Privacy Policy
In compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), ARANOVA informs you about the processing of your personal data.
1. Data Controller
| Company name | ARANOVA |
| Tax ID (NIF) | undefined |
| Registered office | Plaza Fonz 4, local 1 |
| info@aprendly.es |
You may contact our Data Protection Officer (DPO) by email at info@aprendly.es, indicating "FAO: Data Protection Officer" in the subject line.
2. Personal Data We Process
Below we detail the personal data we collect, the purpose for which we process it, the legal basis that legitimises each processing activity, and the retention period:
| Data type | Purpose | Legal basis | Retention period |
|---|---|---|---|
| First and last name | User identification and account management | Performance of contract (Art. 6.1.b GDPR) | During contractual relationship + 5 years after termination |
| Email address | Authentication, communication, and invoice delivery | Performance of contract (Art. 6.1.b GDPR) | During contractual relationship + 5 years after termination |
| Password (encrypted hash) | Secure authentication to the platform | Performance of contract (Art. 6.1.b GDPR) | During contractual relationship |
| Name, avatar, and participant information | Collaborative platform features | Performance of contract (Art. 6.1.b GDPR) | During contractual relationship |
| Billing data (name/company name, tax ID, address) | Subscription billing and tax compliance | Legal obligation (Art. 6.1.c GDPR) | 5 years (tax obligation in Spain) |
| IP address and access logs | Platform security and fraud prevention | Legitimate interest (Art. 6.1.f GDPR) | 1 year |
| Platform usage data | Service analysis and improvement | Legitimate interest (Art. 6.1.f GDPR), with opt-out option | 2 years |
| Technical and session cookies | Service functionality | Legitimate interest (Art. 6.1.f GDPR) | Depending on type (see Cookie Policy) |
| Analytics cookies | Service usage measurement | Consent (Art. 6.1.a GDPR) | Depending on type (see Cookie Policy) |
| Enrichment data (public sources and authorised verification providers) | Identity verification, fraud prevention, experience improvement, and service personalisation | Legitimate interest (Art. 6.1.f GDPR), with right to object | During contractual relationship + 2 years after termination |
We do not collect special categories of personal data (health data, sexual orientation, religious beliefs, political affiliation, biometric data, etc.).
3. Data Recipients
Your personal data will not be disclosed to third parties, except in the following cases:
- Legal obligation: When required by law, decree, or court order.
- Service providers (data processors): We use external providers for hosting (cloud), payment processing, email delivery, and web analytics. All of them comply with GDPR and have signed the corresponding Standard Contractual Clauses (SCC) when operating outside the EU.
- Law enforcement: In the event of an investigation into unlawful activities.
4. Data Enrichment and Identity Verification
4.1 What is Data Enrichment?
ARANOVA may supplement the information provided by users with data obtained from publicly available sources for the following purposes:
- Identity verification: Confirming that the data provided by the user is accurate and corresponds to a real person or entity.
- Fraud prevention: Detecting and preventing fraudulent use of the Platform, protecting both users and the service.
- Experience improvement: Adapting and personalising the service based on relevant and up-to-date information.
- Personalisation: Offering a more relevant experience based on verified data.
4.2 Legal Basis and Balancing of Interests Test
This processing is based on the legitimate interest of ARANOVA (Art. 6.1.f GDPR) to ensure the security and integrity of the service and to improve the user experience.
In accordance with the GDPR, we have carried out a balancing of interests test which concludes that:
- The impact on users' privacy is minimal, as only data from public sources is consulted.
- The protection measures implemented (encryption, restricted access, data minimisation) significantly reduce risk.
- The controller's legitimate interest is aligned with users' interests (account security, fraud prevention).
- Users retain the right to object at all times and may request the cessation of this processing at any time.
4.3 Sources of Information
Enrichment data may come from the following sources:
- Public databases: Companies registries, official registers, and other publicly accessible databases.
- Authorised verification providers: External data verification services operating under GDPR-compliant Data Processing Agreements (DPAs).
- Publicly available information: Data that the user or entity has made public on professional platforms or official websites.
Important limitation: Only public data is consulted. Under no circumstances do we access private information, personal social media data, or any other source requiring the data subject's specific consent.
4.4 Right to Object
In accordance with Article 21 of the GDPR, you may object at any time to this data enrichment processing, without the need to provide a justification. To exercise your right to object:
- Send an email to info@aprendly.es with the subject "Objection to Data Enrichment".
- Provide your full name and the email address associated with your account.
- We will process your request within a maximum of 1 month.
Exercising this right is free of charge and will not affect the provision of the contracted service.
5. International Data Transfers
Some of our service providers may have servers located outside the European Economic Area (particularly in the United States). In such cases, ARANOVA ensures that such transfers are made only to countries that offer an adequate level of protection as determined by the European Commission, or under the appropriate safeguards set out in Articles 46 and 47 of the GDPR, such as Standard Contractual Clauses (SCC).
If you would like more information about international transfers, you may request it at info@aprendly.es.
6. Your Rights
You have the following rights regarding your personal data:
5.1 Right of access (Art. 15 GDPR)
You may request confirmation as to whether we are processing your personal data and, if so, access it along with information about the processing (purposes, categories of data, recipients, retention periods, origin of the data if not obtained from you).
5.2 Right to rectification (Art. 16 GDPR)
You may request the correction of inaccurate personal data or the completion of incomplete data.
5.3 Right to erasure — "right to be forgotten" (Art. 17 GDPR)
You may request the deletion of your personal data when, among other reasons, the data is no longer necessary for the purposes for which it was collected. However, this right is not absolute: we may retain data where a legal obligation requires it (e.g., invoices for 5 years) or for the establishment, exercise, or defence of legal claims.
5.4 Right to restriction of processing (Art. 18 GDPR)
You may request the restriction of processing of your data in the following cases:
- While we verify the accuracy of data you have contested.
- When the processing is unlawful and you oppose the erasure of the data.
- When we no longer need the data but you need it for the establishment, exercise, or defence of legal claims.
- When you have objected to processing, pending verification of whether our legitimate grounds override yours.
5.5 Right to data portability (Art. 20 GDPR)
You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where the processing is based on consent or on a contract and is carried out by automated means.
5.6 Right to object (Art. 21 GDPR)
You may object at any time to the processing of your personal data where the processing is based on our legitimate interest. In particular, you may object to the processing of your data for direct marketing purposes at any time.
5.7 Right not to be subject to automated decision-making (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not use artificial intelligence systems to make automated decisions that significantly affect our users.
How to Exercise Your Rights
To exercise any of these rights, please send an email to info@aprendly.es with the subject "GDPR Rights Request", including:
- Your full name and the email address associated with your account.
- The right you wish to exercise.
- A copy of your ID card, passport, or other identification document (to verify your identity).
We will respond to your request within a maximum of 1 month, extendable to 2 months for particularly complex or numerous requests. Exercising these rights is free of charge.
If you believe we have not properly addressed your rights, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) via its electronic headquarters (www.aepd.es).
7. Data Security
We have implemented the following technical and organisational measures to ensure the security of your personal data:
- Encryption in transit: All communications are made using TLS 1.3.
- Encryption at rest: Stored data is encrypted with AES-256.
- Controlled access: Only authorised personnel with multi-factor authentication can access data.
- Backups: Daily encrypted backups with 30-day retention.
- Regular audits: Periodic security and compliance reviews.
- Staff training: All staff receive data protection and information security training.
- Breach notification: In the event of a security breach, we will notify the AEPD within 72 hours and, if the risk to users is high, we will also notify you directly.
8. Data Retention Periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Data associated with your account: while the account is active.
- After account cancellation: your personal data will be deleted within 30 days, except for data we must retain due to legal obligations (invoices: 5 years; log data: 1 year).
- If you request erasure of your data, we will proceed to delete it unless a legal retention obligation applies.
9. Minors
Our services are not directed at minors under 18 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without parental or guardian consent, please contact us so we can delete it.
10. Changes to This Policy
We reserve the right to modify this privacy policy to adapt it to legislative or jurisprudential changes or changes in our internal procedures. Any substantial modification will be published on this page and, if significant, we will notify you by email.
11. Contact
If you have any questions about this privacy policy or about the processing of your personal data, you may contact us at:
- Email: info@aprendly.es
- Postal address: Plaza Fonz 4, local 1, 50015 - Zaragoza (España)
You may also contact the Spanish Data Protection Agency (www.aepd.es) for any complaint regarding the protection of your data.