Privacy Policy
Last updated: April 19, 2026
1. Data Controller
Data Controller: Maestring (sole trader, Spain). Contact: privacy@maestring.com.
2. Data We Process
- Account: email, name, avatar (via Google OAuth or magic link).
- Study: question responses, timings, FSRS metrics, PDFs you upload.
- Payments: Stripe customer ID (we do not store card data).
- Technical: IP address, user-agent, error logs (Sentry).
- Analytics (with consent): product events via PostHog.
3. Purposes and Legal Basis
- Service delivery (contract performance, Art. 6(1)(b) GDPR).
- Billing (contract performance).
- Transactional emails (legitimate interest, Art. 6(1)(f)).
- Product analytics (consent, Art. 6(1)(a) — cookie banner).
4. Sub-processors
- Supabase (database hosting, auth) — EU.
- Vercel (app hosting) — global.
- Stripe (payments) — Ireland/US (standard contractual clauses).
- Anthropic and OpenAI (AI generation, embeddings) — US. Only anonymous IDs and text from PDFs you upload are sent; no personally identifiable data.
- Resend (transactional email) — US.
- Sentry (error tracking) — US.
- PostHog (analytics, optional) — EU.
- Upstash (rate limiting) — EU.
5. Retention
Account and study data: retained while your account is active. After cancellation, deleted within 30 days unless a legal obligation applies (billing records: 6 years).
6. Your Rights
Access, rectification, erasure, objection, restriction, and portability. You can delete your account directly from Settings → Delete account, or write to privacy@maestring.com. Complaints to the supervisory authority: aepd.es.
7. Cookies
We use strictly necessary cookies (session, CSRF). Analytics (PostHog) is activated only if you accept the banner. We do not use advertising cookies.
8. Security
Encryption in transit (TLS) and at rest (Supabase/Postgres). Row-level security per user on all tables. Sentry for incident detection.
9. Changes
We notify you of material changes by email at least 30 days in advance.