Privacy Policy

Controller: José Rosa Cobos

NIF/CIF: 74895363A

Address: Calle Espirea N1

Contact email: privacidad@longevitymap.co

2.1 Data provided directly by the user:

Full name (upon registration), email address, profile picture (if using Google OAuth), city (optional), data entered in My Protocol (health goals, budget, location), review content (text, ratings, optional photos), and biomarker data (only if voluntarily provided by the user in reviews).

2.2 Data collected automatically:

IP address (anonymized), browser and device type, pages visited and time spent, and actions performed (searches, clicks, appointment requests).

2.3 Payment data:

Credit card data is processed directly by Stripe and never passes through our servers nor is stored in our database. We only store the Stripe customer ID to manage the subscription.

Some data that the user may voluntarily provide (health goals in My Protocol, biomarkers in reviews) may be considered health data under GDPR (Art. 9). This data is processed exclusively with the user's explicit consent (Art. 9.2.a GDPR), used only for the stated purpose (generating personalized recommendations, enriching reviews), stored with enhanced security measures, and never sold or shared with third parties for marketing purposes.

The user may request the deletion of this data at any time.

Service provision (legal basis: contract performance, Art. 6.1.b): managing your account, processing appointment requests, generating AI recommendations, displaying reviews.

Service improvement (legal basis: legitimate interest, Art. 6.1.f): anonymous usage analytics, scoring algorithm improvement, review fraud detection.

Communications (legal basis: consent, Art. 6.1.a): sending transactional emails (confirmations, reminders) and, only with consent, newsletters and offers.

We share data only with the following data processors (Art. 28 GDPR). We commit to signing a DPA (Data Processing Agreement) with each of them before any effective processing of personal data in production.

Database and storage

Supabase Inc. — PostgreSQL database and file storage. Region: EU (Frankfurt, Germany). Data processed: all account data, reviews, appointments, protocols. Web: supabase.com/privacy.

Vercel Inc. — application hosting and CDN. Region: global edge with EU-preferred compute (Frankfurt). Data processed: server logs, visitor IPs, request payloads. Web: vercel.com/legal/privacy-policy.

Upstash Inc. — cache and rate limiting (serverless Redis). Region: EU. Data processed: rate-limit counters (hashed IP, user id), TTL < 24h, no request bodies. Web: upstash.com/privacy.

Cloudinary Ltd. — image storage and optimization (clinic photos, avatars, review photos). Region: global CDN. Data processed: files uploaded by users and clinics. Web: cloudinary.com/privacy.

Payments

Stripe Payments Europe Ltd. — payment processing and subscriptions. PCI DSS Level 1 certified. Data processed: name, email, card data (handled directly between browser and Stripe, never reaches our servers), transaction history. International transfer to the US protected by SCCs. Web: stripe.com/privacy.

Communications

Resend Inc. — transactional email delivery (verification, appointment confirmations, notifications). Data processed: recipient email and name, email content. Web: resend.com/legal/privacy-policy.

Authentication and AI

Google Ireland Ltd. — OAuth authentication. Data processed: email and name from the Google profile when the user chooses to sign in with Google. Web: policies.google.com/privacy.

Anthropic Ireland Ltd. — automated processing for recommendation generation (Claude API). Only the data strictly necessary is processed, applying data minimization and avoiding directly identifiable information. Anthropic does not use API data to train models. Web: anthropic.com/legal/privacy.

Error monitoring

Functional Software, Inc. (Sentry) — production error monitoring to detect and fix failures. Data processed: stack traces, error routes, user-agent, browser version. We apply strict minimization: automatic PII collection is disabled (sendDefaultPii:false), we filter cookies, authentication headers, forwarded IP (x-forwarded-for) and emails before sending, and limit trace sampling to 10%. International transfer to the US protected by SCCs. Web: sentry.io/privacy.

Clinics: when requesting an appointment, we share with the selected clinic: name, email, phone (if provided), requested treatment, preferred date, and any notes from the user. This sharing is necessary for service provision (Art. 6.1.b GDPR). The patient's phone number is only revealed to the clinic after appointment confirmation.

We never sell data to third parties for marketing or advertising purposes.

You have the right to: Access (Art. 15) — request a copy of all your personal data. Rectification (Art. 16) — correct inaccurate data. Erasure (Art. 17) — request the deletion of your data ("right to be forgotten"). Restriction (Art. 18) — restrict the processing of your data. Portability (Art. 20) — receive your data in a structured format. Objection (Art. 21) — object to the processing of your data. Withdraw consent at any time.

To exercise any right: privacidad@longevitymap.co. Response time: 30 days.

You may also file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es

Patient user accounts: while the account is active. Upon voluntary deletion, personal data is anonymized immediately and only published reviews (unlinked from the user) and records of completed appointments (for legal accounting obligations, 5 years) are retained.

Clinic accounts: while the account is active. Voluntary deletion requires a minimum inactivity window of 6 months with no recent appointments or pending deposits, to protect patients who already booked and ensure correct delivery of contracted services (Art. 17.3.b GDPR — compliance with legal obligation). After that period, the clinic's contact details are anonymized and the profile is no longer public.

Payment data (Stripe IDs and invoicing): during the contractual relationship plus the legal tax retention period (5 years, Art. 30 Spanish Commercial Code).

Published reviews: indefinitely as part of the platform's public content, unless the author expressly requests erasure (Art. 17 GDPR).

Audit logs (administrative actions, magic-link accesses): 12 months, to meet traceability requirements in the event of security incidents.

Server logs: 30 days. Analytics: anonymized data, indefinite retention.

We implement technical and organizational measures to protect your data: encryption in transit (HTTPS/TLS), encryption at rest for sensitive data, role-based access control, automatic backups, and regular security audits.

Some of our providers may process data outside the EEA (Stripe, Anthropic, Sentry — USA). In these cases, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

Data Protection Officer (if applicable): privacidad@longevitymap.co

LongevityMap maintains a directory of longevity clinics as a sector-wide information service to the public. Some clinics appear in the directory without having created an account first, based on publicly accessible business information. This section explains that practice in accordance with Articles 6, 13 and 14 GDPR.

11.1 What we publish about these clinics. Identifying and contact data of a healthcare/business professional activity: trade name, postal address, city, public phone, public email (if the clinic publishes it on its own website), website URL, public social networks, list of treatments offered, photographs published on the clinic's own channels or on Google Business Profile, public opening hours, sanitary registration number (when listed in official registers) and CIF/NIF (when listed in public commercial information). We do not publish data relating to the private life of specific individuals beyond the name and professional title of healthcare staff that the clinic itself publicly announces.

11.2 Sources. The clinics' own public websites, Google Maps / Google Business Profile, public regional sanitary registers, specialised press and professional directories. The origin marker is stored in the importSource field of the record and is available for audit.

11.3 Legal basis (Art. 6.1.f GDPR · legitimate interest). We operate a sector-wide directory of commercial information aimed at the public looking for longevity clinics. Clinics are legal entities or healthcare staff acting in a professional capacity, not in their private sphere. The information processed is limited to the public professional/business dimension and is not used for individual profiling or automated decisions with legal effects. We have carried out the balancing test between our legitimate interest (operating a transparent sector service that helps patients compare options) and the rights of the data subjects (clinics and practitioners), concluding that our legitimate interest prevails provided the effective right of objection and erasure described in point 11.5 is guaranteed.

11.4 Purposes. (a) Publishing the clinic profile in the public LongevityMap directory. (b) Allowing users to find, compare and contact clinics. (c) Enabling the clinic itself to claim its profile to manage it directly.

11.5 Right of objection and erasure (Arts. 17 and 21 GDPR). Clinics and practitioners whose data appears published may at any time request removal from the directory via: (i) the public form at /contact, (ii) email to privacidad@longevitymap.co or (iii) the claim process accompanied by revocation. We manually verify legitimacy (matching of the email domain with the clinic's website, sanitary registration number or other documentary evidence) within a maximum of 30 days from the request (Art. 12.3 GDPR). Once verified, we mark the record as visibilityStatus = REMOVED and stop publishing it immediately. The auditable record of the request is kept in the activity log as proof of compliance (Art. 30 GDPR).

11.6 Retention period. While the clinic remains published in the directory. After a verified removal request, the flow described in 11.5 applies. The record remains marked as REMOVED to prevent subsequent automatic re-imports (persistent opt-out).

11.7 International transfers. Data hosting follows the same terms described in points 5 and 9. No additional specific transfers are made for the data of listed clinics.

11.8 How to verify what we publish about your clinic. The full profile is always the clinic's own public page at longevitymap.co. If you want to see the internal metadata (import date, source, audit record), request it by email to privacidad@longevitymap.co, providing proof of affiliation with the clinic (Art. 15 GDPR).