
Data Protection Impact Assessment (DPIA)

Public executive summary. The full document is kept in Bilbao AI S.L.'s Security File and is available to the Supervisory Authority (Spanish AEPD) upon request.

1. Scope and legal obligation

Article 35 GDPR mandates a DPIA whenever processing — by its nature, scope or purposes — is likely to result in a high risk to the rights and freedoms of natural persons. Afini.ai processes special categories of data (Art. 9 GDPR: psychological traits, values, attachment, humour, time orientation, life context) and applies automated algorithms to them. This DPIA is therefore a living document: it is reviewed at least annually and whenever a new layer, a new model or a substantive change in the legal basis is introduced.

2. Data map

Identification (email, language), payment data (handled by Stripe — Bilbao AI never stores PAN or banking data), psychometric questionnaire responses, conversations with the AI, declared layers (vital, rhythms, trajectory, hobbies, etc.), LLM proxy usage metrics and audit events.

Processors: Stripe (payments), Anthropic (LLM under DPA — processes only, never trains on your content), Resend (transactional email), Holded (Spanish e-invoicing TicketBAI), Railway (European hosting), Cloudflare (CDN/WAF), Sentry (European error monitoring).

3. Identified risks

  • Sensitive inference risk: combining layers may reveal psychological states the user did not explicitly declare.
  • Re-identification risk: pseudonymised data could be linked back to the subject if cross-referenced with external sources.
  • Secondary use risk: third parties might use the AfiniTwin or narratives for purposes other than those consented to.
  • Algorithmic bias risk: LLMs could reproduce biases when interpreting the profile.
  • International transfer risk: although the main processing is European, Anthropic's API processes content under a DPA with EU Standard Contractual Clauses (SCCs).

4. Mitigations

  • Encryption in transit (TLS 1.2+) and at rest (AES-256) across all layers; database segregation in European infrastructure (Railway eu-west).
  • Granular and revocable consent per layer with an audit trail for each change (see the Consents tab in your dashboard).
  • Minimisation: each AI conversation only receives the strictly necessary subset of the profile; content is never used to train models.
  • Bias audits on proxy prompts and periodic human review of generated narratives.
  • Aggressive anonymisation in logs and metrics: salted IP hashes, no conversation content, limited retention (90 days in Sentry, 30 days in application logs).
  • Documented breach notification procedure (Art. 33 GDPR) within 72 hours with full chain of custody.

5. Review and governance

The DPIA is reviewed at least once a year and mandatorily whenever a new layer, a new model or a high-impact feature (e.g. third-party export) is introduced. The Data Controller approves each review and the date is logged in the Security File. Professional users and companies may request access to the extended summary upon signing a confidentiality agreement.

Are you a professional or a company? Request the DPA

If you intend to process your clients' data through Afini.ai, Art. 28 GDPR requires you to sign a Data Processing Agreement (DPA). We will send you the template within 48 hours.

Template prepared for counter-signing: download it, fill in your details in the signature section, sign it and send it to privacidad@afini.ai. We will counter-sign it and return the sealed PDF within 48 hours.

Supplement v2.0 (May 9, 2026): advertising and analytics integrations

As of May 9, 2026, Afini.ai activates the following advertising and analytics integrations in a controlled manner, all of them conditional on prior user consent expressed via the four-category cookie banner (Google Consent Mode v2, default value denied):

  • Google Tag Manager (GTM) as a tag container — no identifiers until consent.
  • Google Analytics 4 (GA4) with cookies _ga, _ga_*; IP anonymized in the EEA; 14-month retention.
  • Google Ads Conversion Tracking with cookies _gcl_au, _gcl_aw, _gcl_dc; 30-day attribution window.
  • Google Ads Enhanced Conversions — transmission to Google of the SHA-256 hash of the user’s email to improve attribution.
  • Google Ads Offline Conversions — server-to-server call from the Stripe checkout.session.completed webhook to the Google Ads API (ConversionUploadService), conditional on marketing consent.
  • Advertising audiences — Remarketing Lists for Search Ads, Customer Match (with SHA-256 hashed email via UserDataService) and Similar Audiences. Personality scores and the cognitive profile are never used to build these audiences.
  • Plausible Analytics (cookieless, no consent required) — hosted in the European Union (Estonia), aggregated metrics exempt under EDPB Guidelines 03/2023.

New recipient: Google LLC (USA / global network). Applicable safeguards: EU-U.S. Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs) + Transfer Impact Assessment performed in accordance with Schrems II.

Outcome of the DPIA update: residual risk remains moderate-low. Added mitigating measures are (1) Consent Mode v2 with default-denied value, (2) server-side gate on the Stripe→Google Ads call based on the user’s marketing consent flag, (3) explicit policy not to segment by personality, (4) cookie banner with three equally prominent buttons and revocation reopenable from the footer.

For full detail (specific cookies, retention periods, legal bases, table of recipients and transfers), see the Privacy Policy and the Cookie Policy in their v2.0 version.

Last updated: 6 May 2026 (v2.0 — 9 May 2026)
