Privacy Policy
Cecilios · Last updated
This Privacy Policy explains how [COMPANY NAME] (“Cecilios”, “we”, “us”, or “our”) collects, uses, stores, shares, and otherwise processes personal data in connection with the website cecilios.dev and the related web application, subscriptions, support, and associated services (together, the “Service”).
This Policy is intended to comply with Regulation (EU) 2016/679 (“GDPR”), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), and other applicable legislation. By using the Service, you acknowledge that you have read this Privacy Policy.
1. Data Controller
The controller of personal data processed under this Privacy Policy is:
- Controller: [COMPANY NAME]
- Tax ID / VAT No.: [●]
- Registered office: [FULL ADDRESS IN SPAIN]
- Email: [PRIVACY CONTACT EMAIL]
- Commercial registry details (if applicable): [●]
For privacy-related matters, you may contact us at: [PRIVACY CONTACT EMAIL]
Data Protection Officer (if appointed): [NAME / EMAIL / “Not appointed”]
2. Scope of This Privacy Policy
This Privacy Policy applies to personal data processed when you:
- visit our website;
- create or use an account;
- start a trial;
- purchase or manage a subscription;
- contact us for support or commercial information;
- use the web application and its features;
- participate in communications related to the Service; or
- otherwise interact with us.
This Privacy Policy does not automatically govern the relationship between facilitators and their own participants, clients, or end users. In those cases, the facilitator or professional using the Service may be separately responsible for their own privacy notices and processing activities.
The EDPB’s guidance makes clear that the role of controller depends on who decides the purposes and means of processing.
3. Categories of Personal Data We Process
Depending on how you use the Service, we may process the following categories of personal data:
3.1 Identification and account data
- name and surname;
- email address;
- login credentials or authentication identifiers;
- account ID;
- preferred language or profile settings.
3.2 Subscription and transaction data
- selected plan;
- subscription status;
- billing cycle;
- invoices and payment status;
- partial payment metadata provided by our payment provider;
- tax/VAT-related information where applicable.
3.3 Communications data
- messages sent through contact forms or support channels;
- support requests;
- feedback;
- survey responses;
- email communications with us.
3.4 Technical and usage data
- IP address;
- browser type and version;
- device and operating system information;
- date/time of access;
- logs, error reports, diagnostics, and performance data;
- navigation and interaction data within the website or application.
3.5 Content you upload or create in the Service
- boards, labels, notes, figures, images, arrangements, or other materials created or uploaded by users;
- session-related information entered by facilitators;
- workspace or board metadata.
3.6 Marketing and preference data
- newsletter preferences;
- consent records;
- preferences relating to communications or cookies.
3.7 Data of participants or third parties uploaded by users
If you use the Service professionally, you may enter or upload information relating to clients, participants, or third parties. That information may contain personal data and, depending on how the Service is used, could in some cases include sensitive or special-category data. You are responsible for ensuring you have a valid legal basis and all required notices and safeguards for that use.
4. How We Collect Personal Data
We collect personal data:
- directly from you when you register, subscribe, fill in forms, contact us, or use the Service;
- automatically through your use of the website and application, including logs and similar technologies;
- from payment providers in connection with subscription status and transaction confirmation;
- from service providers supporting hosting, analytics, communications, security, or customer support; and
- from other users where they invite, share, or otherwise involve you in the use of the Service, where applicable.
5. Purposes and Legal Bases for Processing
Under the GDPR, personal data must be processed on a valid legal basis and in line with principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation, integrity/confidentiality, and accountability. The European Commission and AEPD both present these as core compliance requirements.
We process personal data for the following purposes:
5.1 To provide the Service and manage user accounts
We process identification, account, technical, and usage data to create and manage accounts, provide access to the application, authenticate users, save preferences, and deliver the contracted functionalities.
Legal basis: performance of a contract or pre-contractual measures.
5.2 To manage subscriptions, billing, and payments
We process subscription and transaction data to activate paid plans, manage renewals, issue invoices, handle billing issues, and keep accounting records.
Legal basis: performance of a contract and compliance with legal obligations.
5.3 To provide customer support and respond to requests
We process contact and communication data to answer questions, troubleshoot issues, and provide assistance.
Legal basis: performance of a contract, pre-contractual measures, and/or our legitimate interest in providing support and managing communications.
5.4 To maintain security, prevent abuse, and protect the Service
We process technical, log, and usage data to detect unauthorized access, fraud, misuse, suspicious activity, breaches of our terms, and other security incidents.
Legal basis: our legitimate interest in ensuring the security, integrity, and proper functioning of the Service, and compliance with legal obligations where applicable.
5.5 To improve the Service, performance, and user experience
We may use technical and usage data to understand how the Service is used, diagnose errors, improve features, and optimize usability.
Legal basis: our legitimate interest in improving our products and services, and consent where required for non-essential analytics or tracking technologies.
5.6 To send service-related communications
We send transactional and operational communications, such as account confirmations, billing notices, legal updates, security alerts, and changes to the Service.
Legal basis: performance of a contract and/or legal obligation.
5.7 To send marketing communications
We may send newsletters or promotional communications where permitted by law and, where required, based on your prior consent.
Legal basis: consent and/or legitimate interest where applicable under electronic communications rules.
5.8 To comply with legal obligations
We may process personal data to comply with tax, accounting, consumer, security, judicial, or regulatory obligations.
Legal basis: compliance with legal obligations.
5.9 To establish, exercise, or defend legal claims
We may process relevant data where necessary in relation to disputes, claims, investigations, or enforcement.
Legal basis: legitimate interest and, where applicable, compliance with legal obligations.
6. Roles: When Cecilios Acts as Controller or Processor
6.1 Cecilios as controller
We act as a data controller for personal data processed for our own purposes, such as:
- account registration and authentication;
- website administration;
- subscription and billing management;
- support and customer relationship management;
- service security;
- legal compliance;
- direct communications with users.
6.2 Cecilios as processor or service provider for facilitators
Where a facilitator or other professional uses Cecilios to upload, organize, or process personal data relating to their own participants, clients, or end users for that facilitator’s own purposes, Cecilios may act as a processor or service provider on behalf of that user, depending on the actual configuration and legal assessment.
6.3 In those cases, the user/facilitator is responsible for:
- determining the legal basis for processing;
- providing any necessary privacy notices;
- obtaining consent where required;
- ensuring confidentiality and professional compliance; and
- entering into any required data processing agreement with us, where applicable.
The EDPB’s controller/processor guidance supports this functional role-based approach.
7. Special Categories of Personal Data
- Cecilios is not intended to require special-category personal data for ordinary operation.
- However, because the Service may be used in facilitation, constellation, coaching, or similar session contexts, users may choose to upload or enter information that reveals sensitive details about individuals.
- Unless expressly agreed otherwise, users must avoid entering unnecessary sensitive data, especially data concerning health, mental health, sexuality, religion, ethnicity, political opinions, trade union membership, or other special categories under Article 9 GDPR.
- If you upload such data, you are solely responsible for ensuring that you have a valid lawful basis and, where required, an Article 9 condition and all necessary safeguards.
8. Cookies and Similar Technologies
- We may use cookies, pixels, local storage, SDKs, and similar technologies for technical operation, user preferences, security, analytics, and, where applicable, marketing.
- Necessary or technical cookies may be used without consent where permitted by law because they are strictly necessary for the website or service to function.
- Analytics, personalization, advertising, or other non-essential cookies or technologies will be used only in accordance with applicable consent requirements.
- More detailed information about cookies, retention periods, providers, and settings will be included in our separate Privacy and Cookie Settings document and/or cookie banner settings interface.
9. Recipients of Personal Data
We may share personal data with the following categories of recipients where necessary:
- hosting and infrastructure providers;
- payment processors;
- email and communication service providers;
- analytics and diagnostics providers;
- customer support tools;
- professional advisers such as lawyers, auditors, or accountants;
- public authorities, courts, regulators, or law enforcement when legally required; and
- other recipients where you request, authorize, or enable such sharing.
We do not sell personal data as that term is commonly understood in EU privacy law.
10. International Data Transfers
- The application and its data are hosted entirely in Spain; our primary hosting and storage operations for the Service are therefore intended to be located in Spain.
- However, some service providers we use for payments, communications, analytics, support, or security may process limited personal data outside Spain or outside the European Economic Area (“EEA”), depending on the provider arrangement in place at a given time.
- Where personal data is transferred outside the EEA, we will implement the appropriate safeguards required by applicable law, such as an adequacy decision by the European Commission, or Standard Contractual Clauses together with any supplementary measures where necessary.
- You may request more information about applicable transfer safeguards by contacting us.
11. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including for contractual, operational, legal, tax, accounting, dispute-resolution, and security reasons.
In general:
- account data is retained while the account remains active and, thereafter, for the period necessary to handle residual obligations and potential claims;
- billing and invoice data is retained for the legally required retention periods;
- support communications may be retained for a reasonable period to manage follow-up and improve support quality;
- technical logs are retained for a limited period appropriate to security and diagnostics;
- marketing data is retained until you withdraw consent or object, as applicable;
- board/session content is retained according to the account status, user instructions, and applicable legal obligations.
[Insert actual operational retention periods once defined internally.]
12. Security Measures
We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures may include access controls, authentication measures, encrypted communications, backups, logging, restricted permissions, and provider security safeguards.
However, no internet-based service can guarantee absolute security. You are also responsible for maintaining the confidentiality of your credentials and using the Service securely. The GDPR requires controllers and processors to ensure appropriate security and accountability measures.
13. Your Data Protection Rights
Under the GDPR, individuals have rights over their personal data, including the rights to information, access, rectification, erasure, restriction, portability, and objection, with the exact scope depending on the legal basis and circumstances. The European Commission and EDPB both describe these rights and the controller’s duty to facilitate their exercise.
Subject to applicable law, you may have the right to:
- obtain confirmation as to whether we process your personal data;
- access your personal data;
- request rectification of inaccurate or incomplete data;
- request erasure of your personal data;
- request restriction of processing;
- object to certain processing based on legitimate interest;
- receive the personal data you provided in a structured, commonly used, machine-readable format and request portability where applicable;
- withdraw consent at any time, where processing is based on consent; and
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, if applicable.
To exercise your rights, contact us at: [PRIVACY CONTACT EMAIL]
We may ask you for information necessary to verify your identity before responding.
14. Right to Lodge a Complaint
If you believe the processing of your personal data does not comply with applicable law, you have the right to lodge a complaint with the competent supervisory authority. In Spain, the supervisory authority is the Agencia Española de Protección de Datos (“AEPD”).
The AEPD provides channels and practical information for exercising rights and filing complaints. You may also contact us first so we can try to resolve the issue directly.
15. Third-Party Links and External Services
The website or Service may contain links to third-party websites, tools, or services. We are not responsible for the privacy practices of third parties. We encourage you to review their privacy notices before interacting with them.
16. Children’s Data
The Service is not intended for children under 18 and should not be used by minors without appropriate legal authorization and supervision where applicable. We do not knowingly collect personal data directly from children for ordinary use of the Service. If you believe we have collected such data in error, please contact us.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or our processing practices. The updated version will be published on this page with a revised “Last updated” date. Where required by law, we will provide additional notice.
18. Contact
For any privacy-related question or request, contact:
- [COMPANY NAME]
- Email: [PRIVACY CONTACT EMAIL]
- Address: [FULL ADDRESS IN SPAIN]