PRIVACY POLICY
Last updated: 22 May 2026 · Reading time about 6 minutes.
1. Who we are
EsferaUp SL (in formation), based in Barcelona, Catalonia. NIF pending. Controller: the founding team. Privacy contact: [email protected].
Data Protection Officer (DPO): to be appointed before public launch, per LOPDGDD Art. 34. In the meantime, all requests are handled directly by the founding team.
2. What data we collect
We collect data from the admin adult (name, email, optional phone), data about children linked to the account (name, date of birth, photos and notes you add) and usage data (sessions, devices, language) to make the app work.
Some data falls under GDPR Art. 9 (special categories): health observations, crisis episodes, specialist assessments. These are encrypted with a per-family key (envelope encryption, AES-256-GCM).
3. Why we use it
To give you access to your timeline, register UPs (units of progress), generate Memories and hypothetical Patterns, offer Activa plans you purchase and — if you enable it — receive 360° observations from external places (schools, specialists).
We never use the data to train third-party AI models or for advertising. We don't perform automated profiling with legal effects (GDPR Art. 22).
4. Legal basis
- Performance of contract (Art. 6.1.b): to provide the app once you've opened an account.
- Consent (Art. 6.1.a + Art. 9.2.a): for health data, marketing communications and sharing with 360° places.
- Legal obligations (Art. 6.1.c): billing, court orders.
5. Children's data (GDPR Art. 8)
In Spain, the digital consent threshold is 14 years (LOPDGDD Art. 7). Below that age, the adult holder of parental authority acts as controller and provides verifiable consent.
Children under 14 don't have their own account: they only appear in the adult's profile. From age 14 they can create their own linked account with consent from both sides.
6. Your rights (Art. 15-22)
You have the right to access, rectify, delete, object, restrict processing and port your data. You can exercise them from within the app (Settings → Privacy) or by emailing [email protected].
We reply within one month (extendable to three if the request is complex, per Art. 12.3 GDPR).
7. Data retention
We retain data while your account is active. On closure, data is deleted in 30 days, except what we're legally required to keep (invoices: 5 years per Spanish tax law; security audit logs: 3 years).
8. Data processors
We work with providers who process data on our behalf under contract (DPA). All are EU-resident or have equivalent guarantees: DigitalOcean Frankfurt (hosting), Google Cloud KMS EU (keys), Sentry EU (error telemetry), Stripe EU (web payments), Apple and Google (in-app purchases).
9. International transfers
All primary processing (server, database, file storage) is in the European Union. When a provider has some infrastructure outside (e.g. Apple or Google for push notifications), we apply the Standard Contractual Clauses (SCC) approved by the European Commission.
10. Cookies
This site only uses strictly necessary technical cookies and Cloudflare Web Analytics, which uses no cookies or fingerprinting. See the Cookie policy for details.
11. Contact and complaints
For any question: [email protected]. If you believe we haven't responded properly, you can file a complaint with the Spanish Data Protection Agency (AEPD).
Have a legal question?
Write to [email protected]. We reply within 24 working hours.