Privacy Policy
Internal version: v2.0
Last updated: May 9, 2026
Replaces: v1.x (May 6, 2026)
>
Material changes from v1.x: Incorporates the use of Google Tag Manager, Google Analytics 4 and Google Ads (including Enhanced Conversions with SHA-256 hash of the email address and server-side upload of offline conversions from the Stripe webhook), all subject to the user's prior consent managed through Google Consent Mode v2 with default value denied. Rewrites the paragraphs that claimed not to use analytics or advertising, since that statement ceased to be accurate after the activation of the GTM container and the advertising integrations.
Table of Contents
- Data controller and territorial scope
- Data Protection Officer
- What data we collect
- How we use your data (processing purposes)
- Legal basis for processing
- Data recipients
- International data transfers
- Data retention periods
- Your rights
- Data of minors
- Especially sensitive data and special categories
- Automated decisions, profiling and artificial intelligence
- Advertising, conversion measurement and web analytics
- Processing principles and impact assessment
- Technical and organizational security measures
- Cookie policy and local storage
- Links to third parties
- Jurisdiction-specific information
- Modifications to this policy
- Applicable law and jurisdiction
- Contact
1. Data controller and territorial scope
The controller of your personal data is:
- Legal name: Bilbao AI S.L.
- Tax ID: B-13759758
- Registered address: Calle Diputación 8, floor 4, Department 5, 48008 Bilbao (Bizkaia), Spain
- Email: info@afini.ai
- Websites: https://test.afini.ai · https://afini.ai
Bilbao AI S.L. (hereinafter "Afini", "we" or "the Platforms") owns and operates the personality assessment and cognitive profile services accessible through these websites.
Territorial scope: Afini offers its services to users worldwide. This Privacy Policy has been designed to comply with applicable data protection regulations in every jurisdiction where we operate, including —without limitation— the European Union, the European Economic Area, the United Kingdom, the United States of America, Canada, Brazil, Australia and Japan. In case of conflict between provisions of different jurisdictions, the rule offering the highest level of protection to the user will apply.2. Data Protection Officer
Given the size of the organization and the nature of the data processed, Afini is not required to appoint a Data Protection Officer (DPO) under article 37 of the GDPR. However, you may direct any inquiry related to the protection of your personal data to: info@afini.ai.
3. What data we collect
We collect and process the following categories of personal data, depending on the service used and the moment of interaction:
3.1. Data provided when purchasing or starting a test (test.afini.ai)
- Name or pseudonym
- Email address
- Age (optional)
- Biological sex (optional, for normative calibration)
- Gender (optional)
- Country of residence (optional)
- Pronoun preference (optional)
3.2. Data provided when registering (afini.ai)
- Email address (required, for magic link authentication)
- Name or pseudonym (required)
- Calibration demographic data (age, biological sex, country — optional, for normative precision)
3.3. Data generated during assessments
- Individual responses to each questionnaire item (Likert scale 1–5)
- Timestamp of start and completion of each assessment
- Version and type of assessment completed
3.4. Result and cognitive profile data
- Scores for the five major personality traits (Openness, Conscientiousness, Extraversion, Agreeableness, Emotional Stability)
- Scores for the thirty personality facets (in Advanced and Complete versions)
- Scores from additional instruments on afini.ai (attachment scales, humor styles, values and other layers as the service evolves)
- Compiled cognitive profile (JSON structure integrating the scores from all assessed layers)
- Compiled system prompt (textual version of the profile used for AI model injection)
- Narrative personality report generated by AI
3.5. AI interaction data (afini.ai)
- Content of conversations with the AI model (user messages and system responses)
- Usage accounting: number of output tokens consumed per month (technical data for plan quota control). Input tokens do not count toward the monthly limit
- Number of daily requests to the AI service
3.6. Payment data
Afini DOES NOT store, process or have access to your credit or debit card data, bank account number or any other financial data.
Payments are managed entirely by Stripe, Inc., which acts as an independent payment processor and is responsible for processing financial data in accordance with its own Privacy Policy and PCI-DSS regulations.
Afini only receives from Stripe a confirmation of successful payment (transaction status, Stripe session identifier and amount paid, in currency and cents). We do not receive card or payment method data.
3.7. Technical data and advertising/analytics measurement (with your consent)
When you grant consent to the "analytics" or "marketing" categories in our cookie banner, the corresponding tools may additionally process:
- Technical cookie identifiers generated by Google (
_ga,_ga_<container_id>,_gcl_au,_gcl_aw,_gcl_dc) that associate events with your browser. - IP address, collected and processed by Google for the purpose of approximate geolocation and fraud prevention. In the European Economic Area, Google applies IP anonymization by default before storage (truncation of the last octet in IPv4 or the last 80 bits in IPv6).
- Browser User-Agent string.
- Source and destination URL within the Platform itself (navigation events).
- Advertising campaign identifiers (GCLID, *Google Click Identifier*) if you arrived at the Platform from an ad.
- SHA-256 hash of your email address transmitted to Google for Enhanced Conversions (improving advertising conversion attribution). The hash is a derived identifier and does not allow your email to be recovered in plain text by direct inversion, but for GDPR purposes it is considered pseudonymized personal data.
If you reject the "analytics" and "marketing" categories, or if you do not respond to the cookie banner, none of these data are transmitted to Google: the Google Tag Manager container operates in Consent Mode v2 with default value denied (denied), and Google services only receive *cookieless pings* without identifiers.
3.8. Technical data we DO NOT collect under any circumstances
Afini DOES NOT collect —with or without consent—:
- Browser fingerprint
- Precise geolocation data (GPS, Bluetooth)
- Device identifiers (IDFA, AAID)
- Biometric data
- Special categories of data under article 9 GDPR (except those derived from the personality assessment results themselves, processed in accordance with section 11)
4. How we use your data (processing purposes)
We process your personal data exclusively for the following purposes:
| Purpose | Data used | Legal basis |
|---|
| Generate your Big Five personality profile | Test responses, test version | Contract performance |
| Generate and send your results report | Name, email, scores | Contract performance |
| Allow you to access your results via personal link | Email, session token | Contract performance |
| Process service payment (via Stripe) | Payment confirmation, amount, session identifier | Contract performance |
| Redeem an invitation code (voucher) | Voucher code, name, email | Contract performance |
| Compile your multilayered cognitive profile (afini.ai) | Scores from all completed assessments | Contract performance |
| Inject your profile into the AI model to personalize interaction (afini.ai) | Compiled cognitive profile | Contract performance + Consent |
| Quantify AI service usage for quota control (afini.ai) | Tokens consumed, daily requests | Contract performance |
| Manage your subscription (afini.ai) | Email, plan, subscription status | Contract performance |
| Authenticate you via magic link (afini.ai) | Contract performance |
| Respond to your inquiries or requests | Email, name | Legitimate interest |
| Comply with legal and tax obligations | Billing data | Legal obligation |
| Measure advertising conversions and attribute purchases to campaigns (Google Ads, including Enhanced Conversions and Offline Conversions sent from our backend) | SHA-256 hash of the email, campaign identifier (GCLID), transaction amount and currency, purchase identifier | Consent |
| Aggregated statistical analysis of service usage (Plausible Analytics) | Pages visited, aggregated country, aggregated browser — without cookies or identifiers | Legitimate interest (cookie-free web analytics in accordance with EDPB Guidelines 03/2023) |
| Detailed navigation behavior analysis (Google Analytics 4) | Google cookie identifiers, anonymized IP, navigation events | Consent |
| Technical management of advertising and analytics tags (Google Tag Manager) | Container technical identifiers; no own user identifiers | Consent (the container load is deferred until consent or runs with all Consent Signals set to denied) |
- WE DO NOT sell your data to third parties. Ever. Under any circumstance.
- WE DO NOT share your personality profile, your responses, your results or your cognitive profile with third parties, including Google.
- WE DO NOT perform advertising segmentation based on your personality, your traits, your facets or any inference derived from the test. The Google Ads audiences we use —including *remarketing* audiences based on visits to the Platform, *Customer Match* based on commercial email lists, and *Similar Audiences* derived from the previous ones— are built exclusively on conversion events, visits to specific pages and standard Google advertising attributes (keyword, search intent, generic geographic location, device). Under no circumstance are your personality scores, your cognitive profile or your responses to the questionnaires used to build these audiences.
- WE DO NOT use your data to send you newsletters or unsolicited commercial communications.
- WE DO NOT create our own behavioral advertising profiles based on your navigation inside or outside the Platform.
- WE DO NOT transfer your data to additional advertising networks beyond Google Ads, nor to *data brokers*, nor to marketing platforms.
- WE DO NOT use your data to train artificial intelligence models or for research without your explicit and independent consent.
- WE DO NOT share the content of your AI conversations with the model provider or any third party.
- WE DO NOT transmit to Google (or any other advertising provider) your cognitive profile, your scores, your responses to the questionnaires or the content of your AI conversations.
5. Legal basis for processing
The processing of your data is based on the following legal bases under article 6.1 of the GDPR:
a) Contract performance (art. 6.1.b GDPR): The processing is necessary for providing the service you contracted: personality assessments, report generation, cognitive profile compilation and personalized AI interaction. Purchasing the test, redeeming an invitation code (voucher) or contracting a subscription constitutes acceptance of the service. b) Consent (art. 6.1.a GDPR): For optional demographic data (age, gender, country), the legal basis is your free, specific, informed and unambiguous consent, expressed by voluntarily providing them. Cognitive profile injection into the AI model additionally requires your explicit consent, which is requested separately when activating the AI interaction service. The use of analytics cookies (Google Analytics 4) and advertising cookies (Google Ads, including Enhanced Conversions and Offline Conversions) likewise requires your prior consent, granted through the cookie banner. You may withdraw any of these consents at any time, either by writing to info@afini.ai or by reopening the cookie banner from the "Manage cookies" link in the footer, without this affecting the lawfulness of processing based on consent prior to its withdrawal. c) Legitimate interest (art. 6.1.f GDPR): For attending to inquiries and requests you send us by email, based on our legitimate interest in maintaining appropriate communication with users of our service. Also for aggregated and *cookie-free* usage analytics through Plausible Analytics, in accordance with EDPB Guidelines 03/2023 on the technical scope of article 5.3 of the ePrivacy Directive: Plausible does not store information on the user's terminal equipment, does not use persistent unique identifiers and only provides aggregated metrics, so its use does not require prior consent under the cookie regime. d) Legal obligation (art. 6.1.c GDPR): For compliance with tax and accounting obligations under current Spanish law (General Tax Law, Commercial Code).6. Data recipients
Your personal data may be communicated to the following recipients, only to the extent necessary for the described purposes:
| Recipient | Purpose | Location | Guarantees |
|---|
| Stripe, Inc. | Payment processing | USA / EU | Data Privacy Framework (DPF), standard contractual clauses |
| Railway Corp. | API and PostgreSQL database hosting | USA / EU | Standard contractual clauses, complementary technical measures |
| Cloudflare, Inc. | *Frontend* hosting and distribution (Cloudflare Workers) and DDoS mitigation | USA / Global network | Data Privacy Framework (DPF), standard contractual clauses |
| Anthropic PBC | AI model provider (LLM) for report generation and personalized interaction | USA | Data Privacy Framework (DPF), standard contractual clauses, no-training policy on commercial API requests |
| Resend, Inc. | Transactional email sending | USA | Standard contractual clauses |
| Holded Technologies, S.L. | Issuance of simplified invoices (TicketBAI/BATUZ) without buyer's personal data | European Union (Spain) | Data processor under article 28 GDPR |
| Plausible Insights OÜ | Aggregated *cookie-free* web analytics | European Union (Estonia) | Processing within the EEA; no international transfer |
| Google LLC | Tag management (Google Tag Manager), web analytics (Google Analytics 4), advertising conversion measurement (Google Ads) including Enhanced Conversions and server-side upload of Offline Conversions from the Stripe webhook, *remarketing*, *Customer Match* and *Similar Audiences* audiences | USA / Global network | Data Privacy Framework (DPF), standard contractual clauses, IP anonymization in EEA, Consent Mode v2 with default value denied, transmission conditional on your consent |
| Sentry (Functional Software, Inc.) | Technical error traceability in backend and frontend | USA | Standard contractual clauses, automatic PII *scrubbing* in payloads |
7. International data transfers
Some of our service providers may process data outside the European Economic Area (EEA). In all cases, we guarantee that such transfers have adequate safeguards under Chapter V of the GDPR:
- Stripe, Inc. (USA): Adheres to the EU-U.S. Data Privacy Framework (DPF), European Commission adequacy decision of 10 July 2023. Additionally, Stripe applies standard contractual clauses (SCCs) approved by the European Commission.
- Railway Corp. (USA): Transfers covered by standard contractual clauses (SCCs) under European Commission Implementing Decision 2021/914, supplemented with additional technical measures (encryption in transit and at rest).
- Cloudflare, Inc. (USA / global network): Adheres to the EU-U.S. Data Privacy Framework (DPF). Additionally, Cloudflare applies standard contractual clauses (SCCs) and complementary technical measures.
- Anthropic PBC (USA): Adheres to the EU-U.S. Data Privacy Framework (DPF). Data sent to Anthropic's commercial API is processed in real time and not retained for training. Additional guarantees: encryption in transit (TLS 1.3), processing without persistence of API request data.
- Resend, Inc. (USA): Transfers covered by standard contractual clauses (SCCs).
- Google LLC (USA / global network): Adheres to the EU-U.S. Data Privacy Framework (DPF). Additionally, Google applies standard contractual clauses (SCCs). Transfers to Google take place on two levels:
1. *Client-to-Google*, executed by the user's browser when loading the Google Tag Manager container and the Google Analytics 4 and Google Ads pixels, conditional on your consent through Google Consent Mode v2 with default value denied.
2. *Server-to-Google*, executed by our backend on Railway when triggering the checkout.session.completed Stripe webhook: we send to the Google Ads API endpoint (ConversionUploadService) the data described in section 6, exclusively when the "marketing" category of the banner has been consented to and the event corresponds to a finalized purchase.
3. *Server-to-Google* for managing advertising audience lists (Customer Match): periodic upload of email lists in SHA-256 hash format to the Google Ads API (UserDataService) to keep our advertising audiences alive. This upload only includes email addresses of users who have consented to the "marketing" category at some point and for whom there is no record of subsequent revocation.
- Sentry (Functional Software, Inc., USA): Transfers covered by standard contractual clauses (SCCs). Error *payloads* are filtered to remove PII before sending.
Afini has performed a Transfer Impact Assessment (TIA) under the doctrine of the EU Court of Justice (case C-311/18, *Schrems II*) for each of the described transfers, concluding that the contractual and technical guarantees implemented ensure a level of protection substantially equivalent to that guaranteed by the GDPR. These assessments are reviewed periodically and are available to the supervisory authority upon request.
In no case are data transferred to countries that lack an adequate level of protection without the safeguards required by the GDPR.
For United Kingdom users: Data transfers outside the United Kingdom are covered by the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to EU SCCs, as provided by the Information Commissioner's Office (ICO). The United Kingdom recognizes the EU-U.S. Data Privacy Framework Extension as a basis for transfers to the USA. For Canadian users: Data transfers outside Canada are made in accordance with PIPEDA principles (Section 4.1.3), ensuring that service providers offer comparable protection levels through binding contractual agreements. For Brazilian users: International transfers are covered by article 33 safeguards of the LGPD, including specific contractual clauses and compliance with adequate protection standards certified by ANPD.8. Data retention periods
We retain your data for the following periods:
| Data type | Retention period | Reason |
|---|
| Individual test responses (test.afini.ai) | Deleted from the server once the results report is generated. Not permanently stored. | Data minimization |
| Assessment responses (afini.ai) | Retained while the user account is active, to allow profile recalibration. Deletion upon request. | Contract performance |
| Aggregated scores and results | While you maintain your active access link (test.afini.ai) or active account (afini.ai). You may request their deletion at any time. | Contract performance |
| Compiled cognitive profile (afini.ai) | While the user account is active. Deleted 90 days after account cancellation. | Contract performance |
| Compiled system prompt (afini.ai) | Same as the cognitive profile. | Contract performance |
| AI conversation content (afini.ai) | Only during the active session. Not persistently stored after session end. | Data minimization |
| Token accounting (afini.ai) | 12 months from registration, renewable per subscription period. | Contract performance |
| Personality report | While you maintain your active access link or active account. | Contract performance |
| Name and email | Maximum 12 months from test completion (test.afini.ai) or from account cancellation (afini.ai), unless you request earlier deletion. | Contract performance |
| Billing/payment confirmation data | 5 years from the transaction date. | Legal obligation (art. 30 Commercial Code; art. 70 General Tax Law) |
| Voucher/invitation data | 12 months from redemption or expiration. | Legitimate interest (audit and control) |
| Cookie consent record | 13 months from the last expression of consent. | Legal obligation (art. 22 LSSI-CE; AEPD Guidelines 2023) |
| Google Analytics 4 cookies and data | Maximum 14 months from the user's last event (configuration applied in GA4 *User and Event Data Retention*). | Reasonable minimum configuration; data is anonymized upon expiration |
| Google Ads cookies and data (Enhanced Conversions and attribution) | 90 days for _gcl_* identifiers; 30 days the default conversion attribution window. | Standard Google Ads configuration; window extendable up to 90 days if you activate conversion modeling |
| *Remarketing* and *Customer Match* lists in Google Ads | Up to 540 days from the last activity or from the upload of the record (maximum allowed by Google). We delete any list as soon as a user revokes consent or exercises the right to erasure. | Maximum period allowed by Google Ads configuration |
| Plausible Analytics data | No individual identifiers are stored; aggregated events are retained for up to 5 years for historical trend analysis. | Legitimate interest (aggregated analytics) |
| Sentry error traces | 90 days. | Legitimate interest (debugging) |
After the indicated periods, data will be securely deleted or irreversibly anonymized.
Minimization principle: We only retain data strictly necessary for each purpose and for the minimum time required. Early deletion: Regardless of the above periods, you may request deletion of any of your data at any time by writing to info@afini.ai, without needing to wait for the indicated periods to elapse. We will respond to your request within a maximum of one month. Account deletion (afini.ai): When you request account deletion, the following will be deleted: your cognitive profile, the compiled system prompt, the scores from all assessments and your identification data. Billing data will be retained for the mandatory legal period (5 years).9. Your rights
In accordance with the GDPR (articles 15 to 22) and LOPDGDD (articles 12 to 18), you have the following rights:
a) Right of access (art. 15 GDPR): Obtain confirmation of whether we process your data and, if so, access them and information about the processing. b) Right of rectification (art. 16 GDPR): Request correction of inaccurate or incomplete personal data. c) Right to erasure ("right to be forgotten") (art. 17 GDPR): Request deletion of your data when, among other cases, they are no longer necessary for the purpose for which they were collected, you withdraw consent, or the data have been unlawfully processed. d) Right to restrict processing (art. 18 GDPR): Request that processing of your data be restricted in certain circumstances (for example, while data accuracy or processing legality is verified). e) Right to portability (art. 20 GDPR): Receive your personal data in a structured, commonly used and machine-readable format (JSON or CSV), and transmit them to another controller. In the case of afini.ai, this right includes the ability to obtain your cognitive profile in portable JSON format. f) Right of opposition (art. 21 GDPR): Object to processing of your data on grounds related to your particular situation, when processing is based on legitimate interest. In particular, you may object to the processing of your data for aggregated analytics purposes with Plausible. g) Right not to be subject to automated individual decisions (art. 22 GDPR): Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects you. h) Right to withdraw consent for profile injection into AI (specific to afini.ai): You may request at any time that your cognitive profile cease to be injected into the AI model, while maintaining access to the rest of your account functionality. i) Right to withdraw consent for analytics and advertising cookies: You may revoke your consent for Google Analytics 4 and Google Ads at any time by reopening the cookie banner from the "Manage cookies" link in the footer. Your new choice will immediately replace the previous one, will disable the corresponding identifiers in Google Consent Mode, and will suppress the associated cookies in the next load cycle. How to exercise your rights:- Send an email to info@afini.ai indicating the right you wish to exercise, together with a copy of your ID, passport or other document proving your identity.
- We will respond to your request within a maximum of one month from receipt (extendable to two months in cases of special complexity, under art. 12.3 GDPR).
- The exercise of these rights is free, unless requests are manifestly unfounded or excessive (art. 12.5 GDPR).
If you believe that the processing of your data violates data protection regulations, you have the right to lodge a complaint with the competent supervisory authority in your country of residence:
- Spain — AEPD (Spanish Data Protection Agency): www.aepd.es · C/ Jorge Juan 6, 28001 Madrid · Tel: 901 100 099 / 912 663 517
- United Kingdom — ICO (Information Commissioner's Office): ico.org.uk
- European Union — Other DPAs: Consult your Member State authority at edpb.europa.eu
- Brazil — ANPD: www.gov.br/anpd
- Canada — OPC: www.priv.gc.ca
- Australia — OAIC: www.oaic.gov.au
- United States — FTC: www.ftc.gov
- Japan — PPC: www.ppc.go.jp
For any other jurisdiction, contact us at info@afini.ai and we will indicate the competent authority.
10. Data of minors
Afini's service is not directed at minors under 16 years old. We do not intentionally collect data from minors under 16. If you are under 16, do not use this service or provide us with personal data.
If you are a parent, guardian or legal representative and have knowledge that a minor under 16 in your care has provided personal data to Afini, contact us at info@afini.ai and we will immediately delete such data.
The 16-year age limit is established under article 7 of LOPDGDD, which sets 14 years as the minimum age for consent in Spain. However, given the especially sensitive nature of personality data, Afini applies a reinforced protection threshold of 16 years.
Note on international thresholds: Different jurisdictions establish different minimum ages for digital consent (13 years in the USA under COPPA, 13 years in Canada under PIPEDA, 16 years in the Netherlands and Germany, 15 years in France, 14 years in Austria and Italy, etc.). Afini uniformly applies the 16-year threshold for all jurisdictions, thus guaranteeing the maximum level of protection regardless of user location.11. Especially sensitive data and special categories
The data derived from personality assessments and the cognitive profile, depending on their interpretation and context, could approach the category of data relating to psychological health or psychological profile, categories that enjoy reinforced protection under article 9 of the GDPR.
Afini takes a maximum caution approach:
- We treat the results of personality assessments and the compiled cognitive profile with a level of protection equivalent to that of special categories of data, regardless of whether they are technically classified as such.
- The results of your assessments and your cognitive profile are strictly private: only you have access to them through your personal link or your user account.
- We do not share, sell, transfer or make available to third parties your personality results or your cognitive profile under any circumstance. This expressly includes Google: neither Google Analytics, nor Google Ads, nor Google Tag Manager, nor any other advertising platform receives at any time your cognitive profile, your personality scores or your responses to the questionnaires.
- We do not use the results or the profile to make decisions that affect you (employment, insurance, credit or any other nature).
- We do not aggregate or anonymize personality data to create studies, statistics or derived products without explicit and independent user consent.
- The cognitive profile injected into the AI model is used exclusively to personalize the user's own interaction, never to classify them, segment them or make automated decisions affecting them.
- We do not perform personalized advertising based on personality. The Google Ads campaigns we run may include *remarketing* audiences (users who have already visited the Platform), *Customer Match* audiences (built from commercial email lists) and *Similar* audiences derived from the previous ones. Under no circumstance are these audiences built or enriched with your personality scores, your cognitive profile, your facets, your responses to the questionnaires or any other inference derived from psychometric assessments. The line is absolute: article 9 GDPR data does not leave Afini, not even in aggregated or pseudonymized form, towards any advertising platform.
12. Automated decisions, profiling and artificial intelligence
12.1. Personality profile creation
Afini's service automatically generates personality profiles from your responses to psychometric questionnaires. These profiles are based on validated scientific models (Big Five, attachment theory, humor styles, values, etc.) and are calculated using standardized and publicly documented statistical scoring algorithms.
12.2. Compiled cognitive profile and AI injection (afini.ai)
On the afini.ai platform, results from all assessments are compiled into a structured cognitive profile (JSON format). This profile is converted into a *system prompt* (context instructions) that is injected into each AI model conversation to personalize interaction.
Transparency regarding operation:- The user knows at all times which dimensions make up their profile (traits, facets, attachment scales, humor styles, values, etc.) and its completeness level.
- The profile is injected as system context in the AI model, with caching techniques (*prompt caching*) activated to optimize token usage and reduce interaction cost.
- The AI model receives the personalization instructions but does not retain the profile between sessions.
- The user can consult, download and request deletion of their profile at any time.
12.3. Scope of the automated decision
- Generated profiles have an exclusively informative and self-knowledge purpose. They are not used to make any decision producing legal effects on you or significantly affecting you in a similar manner.
- Profiles are not used for: personnel selection, credit evaluation, insurance premium determination, service access, or any other decision-making process that could affect your rights or interests.
- No user *scoring*, classification, *ranking* or categorization system exists beyond the generation of the individual self-knowledge profile.
12.4. Your rights regarding automated decisions and AI use
In accordance with article 22 of the GDPR, you have the right to:
- Obtain human intervention for review of your profile.
- Express your point of view about the results.
- Challenge the results of the generated profile.
- Request that your profile not be injected into the AI model (while maintaining access to other account functionality).
- Obtain an explanation of the meaning of each profile dimension and how it influences AI interaction.
The result you receive is exclusively informative and has no binding, diagnostic or clinical value. You are free to use it, ignore it or interpret it as you see fit.
To exercise any of these rights, contact us at info@afini.ai.
13. Advertising, conversion measurement and web analytics
This section details how the advertising and analytics integrations we activate only with your consent work.
13.1. Google Tag Manager (GTM)
Google Tag Manager is a *container* (not a measurement tool itself) that allows us to add, edit and disable measurement and advertising tags without modifying the source code of the site. The container loads with all consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage, security_storage) at default value denied through Google Consent Mode v2. No tag inside the container fires with identifiers until your browser transmits a consent update.
13.2. Google Analytics 4 (GA4)
When you grant consent to the "analytics" category, the cookies _ga and _ga_<container_id> are activated to identify your browser between pages and sessions. GA4 allows us to analyze aggregated navigation behavior within the Platform. Your IP address is anonymized by default in the EEA (IPv4/IPv6 truncation) before storage by Google. User and event data retention in GA4 is set to 14 months.
13.3. Google Ads — Conversion Tracking
When you grant consent to the "marketing" category, the identifiers _gcl_au, _gcl_aw and _gcl_dc are activated to associate the purchase with the advertising campaign that brought you. The conversion is measured when the payment is completed in Stripe.
13.4. Google Ads — Enhanced Conversions
Additionally, when you grant consent to the "marketing" category, we transmit to Google a SHA-256 hash of your email address (computed in the browser, normalized to lowercase and without spaces) along with the transaction data. The hash is a derived identifier: it does not allow your email to be recovered in plain text, but technically it remains pseudonymized personal data for GDPR purposes. Its sole purpose is to improve conversion attribution when the user is signed in to their Google account with the same email.
13.5. Google Ads — Offline Conversions (Stripe → Google Ads, server-to-server)
To cover cases in which the user's browser does not fire the conversion pixel (because they close the tab after paying, because their browser blocks the pixel, etc.), our backend fires a server-to-server call to the Google Ads API (ConversionUploadService) from the checkout.session.completed Stripe webhook handler. This call includes the same fields described in the previous section (SHA-256 hash of the email + GCLID + amount + currency + opaque purchase identifier). It is a transfer that runs exclusively when the "marketing" category of the banner has been consented to and the event corresponds to a finalized purchase. An opaque identifier (order_id) is used to deduplicate against the event fired by the browser and avoid conversions counted twice.
13.6. Plausible Analytics (without consent, *cookie-free*)
Plausible Analytics is a web analytics service hosted within the European Union (Estonia) that does not use cookies, does not store persistent unique identifiers and does not allow tracking individual users between sessions. It only provides aggregated metrics (page views, countries, browsers, traffic sources) and therefore does not require your prior consent under EDPB Guidelines 03/2023 on the technical scope of article 5.3 of the ePrivacy Directive. If you prefer not to appear even in these aggregated metrics, you can activate the "Do Not Track" option of your browser (Plausible respects the DNT signal) or use extensions such as uBlock Origin that block plausible.io.
13.7. Advertising audiences and *remarketing*
Afini may use the following Google Ads advertising audience features, always conditional on your prior consent to the "marketing" category:
- *Remarketing* audiences (Remarketing Lists for Search Ads): lists of users who have previously visited our Platforms, built using the
_gcl_*cookies and other standard Google Ads identifiers. They serve to show you relevant ads when you again search for terms related to our service. - Customer Match: lists of email addresses, transmitted to Google in SHA-256 hash format, that allow us to target campaigns to people already in our commercial database (for example, former customers to whom we offer a new product). The use of Customer Match requires demonstrating to Google that we have a legal basis for it, which in our case is your explicit consent to the "marketing" category of the cookie banner, or, if you provided your email in another commercial context, your separate consent for advertising use.
- *Similar Audiences*: audiences automatically generated by Google from the previous ones, expanding reach toward statistically similar advertising profiles. The generation is performed by Google in its systems; we do not transfer additional data for this purpose.
If we activate additional advertising formats requiring new types of cookies or new transfers (for example, Display campaigns, YouTube or other Google Network inventory), we will update this policy and reopen the consent banner for affected users.
13.8. Inhibition and revocation
You can:
- Inhibit at the source: reject the "analytics" and "marketing" categories in the cookie banner when it first appears.
- Revoke at any time: reopen the banner from the "Manage cookies" link in the footer and uncheck the categories. Your new choice will take effect in the next page load cycle.
- Block at the browser level: install a tag blocker (uBlock Origin, Privacy Badger) or disable JavaScript for
googletagmanager.com,google-analytics.comandgoogleadservices.com. - Disable personalized advertising in your Google account: access https://adssettings.google.com/ and disable the corresponding option.
14. Processing principles and impact assessment
14.1. Governing principles (art. 5 GDPR)
The processing of your data is governed at all times by the following principles:
- Lawfulness, fairness and transparency: We process your data lawfully, fairly and transparently, always informing you about how and why we use it.
- Purpose limitation: Your data is only collected for determined, explicit and legitimate purposes, and will not be processed in a manner incompatible with such purposes.
- Data minimization: We only collect data that is adequate, relevant and strictly necessary for the processing purposes.
- Accuracy: We will keep your data current and adopt reasonable measures to suppress or promptly rectify inaccurate data.
- Storage period limitation: We retain your data only for the time necessary for the processing purposes.
- Integrity and confidentiality: We process your data ensuring adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
14.2. Data Protection Impact Assessment (DPIA)
Given that the processing of personality and cognitive profile data may pose an elevated risk to the rights and freedoms of data subjects, Afini has conducted a Data Protection Impact Assessment (DPIA) under article 35 of the GDPR. This assessment covers both the test.afini.ai service and the AI cognitive profile service of afini.ai, and includes specific analysis of the advertising integrations described in section 13.
The assessment has concluded that residual risk from processing is moderate-low, thanks to the following mitigating measures: deletion of individual responses after report generation (test.afini.ai), exclusive user access to their results and profile, absence of profile sharing with third parties (including Google), comprehensive data encryption, non-persistence of AI conversations, no-training policy of the AI provider (Anthropic commercial API), Google Consent Mode v2 with default value denied, advertising segmentation without use of personality inferences, and transparency regarding profile composition and injection.
The DPIA is available for consultation at https://afini.ai/legal/dpia.
15. Technical and organizational security measures
Afini implements appropriate technical and organizational measures under article 32 of the GDPR to guarantee an adequate level of security to the risk:
Technical measures:- Encryption of all communications via HTTPS/TLS 1.2+ (encryption in transit).
- Database encryption at rest (AES-256).
- Database access restricted via secure credentials and encrypted connections.
- Logical separation of each user's data (session isolation).
- Unique and unpredictable access tokens for results access.
- Absence of financial data storage (delegated entirely to Stripe).
- Audit of access to administration endpoints.
- Authentication via magic link with *rate limiting* (afini.ai) — no stored passwords.
- Communication with the Anthropic API encrypted end-to-end (TLS 1.3).
- Communication with the Google Ads API encrypted end-to-end (TLS 1.3) and authenticated via OAuth 2.0 with rotated *refresh token*.
- Token accounting via atomic database operations (race condition prevention).
- Restrictive Content Security Policy (CSP) with explicit *whitelist* of allowed origins.
- Access to administration systems limited exclusively to authorized personnel.
- Data minimization principle: only strictly necessary data are collected and retained.
- Purpose limitation principle: data are only used for the purposes declared in this policy.
- Periodic review of security measures.
- Security breach notification protocol under articles 33 and 34 of the GDPR: in case of breach, we will notify the AEPD within a maximum of 72 hours and, if applicable, affected users without undue delay.
16. Cookie policy and local storage
For detailed information about cookie use, consult our Cookie Policy.
Summary: The Platforms use:- Necessary cookies for service operation (session, language, consent record, fraud prevention via Stripe and Cloudflare).
- Analytics and advertising cookies (Google Analytics 4, Google Ads) only with your prior consent, managed through Google Consent Mode v2 with default value
denied. - Aggregated cookie-free analytics through Plausible Analytics, which does not require consent as it does not install identifiers on your equipment.
- Browser localStorage to technically store: session token, language preference, active profile in afini.ai and local consent record.
You may revoke consent to analytics and advertising cookies at any time by reopening the banner from the "Manage cookies" link in the footer.
Do Not Track (DNT): Plausible Analytics respects the browser's DNT signal. Google Tag Manager and Google services do not respect DNT on their own, but our integration with Consent Mode v2 ensures that no Google identifier is set until you confirm your consent.17. Links to third parties
The Platforms may contain links to third-party websites (for example, Stripe for payment processing, Anthropic as AI technology provider, Google for its advertising terms of service). Afini is not responsible for the privacy practices or content of such external websites. We recommend you consult the privacy policies of any third-party website you visit.
18. Jurisdiction-specific information
This section contains additional information required by regulations in certain jurisdictions. If you reside in any of the countries or regions indicated below, the provisions of this section apply in addition to (and not instead of) the general provisions of this Privacy Policy.
18.1. United Kingdom (UK GDPR + Data Protection Act 2018)
Under United Kingdom law (UK GDPR and Data Protection Act 2018), your data protection rights are equivalent to those provided in the GDPR. The legal basis, data retention and access rights apply in accordance with British law. You may lodge complaints with the ICO (Information Commissioner's Office).
18.2. United States of America
For users in the United States, in addition to this Privacy Policy, the Children's Online Privacy Protection Act (COPPA) applies for minors under 13, as well as state privacy laws of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA) and Connecticut (CTDPA), among others. You have the right to access, rectify and delete your data, as well as to object to processing. Afini does not sell personal information as defined by the CCPA/CPRA and does not share information for *contextual* or behavioral cross-advertising purposes without your consent. The transmission of email hash to Google Ads for Enhanced Conversions, conditional on your opt-in to the banner, could be considered "sharing" under the CPRA — you may object by exercising your right to reject the "marketing" category of the cookie banner.
18.3. Canada (PIPEDA and provincial legislation)
For users in Canada, your data are processed in accordance with PIPEDA (Personal Information Protection and Electronic Documents Act) and applicable provincial legislation (including Quebec's Law 25). You have the right to access your data, request their correction, and learn how they are used.
18.4. Brazil (LGPD — Lei Geral de Proteção de Dados)
For users in Brazil, your data are processed in accordance with LGPD (Lei Geral de Proteção de Dados — Law No. 13.709/2018). You have the right to access your data, request their correction, portability and deletion. You may lodge complaints with ANPD (Autoridade Nacional de Proteção de Dados).
18.5. Australia (Privacy Act 1988 + APPs)
For users in Australia, your data are processed in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access your data, request their correction, and lodge complaints with the OAIC (Office of the Australian Information Commissioner).
18.6. Japan (APPI — Act on the Protection of Personal Information)
For users in Japan, your data are processed in accordance with the APPI (Act on the Protection of Personal Information). You have the right to access, rectify, delete and request limitation of processing of your data. You may lodge complaints with the PPC (Personal Information Protection Commission).
19. Modifications to this policy
Afini reserves the right to modify this Privacy Policy at any time to adapt it to legislative or case law developments or our own business practice changes.
Any substantial modification will be communicated through the Platforms themselves (via visible notice on the website) and, if we have your email address, via informative email.
The date of last update is always indicated at the beginning of this document. We recommend you consult this policy periodically.
20. Applicable law and jurisdiction
This Privacy Policy is governed by Spanish and European law as the main regulatory framework, and additionally by data protection legislation applicable in each jurisdiction where our users reside:
Main regulations (controller's seat):- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation — GDPR).
- Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (LOPDGDD).
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Regulation — AI Act).
- Directive 2002/58/EC (ePrivacy Directive), as transposed into Spanish legislation through article 22.2 LSSI-CE.
- United Kingdom: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
- United States: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA); Virginia Consumer Data Protection Act (VCDPA); Colorado Privacy Act (CPA); Connecticut Data Privacy Act (CTDPA); and other applicable state privacy laws. Children's Online Privacy Protection Act (COPPA) in relation to minors.
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA); Law 25 (Quebec); and applicable provincial legislation.
- Brazil: Lei Geral de Proteção de Dados (LGPD — Law No. 13.709/2018).
- Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs).
- Japan: Act on the Protection of Personal Information (APPI).
In case of conflict between provisions of different jurisdictions, the rule offering a higher level of protection to the user will apply.
For any dispute arising from this policy, the Courts and Tribunals of Bilbao shall be competent, with express waiver of any other jurisdiction that might correspond, without prejudice to the rights recognized by current legislation to consumers and users in their respective jurisdictions of residence, including the inalienable right to access the courts of their domicile in jurisdictions where law provides for it.
21. Contact
For any inquiry, request to exercise rights or complaint related to the protection of your personal data:
- Email: info@afini.ai
- Postal address: Bilbao AI S.L. — Calle Diputación 8, floor 4, Department 5, 48008 Bilbao (Bizkaia), Spain
*Last updated: May 9, 2026*
13. How Afini learns
From May 2026 Afini incorporates a system of declared layers fed by three possible paths:
- Manual forms: you type directly into the dashboard.
- Conversational modules: guided chats with the AI where Afini extracts relevant pieces.
- Passive extraction: during a free conversation, Afini detects mentions that may be relevant to your profile.
Detected clues pass through a two-axis system — confidence (how sure we are) and sensitivity (how delicate the category) — that decides their destination: auto-injection, passive notification or discoveries tray. High-sensitivity or medium-confidence clues always go to the tray for you to decide.
14. The declared layers
Your extended cognitive profile has 8 declared layers:
- Canon (declared_aesthetic): works and authors that mark you.
- Negative space (declared_negative): what you reject, taboos, antimodels.
- Meta-preferences (declared_meta): how you want the AI to talk to you.
- Mental frame (declared_mental): idols, schools, stances on big topics.
- Operational equipment (declared_operational): languages, jargons, areas of competence and conscious ignorance.
- Rhythms and geography (declared_rhythmic): your chronotype, work window, geographic anchors.
- Vital context (declared_structural): family role, professional role, health constraints — no specific names of third parties.
- Intellectual trajectory (declared_narrative): your cognitive history in 1500 words or less.
Each layer has its table, its decay policy and its sensitivity level. You can view, edit and delete any item from the dashboard.
15. Your right to review and delete (GDPR Art. 22 / EU AI Act Art. 50)
- Discoveries tray: all clues detected passively wait for your nod before being injected into the profile. Nothing enters without you seeing it if sensitivity is high.
- GDPR Art. 22: we do not make automated decisions with legal effects about you. What the system does is inject context to an LLM as a prompt — the actual decision is still yours and the AI's, not the system's.
- EU AI Act Art. 50.2: layer items coming from passive extraction are marked aiGenerated=true in your portable JSON. The extraction/inference distinction is always visible.
- Right to erasure:
DELETE /v1/account/datadeletes ALL your tables — including declared layers, tray candidates, digests, extraction runs and preferences. - Methodology aside: we publish at
/dashboard/methodologythe exact operating rule that decides where each clue goes, with numeric thresholds, table by category and real JSON.
16. Data we never capture
- Specific names of third parties (children, partners, bosses, etc.) in
vital_context. A server-side anti-PII validator rejects any attempt with HTTP 422. - Credit card numbers or banking credentials.
- Content of files you upload not in permitted formats.
- Exact GPS location —
geographic_anchorsaccepts cities or regions, not coordinates. - Data of users under 16.
14. In-chat learning (Phase 6, May 2026)
Starting in May 2026, Professional plan users can enable two additional automatic learning mechanics in free chat:
Inline microbuttons. While you chat, the AI can offer you discreet microbuttons (✓ accept / ✗ dismiss) to add to your profile assertions it detects as stable and clear. They are only offered for three specific layers: your aesthetic canon, your negative space (dislikes) and your meta-preferences (how you want to be treated). The five most sensitive layers (mental frame, operational equipment, life context, rhythms, trajectory) always require you to declare them — they are never proposed automatically. Extended passive extraction. Every five chat turns, a lightweight model (Haiku) reviews your messages to identify (a) life facts that can go directly to your Memory, and (b) assumptions about the three allowlisted layers that enter your Discoveries tray for you to accept or reject. Any high-sensitivity assumption is silently discarded. Your control. You can disable either mechanic at any time from Settings → Automatic extraction. If you disable them, data already saved stays in your profile and is managed normally from Memory and Discoveries. This settings page is available even without a Professional plan, so you can see what would be offered on each tier. Human confirmation always. No microbutton saves anything until you accept it. No passively extracted assumption is injected into your profile without first going through your Discoveries tray. User autonomy over what the AI learns is absolute: GDPR art. 22 and AI Act art. 50 are respected by design, not by footnote.