Privacy Policy
Last updated: 30/04/2026
1. Data Controller
In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), the controller responsible for the processing of personal data collected through the website https://reglapp.com and the Reglapp platform is:
- Legal name: ARTSOFT SIEM, S.L.U. ("Reglapp" or "the Controller")
- Tax ID (NIF): B56742752
- Address: Calle Xabia, Núm. 9, Planta 5, Puerta 10, 46010 València (Valencia), Spain
- General email: hello@reglapp.com
- Email for data protection matters: privacy@reglapp.com
- Registry data: Registered with the Mercantile Registry of Valencia, Tomo 11428, Libro 8706, Folio 186, Sección 8, Hoja V-214985, Inscripción 1ª
Data Protection Officer (DPO): Reglapp has not formally designated a Data Protection Officer, having determined through internal analysis that the requirements set forth in Article 37 GDPR and Article 34 LOPDGDD do not apply. Notwithstanding, all data protection matters may be addressed to privacy@reglapp.com. Reglapp reviews this determination periodically and will notify Users of any change.
2. Personal data processed
Reglapp collects and processes the following categories of personal data:
2.1 Account and registration data
- Email address
- Password (stored in hashed form)
- Preferred language and account settings
- Account creation date and access logs
2.2 Profile data ("About me")
- First and last name
- Date of birth
- Nationality
- Address in Spain and country of origin
- Phone number
- Passport details (number, issue and expiry dates, issuing authority)
- Place of work and profession
- Marital status
- Names of parents
2.3 Documentation uploaded to "My Data"
Documentation required for the provision of the contracted professional services, which may include, depending on the case: passport from the country of origin, proof of residence over the last 5 years, criminal record certificate, proof of registration at the local town hall (empadronamiento), employment contract or job offer, birth certificates of children and their passports, marriage certificates, tax returns, and any other document requested by the assigned professional in connection with the engagement.
2.4 AI-chat session data
- Content of messages exchanged with the AI-chat
- Session metadata (date, time, session identifier)
- Output of the informational assessment generated by the AI
2.5 Billing and payment data
- Legal name or full name, NIF/NIE, fiscal address
- Services contracted, amounts, VAT, transaction date
- Transaction identifiers from the payment provider (full card details are not stored by Reglapp; they are processed by the PCI-DSS certified payment provider)
2.6 Client case file data
- Notes, communications and observations generated by the assigned professional
- Documents produced during service provision
- Case status and communications with public authorities
2.7 Technical and usage data
- IP address, device type, browser, operating system
- Pages visited, time spent, platform interactions
- Cookie identifiers, subject to User preferences
- Technical logs for security and debugging
2.8 Data of minors
Where the contracted service involves family regularization or other procedures concerning the User's minor children, Reglapp may process such minors' data (birth certificate, passport, identification data). Such data is processed under the parental responsibility of the User, who declares to be entitled to provide them in the minor's interest. The Reglapp platform is not directed at minors and does not collect minors' data for purposes other than the professional service contracted by their parent or legal representative.
3. Special categories of data (Art. 9 GDPR) and data relating to criminal offences (Art. 10 GDPR / Art. 10 LOPDGDD)
Certain data processed by Reglapp may require enhanced protection:
3.1 Migration status
The User's migration status in Spain (including a status of administrative irregularity) may be treated as a special category of data under Article 9 GDPR. The legal basis for processing is the explicit consent of the data subject in accordance with Article 9.2.a GDPR, obtained separately and specifically at the time of registration.
3.2 Criminal record data
The criminal record certificate required for certain immigration procedures constitutes data relating to criminal offences. Its processing is grounded, in accordance with Article 10 LOPDGDD, on the provision of professional services by a licensed gestor administrativo or lawyer, in fulfilment of administrative procedures in which the certificate is required by applicable law, and with the explicit consent of the User.
The User may object to the processing of these categories of data at any time, with the consequence that Reglapp and the assigned professional will be unable to continue providing the service that requires such data.
4. Purposes of processing and legal bases
The following table summarises the purposes of processing, the data involved and the corresponding legal basis under Article 6 GDPR:

| Purpose | Data | Legal basis |
| --- | --- | --- |
| Account creation and management | §2.1 | Contract performance (Art. 6.1.b) |
| Provision of contracted professional services (immigration, tax, gestoría) | §2.2, §2.3, §2.6 | Contract performance (Art. 6.1.b) |
| Processing of special categories and criminal record data | §3.1, §3.2 | Explicit consent (Art. 9.2.a) and/or Art. 10 LOPDGDD |
| AI-chat sessions | §2.4 | Contract performance (Art. 6.1.b) + legitimate interest in product improvement (Art. 6.1.f) |
| Billing and tax obligations | §2.5 | Compliance with legal obligation (Art. 6.1.c — Spanish Commercial Code Art. 30, General Tax Law) |
| Communication with public authorities (Tax Office, Social Security, Immigration) within the service | §2.2, §2.3, §2.6 | Compliance with legal obligation applicable to the case (Art. 6.1.c) |
| Technical security and fraud prevention | §2.7 | Legitimate interest (Art. 6.1.f) |
| Commercial communications about own products to existing customers | §2.1, §2.5 | Legitimate interest (Art. 6.1.f) — Art. 21.2 LSSI-CE |
| Personalized marketing and transfer to commercial partners | §2.1, §2.7 | Explicit and separate consent (Art. 6.1.a) |
| Cookies and similar technologies | §2.7 | Consent (Art. 22.2 LSSI-CE) |

5. Retention periods
Reglapp retains personal data for the time strictly necessary for the purposes of processing, in accordance with the following periods:
- Account data: while the account is active + 1 year after closure, unless a longer legal retention obligation applies.
- Case file and professional documentation: 5 years from completion of service, in line with the professional civil liability periods applicable to gestores administrativos and lawyers, and the general statute of limitations for personal actions (Art. 1964 Spanish Civil Code).
- Billing data: 6 years under Article 30 of the Spanish Commercial Code; 4 additional years for tax purposes under the General Tax Law (Art. 66).
- AI-chat session content: 30 days after the session ends, unless the User expressly requests longer retention or the content is integrated into their professional case file.
- Marketing consents: while the consent is active + 3 years after withdrawal for evidentiary purposes.
- Technical logs and security data: 90 days.
- Data of minors: same periods applicable to the parent account holder's case file; deletion upon parental request or upon the minor reaching adulthood (with prior notice).
Upon expiry of the retention periods, data is securely deleted or anonymized.
6. Recipients and categories of recipients
The User's personal data may be communicated to the following categories of recipients:
6.1 Licensed professionals (Data Processors)
Independent licensed gestores administrativos, lawyers and other licensed professionals engaged through the platform for the provision of professional services. They act as Data Processors under a Data Processing Agreement (DPA) executed in accordance with Article 28 GDPR. They receive the case file data necessary for service provision.
6.2 Technical infrastructure providers
- Hosting and infrastructure: Hetzner Online GmbH (Germany) — data hosting and servers in EU-based data centres.
6.3 Artificial intelligence providers
- OpenAI, L.L.C. (United States) — processing of AI-chat messages through language models. Data sent through the API is not used by OpenAI to train its models, in accordance with OpenAI's policy applicable to API services.
- Google LLC (United States) — processing of AI-chat messages through Gemini models.
6.4 Payment provider
- Stripe Payments Europe, Limited (Ireland) — processing of payments for contracted services. Full card details are processed directly by Stripe (PCI-DSS Level 1).
6.5 Analytics and advertising
- PostHog Inc. (with EU instance configured) — product analytics and usage behaviour.
- Meta Platforms Ireland Limited (Meta Pixel) — advertising attribution, only with the User's consent through the cookie banner.
- TikTok Technology Limited (TikTok Pixel) — advertising attribution, only with consent.
- Google Ireland Limited (Google Ads) — advertising attribution, only with consent.
6.6 Commercial partners (marketing)
Where the User has provided explicit and separate consent, Reglapp may share certain data (contact details, usage profile) with selected commercial partners for personalized offers in immigration, tax, financial, insurance, relocation and related services. Categories of partners and details of communicated data are described in section 11.
6.7 Public authorities
Tax Office, Social Security, Immigration and other competent authorities, where the professional service so requires and in accordance with the User's consent or compliance with a legal obligation.
6.8 Reglapp's own advisors and service providers
Legal, tax and accounting advisors of Reglapp for internal management of the company, subject to confidentiality obligations.
7. International data transfers
As a result of the use of the providers indicated in section 6, part of the processing may involve international transfer outside the European Economic Area, particularly to the United States:
- OpenAI L.L.C. (USA)
- Google LLC (USA)
- Meta Platforms, Inc. (USA) — only when the User consents
- TikTok / ByteDance (USA / Ireland) — only when the User consents
- Google Ads / Google LLC (USA) — only when the User consents
- Stripe, Inc. (USA, parent company of Stripe Payments Europe Limited) — for technical payment processing
International transfers are made on the basis of:
- a) Standard Contractual Clauses (SCC) approved by the European Commission under Decision (EU) 2021/914, executed with each provider; and/or
- b) EU-U.S. Data Privacy Framework (Adequacy Decision of 10 July 2023) where the provider is certified under that framework.
The User may request a copy of the applicable safeguards by writing to privacy@reglapp.com.
Recommendation to the User: as conversations with the AI-chat may be processed in the United States, Users are advised not to share unnecessary sensitive personal data through the chat. For sensitive matters, it is recommended to contact the assigned professional directly through the platform's secure environment.
8. Automated decision-making and artificial intelligence
Reglapp uses an AI assistant (AI-chat) to provide Users with preliminary information about their situation and potential applicable administrative routes.
- The AI-chat is for informational purposes only. Its responses may contain inaccuracies and do not constitute legal, tax or professional advice.
- Reglapp does not adopt decisions producing legal effects or similarly significant effects based solely on automated processing (Art. 22 GDPR). All binding professional decisions are reviewed and adopted by a human licensed professional.
- In compliance with Article 50 of Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act), the User is expressly informed that they are interacting with an AI system.
9. User rights
Under GDPR and LOPDGDD, the User may exercise the following rights:
- Access (Art. 15 GDPR): obtain confirmation of processing and a copy of the data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure / "right to be forgotten" (Art. 17): request deletion when data is no longer necessary or consent has been withdrawn.
- Restriction of processing (Art. 18):
- Data portability (Art. 20): receive data in a structured, commonly used format.
- Objection (Art. 21): object to processing based on legitimate interest.
- Not to be subject to automated decisions (Art. 22):
- Withdrawal of consent (Art. 7.3): the User may withdraw consent at any time without retroactive effect on previous processing.
How to exercise rights: by request to privacy@reglapp.com indicating the right to be exercised and providing identification documentation. Reglapp will respond within one month from receipt of the request, extendable by two additional months in particularly complex cases (Art. 12.3 GDPR).
Right to lodge a complaint with the Supervisory Authority: if the User considers that their rights have not been properly addressed, they may lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Website: https://www.aepd.es
- Electronic office: https://sedeagpd.gob.es
- Postal address: C/ Jorge Juan, 6, 28001 Madrid
Before lodging a complaint with the AEPD, it is recommended to first contact privacy@reglapp.com to seek direct resolution.
10. Withdrawal of consent
Where processing is based on consent, the User may withdraw it at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
Withdrawal of consent for data essential to service provision (special categories, criminal records, transfer to professionals) may prevent continuation of the contracted service. Reglapp will inform the User of the consequences before giving effect to the withdrawal and, where applicable, will notify the assigned professional, who shall suspend processing of the data relating to the affected case.
11. Marketing and commercial communications
11.1 Communications about own products to existing customers
Reglapp may send the User commercial communications regarding its own products and services similar to those previously contracted, on the basis of the legitimate interest recognized in Article 21.2 of LSSI-CE. The User may object at any time through the unsubscribe link included in each communication or by writing to privacy@reglapp.com.
11.2 Personalized marketing and communication to commercial partners
Where the User has provided explicit and separate consent through the specific checkbox provided for that purpose, Reglapp may communicate certain data (contact details, platform usage profile, declared preferences) to categories of selected commercial partners for personalized offers in the following areas: complementary immigration services, tax and financial advice, banking and insurance products, relocation services, telecommunications, housing and related services.
Reglapp will not communicate to such partners data from the professional case file, uploaded documentation or special category data.
The User may withdraw this consent at any time through the account settings or by writing to privacy@reglapp.com. Withdrawal does not affect the ability to continue using Reglapp's main services.
12. Cookies and similar technologies
The Website uses its own and third-party cookies in accordance with Article 22.2 LSSI-CE. Strictly necessary cookies are installed automatically; the rest require the User's prior consent, expressed through the cookie management panel available on the Website.
For detailed information about cookies (categories, purposes, retention periods, third parties), please consult the Cookies Policy at /cookies.
13. Security measures
Reglapp has implemented technical and organisational measures appropriate to the risk of processing, in accordance with Article 32 GDPR, including:
- Encryption in transit (TLS 1.2+) and at rest of sensitive data
- Cryptographic hashing of passwords
- Access control based on the need-to-know principle
- Storage in infrastructure located in the European Union (Germany)
- Periodic backups and recovery procedures
- Records of Processing Activities (RoPA) and internal incident response procedures
- Periodic staff training on data protection
In the event of a personal data breach posing a high risk to the rights and freedoms of the User, Reglapp will notify the breach to the AEPD within 72 hours (Art. 33 GDPR) and, where applicable, to the affected User without undue delay (Art. 34 GDPR).
14. Modifications to the Policy
Reglapp may modify this Privacy Policy to adapt it to legislative or jurisprudential developments or changes in its processing practices. Substantial modifications will be notified to the User with reasonable advance notice via email or prominent notice on the platform. The date of the last update is shown at the top of the document.
Where the modification affects processing based on consent, Reglapp will request a new consent from the User.
15. Languages
This Privacy Policy is published in Spanish, English and Russian. In case of discrepancy or conflict between the language versions, the Spanish version shall prevail.