Privacy Policy
How we collect, use and protect your data. Compliant with the GDPR (EU 2016/679) and the LOPDGDD (Spain).
Last updated: 17 May 2026
1. Data controller
The controller of the personal data collected via tarifa.life is:
- Tarifa Life, sole proprietorship
- Tarifa, Andalusia, Spain
- Contact: info@tarifa.life
2. Data collected and purposes
2.1 At registration
- Email, first name, last name, password (hashed, never in plain text)
- For Google OAuth accounts: email address, name and profile photo
- Role (user, school owner, restaurant owner, etc.)
Purpose: to create and manage your account, allow you to log in, and contact you about important notifications.
Legal basis: performance of the contract (Terms of Use) and legitimate interest.
2.2 When using the service
- Published content: stories (photos, videos), reviews, messages, marketplace listings
- Technical metadata: IP address, user agent, date and time of actions
- Geographic location: only if you explicitly enable it to search for a place
- History of notifications and read/unread status
- Preferences (language, subscriptions to spots and venues)
Purpose: to provide the service, moderation, security, fraud prevention.
Legal basis: performance of the contract and legitimate interest in providing a secure service.
2.3 During a payment
- Amount, date, currency, status
- Billing address and VAT number (for professionals)
- No bank data is stored by tarifa.life. Bank card information is processed exclusively by Stripe Payments Europe Ltd.
Purpose: execution of transactions, accounting, tax obligations.
Legal basis: performance of the contract and legal obligation (10-year retention of accounting records).
2.4 Conversations with the AI assistant
- Content of the messages exchanged
- Responses of the AI model
- Model used (Haiku, Opus)
- Escalation status (yes/no)
Purpose: to ensure the continuity of the conversation, escalate to a human if necessary, and improve the service.
Legal basis: legitimate interest in providing support.
Conversations are transmitted to the AI model provider Anthropic PBC (USA) for processing. Anthropic does not retain API requests beyond the time needed for processing (except in exceptional cases of detected abuse).
2.5 Push notifications (PWA)
- Web push subscription endpoint, cryptographic keys (p256dh, auth)
- User agent of the device
Purpose: to send you push notifications if you have accepted them.
Legal basis: your consent (at the moment you grant the notification permission in your browser). You can withdraw your consent at any time by disabling notifications in your browser or PWA settings.
3. Processors and recipients
We use the following processors to provide the service:
- Vercel Inc. (USA) — web hosting. Transfer outside the EU governed by the Standard Contractual Clauses (SCCs) approved by the European Commission.
- Supabase Inc. (Singapore; data stored in the EU, in Ireland) — database, authentication, file storage.
- Stripe Payments Europe Ltd. (Ireland, EU) — payment processing.
- Resend Inc. (USA) — sending of transactional emails. Transfer outside the EU governed by the SCCs.
- Anthropic PBC (USA) — AI models for the support chatbot. Transfer outside the EU governed by the SCCs. Requests are not used to train the models (zero-retention API).
- Google LLC (USA) — public venue data (Maps, Places API). Google OAuth if you log in via Google.
We never sell your personal data to third parties and do not use it for advertising purposes beyond the operation of the service.
4. Retention period
- Active account: for as long as the account exists, plus 12 months after the last activity, then deletion unless legal obligations apply.
- Accounting data (invoices, transactions): 10 years after the end of the tax year (Spanish legal obligation).
- Chat conversations: 90 days, then automatic deletion.
- Technical logs (IP, user agent): 12 months maximum.
- Stories: automatically deleted at midnight (Europe/Madrid time) on the day of publication, except in the exceptional case where a story has been reported.
- Marketplace messages: kept for the duration of the conversation, plus 12 months after it is closed, for the resolution of any dispute.
5. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access: to obtain confirmation that your data is being processed and to receive a copy of it.
- Right to rectification: to correct inaccurate data.
- Right to erasure ("right to be forgotten"): to request the deletion of your data.
- Right to restriction: to restrict the processing of your data.
- Right to portability: to retrieve your data in a structured and readable format.
- Right to object: to object to the processing of your data on legitimate grounds.
- Right to withdraw your consent at any time where the processing is based on it.
- Right to lodge a complaint with the competent supervisory authority (in Spain: AEPD — Agencia Española de Protección de Datos).
To exercise these rights, write to info@tarifa.life specifying your request. We will respond within 30 days.
6. Security
We implement reasonable technical and organisational measures to protect your data: TLS encryption for all communications, bcrypt hashing of passwords, role-based restricted access to the database, access logging, daily backups and regular updating of dependencies.
Despite these measures, no system is entirely foolproof. In the event of a data breach affecting your information, we will notify the AEPD within 72 hours in accordance with Article 33 of the GDPR and will notify you without delay if the incident poses a high risk to your rights.
7. Cookies and trackers
See our dedicated Cookie Policy for the details.
8. Minors
The service is not intended for minors under the age of 16. If you are under 16, you must obtain the consent of your parents or guardians to use the Platform.
9. Changes to the policy
This policy may be amended to reflect legal or technical developments. The applicable version is the one published on the Site. In the event of a substantial change, we will inform you by email or by in-app notification.
10. Contact
For any question relating to your personal data or to this policy: info@tarifa.life.