph API to detect public posts from associated creators. When a creator joins our affiliate program and publishes content mentioning us along with their code, our system automatically queries the Meta API to verify that post. We never access private content, direct messages, or personal data of the creator's audience. We only read posts that the creator publishes publicly.

The permissions we use are instagram_basic, instagram_manage_insights, pages_read_engagement, pages_manage_posts and pages_manage_metadata, exclusively over the %site_name% Facebook Page and Instagram Business account.

12. Delete your data

You can request the complete deletion of your data at any time. To do so:

• From the web: My account → Delete account. The process is immediate.
• By email: [email protected]. We reply within 72h.

What we delete: your profile, messages, questionnaires, answers, conversation summaries, progress, any personal content.

What we anonymise (by legal obligation to keep tax records): invoices and payment records. They are kept disconnected from your identity, with no name, email, or associated profile.

If you have Facebook or Instagram linked to Brillemos, you can also request the deletion from your Meta settings. Our endpoint POST /meta/data-deletion processes the request automatically. You will see the status of your request at the URL Meta provides.