Data Protection Policy
In accordance with Article 30 of the GDPR, ARANOVA maintains the following register of personal data processing activities carried out in the provision of the Aprendly service.
1. Register of Processing Activities
1.1 User Account Management
| Field | Detail |
|---|---|
| Controller | ARANOVA, undefined, Plaza Fonz 4, local 1 |
| Purpose | Registration, authentication, and management of user accounts |
| Data subjects | Registered users of Aprendly |
| Data categories | Name, email, password (hash), profile data |
| Legal basis | Performance of contract (Art. 6.1.b GDPR) |
| Erasure period | Duration of account + 30 days after cancellation |
| Recipients | Cloud infrastructure providers (data processors) |
1.2 Billing and Payment Management
| Field | Detail |
|---|---|
| Controller | ARANOVA, undefined, Plaza Fonz 4, local 1 |
| Purpose | Invoicing, payment collection, and tax compliance |
| Data subjects | Customers with active subscriptions |
| Data categories | Name/company name, tax ID, billing address, payment data |
| Legal basis | Legal obligation (Art. 6.1.c GDPR) and performance of contract (Art. 6.1.b GDPR) |
| Erasure period | 5 years (tax obligation in Spain) |
| Recipients | Financial institutions, payment gateways (Stripe), tax advisors |
1.3 Security and Logging
| Field | Detail |
|---|---|
| Controller | ARANOVA, undefined, Plaza Fonz 4, local 1 |
| Purpose | Security monitoring, intrusion detection, and fraud prevention |
| Data subjects | All platform visitors and users |
| Data categories | IP address, timestamp, user-agent, requested URL, response code |
| Legal basis | Legitimate interest (Art. 6.1.f GDPR) |
| Erasure period | 1 year |
1.4 Usage Analytics
| Field | Detail |
|---|---|
| Controller | ARANOVA, undefined, Plaza Fonz 4, local 1 |
| Purpose | Statistical analysis of platform usage for service improvement |
| Data subjects | Users who have given consent |
| Data categories | Anonymised browsing data, interaction events |
| Legal basis | Consent (Art. 6.1.a GDPR) |
| Erasure period | 2 years |
| Recipients | Google LLC (Google Analytics) |
2. Data Protection Measures
- Data minimisation: Only strictly necessary data is collected.
- Purpose limitation: Data is used exclusively for declared purposes.
- Transparency: Users are informed through the Privacy Policy.
- Security: See the Information Security Policy for full details.
3. Sub-processors
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| Arsys Internet S.L. | Primary cloud infrastructure and hosting | Spain | GDPR (EU jurisdiction) |
| Amazon Web Services (AWS) | Secondary cloud infrastructure — S3 image storage with CDN and backups | Spain (eu-south-2) | SCC + GDPR certified |
| Google Cloud Platform | Secondary cloud infrastructure — BigData (Cloud Storage, BigQuery) and OAuth authentication | Spain (European region) | SCC + GDPR certified |
| Stripe Inc. | Card payment processing | USA | SCC + DPF |
| Redsys Servicios de Procesamiento S.L. | Card payment processing (Spanish banking gateway) | Spain | GDPR (EU jurisdiction) |
| Google LLC | Web analytics (Google Analytics) | USA | SCC + DPF |
All sub-processors have signed Standard Contractual Clauses (SCC) approved by the European Commission, or are subject to EU jurisdiction for European providers (Arsys and Redsys). The notification system is proprietary and subject to the same security measures and policies described herein.
4. Data Protection Officer
The DPO can be contacted at info@aprendly.es with the subject "FAO: Data Protection Officer".
5. Review
This policy is reviewed annually. Last reviewed: 20 June 2026.