🔒 Privacy Policy
RkiveAI España S.L.
Effective Date: July 17, 2025
1. Introduction
RkiveAI España S.L. (“RkiveAI”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data you share with us. This Privacy Policy explains:
- 📂 What categories of personal data we collect
- 🔐 Why and how we process your data (our “legal bases”)
- 🤝 With whom we share data
- ⏳ How long we retain various types of data
- ✅ Your rights under applicable data protection laws (including the GDPR)
- 📞 How to contact us or the supervisory authority with questions or complaints
By using any of our services (the “Services”), you agree to the collection and use of your personal data as described here. If you do not agree with any part of this policy, please do not use our Services.
2. Who We Are & Contact Details
Data Controller:
RkiveAI España S.L.
Attn: Data Protection Officer
Paseo de la Castellana 91, Planta 4, Puerta 1. Madrid, Spain. 28046.
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, you can contact our Data Protection Officer (DPO) at legal@rkiveai.com.
If you remain unsatisfied after contacting us, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):
AEPD
C/Jorge Juan, 6, 28001 Madrid, Spain
🌐 https://www.aepd.es
3. Definitions
- “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (e.g., name, email address, IP address, device ID).
- “Special Categories of Personal Data” means sensitive data (e.g., race, ethnicity, health) which we do not intentionally collect.
- “Processing” means any operation performed on personal data—collection, storage, use, disclosure, alteration, or deletion.
- “Data Subject” means any identified or identifiable natural person whose personal data we process (e.g., a registered user).
- “GDPR” means the European Union’s General Data Protection Regulation (Regulation EU 2016/679).
4. Information We Collect
We collect and process various categories of personal data in order to provide, maintain, improve, and secure our Services. Broadly, we group these into:
- Account & Profile Data
- User-Generated Content
- Technical, Usage & Device Data
- Communications & Support Data
4.1 Account & Profile Data (Collected Directly)
When you register or update your account, we may collect:
- 📧 Contact details: Full name, email address, phone number (if provided), billing/shipping address, invoicing details, VAT or tax identifiers (if applicable).
- 🔑 Authentication data: Username, hashed password, social login tokens (if you connect via Google/Facebook/etc.).
- 📝 Profile and preferences: Profile picture (if uploaded), language preference, time zone, notification settings, and any opt-ins you select (e.g., marketing communications).
Legal bases: Performance of a contract (to create and manage your account); Legitimate interest (to prevent fraud, enforce Terms).
4.2 User-Generated Content & Uploaded Files
When you use our AI features, you may upload or enter:
- 📄 Documents, images, videos, text, or other media you feed into the AI (collectively “Your Content”).
- 🤖 AI-Generated Outputs such as transcriptions, summaries, or other results.
- 🕓 Metadata about your actions (e.g., revision history, file names).
Legal bases: Performance of a contract (to deliver the AI service you requested); Legitimate interest (to improve the service, troubleshoot).
4.3 Technical, Usage & Device Data (Automatically Collected)
Our systems (and third-party analytics providers) automatically collect:
- 💻 Device and browser data: IP address, device identifiers (e.g., UUIDs), browser type and version, operating system, screen resolution, and language settings.
- 📊 Log data: Timestamps of log-ins, log-outs, API calls, pages visited, files accessed, and errors encountered.
- 📈 Usage analytics: Feature usage, clickstream data, session duration, and performance metrics.
- 🍪 Cookies and similar tracking technologies: For session management, preferences, analytics, and (if you consent) marketing.
Legal bases: Legitimate interest (to maintain, secure, and improve our Services, and to prevent abuse); Consent (for cookies and marketing tracking).
4.4 Communications & Support Data
If you contact us (e.g., support tickets, emails, chat transcripts):
- 📥 Communications content: Your emails, chat messages, or call recordings (if any).
- 🏷️ Support metadata: Subject lines, timestamps, case numbers, and resolution status.
Legal bases: Performance of a contract (to provide support); Legitimate interest (to improve support, resolve disputes).
5. How We Use Your Personal Data
5.1 To Provide & Improve the Services
- 🚀 Deliver core functionality. Authenticate your account, generate AI outputs, process payments, and host your files.
- 📈 Improve performance. Analyze usage patterns and system logs to optimize speed, reliability, and features.
- 🧩 Customize your experience. Store preferences (e.g., language, UI settings) and suggest relevant features based on your usage.
- 🛡️ Prevent abuse and fraud. Monitor for unusual activity, enforce our Terms of Service, and protect against unauthorized access.
Legal bases: Performance of a contract; Legitimate interest (service quality, security).
5.2 Billing, Payments & Refunds
- 💳 Process payments. We use Apple Pay, Google Pay and Stripe to securely handle all subscription and transaction fees. We collect your billing details and store only partial card data as permitted under PCI DSS.
- 🧾 Manage invoices and taxes. Issue invoices, calculate VAT or other applicable taxes, and retain records for audit compliance.
Legal bases: Performance of a contract; Compliance with legal obligations (tax law).
5.3 Communications & Marketing
- 📬 Transactional messages. Send you essential account notifications (e.g., password reset, billing receipts, security alerts).
- 🚧 Service updates. Inform you about major feature releases, scheduled maintenance, or policy changes.
- 💌 Promotional messages (optional). With your prior consent, we may send newsletters, special offers, or surveys. You can unsubscribe at any time via the link in our emails or by changing your account settings.
Legal bases:
- Transactional: Performance of a contract; Legitimate interest (to keep you informed of critical changes).
- Promotional: Consent (opt-in).
5.4 Research & Development
- 🧪 Aggregate & anonymize. We may combine and anonymize usage data to analyze trends, test new features, and develop our AI models.
- 🤖 Machine learning training. Where permitted, we may use anonymized or pseudonymized data to improve the accuracy and performance of our models.
Legal bases: Legitimate interest (product enhancement).
6. Data Sharing & Disclosure
We do not sell or rent your personal data. We share data only as described below or with your explicit consent.
6.1 Service Providers & Subprocessors
We engage third parties to perform certain functions on our behalf, including:
- 🌩️ Cloud hosting & infrastructure. Acts as our data processor for storage, compute, and backups.
- 📊 Analytics providers. Provide anonymized/aggregated usage insights.
- 💳 Payment processors. Process and confirm your subscription payments.
- 📬 Email delivery. Send transactional and promotional emails.
- 🛎️ Customer support tools. Manage support tickets and chat.
Before granting access to your data, we ensure that each service provider:
- 📝 Signs a Data Processing Agreement (DPA) committing to GDPR-level security and confidentiality.
- 👀 Will only process data in accordance with our instructions.
- 🚫 Will not use your data for their own purposes.
6.2 Legal & Compliance Obligations
We may disclose personal data if required by law, regulation, or valid subpoena or court order. This includes:
- 🏛️ Responding to lawful requests by public authorities (e.g., court, regulators).
- 🧾 Complying with tax, financial, or accounting audits.
- 🕵️ Preventing, investigating, or taking action regarding illegal activities, suspected fraud, or threats to our rights/persons/property.
6.3 Business Transfers
If RkiveAI is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring party. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6.4 Aggregated & Anonymized Data
We may share aggregated, anonymized, or de-identified data with partners, investors, or the public (e.g., usage statistics, performance metrics) so long as no individual can be identified.
7. International Data Transfers
All customer data is stored and processed primarily on servers located in the European Union. If we ever transfer data outside the EU/EEA (e.g., to support providers in other regions), we will do so only under appropriate safeguards, such as:
- ✅ Standard Contractual Clauses (SCCs): Approved by the European Commission.
- ✅ Binding Corporate Rules (BCRs): Where applicable within our corporate group.
- ✅ Adequacy decisions: If a country is recognized by the EU as providing adequate protection.
We will inform you in advance if we ever rely on such transfers and what mechanisms we use.
8. Data Retention
We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law. Below is a general overview; exact retention periods depend on context:
| Category | Retention Period |
|---|---|
| Account & Profile Data | Duration of your active account + up to 3 years after account closure |
| Billing & Transaction Records | At least 10 years (required by tax and financial regulations in Spain/EU) |
| Support & Communications Logs | Up to 5 years, unless subject to a longer legal hold |
| Usage & Analytics (anonymized) | Up to 5 years (or until data is fully anonymized) |
| Security & Audit Logs | Indefinitely, to detect and investigate fraud or abuse |
After the retention period ends, we will securely delete or anonymize the data.
9. Cookies & Tracking Technologies
We use cookies, web beacons, and similar technologies to recognize your browser or device, remember preferences, and help us understand site usage. You can control cookie settings via your browser; however, disabling certain cookies may affect service functionality.
9.1 Types of Cookies We Use
- 🍪 Essential (Strictly Necessary) Cookies
  - Required for basic site functionality (e.g., account authentication, shopping cart).
  - Cannot be disabled if you want to use the core Services.
- 📈 Performance & Analytics Cookies
  - Collect anonymized data on how you use our Services (e.g., page visits, feature usage).
  - Help us optimize speed and user experience.
  - Generally set by third-party analytics providers.
- 🎯 Functional Cookies
  - Remember your preferences (e.g., language, region) to personalize your experience.
- 📢 Advertising & Marketing Cookies (if enabled)
  - Track your browsing behavior across websites to serve more relevant ads (when you have consented).
  - You can opt out of these.
When you first visit, we display a cookie banner explaining these categories and asking for your consent (where required by law). You can manage consent at any time through your account settings or by clearing cookies in your browser.
10. Security Measures
We implement industry-standard administrative, technical, and physical safeguards to protect personal data, including:
- 🔒 Encryption in Transit & At Rest: All data is encrypted via TLS (HTTPS) during transmission; sensitive data is encrypted at rest (e.g., billing details).
- 👨‍💻 Access Controls: Role-based access for employees, multi-factor authentication (MFA) for privileged accounts, and regular access reviews.
- 🛡️ Vulnerability Management: Regular security audits, penetration tests, and patch management to address known vulnerabilities.
- 🚨 Incident Response Plan: Documented procedures to detect, investigate, and respond to security incidents; we will notify affected users and authorities in accordance with GDPR breach notification timelines (within 72 hours when feasible).
- 🗑️ Data Minimization: Only collect data necessary for stated purposes and delete or anonymize it when no longer needed.
Despite these measures, no system can be 100% secure. You acknowledge and accept the residual risks when transmitting personal data over the internet.
11. Your Rights Under GDPR
If you are located in the European Union or the UK, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at legal@rkiveai.com. We will respond within one month (or as required by law).
- 📥 Right of Access. You can request a copy of the personal data we hold about you and certain details about our processing.
- ✏️ Right to Rectification. You can ask us to correct inaccurate or incomplete data (e.g., update your email if it changed).
- 🗑️ Right to Erasure (Right to Be Forgotten). You can request deletion of your personal data when it’s no longer needed for its original purpose, except where we have a legal obligation to retain it (e.g., tax records).
- ⏸️ Right to Restriction of Processing. You can request that we temporarily stop processing your data (e.g., if you contest its accuracy) while we verify it.
- 📤 Right to Data Portability. You can request a copy of your data in a structured, machine-readable format (e.g., JSON or CSV) to transmit to another controller.
- 🚫 Right to Object. Where we process your data based on legitimate interest, you can object, and we must stop unless we can demonstrate compelling legitimate grounds. You also have the right to opt out of direct marketing at any time.
- 🔓 Right to Withdraw Consent. If we rely on your consent (e.g., for marketing emails or non-essential cookies), you may withdraw consent at any time. Withdrawal will not affect processing that occurred before you withdrew.
- 📣 Right to Lodge a Complaint. You can file a complaint with a supervisory authority—e.g., the Spanish Data Protection Agency (AEPD)—if you believe our processing violates applicable law.
12. Children’s Privacy
Our Services are not directed at children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we learn that we have unintentionally collected data from a minor, we will delete it as soon as possible. If you believe that a minor has provided us with personal data, please contact us at legal@rkiveai.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- 🆕 We will post the updated version on our website with a new “Effective Date.”
- 📣 If the changes are material (e.g., new processing purposes, new data-sharing practices), we will provide advance notice (via email or in-app notification) at least 30 days before the changes take effect.
Your continued use of the Services after the Effective Date constitutes acceptance of the revised Privacy Policy. If you do not agree with any changes, you must stop using the Services and may request account deletion as described below.
14. How to Delete Your Account & Data
If you wish to have all personal data deleted:
🔗 https://www.rkiveai.com/en/data-deletion
15. Third-Party Links & External Sites
Our Services may contain links to third-party websites, plug-ins, or services that we do not control. Once you click on a third-party link, you will be subject to that third party’s privacy policy. We encourage you to read the privacy notices of any sites you visit. We are not responsible for the content or practices of external sites.
16. International Users
If you are accessing our Services from outside the European Economic Area (EEA), note that we transfer and store data within the EEA. By using the Services, you consent to the transfer of your information to the EEA and acknowledge that EU data protection laws may differ from those where you reside. We rely on appropriate safeguards (e.g., Standard Contractual Clauses) if any personal data is transferred outside the EEA.
17. Miscellaneous
- ❌ No Automated Decision-Making. We do not use your personal data for fully automated decisions that produce legal or similarly significant effects on you.
- 🛑 No Sale of Data. We do not sell your personal data to third parties.
- 📌 Data Controller & Processor Roles. RkiveAI acts as the data controller for data you directly provide to us. In cases where we allow integrations (e.g., connecting your Google Drive), the third party may be a separate data controller for data processed on their platform.
18. Global Privacy Notice
RkiveAI España S.L. (“we,” “us,” or “our”) is headquartered in Madrid, Spain, and primarily processes data under the EU GDPR. Because we serve users worldwide, this notice explains your rights if you are located in other jurisdictions:
- European Economic Area (EEA) / UK:
  - Your rights are described in Section 11 (“Your Rights Under GDPR”) of our Privacy Policy.
  - We rely on standard contractual clauses (SCCs) to transfer data outside the EEA.
- California (CCPA/CPRA)
  - We do not sell or share your personal information for cross-context behavioral advertising.
  - California residents have the right to request:
    - The categories of personal data we’ve collected and the purposes for which we use it.
    - Deletion of personal data (subject to legal retention obligations).
    - Opt-out of any future sale or sharing (if that ever occurs).
  - To exercise these rights, email legal@rkiveai.com with “CCPA Request” in the subject line. We will verify your California residency and respond within 45 days.
- Brazil (LGPD)
  - We collect personal data to provide and improve our AI services. We may share it with third-party subprocessors (e.g., AWS, Stripe, Google Analytics) under binding data-processing agreements.
  - Brazilian residents have the right to confirm processing, access, correct, delete, or port their personal data, and to withdraw consent at any time.
  - To submit an LGPD request, email legal@rkiveai.com with “LGPD Request” in the subject line. We will verify your identity or residency and respond within 15 days.
- Other Jurisdictions:
  - If your local law grants additional rights (e.g., South Africa’s POPIA, Japan’s APPI), you may exercise them by emailing legal@rkiveai.com.
  - We will verify your location and respond within the shorter of your local statutory timeframe or 30 days.
How to Contact Us for Any International Request:
- 📧 Email legal@rkiveai.com with “Data Request – [Your Country]” in the subject line.
- 📑 Provide the following: (a) your name and contact information; (b) the nature of your request (e.g., “I wish to delete my data under CCPA,” or “I want a copy under LGPD”); (c) proof of your identity or residency if applicable.
- 📤 We will route your request to the correct internal team and respond within the time required by your local law (or 30 days if shorter).
If we need to share your data with third-party vendors (e.g., AWS, payment processors) outside your region, we rely on appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules) to ensure an adequate level of protection.
By continuing to use our Services, you acknowledge that you have read and understood this Policy and agree to be bound by its terms.