Privacy Policy

1. Identification of the Controller

This Privacy Policy governs the processing of personal data carried out through:

(i) the website www.temprofit.com
(ii) the TEMPROFIT application and/or platform
(iii) the associated services

This Policy also applies to any interaction, use, transaction or relationship that the User maintains with the Controller through those environments (hereinafter, the "Services").

The Controller may modify this Policy at any time. Updated versions will be available on the Platform, indicating the last update date.

In the event of substantial changes, the Controller will notify the User in accordance with applicable law.

Continued use of the Services implies acceptance of the current version of the Policy.

The data controller is:

TRESOJOTAS
Address: Calle Alamedilla 12, block 1 floor 3A, ZIP 28045, Madrid, Spain
Email: hola@tresojotas.com
(hereinafter, the "Controller")

2. Scope, Acceptance and Sources of Information

Accessing, registering and using the Platform implies that the User has read, understood and accepted this Privacy Policy.

The User declares that the data provided is true, accurate and up to date, and undertakes to keep it duly updated.

The Controller mainly collects personal information directly from the User. However, it may obtain personal data through third parties to the extent necessary for the provision of the Services, including, but not limited to:

(i) providers of financial services and/or open banking or banking aggregation, which allow access to financial account information, subject to the User's express consent where applicable;
(ii) other users of the Platform, as part of collaborative features, invitations or referral programs;
(iii) advertising networks and partners;
(iv) analytics and measurement providers;
(v) social media platforms and networks.

The processing of data from third parties will be carried out in accordance with applicable law and, where appropriate, on the basis of the User's consent or another valid legal basis.

3. Legal Basis for Processing

In accordance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish personal data protection law, the Controller will process the User's personal data only when there is a valid legal basis for doing so.

In particular, the legal bases for processing will be the following:

(i) Performance of the contractual relationship: Processing is necessary for the provision of the Services requested by the User, including registration on the Platform, account management, access to features, payment processing and compliance with the Terms and Conditions.

(ii) Legitimate interest of the Controller: The Controller may process personal data for the development and improvement of the Services, the operational management of the business, Platform security, fraud prevention, User support, usage analysis, incident detection, defence of legal rights and compliance with quality and security standards. In these cases, the Controller guarantees that it has carried out the relevant balancing test, ensuring that such interests do not override the rights and freedoms of the User.

(iii) Compliance with legal obligations: Processing may be carried out when necessary to comply with legal obligations applicable to the Controller, including requirements from administrative, judicial or regulatory authorities, as well as tax, accounting or security obligations.

(iv) User's consent: Where processing is not based on the above grounds, the User's prior, free, specific, informed and unambiguous consent will be requested, especially in relation to: integration with third-party services (for example, financial data aggregation providers); commercial communications where required by applicable law; any processing that requires it under the GDPR. The User may withdraw consent at any time, without affecting the lawfulness of processing prior to its withdrawal.

4. Communication and Disclosure of Data

The Controller may disclose personal data when necessary for the provision of the Services, compliance with legal obligations or the protection of legitimate interests, in accordance with the GDPR.

In particular, data may be disclosed to:

(i) Service providers (data processors): including providers of technology infrastructure, hosting and databases; authentication and storage providers (for example, Supabase); payment processors (for example, Stripe); technical support and customer service providers; security and fraud prevention providers. These third parties act as data processors and are subject to contractual obligations of confidentiality, security and processing in accordance with the Controller's instructions, in line with Article 28 of the GDPR.

(ii) Analytics and marketing providers: to analyse the use of the Platform, improve the Services and, where appropriate, carry out marketing activities in accordance with applicable law.

(iii) Third-party services integrated by the User: If the User decides to integrate external services, data may be communicated to those providers, subject to the User's consent. The User acknowledges that these third parties will act in accordance with their own privacy policies.

(iv) Other authorised users: In connection with collaborative features, referrals or shared use, the Controller may share certain information with other users, to the extent that the User so authorises.

(v) Corporate transactions: In the event of a merger, acquisition, restructuring, sale of assets or similar situations, personal data may be transferred as part of the transaction, ensuring compliance with applicable law.

(vi) Legal compliance and protection of rights: The Controller may disclose personal data when necessary to comply with legal obligations; respond to requests from authorities; enforce the Terms and Conditions; protect the rights, property or safety of the Controller, Users or third parties; prevent fraud or security risks.

(vii) User's consent: Outside the above scenarios, any disclosure of data will only take place with the User's prior consent.

5. Personal Data Collected

The Controller may process the following categories of personal data, to the extent necessary for the provision of the Services and in accordance with applicable law:

a) Identification data: First and last name; email address; account identifiers; access credentials (managed using appropriate security mechanisms, without access to plain-text passwords by the Controller).

b) Usage and activity data: Information relating to the User's interaction with the Platform; activity logs, system events and behaviour within the Platform; preferences, settings and usage patterns.

c) Economic and financial data: Information voluntarily entered by the User into the Platform; data linked to the organisation, management, visualisation or analysis of personal or professional financial information; information from, where applicable, integrations with third-party services authorised by the User.

d) Technical and browsing data: IP address; device identifiers; type of browser, operating system and configuration; connection and browsing data.

The User acknowledges and accepts that: (i) the Platform may involve the processing of economic, financial or personal information, the uploading of which is voluntarily performed by the User; (ii) the Controller acts exclusively as a provider of a technological management tool and does not validate, verify or guarantee the accuracy, lawfulness or suitability of the information entered; (iii) the User is solely responsible for the data entered, including any personal data of third parties, and must have a sufficient legal basis for its processing under the GDPR and other applicable laws; (iv) the User fully assumes the risks arising from the entry, storage and use of such information on the Platform; (v) the Controller will not be liable for any improper processing of personal data by the User, nor for the consequences arising from the uploading of inaccurate, unlawful or unauthorised information; (vi) the User undertakes to hold the Controller harmless against any claim, sanction or liability that may arise from the breach of the obligations set forth herein.

Likewise, the User acknowledges that the Platform is not, in principle, intended for the processing of special categories of personal data within the meaning of Article 9 of the GDPR, unless the User has a sufficient legal basis for doing so and assumes the corresponding responsibility.

6. Purpose of Processing

The User's personal data will be processed by the Controller for the following purposes, to the extent necessary for the provision of the Services and in accordance with applicable law:

(i) Management of registration and the User account: Enable the registration, authentication, verification and administration of the User's account, and ensure correct access to the Platform and its features.

(ii) Provision of the Services: Enable the operation of the Platform, including the storage, organisation, visualisation, analysis and management of the information entered by the User, as well as the provision of associated technological tools.

(iii) Management of the contractual relationship: Manage the legal relationship with the User, including operational communications, service-related notifications, incident management, technical support and compliance with the Terms and Conditions.

(iv) Management of subscriptions, payments and billing: Process payments, manage subscriptions, renewals, cancellations and any economic operation linked to the Services, through authorised external providers.

(v) Improvement, development and optimisation of the Platform: Analyse the use of the Platform, compile statistics, detect errors, correct bugs, develop new features and improve the User's experience, all through the use of aggregated or, where appropriate, anonymised data.

(vi) Security, fraud prevention and system protection: Detect, prevent and mitigate unauthorised access, misuse, fraudulent activities or behaviour that may compromise the security, integrity or availability of the Platform, the data or other users.

(vii) Compliance with legal and regulatory obligations: Comply with legal obligations applicable to the Controller, including requests from judicial, administrative or regulatory authorities, as well as tax, accounting or security obligations.

(viii) Handling queries, requests and exercise of rights: Manage communications with the User, respond to queries, requests, complaints and handle the exercise of personal data protection rights.

(ix) Informational and, where applicable, commercial communications: Send communications related to the functioning of the Platform, updates, improvements or changes to the Services. Likewise, where there is a sufficient legal basis, commercial or promotional communications may be sent, and the User may object at any time in accordance with applicable law.

The Controller guarantees that personal data will be processed in an adequate, relevant manner and limited to what is necessary in relation to the purposes indicated, in accordance with the data minimisation principle set out in the GDPR.

Under no circumstances will the Controller use personal data to provide financial, accounting, tax or investment advice, or for automated decision-making with legal effects on the User.

7. User Rights Regarding Data Protection

7.1 Recognised rights

The User may request the Controller to:

(i) Right of access: Obtain confirmation as to whether or not personal data concerning them is being processed, and access such data and the information relating to its processing.

(ii) Right of rectification: Request the modification of inaccurate or incomplete personal data.

(iii) Right of erasure ("right to be forgotten"): Request the deletion of personal data when, among other reasons, it is no longer necessary for the purposes for which it was collected.

(iv) Right to restrict processing: Request the restriction of the processing of data in certain cases, in which case the Controller will only retain it for the exercise or defence of claims.

(v) Right to data portability: Receive the personal data provided to the Controller in a structured, commonly used and machine-readable format, and transmit it to another controller where technically feasible.

(vi) Right to object: Object to the processing of personal data in certain circumstances, in particular when processing is based on the Controller's legitimate interest or has direct marketing purposes.

(vii) Right not to be subject to automated decisions: Not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect the User, except in the cases provided for by applicable law.

Likewise, the User has the right to withdraw any consent given at any time, without affecting the lawfulness of the processing based on prior consent.

7.2 Exercise of rights

The User may exercise their rights at any time by submitting a request to the Controller through the following channel:

Email: hola@tresojotas.com

The request must contain, as a minimum: the User's first and last name; the email address associated with the account; the right to be exercised; a clear description of the request; documentation enabling identity verification, where necessary.

7.3 Representation through third parties

The User may appoint a third party to exercise their rights on their behalf. In such case, written authorisation signed by the User, or a document proving the corresponding legal representation, must be provided.

7.4 Response time

The Controller will respond to requests within a maximum period of one (1) month, which may be extended by a further two (2) months in cases of particular complexity, in accordance with Article 12 of the GDPR.

7.5 Limitations

The exercise of rights may be limited where necessary to: comply with legal obligations; ensure the provision of the service; protect the rights of third parties; prevent fraud or abuse; maintain the security of the Platform.

7.6 Right to file a complaint

If the User considers that the processing of their personal data does not comply with applicable law, they may file a complaint with the competent supervisory authority. In Spain, the supervisory authority is the Spanish Data Protection Agency (AEPD) — www.aepd.es

8. Data Retention

The Controller will retain personal data for the time strictly necessary for the provision of the Services, the performance of the contractual relationship and the fulfilment of the purposes described in this Policy, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Spanish law.

In particular:

• Data associated with the User's account may be retained for a maximum of twelve (12) months from the end of the subscription or trial period, unless the User requests its deletion earlier.
• In the event of account deletion, the Controller may retain certain minimum data (such as the email address) solely for the purpose of demonstrating the deletion of the data and preventing misuse or fraudulent recreation of accounts.
• Without prejudice to the above, the Controller may retain personal data for the periods necessary to comply with legal, tax or regulatory obligations, as well as to formulate, exercise or defend claims.

9. Applications, Integrations and Third-Party Services

The Platform may allow integration with third-party applications, tools, plugins or services. If the User decides to use such integrations, they expressly authorise the disclosure of the data necessary for their operation.

The User acknowledges and accepts that such third parties will act as independent controllers of the data they receive, and that such processing will be governed by their own terms and privacy policies.

10. Protection of Minors

The Platform is not directed at minors. The Services may not be used by persons under eighteen (18) years of age, as set out in the Terms and Conditions.

The Controller does not knowingly collect personal data from minors. In the event that data from a minor is detected as having been collected without due authorisation, it will be deleted without undue delay.

If any person becomes aware that a minor has provided personal data through the Platform, they may report it to: hola@tresojotas.com

11. Recipients and Assignments

The Controller will not sell or assign personal data to third parties, except in the following cases: compliance with legal obligations; requests from competent authorities; technology providers necessary for the provision of the service.

Among them:

• Supabase (database, authentication and storage)
• Hostinger (infrastructure and hosting)
• Stripe (payment processing)

These providers act as data processors and operate under their own privacy policies.

12. International Transfers

Given the use of global technology providers, international data transfers may occur. The Controller adopts reasonable measures to ensure an adequate level of protection in accordance with the GDPR, including standard contractual clauses and the selection of providers with international standards.

13. Information Security

For more information, please refer to our Information Security Policy.

14. Cookies and Similar Technologies

The Platform may use cookies and similar technologies for: technical functioning, usage analysis and improvement of the experience. The User may configure their preferences through the browser or the cookie banner.

15. Modification

The Controller may modify this Policy at any time. Changes will be published on the Platform and will take effect upon publication.

16. Contact

For any data protection queries: hola@tresojotas.com