Privacy Policy
Last updated: 20 March 2026
Table of Contents
- Data controller and territorial scope
- Data Protection Officer
- What data we collect
- How we use your data (treatment purposes)
- Legal basis for treatment
- Data recipients
- International data transfers
- Data retention periods
- Your rights
- Data of minors
- Especially sensitive data and special categories
- Automated decisions, profiling and artificial intelligence
- Treatment principles and impact assessment
- Technical and organizational security measures
- Cookie policy and local storage
- Links to third parties
- Jurisdiction-specific information
- Modifications to this policy
- Applicable law and jurisdiction
- Contact
1. Data controller and territorial scope
The data controller for your personal data is:
- Legal name: Bilbao AI S.L.
- Tax ID: B-13759758
- Registered address: Calle Diputación 8, floor 4, Department 5, 48008 Bilbao (Bizkaia), Spain
- Email: info@afini.ai
- Websites: https://test.afini.ai · https://afini.ai
Bilbao AI S.L. (hereinafter, "Afini", "us" or "the Platforms") is the owner and controller of the personality assessment and cognitive profile services accessible through these websites.
Territorial scope: Afini offers its services to users worldwide. This Privacy Policy has been designed to comply with data protection regulations applicable in each jurisdiction where we operate, including — without limitation — the European Union, the European Economic Area, the United Kingdom, the United States of America, Canada, Brazil, Australia and Japan. In case of conflict between provisions of different jurisdictions, the rule offering a higher level of protection to the user will apply.
2. Data Protection Officer
Given the size of the organization and the nature of data treated, Afini is not required to appoint a Data Protection Officer (DPO) in accordance with article 37 of the GDPR. However, you may direct any inquiries related to the protection of your personal data to: info@afini.ai.
3. What data we collect
We collect and treat the following categories of personal data, according to the service used and the moment of interaction:
3.1. Data provided when purchasing or starting a test (test.afini.ai)
- Name or pseudonym
- Email address
- Age (optional)
- Biological sex (optional, for normative calibration)
- Gender (optional)
- Country of residence (optional)
- Pronoun preference (optional)
3.2. Data provided when registering (afini.ai)
- Email address (required, for magic link authentication)
- Name or pseudonym (required)
- Calibration demographic data (age, biological sex, country — optional, for normative precision)
3.3. Data generated during assessments
- Individual responses to each questionnaire item (Likert scale 1-5)
- Timestamp of start and completion of each assessment
- Assessment version and type completed
3.4. Result and cognitive profile data
- Scores for the 5 major personality traits (Openness, Conscientiousness, Extraversion, Agreeableness, Emotional Stability)
- Scores for the 30 personality facets (in Advanced and Complete versions)
- Scores from additional instruments on afini.ai (attachment scales, humor styles, and others as the service evolves)
- Compiled cognitive profile (JSON structure integrating scores from all assessed layers)
- Compiled system prompt (textual version of the profile used for AI model injection)
- Narrative personality report generated by AI
3.5. AI interaction data (afini.ai)
- Content of conversations with the AI model (user messages and system responses)
- Usage accounting: number of output tokens consumed per month (technical data for quota control). Input tokens do not count toward the monthly limit
- Number of daily requests to the AI service
3.6. Payment data
Afini DOES NOT store, process or have access to your credit or debit card data, bank account number or any other financial data.
Payments are managed entirely by Stripe, Inc., which acts as an independent payment processor and is responsible for treating financial data in accordance with its own Privacy Policy and PCI-DSS regulations.
Afini only receives from Stripe confirmation of successful payment (transaction status and Stripe session identifier). We do not receive card or payment method data.
3.7. Technical data we do NOT collect
Afini DOES NOT persistently store:
- User's IP address (transiently processed in memory for rate limiting / abuse prevention, but not recorded in databases or logs)
- Browser fingerprint
- Precise geolocation data
- Device identifiers
- Navigation data or history of pages visited inside or outside the Platforms
- Tracking, analytics or advertising cookies
4. How we use your data (treatment purposes)
We treat your personal data exclusively for the following purposes:
| Purpose | Data used | Legal basis |
| --------- | ----------- | ------------- |
| Generate your Big Five personality profile | Test responses, test version | Contract execution |
| Generate and send your results report | Name, email, scores | Contract execution |
| Allow you to access your results via personal link | Email, session token | Contract execution |
| Process service payment (via Stripe) | Payment confirmation | Contract execution |
| Redeem an invitation code (voucher) | Voucher code, name, email | Contract execution |
| Compile your multilayered cognitive profile (afini.ai) | Scores from all completed assessments | Contract execution |
| Inject your profile into the AI model to personalize interaction (afini.ai) | Compiled cognitive profile | Contract execution + Consent |
| Quantify AI service usage for quota control (afini.ai) | Tokens consumed, daily requests | Contract execution |
| Manage your subscription (afini.ai) | Email, plan, subscription status | Contract execution |
| Authenticate you via magic link (afini.ai) | Contract execution |
| Respond to your inquiries or requests | Email, name | Legitimate interest |
| Comply with legal and tax obligations | Billing data | Legal obligation |
What we do NOT do with your data:
- DO NOT sell your data to third parties. Ever. Under no circumstances.
- DO NOT share your personality profile, your responses, your results or your cognitive profile with third parties.
- DO NOT perform advertising profiling or commercial segmentation based on your personality.
- DO NOT use your data to send you advertising, newsletters or unsolicited commercial communications.
- DO NOT create behavioral profiles based on your navigation.
- DO NOT cede your data to advertising networks, data brokers or marketing platforms.
- DO NOT use your data to train artificial intelligence models or for research without your explicit and independent consent.
- DO NOT share the content of your AI conversations with the model provider or any third party.
5. Legal basis for treatment
The treatment of your data is based on the following legal bases in accordance with article 6.1 of the GDPR:
a) Contract execution (art. 6.1.b GDPR): Treatment is necessary for provision of the service you contracted: personality assessments, report generation, cognitive profile compilation and personalized AI interaction. Purchasing the test, redeeming an invitation code (voucher) or contracting a subscription constitutes service acceptance.
b) Consent (art. 6.1.a GDPR): For optional demographic data (age, gender, country), the legal basis is your free, specific, informed and unequivocal consent, manifested by voluntarily providing them. Cognitive profile injection into the AI model additionally requires your explicit consent, which is requested separately when activating the AI interaction service. You may revoke this consent at any time by writing to info@afini.ai, without affecting the legality of treatment based on consent given before its withdrawal.
c) Legitimate interest (art. 6.1.f GDPR): For attending to inquiries and requests you send us by email, based on our legitimate interest in maintaining appropriate communication with service users.
d) Legal obligation (art. 6.1.c GDPR): For compliance with tax and accounting obligations in accordance with current Spanish law (General Tax Law, Commercial Code).
6. Data recipients
Your personal data may be communicated to the following recipients, only to the extent necessary for the described purposes:
| Recipient | Purpose | Location | Guarantees |
| ----------- | --------- | ---------- | ----------- |
| Stripe, Inc. | Payment processing | USA / EU | Data Privacy Framework (DPF), standard contractual clauses |
| Railway Corp. | API hosting and PostgreSQL database | USA / EU | Standard contractual clauses, complementary technical measures |
| Cloudflare, Inc. | Website frontend hosting and distribution (Cloudflare Workers) | USA / Global network | Data Privacy Framework (DPF), standard contractual clauses |
| Anthropic PBC | AI model provider (LLM) for report generation and personalized interaction | USA | Data Privacy Framework (DPF), standard contractual clauses, Anthropic Usage Policy (data not used for training) |
| Resend, Inc. | Transactional email sending | USA | Standard contractual clauses |
In case an administrative or judicial authority requires us to communicate data in accordance with applicable law, we will proceed exclusively within the applicable legal framework.
7. International data transfers
Some of our service providers may treat data outside the European Economic Area (EEA). In all cases, we guarantee that such transfers have adequate safeguards in accordance with Chapter V of the GDPR:
- Stripe, Inc. (USA): Adheres to the EU-U.S. Data Privacy Framework (DPF), European Commission adequacy decision of 10 July 2023. Additionally, Stripe applies standard contractual clauses (SCCs) approved by the European Commission.
- Railway Corp. (USA): Transfers covered by standard contractual clauses (SCCs) in accordance with European Commission Implementing Decision 2021/914, supplemented with additional technical measures (encryption in transit and at rest).
- Cloudflare, Inc. (USA / global network): Adheres to the EU-U.S. Data Privacy Framework (DPF). Additionally, Cloudflare applies standard contractual clauses (SCCs) and complementary technical measures.
- Anthropic PBC (USA): Adheres to the EU-U.S. Data Privacy Framework (DPF). Data sent to Anthropic's commercial API is processed in real time and not retained for training. Additional guarantees: encryption in transit (TLS 1.3), API request data processing without persistence.
- Resend, Inc. (USA): Transfers covered by standard contractual clauses (SCCs).
Afini has conducted a Transfer Impact Assessment (TIA) in accordance with EU Court of Justice doctrine (case C-311/18, Schrems II) for each of the described transfers, concluding that the contractual and technical guarantees implemented ensure a level of protection substantially equivalent to that guaranteed by the GDPR. These assessments are reviewed periodically and are available to the supervisory authority upon request.
In no case are data transferred to countries lacking an adequate level of protection without the safeguards required by the GDPR.
For United Kingdom users: Data transfers outside the United Kingdom are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to EU SCCs, as provided by the Information Commissioner's Office (ICO). The United Kingdom recognizes the EU-U.S. Data Privacy Framework Extension as a basis for transfers to the USA.
For Canadian users: Data transfers outside Canada are made in accordance with PIPEDA principles (Section 4.1.3), ensuring that service providers offer comparable protection levels through binding contractual agreements.
For Brazilian users: International transfers are covered by article 33 safeguards of the LGPD, including specific contractual clauses and compliance with adequate protection standards certified by ANPD.
8. Data retention periods
We retain your data for the following periods:
| Data type | Retention period | Reason |
| ----------- | ------------------ | -------- |
| Individual test responses (test.afini.ai) | Deleted from server once results report is generated. Not permanently stored. | Data minimization |
| Assessment responses (afini.ai) | Retained while user account is active, to allow profile recalibration. Deletion upon request. | Contract execution |
| Aggregated scores and results | While you maintain your active access link (test.afini.ai) or active account (afini.ai). You may request deletion at any time. | Contract execution |
| Compiled cognitive profile (afini.ai) | While user account is active. Deleted 90 days after account cancellation. | Contract execution |
| Compiled system prompt (afini.ai) | Same as cognitive profile. | Contract execution |
| AI conversation content (afini.ai) | Retained up to 90 days after profile extraction, to enable recalibration with improved models. Users may request immediate deletion at any time. Automatically deleted after 90 days. | Contract performance + Consent |
| Token accounting (afini.ai) | 12 months from registration, renewable by subscription period. | Contract execution |
| Personality report | While you maintain your active access link or active account. | Contract execution |
| Name and email | Maximum 12 months from test completion (test.afini.ai) or from account cancellation (afini.ai), unless you request earlier deletion. | Contract execution |
| Billing/payment confirmation data | 5 years from transaction date. | Legal obligation (article 30 Commercial Code; article 70 General Tax Law) |
| Voucher/invitation data | 12 months from redemption or expiration. | Legitimate interest (audit and control) |
After the indicated periods, data will be securely deleted or irreversibly anonymized.
Minimization principle: We only retain data strictly necessary for each purpose and for the minimum time required.
Early deletion: Regardless of the above periods, you may request deletion of any of your data at any time by writing to info@afini.ai, without needing to wait for the indicated periods to elapse. We will respond to your request within a maximum of one month.
Account deletion (afini.ai): When you request account deletion, the following will be deleted: your cognitive profile, compiled system prompt, scores from all assessments and your identification data. Billing data will be retained for the mandatory legal period (5 years).
9. Your rights
In accordance with the GDPR (articles 15 to 22) and LOPDGDD (articles 12 to 18), you have the following rights:
a) Right of access (art. 15 GDPR): Obtain confirmation of whether we treat your data and, if so, access them and information about the treatment.
b) Right of rectification (art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
c) Right to deletion ("right to be forgotten") (art. 17 GDPR): Request deletion of your data when, among other cases, it is no longer necessary for the purpose for which it was collected, you withdraw consent, or the data has been unlawfully treated.
d) Right to restrict treatment (art. 18 GDPR): Request that treatment of your data be restricted in certain circumstances (for example, while data accuracy or treatment legality is verified).
e) Right to portability (art. 20 GDPR): Receive your personal data in a structured, commonly used and machine-readable format (JSON or CSV), and transmit them to another data controller. In the case of afini.ai, this right includes the ability to obtain your cognitive profile in portable JSON format.
f) Right of opposition (art. 21 GDPR): Object to treatment of your data on grounds related to your particular situation, when treatment is based on legitimate interest.
g) Right not to be subject to automated individual decisions (art. 22 GDPR): Not be subject to a decision based solely on automated treatment, including profiling, that produces legal effects or significantly affects you.
h) Right to withdraw consent for profile injection into AI (specific to afini.ai): You may request at any time that your cognitive profile cease to be injected into the AI model, while maintaining access to the rest of your account functionality.
How to exercise your rights:
- Send an email to info@afini.ai indicating the right you wish to exercise, together with a copy of your ID, passport or other document proving your identity.
- We will respond to your request within a maximum of one month from receipt (extendable to two months in cases of special complexity, in accordance with art. 12.3 GDPR).
- Exercise of these rights is free, unless requests are manifestly unfounded or excessive (art. 12.5 GDPR).
Right to lodge a complaint with the supervisory authority:
If you believe that treatment of your data violates data protection regulations, you have the right to lodge a complaint with the competent supervisory authority in your country of residence:
- Spain — AEPD (Spanish Data Protection Agency): www.aepd.es · C/ Jorge Juan 6, 28001 Madrid · Tel: 901 100 099 / 912 663 517
- United Kingdom — ICO (Information Commissioner's Office): ico.org.uk
- European Union — Other DPAs: Consult your Member State authority at edpb.europa.eu
- Brazil — ANPD: www.gov.br/anpd
- Canada — OPC: www.priv.gc.ca
- Australia — OAIC: www.oaic.gov.au
- United States — FTC: www.ftc.gov
- Japan — PPC: www.ppc.go.jp
For any other jurisdiction, contact us at info@afini.ai and we will indicate the competent authority.
10. Data of minors
Afini's service is not directed at minors under 16 years old. We do not intentionally collect data from minors under 16. If you are under 16, do not use this service or provide us with personal data.
If you are a parent, guardian or legal representative and have knowledge that a minor under 16 in your care has provided personal data to Afini, contact us at info@afini.ai and we will immediately delete such data.
The 16-year age limit is established in accordance with article 7 of LOPDGDD, which sets 14 years as the minimum age for consent in Spain. However, given the especially sensitive nature of personality data, Afini applies a reinforced protection threshold of 16 years.
Note on international thresholds: Different jurisdictions establish different minimum ages for digital consent (13 years in the USA under COPPA, 13 years in Canada under PIPEDA, 16 years in the Netherlands and Germany, 15 years in France, 14 years in Austria and Italy, etc.). Afini uniformly applies the 16-year threshold for all jurisdictions, thus guaranteeing the maximum level of protection regardless of user location.
11. Especially sensitive data and special categories
Data derived from personality assessments and cognitive profile, depending on their interpretation and context, could approximate the category of data concerning psychological health or psychological profile, categories enjoying reinforced protection under article 9 of the GDPR.
Afini adopts an approach of maximum caution:
- We treat personality assessment results and compiled cognitive profile with a level of protection equivalent to that of special categories of data, regardless of whether they technically qualify as such.
- Your assessment results and cognitive profile are strictly private: only you have access to them through your personal link or user account.
- We do not share, sell, cede or make your personality results or cognitive profile available to third parties under any circumstance.
- We do not use results or profile to make decisions affecting you (employment, insurance, credit or any other nature).
- We do not aggregate or anonymize personality data to create studies, statistics or derivative products without explicit and independent user consent.
- The cognitive profile injected into the AI model is used exclusively to personalize the user's own interaction, never to classify them, segment them or make automated decisions affecting them.
12. Automated decisions, profiling and artificial intelligence
12.1. Personality profile creation
Afini's service automatically generates personality profiles from your responses to psychometric questionnaires. These profiles are based on validated scientific models (Big Five, attachment theory, humor styles, etc.) and are calculated using standardized and publicly documented statistical scoring algorithms.
12.2. Compiled cognitive profile and AI injection (afini.ai)
On the afini.ai platform, results from all assessments are compiled into a structured cognitive profile (JSON format). This profile is converted into a system prompt (context instructions) that is injected into each AI model conversation to personalize interaction.
Transparency regarding operation:
- You know at all times which dimensions make up your profile (traits, facets, attachment scales, humor styles, etc.) and its completeness level.
- The profile is injected as system context in the AI model, with prompt caching techniques activated to optimize token usage and reduce interaction cost.
- The AI model receives personalization instructions but does not retain the profile between sessions.
- You can consult, download and request deletion of your profile at any time.
12.3. Scope of automated decision
- Profiles generated have an exclusively informative and self-knowledge purpose. They are not used to make any decision producing legal effects on you or significantly affecting you in a similar manner.
- Profiles are not used for: personnel selection, credit evaluation, insurance premium determination, service access, or any other decision-making process that could affect your rights or interests.
- No user scoring, classification, ranking or categorization system exists beyond individual self-knowledge profile generation.
12.4. Your rights regarding automated decisions and AI use
In accordance with article 22 of the GDPR, you have the right to:
- Obtain human intervention for review of your profile.
- Express your point of view about the results.
- Challenge the results of the generated profile.
- Request that your profile not be injected into the AI model (while maintaining access to other account functionality).
- Obtain an explanation of the meaning of each profile dimension and how it influences AI interaction.
The result you receive is exclusively informative and has no binding, diagnostic or clinical value. You are free to use it, ignore it or interpret it as you see fit.
To exercise any of these rights, contact us at info@afini.ai.
13. Treatment principles and impact assessment
13.1. Governing principles (art. 5 GDPR)
Treatment of your data is governed at all times by the following principles:
- Lawfulness, fairness and transparency: We treat your data lawfully, fairly and transparently, always informing you about how and why we use it.
- Purpose limitation: Your data is only collected for determined, explicit and legitimate purposes, and will not be treated in a manner incompatible with such purposes.
- Data minimization: We only collect data adequate, relevant and strictly necessary for treatment purposes.
- Accuracy: We will keep your data current and adopt reasonable measures to suppress or promptly rectify inaccurate data.
- Storage period limitation: We retain your data only for the time necessary for treatment purposes.
- Integrity and confidentiality: We treat your data ensuring adequate security, including protection against unauthorized or unlawful treatment and against accidental loss, destruction or damage.
13.2. Data Protection Impact Assessment (DPIA)
Given that treatment of personality and cognitive profile data may pose an elevated risk to the rights and freedoms of data subjects, Afini has conducted a Data Protection Impact Assessment (DPIA) in accordance with article 35 of the GDPR. This assessment covers both the test.afini.ai service and the AI cognitive profile service of afini.ai.
The assessment has concluded that residual risk from treatment is moderate-low, thanks to the following mitigating measures: deletion of individual responses after report generation (test.afini.ai), exclusive user access to their results and profile, absence of third-party sharing, comprehensive data encryption, non-persistence of AI conversations, non-training policy of AI provider (Anthropic commercial API), and transparency regarding profile composition and injection.
14. Technical and organizational security measures
Afini implements appropriate technical and organizational measures in accordance with article 32 of the GDPR to guarantee a level of security appropriate to the risk:
Technical measures:
- Encryption of all communications via HTTPS/TLS 1.2+ (encryption in transit).
- Database encryption at rest provided by infrastructure provider (Railway/PostgreSQL). Afini periodically evaluates implementing additional column-level encryption for particularly sensitive data (conversations, cognitive profiles).
- Database access restricted via secure credentials and encrypted connections.
- Logical separation of each user's data (session isolation).
- Unique and unpredictable access tokens for results access.
- Absence of financial data storage (delegated entirely to Stripe).
- Self-service account and data deletion from user dashboard (GDPR Art. 17).
- Authentication via magic link with rate limiting (afini.ai) — no stored passwords.
- Communication with Anthropic API encrypted end-to-end (TLS 1.3).
- Token accounting via atomic database operations (race condition prevention).
Organizational measures:
- Access to administration systems limited exclusively to authorized personnel.
- Data minimization principle: only strictly necessary data are collected and retained.
- Purpose limitation principle: data are only used for the stated purposes.
- Periodic review of security measures.
- Security breach notification protocol in accordance with articles 33 and 34 of the GDPR: in case of breach, we will notify the AEPD within a maximum of 72 hours and, if applicable, affected users without undue delay.
15. Cookie policy and local storage
For detailed information about cookie use on these websites, consult our Cookie Policy.
15.1. Cookies
The Platforms use a minimal amount of cookies, limited to what is strictly necessary for service operation and secure payment processing:
- We do not use our own tracking cookies.
- We do not use analytics cookies (there is no Google Analytics, Hotjar, Mixpanel or other analytics service).
- We do not use advertising or retargeting cookies.
- We do not use social network cookies.
- Stripe, our payment gateway, may set technical cookies during the payment process for fraud prevention.
15.2. Browser local storage (localStorage)
We use browser local storage exclusively for:
- Storing your session token that allows you to access your in-progress test, your results and your user account.
- Storing your language preference.
- These tokens are technical identifiers necessary for service operation and do not contain personal data.
- We do not use localStorage for tracking, profiling or any purpose other than essential service functionality.
15.3. Do Not Track (DNT)
Afini respects the Do Not Track (DNT) signal in your browser. However, given that we perform no tracking or tracing whatsoever, this signal has no additional practical effect on our service.
16. Links to third parties
The Platforms may contain links to third-party websites (for example, Stripe for payment processing, Anthropic as AI technology provider). Afini is not responsible for the privacy practices or content of such external websites. We recommend you consult the privacy policies of any third-party website you visit.
17. Jurisdiction-specific information
This section contains additional information required by regulations in certain jurisdictions. If you reside in any of the countries or regions indicated below, the provisions of this section apply in addition to (and not instead of) the general provisions of this Privacy Policy.
17.1. United Kingdom (UK GDPR + Data Protection Act 2018)
Under United Kingdom law (UK GDPR and Data Protection Act 2018), your data protection rights are equivalent to those provided in the GDPR. The legal basis, data retention and access rights apply in accordance with British law. You may lodge complaints with the ICO (Information Commissioner's Office).
17.2. United States of America
For users in the United States, in addition to this Privacy Policy, the Children's Online Privacy Protection Act (COPPA) applies for minors under 13, as well as state privacy laws of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA) and Connecticut (CTDPA), among others. You have the right to access, rectify and delete your data, as well as to object to processing. Afini does not sell personal information as defined by the CCPA/CPRA.
17.3. Canada (PIPEDA and provincial legislation)
For users in Canada, your data are treated in accordance with PIPEDA (Personal Information Protection and Electronic Documents Act) and applicable provincial legislation (including Quebec's Law 25). You have the right to access your data, request their correction, and learn how they are used.
17.4. Brazil (LGPD — Lei Geral de Proteção de Dados)
For users in Brazil, your data are treated in accordance with LGPD (Lei Geral de Proteção de Dados — Law No. 13.709/2018). You have the right to access your data, request their correction, portability and deletion. You may lodge complaints with ANPD (Autoridade Nacional de Proteção de Dados).
17.5. Australia (Privacy Act 1988 + APPs)
For users in Australia, your data are treated in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access your data, request their correction, and lodge complaints with the OAIC (Office of the Australian Information Commissioner).
17.6. Japan (APPI — Act on the Protection of Personal Information)
For users in Japan, your data are treated in accordance with the APPI (Act on the Protection of Personal Information). You have the right to access, rectify, delete and request limitation of treatment of your data. You may lodge complaints with the PPC (Personal Information Protection Commission).
18. Modifications to this policy
Afini reserves the right to modify this Privacy Policy at any time to adapt it to legislative or case law developments or our own business practice changes.
Any substantial modification will be communicated through the Platforms themselves (via visible notice on the website) and, if we have your email address, via informative email.
The date of last update is always indicated at the beginning of this document. We recommend you consult this policy periodically.
19. Applicable law and jurisdiction
This Privacy Policy is governed by Spanish and European law as the main regulatory framework, and additionally by data protection legislation applicable in each jurisdiction where our users reside:
Main regulations (controller's seat):
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation — GDPR).
- Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (LOPDGDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Regulation / AI Act).
Additional regulations applicable according to user jurisdiction:
- United Kingdom: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
- United States: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA); Virginia Consumer Data Protection Act (VCDPA); Colorado Privacy Act (CPA); Connecticut Data Privacy Act (CTDPA); and other applicable state privacy laws. Children's Online Privacy Protection Act (COPPA) in relation to minors.
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA); Law 25 (Quebec); and applicable provincial legislation.
- Brazil: Lei Geral de Proteção de Dados (LGPD — Law No. 13.709/2018).
- Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs).
- Japan: Act on the Protection of Personal Information (APPI).
In case of conflict between provisions of different jurisdictions, the rule offering a higher level of protection to the user will apply.
For any dispute arising from this policy, the Courts and Tribunals of Bilbao shall be competent, with express waiver of any other jurisdiction that might correspond, without prejudice to the rights recognized by current legislation to consumers and users in their respective jurisdictions of residence, including the inalienable right to access the courts of their domicile in jurisdictions where law provides for it.
20. Contact
For any inquiry, request to exercise rights or complaint related to the protection of your personal data:
- Email: info@afini.ai
- Postal address: Bilbao AI S.L. — Calle Diputación 8, floor 4, Department 5, 48008 Bilbao (Bizkaia), Spain