Privacy Policy

Last updated: April 2026 · Compliant with GDPR (EU Regulation 2016/679) and Spanish LOPDGDD (Organic Law 3/2018)

1. Data Controller

Controller: José Rosa Cobos

NIF/CIF: 74895363A

Address: Calle Espirea N1

Contact email: privacidad@longevitymap.co

2. Data We Collect

2.1 Data provided directly by the user:

Full name (upon registration), email address, profile picture (if using Google OAuth), city (optional), data entered in My Protocol (health goals, budget, location), review content (text, ratings, optional photos), and biomarker data (only if voluntarily provided by the user in reviews).

2.2 Data collected automatically:

IP address (anonymized), browser and device type, pages visited and time spent, and actions performed (searches, clicks, appointment requests).

2.3 Payment data:

Credit card data is processed directly by Stripe; it never passes through our servers and is never stored in our database. We only store the Stripe customer ID to manage the subscription.

3. Health Data (Special Category)

Some data that the user may voluntarily provide (health goals in My Protocol, biomarkers in reviews) may be considered health data under GDPR (Art. 9). This data is processed exclusively with the user's explicit consent (Art. 9.2.a GDPR), used only for the stated purpose (generating personalized recommendations, enriching reviews), stored with enhanced security measures, and never sold or shared with third parties for marketing purposes.

The user may request the deletion of this data at any time.

4. Purpose and Legal Basis for Processing

Service provision (legal basis: contract performance, Art. 6.1.b): managing your account, processing appointment requests, generating AI recommendations, displaying reviews.

Service improvement (legal basis: legitimate interest, Art. 6.1.f): anonymous usage analytics, scoring algorithm improvement, review fraud detection.

Communications (legal basis: consent, Art. 6.1.a): sending transactional emails (confirmations, reminders) and, only with consent, newsletters and offers.

5. Data Sharing with Third Parties

We share data only with the following data processors, all of which have signed a DPA (Data Processing Agreement):

Supabase (database) — EU servers (Frankfurt).

Vercel (hosting) — global CDN with EU processing.

Stripe (payments) — PCI DSS certified.

Resend (emails) — recipient email only.

Anthropic (automated processing) — only the data strictly necessary for generating recommendations is processed, applying data minimization principles and avoiding, whenever possible, the processing of directly identifiable user information.

Google (OAuth authentication) — login data only.

Clinics: when requesting an appointment, we share with the clinic: name, email, phone number (if provided), requested treatment, and preferred date. This is necessary for service provision.

We never sell data to third parties for marketing or advertising purposes.

6. Your Rights (GDPR)

You have the right to:

Access (Art. 15) — request a copy of all your personal data.

Rectification (Art. 16) — correct inaccurate data.

Erasure (Art. 17) — request the deletion of your data ("right to be forgotten").

Restriction (Art. 18) — restrict the processing of your data.

Portability (Art. 20) — receive your data in a structured format.

Objection (Art. 21) — object to the processing of your data.

Withdraw consent at any time.

To exercise any right: privacidad@longevitymap.co. Response time: 30 days.

You may also file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es

7. Data Retention

Account data: while the account is active + 12 months after cancellation.

Payment data (Stripe ID): while the contractual relationship exists + legal tax retention period (5 years).

Reviews: indefinitely (they form part of the platform's public content), unless erasure is requested.

Analytics: anonymized data, indefinite retention.

Server logs: 90 days.

8. Security

We implement technical and organizational measures to protect your data: encryption in transit (HTTPS/TLS), encryption at rest for sensitive data, role-based access control, automatic backups, and regular security audits.

9. International Transfers

Some of our providers may process data outside the EEA (Stripe, Anthropic — USA). In these cases, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

10. Contact

Data Protection Officer (if applicable): privacidad@longevitymap.co