Privacy Policy
Last updated: March 1, 2025
1. Data Controller
donostia.ai
Contact email: hello@donostia.ai
Activity: Artificial Intelligence agency for SMEs
Basque Country, Spain
2. Applicable Legislation
The processing of your personal data is governed by the General Data Protection Regulation (GDPR) — EU Regulation 2016/679 — and the Spanish Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD) — Organic Law 3/2018.
3. Data We Collect
Data you provide directly
- Account data: name, email address, password (stored with bcrypt hashing).
- Billing data: full name or company name, billing address, for invoicing purposes.
- Communications: messages sent through the platform chat.
Data generated by your use of the service
- Activity data: contracted projects, milestones, deliverables, invoices.
- Technical data: IP address, browser type, operating system, pages visited, and date/time of access (server logs).
- Session cookies: required to keep you logged in. See our Cookie Policy.
4. Purpose and Legal Basis
| Purpose | Legal Basis |
|---|---|
| User access and authentication management | Performance of a contract (Art. 6.1.b GDPR) |
| Provision of contracted services | Performance of a contract (Art. 6.1.b GDPR) |
| Invoicing and payment management | Legal obligation (Art. 6.1.c GDPR) |
| Service-related communications | Legitimate interest (Art. 6.1.f GDPR) |
| Commercial communications (if applicable) | Consent (Art. 6.1.a GDPR) |
| System security and fraud prevention | Legitimate interest (Art. 6.1.f GDPR) |
5. Recipients and Data Processors
We may share your data with the following service providers, who act as data processors under appropriate safeguards:
- Stripe, Inc.: payment processing. Stripe Privacy Policy.
- Resend: transactional email delivery.
- Cloudflare R2: file and document storage.
- PostgreSQL: database.
- Anthropic / OpenAI: message processing in the AI assistant (messages may be processed by AI models).
We do not share your data with third parties for commercial purposes without your explicit consent.
6. International Data Transfers
Some of our providers are located outside the European Economic Area (EEA). In such cases, we ensure that transfers are carried out under appropriate safeguards (Adequacy Decisions, Standard Contractual Clauses, or other mechanisms recognised by the GDPR).
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described and to comply with applicable legal obligations:
- Active account data: for as long as you are a user of the platform.
- Billing data: 5 years in accordance with Spanish tax legislation.
- Activity logs: 12 months, unless a longer retention period is required by law.
- Chat messages: until you delete them or cancel your account.
8. Your Rights
Under the GDPR and LOPDGDD, you have the following rights:
- Access: obtain confirmation of whether we process your data and receive a copy.
- Rectification: request the correction of inaccurate or incomplete data.
- Erasure (“right to be forgotten”): request deletion of your data when, among other reasons, it is no longer necessary for the purposes for which it was collected.
- Objection: object to the processing of your data based on legitimate interest.
- Restriction of processing: request the restriction of processing in certain circumstances.
- Portability: receive your data in a structured, commonly used format.
- Withdraw consent: at any time, when processing is based on consent.
To exercise any of these rights, write to us at hello@donostia.ai with the subject line “GDPR Rights”. We will respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
9. Security
We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:
- Passwords stored with bcrypt hashing.
- Communications encrypted via TLS/HTTPS.
- Data access restricted following the principle of least privilege.
- Session tokens with expiration and CSRF protection.
10. Minors
Our services are aimed at businesses and professionals. We do not intentionally collect data from minors under 14 years of age. If you become aware that a minor has provided data without consent, contact us so we can proceed with its deletion.
11. Changes
We may update this Privacy Policy to reflect changes in our practice or in applicable legislation. The last update date is shown at the top of this document. Significant changes will be communicated by email.
12. Contact
donostia.ai
Email: hello@donostia.ai
Basque Country, Spain