TechVision Mallorca SL | UBEX.ai
Last Updated: 29th May 2026 | Version: 2.0
This Privacy Policy has been drafted in full compliance with all applicable European Union, Spanish national, and Balearic Islands regional legislation. TechVision Mallorca SL is committed to the highest standards of data protection and privacy as required by law.
The following legal instruments govern this Privacy Policy:
| Legal Instrument | Jurisdiction | Scope |
|---|---|---|
| Regulation (EU) 2016/679 - GDPR | European Union | Primary data protection regulation - directly applicable in all EU member states |
| Spanish Organic Law 3/2018 - LOPDGDD | Spain | National implementation and supplement to GDPR - Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales |
| Spanish Royal Decree 1720/2007 | Spain | Supplementary data protection regulations and technical security measures |
| Law 34/2002 - LSSI-CE | Spain | Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico - governs online services, e-commerce, and electronic communications |
| ePrivacy Directive 2002/58/EC | European Union | Electronic communications privacy, cookies, and tracking technologies |
| Regulation (EU) 2024/1689 - EU AI Act | European Union | Regulation of artificial intelligence systems and their providers |
| Regulation (EU) 2022/2065 - DSA | European Union | Digital Services Act - platform accountability and transparency |
| Regulation (EU) 2022/1925 - DMA | European Union | Digital Markets Act - fair digital markets |
| Regulation (EU) 2018/1725 | European Union | Data protection for EU institutions - reference standard |
| Spanish Law 9/2014 on Telecommunications | Spain | Electronic communications infrastructure and data |
| Spanish Law 34/2014 - General Tax Law | Spain | Financial data retention obligations |
| PCI-DSS v4.0 Standards | International | Payment card industry data security standards |
| ISO/IEC 27001 Principles | International | Information security management reference standards |
| Balearic Islands Regional Guidelines | Balearic Islands, Spain | Regional data protection guidelines as issued and supervised by the AEPD |
The Data Controller responsible for your personal data is:
TechVision Mallorca SL
Calle Bartomeu Ferra 16, A
07141 Marratxí, Mallorca
Balearic Islands, Kingdom of Spain
European Union
Company Identification:
CIF (Tax Identification Number): B72772940
Legal Form: Sociedad Limitada (SL) - Spanish Private Limited Company
Registered in: Mercantile Registry of Mallorca (Registro Mercantil de Mallorca), Balearic Islands, Spain
Operational Product: UBEX.ai - AI Workflow Automation Platform
For all matters relating to this Privacy Policy, data protection, or the exercise of your rights:
Primary Contact:
📧 adelina@ubex.ai
🌐 https://www.ubex.ai
📬 TechVision Mallorca SL, Calle Bartomeu Ferra 16, A, 07141 Marratxí, Mallorca, Balearic Islands, Spain
We aim to respond to all data protection inquiries within 30 days as required by GDPR Article 12(3). In complex cases, this period may be extended by a further two months, and we will notify you accordingly.
TechVision Mallorca SL has conducted a thorough assessment of its data processing activities in accordance with GDPR Article 37. Given the nature of our AI platform operations - which involve systematic processing of user data through multiple AI model providers at scale - we have designated our Chief Executive Officer as the internal responsible person for all data protection matters.
Internal Data Protection Responsible Person:
Adelina Bolota, Chief Executive Officer
TechVision Mallorca SL
📧 adelina@ubex.ai
All data subject requests, privacy inquiries, consent withdrawals, and data protection concerns should be directed to this contact. We treat all such communications with strict confidentiality and in full compliance with GDPR timelines and obligations.
As a company registered and operating in Spain, TechVision Mallorca SL falls under the jurisdiction of the Spanish data protection supervisory authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
🌐 https://www.aepd.es
📧 internacional@aepd.es
📞 +34 901 100 099 / +34 91 266 35 17
You have the right to lodge a complaint with the AEPD at any time if you believe your data protection rights have been violated. See Section 13.10 for full details on how to exercise this right.
This Privacy Policy applies to all of the following:
This Policy applies to:
All data processing activities carried out by TechVision Mallorca SL within the European Union
All data processing activities affecting EU residents, regardless of where the processing takes place
All services delivered through https://www.ubex.ai globally, with EU data protection standards applied as the baseline
In accordance with GDPR Article 3, this Policy applies to any individual located in the European Union who uses our services, even if they access our platform from outside the EU.
This Policy does not apply to:
When business clients use UBEX.ai to process data belonging to their own customers, employees, or end users, the following role distinction applies:
The following definitions apply throughout this Privacy Policy in accordance with GDPR Article 4 and Spanish LOPDGDD:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity (GDPR Art. 4(1)) |
| Special Category Data | Sensitive personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation (GDPR Art. 9) |
| Processing | Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction (GDPR Art. 4(2)) |
| Data Controller | The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data (GDPR Art. 4(7)) |
| Data Processor | A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller (GDPR Art. 4(8)) |
| Data Subject | The identified or identifiable natural person whose personal data is being processed |
| Consent | Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data (GDPR Art. 4(11)) |
| Legitimate Interests | Processing necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (GDPR Art. 6(1)(f)) |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed (GDPR Art. 4(12)) |
| Profiling | Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements (GDPR Art. 4(4)) |
| Third Party | A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data |
| AI Model | A machine learning system trained on large datasets capable of processing natural language inputs and generating outputs, including but not limited to ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google DeepMind), and Grok (xAI) |
| AI Workflow | An automated sequence of tasks, processes, or operations configured and executed through the UBEX.ai platform using one or more AI models |
| User Content | All prompts, inputs, text, files, images, data, and other content submitted by users to the UBEX.ai platform at app.ubex.ai for processing through AI workflows |
| Platform | The UBEX.ai AI workflow automation platform accessible at https://www.ubex.ai and https://app.ubex.ai |
| Services | All products, features, tools, APIs, and services provided by TechVision Mallorca SL under the UBEX.ai brand |
| Sub-processor | A third-party data processor engaged by TechVision Mallorca SL to process personal data on its behalf in connection with the provision of UBEX.ai services |
| Pseudonymisation | The processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information (GDPR Art. 4(5)) |
| Anonymisation | The irreversible process of altering personal data so that a data subject cannot be identified directly or indirectly |
| Supervisory Authority | An independent public authority responsible for monitoring the application of GDPR - in Spain, this is the Agencia Española de Protección de Datos (AEPD) |
TechVision Mallorca SL collects personal data through multiple channels in connection with the operation of the UBEX.ai platform at https://www.ubex.ai and https://app.ubex.ai. We collect only the minimum data necessary for the purposes described in this Policy, in accordance with the GDPR principle of data minimisation (GDPR Art. 5(1)(c)).
The following personal data is collected directly from you when you register, use, or interact with our platform:
Identity & Account Data:
| Data Type | Specific Examples | When Collected |
|---|---|---|
| Full name | First name, last name | Account registration |
| Username | Display name or handle | Account creation |
| Email address | Primary contact email | Registration, login, communications |
| Password | Stored in encrypted/hashed form only - we never store plain text passwords | Account creation |
| Profile information | Profile photo, bio, preferences | Optional profile setup |
| Language preference | Preferred language for platform interface | Account settings |
Business & Professional Data:
| Data Type | Specific Examples | When Collected |
|---|---|---|
| Company name | Business or organisation name | B2B account registration |
| Job title | Professional role or position | Optional profile information |
| Industry | Business sector | Optional profile information |
| VAT/Tax number | EU VAT number for business invoicing | Billing setup for business accounts |
| Business address | Company registered address | Business account & invoicing |
Billing & Payment Data:
| Data Type | Specific Examples | When Collected |
|---|---|---|
| Billing name | Name on payment method | Subscription purchase |
| Billing address | Address associated with payment method | Subscription purchase |
| Payment method details | Card type, last 4 digits, expiry date (tokenized - we never store full card numbers) | Subscription purchase |
| Transaction history | Payment dates, amounts, subscription tier, invoices | Ongoing subscription management |
| Subscription information | Plan type, billing cycle, renewal dates | Account management |
Important: All payment card data is processed exclusively by Stripe, Inc. (our PCI-DSS Level 1 certified payment processor). TechVision Mallorca SL does not store, process, or have access to your full payment card numbers at any time. Stripe's privacy policy is available at https://stripe.com/privacy.
Communications Data:
| Data Type | Specific Examples | When Collected |
|---|---|---|
| Support messages | Help desk tickets, live chat messages, email inquiries | When you contact support |
| Feedback & surveys | Responses to satisfaction surveys, feature requests | When you voluntarily provide feedback |
| Email correspondence | Emails sent to and received from adelina@ubex.ai or any UBEX.ai address | Ongoing communication |
When you visit https://www.ubex.ai or use the platform at https://app.ubex.ai, we automatically collect the following data through technical means:
Technical & Device Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| IP address | Full IP address at point of access | Security, fraud prevention, approximate location |
| Device identifiers | Device type, device ID, hardware model | Platform compatibility & security |
| Browser information | Browser type, version, language settings | Platform optimisation & compatibility |
| Operating system | OS type and version | Technical support & compatibility |
| Screen resolution | Display dimensions | UI/UX optimisation |
| Time zone | Local time zone setting | Service localisation |
| Referring URL | The website or link that directed you to UBEX.ai | Marketing analytics & traffic analysis |
Usage & Behavioural Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Pages visited | Which pages on ubex.ai and app.ubex.ai you visit | Platform improvement & analytics |
| Features used | Which AI workflow tools, features, and functions you interact with | Product development & improvement |
| Click patterns | Buttons clicked, links followed, navigation paths | UX optimisation |
| Session duration | How long you spend on the platform and individual pages | Analytics & performance monitoring |
| Workflow activity | Workflows created, executed, modified, or deleted | Service delivery & account management |
| Search queries | Searches performed within the platform | Service improvement |
| Error encounters | Technical errors or failures you experience | Debugging & quality improvement |
| Feature engagement | How frequently you use specific features | Product analytics |
Log & Server Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Server logs | Access logs, request logs, response codes | Security monitoring & debugging |
| API call logs | API requests made to and from the platform | Service delivery & security |
| Error logs | System errors, exceptions, crash reports | Platform stability & improvement |
| Authentication logs | Login attempts, session creation, logout events | Security & fraud prevention |
| Performance logs | Response times, load times, system performance metrics | Infrastructure optimisation |
Location Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Approximate geographic location | Country, region, city - derived from IP address | Compliance, language settings, fraud prevention |
| Time zone | Inferred from browser or device settings | Service localisation |
Important: We do not collect precise GPS location data or real-time location tracking. Location is approximated from your IP address only.
As an AI workflow automation platform, UBEX.ai processes specific categories of data that are unique to our services. This data is collected and processed exclusively through https://app.ubex.ai:
User Prompts & AI Inputs:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Text prompts | Written instructions, questions, and commands submitted to AI models | Executing your requested AI workflows |
| Uploaded files | Documents, spreadsheets, images, PDFs submitted for AI processing | AI workflow execution |
| Structured data inputs | Data tables, JSON, CSV files submitted for processing | AI workflow execution |
| Voice inputs | Audio recordings submitted for transcription or processing (if applicable) | AI workflow execution |
| Images & media | Visual content submitted for AI analysis or generation | AI workflow execution |
AI Outputs & Results:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Generated text | AI-generated content, responses, summaries, analyses | Delivering service results to you |
| Generated images | AI-created visual content | Delivering service results to you |
| Processed data | Transformed, analysed, or structured data outputs | Delivering service results to you |
| Workflow results | Complete outputs from automated workflow executions | Delivering service results to you |
Workflow Configuration Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| Workflow settings | Custom workflow configurations, automation rules, triggers | Providing personalised service |
| Integration settings | Connected third-party tools, API keys, integration configurations | Enabling workflow integrations |
| Template data | Custom templates created and saved by users | Service personalisation |
| Prompt libraries | Saved prompts and prompt collections | Service personalisation |
Integration & Connected Service Data:
| Data Type | Specific Examples | Purpose |
|---|---|---|
| OAuth tokens | Authentication tokens from connected services (Google, Microsoft, etc.) | Enabling third-party integrations |
| Connected account data | Data retrieved from services you connect to UBEX.ai with your authorisation | Executing integration-based workflows |
| API credentials | API keys for third-party services you connect (stored encrypted) | Enabling integrations |
In certain circumstances, we may receive personal data about you from third parties:
| Source | Data Received | Circumstances |
|---|---|---|
| OAuth providers (Google, Microsoft, GitHub, etc.) | Name, email address, profile photo, account identifier | When you choose to register or log in using a social/OAuth login |
| Stripe | Payment confirmation, subscription status, billing country | Payment processing confirmation |
| Referral partners | Name, email address, referral source | When you are referred to UBEX.ai through a partner programme |
| Publicly available sources | Business name, professional information | For business verification purposes only |
| Analytics providers | Aggregated traffic and usage data | Platform analytics and improvement |
For the avoidance of doubt, TechVision Mallorca SL does not collect the following:
In accordance with GDPR Article 6 and Spanish LOPDGDD, TechVision Mallorca SL processes personal data only when a valid legal basis exists. We have identified and documented the legal basis for every processing activity we carry out. The following table provides a comprehensive overview:
This legal basis applies when processing is necessary to provide you with our services under our Terms of Service:
| Processing Activity | Justification |
|---|---|
| Creating and managing your UBEX.ai account | Necessary to provide access to the platform |
| Delivering AI workflow automation services | Core service delivery |
| Processing subscription payments | Necessary for paid service provision |
| Sending service-related communications | Essential for account and service management |
| Providing customer support | Necessary for service fulfilment |
| Managing your subscription and billing | Necessary for ongoing service relationship |
| Enabling platform features and tools at app.ubex.ai | Core service delivery |
| Processing user prompts and returning AI outputs | Fundamental to the service you have contracted |
This legal basis applies where we have a legitimate business interest that is not overridden by your rights and freedoms. We have conducted Legitimate Interests Assessments (LIAs) for each of the following:
| Processing Activity | Our Legitimate Interest | Balancing Assessment |
|---|---|---|
| Platform analytics and usage monitoring | Improving our product and user experience | Minimal privacy impact - aggregated data used where possible |
| Security monitoring and fraud prevention | Protecting our platform, users, and business | Essential for all users' security - outweighs privacy impact |
| Server log maintenance | Platform stability and debugging | Technical necessity - logs retained for minimum period only |
| Sending service improvement communications | Business development and product improvement | Users can opt out at any time |
| Enforcing our Terms of Service | Protecting platform integrity | Necessary for fair and safe platform operation |
| Internal business analytics and reporting | Business planning and development | Aggregated and anonymised where possible |
| Preventing abuse and misuse of the platform | Protecting platform integrity and all users | Necessary safeguard - minimal privacy impact when proportionate |
| Network and information security | Protecting our infrastructure and user data | Fundamental security obligation - outweighs privacy impact |
| Maintaining backup systems | Business continuity and data integrity | Technical necessity - backups encrypted and access-controlled |
This legal basis applies where you have freely given, specific, informed, and unambiguous consent to processing:
| Processing Activity | How Consent is Obtained | How to Withdraw |
|---|---|---|
| Marketing emails and newsletters | Explicit opt-in checkbox at registration or subscription | Unsubscribe link in every email or contact adelina@ubex.ai |
| Non-essential cookies and tracking technologies | Cookie consent banner on first visit to ubex.ai | Cookie preference centre - withdraw at any time |
| Analytics cookies | Cookie consent banner | Cookie preference centre |
| Processing of special category data voluntarily submitted in AI workflows | Explicit consent notice at point of submission | Contact adelina@ubex.ai to request deletion |
| Participation in surveys, research, or beta testing | Explicit opt-in at point of invitation | Withdraw participation at any time by contacting us |
Important - Consent Withdrawal: You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawal of consent does not affect processing carried out on other legal bases.
This legal basis applies where processing is required to comply with a legal obligation under EU or Spanish law:
| Processing Activity | Applicable Legal Obligation |
|---|---|
| Retaining financial and transaction records | Spanish General Tax Law (Ley 58/2003) - 6 year minimum retention |
| Retaining invoicing and accounting records | Spanish Commercial Code (Código de Comercio) - 6 year minimum retention |
| Responding to lawful requests from public authorities | Spanish law enforcement and judicial cooperation obligations |
| Reporting data breaches to the AEPD | GDPR Article 33 - mandatory 72-hour notification |
| Complying with anti-money laundering requirements | EU AML Directives and Spanish Law 10/2010 |
| Providing data to tax authorities | Spanish Tax Agency (AEAT) obligations |
| Retaining electronic communications records | Spanish Law 34/2002 (LSSI-CE) |
In exceptional circumstances, we may process personal data where it is necessary to protect the vital interests of a person - for example, in a medical emergency situation. This basis is used only as a last resort and in genuinely exceptional circumstances.
This basis does not currently apply to TechVision Mallorca SL's processing activities.
TechVision Mallorca SL does not intentionally collect or process special category data as defined under GDPR Article 9. However, we acknowledge that users may voluntarily include special category data within their AI workflow inputs and prompts submitted at app.ubex.ai.
In such cases, the following applies:
| Scenario | Legal Basis | Our Approach |
|---|---|---|
| User voluntarily includes health data in an AI prompt | Explicit Consent (GDPR Art. 9(2)(a)) - by submitting such data, the user explicitly consents to its processing for the purpose of executing their requested workflow | Data is processed solely to execute the requested workflow and is not used for any other purpose |
| User voluntarily includes political or religious information in a prompt | Explicit Consent (GDPR Art. 9(2)(a)) | Processed solely for workflow execution - not retained beyond operational necessity |
| User voluntarily includes biometric data | Explicit Consent (GDPR Art. 9(2)(a)) | Processed solely for workflow execution - users are advised to avoid submitting unnecessary sensitive data |
Our Strong Recommendation: We strongly advise users not to submit special category data, sensitive personal information, or confidential third-party data in AI workflow prompts unless strictly necessary for their intended use case. See Section 7 for full AI-specific data handling disclosures.
Where personal data is collected on the basis of contractual necessity, failure to provide the required data will result in our inability to provide the relevant service. Specifically:
| Data Required | Consequence of Non-Provision |
|---|---|
| Email address and password | Cannot create an account or access app.ubex.ai |
| Payment information | Cannot access paid subscription features |
| Basic account information | Cannot use platform features requiring authentication |
Where data is collected on the basis of consent or legitimate interests, you may choose not to provide it without affecting your ability to use the core platform services, though some features may be limited.
Where we engage in automated processing or profiling activities (see Section 17), the legal basis is:
| Automated Activity | Legal Basis |
|---|---|
| Automated fraud detection and security screening | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Automated subscription management and billing | Performance of a Contract (GDPR Art. 6(1)(b)) |
| Personalisation of platform features based on usage | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Automated responses to support queries | Performance of a Contract (GDPR Art. 6(1)(b)) |
In addition to GDPR requirements, Spanish Organic Law 3/2018 (LOPDGDD) provides the following supplementary provisions applicable to TechVision Mallorca SL:
Article 6 LOPDGDD: Consent must be obtained through a clear affirmative act. Pre-ticked boxes or implied consent are not valid under Spanish law.
Article 7 LOPDGDD: Consent for each specific processing purpose must be granular and separately obtained - bundled consent is not valid.
Article 11 LOPDGDD: Users have the right to receive transparent information about processing in clear and plain language accessible to all users.
Article 17 LOPDGDD: The right to erasure under Spanish law supplements GDPR Article 17 and includes specific provisions for digital content removal.
Article 94 LOPDGDD: Specific provisions apply to the use of personal data in internet-based services and digital platforms - TechVision Mallorca SL complies with all applicable provisions.
Article 95 LOPDGDD: Right to digital disconnection and the right not to be contacted through digital means outside of agreed service communications.
Article 97 LOPDGDD: Provisions relating to the use of personal data in artificial intelligence systems - TechVision Mallorca SL applies these provisions to all AI model integrations.
TechVision Mallorca SL uses personal data collected through https://www.ubex.ai and https://app.ubex.ai for specific, explicit, and legitimate purposes only, in accordance with the purpose limitation principle under GDPR Article 5(1)(b). We do not use your personal data for any purpose incompatible with those described below.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and maintaining your UBEX.ai account | Identity data, contact data, credentials | Contract (Art. 6(1)(b)) |
| Providing access to the platform at app.ubex.ai | Identity data, authentication data, technical data | Contract (Art. 6(1)(b)) |
| Processing and executing AI workflow requests | User prompts, inputs, workflow configurations | Contract (Art. 6(1)(b)) |
| Delivering AI-generated outputs and results | User content, AI outputs | Contract (Art. 6(1)(b)) |
| Managing your subscription and account settings | Identity data, billing data, subscription data | Contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Billing data, payment data, transaction history | Contract (Art. 6(1)(b)) |
| Enabling third-party integrations you authorise | Integration data, OAuth tokens, API credentials | Contract (Art. 6(1)(b)) |
| Saving and retrieving your workflow configurations | Workflow configuration data, template data | Contract (Art. 6(1)(b)) |
| Providing access to your usage history and outputs | Usage data, AI outputs, workflow data | Contract (Art. 6(1)(b)) |
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to support requests and help desk tickets | Identity data, communications data, usage data | Contract (Art. 6(1)(b)) |
| Sending service-related notifications | Contact data, subscription data | Contract (Art. 6(1)(b)) |
| Sending billing notifications and payment confirmations | Contact data, billing data, transaction data | Contract (Art. 6(1)(b)) |
| Notifying you of changes to our services or policies | Contact data | Legal obligation (Art. 6(1)(c)) |
| Sending security alerts and account notifications | Contact data, technical data | Legitimate interests (Art. 6(1)(f)) |
| Responding to legal inquiries or complaints | Identity data, communications data | Legal obligation (Art. 6(1)(c)) |
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Analysing platform usage patterns and trends | Usage data, technical data (aggregated) | Legitimate interests (Art. 6(1)(f)) |
| Identifying and fixing technical bugs and errors | Log data, error data, technical data | Legitimate interests (Art. 6(1)(f)) |
| Developing and testing new features | Usage data, feedback data (anonymised where possible) | Legitimate interests (Art. 6(1)(f)) |
| Conducting internal research and analysis | Aggregated and anonymised usage data | Legitimate interests (Art. 6(1)(f)) |
| Monitoring platform performance and stability | Technical data, log data, server data | Legitimate interests (Art. 6(1)(f)) |
| Improving AI workflow accuracy and reliability | Aggregated performance data (not individual prompts - see Section 7) | Legitimate interests (Art. 6(1)(f)) |
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Detecting and preventing fraudulent activity | Technical data, usage data, payment data | Legitimate interests (Art. 6(1)(f)) |
| Monitoring for unauthorised access and security threats | Authentication logs, IP data, technical data | Legitimate interests (Art. 6(1)(f)) |
| Enforcing our Terms of Service and Acceptable Use Policy | Identity data, usage data, communications data | Legitimate interests (Art. 6(1)(f)) |
| Verifying user identity for security purposes | Identity data, authentication data | Legitimate interests (Art. 6(1)(f)) |
| Protecting against spam, abuse, and malicious activity | Technical data, usage data, IP data | Legitimate interests (Art. 6(1)(f)) |
| Maintaining audit trails for security incidents | Log data, authentication data | Legitimate interests (Art. 6(1)(f)) |
| Complying with cybersecurity obligations | Technical data, log data | Legal obligation (Art. 6(1)(c)) |
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Complying with Spanish tax and accounting obligations | Billing data, transaction data, identity data | Legal obligation (Art. 6(1)(c)) |
| Responding to lawful requests from courts or authorities | Any relevant data as required by law | Legal obligation (Art. 6(1)(c)) |
| Maintaining legally required records | Transaction data, communications data | Legal obligation (Art. 6(1)(c)) |
| Reporting data breaches to the AEPD | Relevant incident data | Legal obligation (Art. 6(1)(c)) |
| Complying with anti-money laundering obligations | Identity data, payment data | Legal obligation (Art. 6(1)(c)) |
| Enforcing our legal rights and defending legal claims | Any relevant data | Legitimate interests (Art. 6(1)(f)) |

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Sending marketing emails and newsletters (opt-in only) | Contact data, subscription data | Consent (Art. 6(1)(a)) |
| Personalising marketing communications based on usage | Usage data, subscription data | Consent (Art. 6(1)(a)) |
| Conducting customer satisfaction surveys | Contact data, usage data | Legitimate interests (Art. 6(1)(f)) |
| Analysing marketing campaign effectiveness | Aggregated usage data, referral data | Legitimate interests (Art. 6(1)(f)) |
| Managing referral and affiliate programmes | Identity data, referral data | Contract (Art. 6(1)(b)) |
TechVision Mallorca SL makes the following absolute commitments regarding your personal data:
This section provides full transparency about how personal data is handled specifically in connection with the AI workflow automation features of the UBEX.ai platform at https://app.ubex.ai. This section is required under GDPR, the EU AI Act, and emerging best practices for AI service providers.
The UBEX.ai platform enables users to create, configure, and execute automated workflows powered by multiple large language models (LLMs) and AI systems. When you submit a prompt, input, or file through app.ubex.ai, the following processing sequence occurs:
1. Input Reception: Your prompt or input is received by UBEX.ai's servers hosted on Google Cloud in Frankfurt, Germany (EU)
2. Workflow Processing: Your input is processed according to your configured workflow settings
3. AI Model Routing: Your input is transmitted to the relevant AI model provider(s) selected for your workflow
4. AI Model Processing: The selected AI model processes your input and generates a response or output
5. Output Delivery: The AI-generated output is transmitted back to UBEX.ai's servers and delivered to you at app.ubex.ai
6. Storage: Your inputs, outputs, and workflow data are stored on Google Cloud servers in Frankfurt, Germany (EU) in accordance with the retention periods set out in Section 12
When you use UBEX.ai's AI workflow features, your inputs and prompts are transmitted to one or more of the following AI model providers. Each provider processes your data according to their own data processing terms, which are incorporated into our agreements with them:
| AI Model Provider | Model(s) Used | Data Processing Location | Privacy Policy | Data Processing Terms |
|---|---|---|---|---|
| OpenAI, LLC | ChatGPT and related models | United States (with EU safeguards) | https://openai.com/privacy | https://openai.com/policies/data-processing-addendum |
| Anthropic, PBC | Claude Opus, Claude Sonnet, and related models | United States (with EU safeguards) | https://www.anthropic.com/privacy | https://www.anthropic.com/legal/data-processing-addendum |
| Google DeepMind / Google LLC | Gemini and related models | United States and EU (with EU safeguards) | https://policies.google.com/privacy | https://cloud.google.com/terms/data-processing-addendum |
| xAI, LLC | Grok and related models | United States (with EU safeguards) | https://x.ai/privacy | Subject to xAI enterprise terms |
Important Disclosure: TechVision Mallorca SL has entered into or is in the process of entering into Data Processing Agreements (DPAs) with each AI model provider to ensure your data is handled in compliance with GDPR requirements. Where providers are located outside the EU/EEA, appropriate safeguards including Standard Contractual Clauses (SCCs) are applied - see Section 10 for full details.
When your workflow is executed, the following data may be transmitted to AI model providers:
| Data Transmitted | Circumstances | Minimisation Measures |
|---|---|---|
| Your text prompts and instructions | Every AI workflow execution | Only the minimum prompt necessary for the task |
| Content of uploaded files | When you upload files for AI processing | Only the content you explicitly submit |
| Workflow context and conversation history | For multi-turn conversations and workflows | Limited to the context window required |
| System prompts and workflow configurations | To configure AI model behaviour for your workflow | Template-level instructions only |
What is NOT transmitted to AI model providers:
This is one of the most important disclosures in this Privacy Policy. We want to be completely transparent about whether your data is used to train AI models:
TechVision Mallorca SL's Position:
Third-Party AI Provider Training Policies:
| Provider | Uses API Data for Training? | Our Contractual Protection |
|---|---|---|
| OpenAI | No - API inputs and outputs are not used to train OpenAI models by default under API terms | DPA in place confirming no training on API data |
| Anthropic | No - API inputs and outputs are not used to train Claude models under API terms | DPA in place confirming no training on API data |
| Gemini | No - Google Cloud API data is not used for model training under enterprise terms | DPA in place confirming no training on API data |
| xAI (Grok) | Subject to xAI's current API terms - we are monitoring and updating agreements | We are actively pursuing DPA confirmation |
Our Commitment: We are committed to ensuring that none of your data submitted through app.ubex.ai is used to train any AI model without your explicit, informed consent. We will update this Policy immediately if any provider changes their training data policies.
As noted in Section 4.5, we strongly advise users not to submit special category data in AI workflow prompts. However, we acknowledge that users may do so voluntarily. In such cases:
Categories of special data users should avoid submitting unless necessary:
When using UBEX.ai's AI workflow features, you as the user are responsible for:
TechVision Mallorca SL is not responsible for the content of data submitted by users to AI workflows, provided we have fulfilled our obligations as Data Processor under GDPR Article 28.
AI-generated outputs produced through the UBEX.ai platform are generated by third-party AI models and may not always be accurate, complete, or appropriate. Users should:
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which entered into force on 1 August 2024 and is being phased in through 2025–2026, establishes a comprehensive regulatory framework for AI systems in the European Union. As an AI platform provider operating within the EU, TechVision Mallorca SL is committed to full compliance with all applicable provisions.
TechVision Mallorca SL operates in the following capacities under the EU AI Act:
| Role | Description |
|---|---|
| Deployer | We deploy AI models developed by third-party providers (OpenAI, Anthropic, Google, xAI) within our platform |
| Provider (partial) | We provide AI workflow automation tools and configurations that determine how AI models are used |
Under the EU AI Act's risk-based classification framework, we have assessed our AI systems as follows:
| AI System / Feature | Risk Classification | Justification |
|---|---|---|
| General AI workflow automation | Minimal Risk | General purpose productivity tool with no significant impact on fundamental rights |
| Content generation workflows | Minimal Risk | Creative and productivity assistance with human oversight |
| Data analysis workflows | Limited Risk | Involves processing of potentially sensitive data - transparency obligations apply |
| Automated decision-support workflows | Limited Risk | Provides recommendations to humans who retain final decision-making authority |
| Document processing workflows | Minimal Risk | General productivity tool with no significant rights impact |
Important: UBEX.ai does not operate any High-Risk AI systems as defined under EU AI Act Annex III, which includes AI systems used in critical infrastructure, education, employment, essential services, law enforcement, migration, or administration of justice. If our services expand into any high-risk category in the future, we will update this Policy and implement all required compliance measures immediately.
In accordance with EU AI Act Article 50 transparency obligations, TechVision Mallorca SL makes the following disclosures:
AI-Generated Content Disclosure:
- All content generated through UBEX.ai's AI workflow features is produced by AI systems
- Users are aware they are interacting with AI systems when using the app.ubex.ai platform
- Where AI-generated content is produced, users are responsible for labelling it appropriately when required by law or professional standards

Chatbot & AI Interaction Disclosure:
- Any automated conversational AI features within the UBEX.ai platform are clearly identified as AI systems
- Users are not deceived into believing they are interacting with a human when interacting with AI features

Deep Fake & Synthetic Media:
- UBEX.ai does not provide deep fake generation capabilities
- Any image or media generation features clearly identify outputs as AI-generated
The AI models integrated into UBEX.ai (ChatGPT, Claude, Gemini, Grok) are classified as General Purpose AI (GPAI) models under EU AI Act Article 51. TechVision Mallorca SL, as a deployer of these models, fulfils the following obligations:
| Obligation | How We Comply |
|---|---|
| Use models in accordance with provider instructions and permitted use policies | ✅ All model integrations comply with provider usage policies |
| Maintain transparency with users about AI involvement | ✅ Disclosed throughout this Policy and within the platform interface |
| Implement appropriate human oversight mechanisms | ✅ All AI outputs require user review before action - no fully autonomous consequential decisions |
| Monitor for misuse and harmful outputs | ✅ Content moderation and abuse monitoring in place |
| Cooperate with providers on safety and compliance | ✅ Active compliance monitoring with all provider terms |
TechVision Mallorca SL confirms that UBEX.ai does not engage in any AI practices prohibited under EU AI Act Article 5, including:
In accordance with EU AI Act principles and GDPR Article 22, TechVision Mallorca SL ensures that:
| EU AI Act Provision | Applicability Date | Our Status |
|---|---|---|
| Prohibited practices (Art. 5) | February 2, 2025 | ✅ Compliant |
| GPAI model obligations (Art. 51-56) | August 2, 2025 | ✅ In progress |
| Transparency obligations (Art. 50) | August 2, 2026 | ✅ Implementing proactively |
| Full regulation applicability | August 2, 2026 | ✅ Monitoring and preparing |
TechVision Mallorca SL does not sell, rent, or trade your personal data. We share personal data with third parties only in the specific circumstances described in this section, and only to the extent necessary for the stated purpose. All third-party processors are bound by Data Processing Agreements (DPAs) in accordance with GDPR Article 28.
| Category | Who | Purpose | Legal Basis |
|---|---|---|---|
| Cloud Infrastructure Provider | Google Cloud (Frankfurt) | Hosting, storage, and infrastructure for all UBEX.ai services | Contract (Art. 6(1)(b)) |
| Payment Processor | Stripe, Inc. | Processing subscription payments and managing billing | Contract (Art. 6(1)(b)) |
| AI Model Providers | OpenAI, Anthropic, Google DeepMind, xAI | Processing AI workflow inputs and generating outputs | Contract (Art. 6(1)(b)) |
| Analytics Providers | Google Analytics and related tools | Platform usage analytics and performance monitoring | Consent (Art. 6(1)(a)) / Legitimate interests (Art. 6(1)(f)) |
| Email Service Providers | Transactional email service providers | Delivering service emails, notifications, and communications | Contract (Art. 6(1)(b)) |
| Customer Support Tools | Support platform providers | Managing customer support tickets and communications | Legitimate interests (Art. 6(1)(f)) |
| Legal & Professional Advisors | Lawyers, accountants, auditors | Legal advice, tax compliance, financial auditing | Legal obligation (Art. 6(1)(c)) / Legitimate interests (Art. 6(1)(f)) |
| Public Authorities | AEPD, AEAT, courts, law enforcement | Responding to lawful legal requests and regulatory obligations | Legal obligation (Art. 6(1)(c)) |

| Detail | Information |
|---|---|
| Legal Entity | Google Ireland Limited |
| Address | Gordon House, Barrow Street, Dublin 4, Ireland |
| Data Center Location | Frankfurt, Germany (EU) - europe-west3 region |
| Data Processed | All platform data including user accounts, workflow data, AI inputs/outputs, logs, backups |
| Purpose | Cloud hosting, storage, compute, networking, and infrastructure services |
| GDPR Safeguard | Google Cloud Data Processing Addendum incorporating Standard Contractual Clauses |
| Privacy Policy | https://cloud.google.com/terms/cloud-privacy-notice |
| DPA | https://cloud.google.com/terms/data-processing-addendum |
| Data Stays in EU | ✅ Yes - all data stored in Frankfurt, Germany |

| Detail | Information |
|---|---|
| Legal Entity | Stripe Payments Europe Limited (for EU customers) |
| Address | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland |
| Data Processed | Payment card data, billing information, transaction records, fraud signals |
| Purpose | Processing subscription payments, managing billing, fraud prevention |
| GDPR Safeguard | Stripe Data Processing Agreement incorporating Standard Contractual Clauses |
| PCI-DSS Status | Level 1 PCI-DSS certified - highest level of payment security |
| Privacy Policy | https://stripe.com/privacy |
| DPA | https://stripe.com/legal/dpa |
| Data Location | EU (Stripe Payments Europe Limited - Dublin, Ireland) |

| Detail | Information |
|---|---|
| Legal Entity | OpenAI, LLC |
| Address | 3180 18th Street, San Francisco, CA 94110, United States |
| Models Used | ChatGPT and related OpenAI models |
| Data Processed | User prompts, workflow inputs, and conversation context transmitted for AI processing |
| Purpose | Generating AI outputs in response to user workflow requests |
| GDPR Safeguard | OpenAI Data Processing Addendum incorporating Standard Contractual Clauses (SCCs) |
| Training on API Data | ❌ No - OpenAI does not use API inputs/outputs to train models under enterprise API terms |
| Privacy Policy | https://openai.com/privacy |
| DPA | https://openai.com/policies/data-processing-addendum |
| Data Location | United States - protected by SCCs and OpenAI DPA |

| Detail | Information |
|---|---|
| Legal Entity | Anthropic, PBC |
| Address | 548 Market Street, PMB 90375, San Francisco, CA 94104, United States |
| Models Used | Claude Opus, Claude Sonnet, and related Anthropic models |
| Data Processed | User prompts, workflow inputs, and conversation context transmitted for AI processing |
| Purpose | Generating AI outputs in response to user workflow requests |
| GDPR Safeguard | Anthropic Data Processing Addendum incorporating Standard Contractual Clauses (SCCs) |
| Training on API Data | ❌ No - Anthropic does not use API inputs/outputs to train models under API terms |
| Privacy Policy | https://www.anthropic.com/privacy |
| DPA | https://www.anthropic.com/legal/data-processing-addendum |
| Data Location | United States - protected by SCCs and Anthropic DPA |

| Detail | Information |
|---|---|
| Legal Entity | Google LLC / Google Ireland Limited (for EU users) |
| Address | 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States |
| Models Used | Gemini and related Google AI models |
| Data Processed | User prompts, workflow inputs, and conversation context transmitted for AI processing |
| Purpose | Generating AI outputs in response to user workflow requests |
| GDPR Safeguard | Google Cloud Data Processing Addendum incorporating Standard Contractual Clauses (SCCs) |
| Training on API Data | ❌ No - Google does not use Google Cloud API data to train models under enterprise terms |
| Privacy Policy | https://policies.google.com/privacy |
| DPA | https://cloud.google.com/terms/data-processing-addendum |
| Data Location | United States and EU - protected by SCCs and Google Cloud DPA |

| Detail | Information |
|---|---|
| Legal Entity | xAI, LLC |
| Address | 216 Park Road, Burlingame, CA 94010, United States |
| Models Used | Grok and related xAI models |
| Data Processed | User prompts, workflow inputs, and conversation context transmitted for AI processing |
| Purpose | Generating AI outputs in response to user workflow requests |
| GDPR Safeguard | xAI API terms and Data Processing Agreement - we are actively pursuing full GDPR-compliant DPA |
| Training on API Data | Subject to xAI's current API terms - we are monitoring and will update this Policy accordingly |
| Privacy Policy | https://x.ai/privacy |
| Data Location | United States - safeguards being established |
Note Regarding xAI / Grok: TechVision Mallorca SL is actively working to establish a fully GDPR-compliant Data Processing Agreement with xAI. In the interim, we apply additional technical safeguards when routing data through Grok models and will update this Policy as soon as a full DPA is in place. Users who have concerns about this integration may contact us at adelina@ubex.ai.
TechVision Mallorca SL uses analytics tools to understand how users interact with https://www.ubex.ai and https://app.ubex.ai. The following analytics processing takes place:
| Detail | Information |
|---|---|
| Provider | Google Analytics (Google Ireland Limited) |
| Purpose | Understanding user behaviour, traffic sources, platform usage patterns, and performance metrics |
| Data Collected | IP address (anonymised), pages visited, session duration, device information, referral sources |
| IP Anonymisation | ✅ Enabled - full IP addresses are not stored |
| Data Sharing with Google | Aggregated analytics data shared with Google under Google Analytics terms |
| Legal Basis | Consent (Art. 6(1)(a)) - analytics cookies require your prior consent via our cookie banner |
| Opt-Out | You may opt out via our cookie preference centre or via https://tools.google.com/dlpage/gaoptout |
| Privacy Policy | https://policies.google.com/privacy |
| Data Retention | Configured to minimum retention periods within Google Analytics settings |
TechVision Mallorca SL may be required to disclose personal data to public authorities in the following circumstances:
| Circumstance | Authority | Our Approach |
|---|---|---|
| Lawful court order or judicial request | Spanish courts, EU judicial authorities | We comply with all lawful court orders after verifying their legal validity |
| Law enforcement request with legal basis | Spanish Policía Nacional, Guardia Civil, EU law enforcement | We comply only with requests that have a clear and lawful legal basis |
| Tax authority request | Agencia Tributaria (AEAT) | We comply with all lawful tax authority requests |
| Data protection authority investigation | AEPD | We cooperate fully with AEPD investigations and audits |
| Regulatory compliance request | Any competent EU regulatory authority | We comply with all lawful regulatory requests |
Our Commitment Regarding Authority Requests:
- We will always verify the legal validity of any request before disclosing data
- We will notify you of any request for your data where we are legally permitted to do so
- We will disclose only the minimum data necessary to satisfy the lawful request
- We will maintain a record of all authority requests received and our responses
- We will challenge any request we believe to be unlawful or disproportionate
In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency proceedings involving TechVision Mallorca SL, personal data held by us may be transferred to a successor entity. In such circumstances:
TechVision Mallorca SL maintains a current list of all sub-processors engaged in processing personal data on our behalf. Users may request an up-to-date list of sub-processors at any time by contacting adelina@ubex.ai. We will notify users of any material changes to our sub-processor arrangements with reasonable advance notice, providing the opportunity to object to such changes.
TechVision Mallorca SL's primary infrastructure is hosted on Google Cloud in Frankfurt, Germany - meaning your data is stored within the European Union and the European Economic Area (EEA). However, certain data transfers to third-party service providers located outside the EU/EEA do occur in connection with our AI model integrations and other service providers. TechVision Mallorca SL ensures that all such international transfers are conducted with appropriate safeguards in full compliance with GDPR Chapter V (Articles 44–49) and the guidance of the European Data Protection Board (EDPB).
Under GDPR Chapter V, personal data may only be transferred outside the EU/EEA where one of the following conditions is met:
| Transfer Mechanism | Legal Basis | Description |
|---|---|---|
| Adequacy Decision | GDPR Art. 45 | The European Commission has determined that the destination country provides an adequate level of data protection |
| Standard Contractual Clauses (SCCs) | GDPR Art. 46(2)(c) | Contractual clauses approved by the European Commission providing appropriate safeguards |
| Binding Corporate Rules (BCRs) | GDPR Art. 47 | Approved internal rules for multinational organisations |
| Certification Mechanisms | GDPR Art. 46(2)(f) | Approved certification schemes providing appropriate safeguards |
| Derogations for Specific Situations | GDPR Art. 49 | Limited exceptions including explicit consent or necessity for contract performance |
The following table provides a complete overview of all international data transfers carried out by TechVision Mallorca SL:
| Recipient | Country | Data Transferred | Transfer Mechanism | Adequacy Decision? |
|---|---|---|---|---|
| Google Cloud | Germany (EU) | All platform data | N/A - stays within EU/EEA | N/A - EU storage |
| Stripe Payments Europe | Ireland (EU) | Payment & billing data | N/A - stays within EU/EEA | N/A - EU entity |
| OpenAI, LLC | United States | AI workflow prompts & inputs | Standard Contractual Clauses (SCCs) | ❌ No adequacy decision - SCCs apply |
| Anthropic, PBC | United States | AI workflow prompts & inputs | Standard Contractual Clauses (SCCs) | ❌ No adequacy decision - SCCs apply |
| Google LLC (Gemini API) | United States | AI workflow prompts & inputs | Standard Contractual Clauses (SCCs) | ❌ No adequacy decision - SCCs apply |
| xAI, LLC | United States | AI workflow prompts & inputs | SCCs being established - DPA in progress | ❌ No adequacy decision - safeguards being formalised |
Key Point: The majority of your personal data - including your account information, billing data, and stored workflow data - never leaves the European Union, as it is stored exclusively on Google Cloud's Frankfurt, Germany infrastructure. International transfers occur only when your AI workflow prompts are processed by AI model providers, which is necessary for the core functionality of the service you have requested.
Standard Contractual Clauses (SCCs) are contractual terms approved by the European Commission under GDPR Article 46(2)(c) that provide legally binding data protection guarantees for international transfers. The current applicable SCCs were adopted by the European Commission on 4 June 2021 (Commission Implementing Decision (EU) 2021/914).
TechVision Mallorca SL uses the following SCC modules for international transfers:
| Module | Transfer Type | Applicable To |
|---|---|---|
| Module 1 | Controller to Controller | Transfers where both parties act as independent data controllers |
| Module 2 | Controller to Processor | Transfers where TechVision Mallorca SL transfers data to a third-party processor (primary module used) |
| Module 3 | Processor to Processor | Transfers between processors in the processing chain |
For all transfers to US-based AI model providers, Module 2 (Controller to Processor) SCCs are the primary transfer mechanism, as TechVision Mallorca SL acts as Data Controller and the AI model providers act as Data Processors for the purpose of executing AI workflow requests.
In accordance with EDPB Recommendations 01/2020 on measures supplementing transfer tools, TechVision Mallorca SL conducts Transfer Impact Assessments (TIAs) for all transfers to third countries. Our TIAs assess:
- What personal data is being transferred
- Who the recipient is and their location
- The purpose and necessity of the transfer
- Which GDPR Chapter V mechanism applies
- Whether SCCs, BCRs, or other mechanisms are in place
- Whether the destination country's laws impinge on the effectiveness of the transfer tool
- Specifically, whether US surveillance laws (FISA 702, EO 12333) may affect data transferred to US providers
| Supplementary Measure | Applied To | Description |
|---|---|---|
| Data minimisation | All AI provider transfers | Only the minimum prompt data necessary for workflow execution is transmitted |
| Pseudonymisation | Where technically feasible | Removing or replacing identifying information before transmission |
| Encryption in transit | All transfers | All data transmitted to AI providers is encrypted using TLS 1.2/1.3 |
| Encryption at rest | Google Cloud storage | All stored data is encrypted at rest on Google Cloud Frankfurt servers |
| Contractual restrictions | All DPAs | AI providers contractually prohibited from using data for training or unauthorised purposes |
| Access controls | All providers | Strict access controls limiting who at AI providers can access transmitted data |
The EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (Adequacy Decision C(2023) 4745), provides a new adequacy mechanism for transfers to certified US organisations.
| Provider | DPF Certified? | Implications |
|---|---|---|
| Google LLC | ✅ Yes - certified under EU-US DPF | Transfers to Google may benefit from DPF adequacy in addition to SCCs |
| OpenAI, LLC | ✅ Yes - certified under EU-US DPF | Transfers to OpenAI may benefit from DPF adequacy in addition to SCCs |
| Anthropic, PBC | 🔄 Monitoring - certification status subject to change | SCCs remain primary transfer mechanism |
| xAI, LLC | 🔄 Monitoring - certification status subject to change | SCCs being established as primary transfer mechanism |
Note: TechVision Mallorca SL continues to maintain SCCs with all US providers regardless of DPF certification status, as an additional layer of protection in the event the DPF is challenged or invalidated (as occurred with its predecessors Safe Harbor and Privacy Shield).
In addition to the legal mechanisms described above, TechVision Mallorca SL implements the following technical and organisational measures to protect data transferred internationally:
| Safeguard | Description | Applied To |
|---|---|---|
| Encryption in Transit | All data transmitted to third-party providers is encrypted using TLS 1.2 or higher | All international transfers |
| Encryption at Rest | All data stored on our infrastructure is encrypted at rest using AES-256 | All stored data |
| Data Minimisation | Only the minimum data necessary for the specific AI processing task is transmitted | All AI model transfers |
| Access Controls | Strict access controls limit which personnel and systems can access transferred data | All transfers |
| API Security | All API communications with AI model providers use authenticated, encrypted connections | All AI model transfers |
| Prompt Sanitisation | Where technically feasible, personally identifiable information is removed from prompts before transmission | AI model transfers |
| Contractual Restrictions | All DPAs contractually prohibit providers from using data for unauthorised purposes | All transfers |
| Audit Rights | Our DPAs include audit rights allowing us to verify compliance by sub-processors | All named processors |
You have the right to:
- Request information about the specific safeguards applied to transfers of your personal data to third countries by contacting adelina@ubex.ai
- Obtain a copy of the Standard Contractual Clauses or other transfer mechanisms we rely upon for international transfers
- Lodge a complaint with the AEPD if you believe your data has been transferred internationally without adequate safeguards
- Withdraw consent for processing activities that involve international transfers where consent is the legal basis - noting this may affect your ability to use certain AI workflow features

To exercise any of these rights in connection with international transfers, please contact us at adelina@ubex.ai with the subject line "International Transfer Inquiry" and we will respond within 30 days.
TechVision Mallorca SL commits to the following ongoing monitoring obligations in respect of international transfers:
- Annual review of all Transfer Impact Assessments to ensure continued adequacy
- Immediate review upon any material change in the legal framework of a destination country
- Continuous monitoring of EU Commission adequacy decisions and DPF certification status of our providers
- Prompt update of this Privacy Policy upon any material change to our transfer mechanisms or safeguards
- EDPB guidance monitoring - we actively monitor guidance issued by the European Data Protection Board regarding international transfers and implement recommendations promptly
- Provider compliance monitoring - we regularly review our sub-processors' compliance with their DPA obligations and update our agreements as required
This section constitutes the full Cookie Policy of TechVision Mallorca SL and applies to all cookies and tracking technologies used on https://www.ubex.ai and https://app.ubex.ai. This Cookie Policy complies with the ePrivacy Directive 2002/58/EC, GDPR, Spanish Law 34/2002 (LSSI-CE), and the AEPD Cookie Guidelines (updated January 2024).
Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work efficiently, to remember your preferences, and to provide analytical information to website operators. Cookies may be:
- First-party cookies - set directly by TechVision Mallorca SL on our domains (ubex.ai and app.ubex.ai)
- Third-party cookies - set by third-party services we use, such as analytics providers and payment processors
- Session cookies - temporary cookies that are deleted when you close your browser
- Persistent cookies - cookies that remain on your device for a defined period or until you delete them
In addition to cookies, we may use the following tracking technologies on our platform:
| Technology | Description | Where Used |
|---|---|---|
| Web beacons / pixel tags | Tiny invisible images embedded in web pages or emails that track whether a page or email has been opened | Marketing emails, web pages |
| Local storage | Browser-based storage mechanism used to save user preferences and session data locally | app.ubex.ai platform |
| Session storage | Temporary browser storage cleared when the browser session ends | app.ubex.ai platform |
| JavaScript tags | Scripts that collect usage and behavioural data for analytics purposes | ubex.ai and app.ubex.ai |
| API tracking | Logging of API calls and usage patterns for security and analytics | app.ubex.ai API |
| Fingerprinting (limited) | Device and browser characteristic analysis used exclusively for fraud prevention and security - not for advertising | Security systems only |
In accordance with AEPD guidelines and the ePrivacy Directive, we classify all cookies into the following categories:
These cookies are essential for the operation of our platform. They cannot be disabled as they are required for the website and application to function. No consent is required for strictly necessary cookies under the ePrivacy Directive and LSSI-CE.
| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| session_id | TechVision Mallorca SL | Maintains your authenticated session at app.ubex.ai | Session | Until browser close |
| csrf_token | TechVision Mallorca SL | Cross-site request forgery protection - security essential | Session | Until browser close |
| auth_token | TechVision Mallorca SL | Authentication token for logged-in users at app.ubex.ai | Persistent | 30 days |
| user_preferences | TechVision Mallorca SL | Stores essential user interface preferences (language, theme) | Persistent | 12 months |
| cookie_consent | TechVision Mallorca SL | Records your cookie consent choices | Persistent | 12 months |
| stripe_mid | Stripe | Fraud prevention and payment security | Persistent | 12 months |
| stripe_sid | Stripe | Stripe session identifier for payment processing | Session | Until browser close |
| __stripe_orig_props | Stripe | Payment fraud detection | Persistent | 12 months |
Legal Basis: Strictly necessary - no consent required (ePrivacy Directive Art. 5(3) exemption; LSSI-CE Art. 22(2))
These cookies enhance the functionality of our platform by remembering your choices and preferences. They are not strictly necessary but improve your experience. Consent is required.
| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| lang_preference | TechVision Mallorca SL | Remembers your preferred language setting | Persistent | 12 months |
| ui_theme | TechVision Mallorca SL | Remembers your preferred interface theme (light/dark mode) | Persistent | 12 months |
| workflow_layout | TechVision Mallorca SL | Saves your preferred workflow editor layout | Persistent | 6 months |
| dashboard_config | TechVision Mallorca SL | Saves your dashboard configuration and widget arrangement | Persistent | 6 months |
| recently_used | TechVision Mallorca SL | Tracks recently used workflows and templates for quick access | Persistent | 3 months |
| timezone | TechVision Mallorca SL | Stores your detected or selected time zone | Persistent | 12 months |
Legal Basis: Consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))
These cookies collect information about how visitors use our website and platform. All data collected is aggregated and used solely to improve our services. Consent is required.
| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users - primary Google Analytics identifier | Persistent | 24 months |
| _ga_[ID] | Google Analytics | Maintains session state for Google Analytics 4 | Persistent | 24 months |
| _gid | Google Analytics | Distinguishes users - refreshed every 24 hours | Persistent | 24 hours |
| _gat | Google Analytics | Throttles request rate to Google Analytics servers | Session | 1 minute |
| _gac_[ID] | Google Analytics | Contains campaign-related information | Persistent | 90 days |
| _gcl_au | Google Tag Manager | Used by Google AdSense to experiment with advertisement efficiency | Persistent | 3 months |
| ubex_analytics | TechVision Mallorca SL | Internal platform usage analytics - feature engagement tracking | Persistent | 6 months |
| ubex_session | TechVision Mallorca SL | Internal session analytics - page flow and navigation tracking | Session | Until browser close |
| ubex_perf | TechVision Mallorca SL | Platform performance monitoring - load times and error tracking | Session | Until browser close |
Legal Basis: Consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))
IP Anonymisation: Google Analytics is configured with IP anonymisation enabled. Full IP addresses are never stored by Google Analytics in connection with our platform.
These cookies are used to deliver relevant content and, where applicable, track the effectiveness of our marketing campaigns. Consent is required. We do not currently use third-party advertising networks for behavioural advertising.
| Cookie Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| ubex_referral | TechVision Mallorca SL | Tracks referral source for attribution purposes | Persistent | 30 days |
| ubex_campaign | TechVision Mallorca SL | Tracks marketing campaign source for internal attribution | Persistent | 30 days |
| _fbp | Meta (Facebook) | Used by Facebook to deliver advertisements (if Meta Pixel active) | Persistent | 3 months |
| _fbc | Meta (Facebook) | Stores Facebook click identifier for conversion tracking | Persistent | 3 months |
Legal Basis: Consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))
Note: Marketing cookies from Meta/Facebook are only active if you have consented to marketing cookies via our cookie consent banner. We do not engage in cross-site behavioural advertising without your explicit prior consent. You may withdraw consent at any time through our cookie preference centre.
TechVision Mallorca SL implements a fully GDPR and LSSI-CE compliant cookie consent mechanism on https://www.ubex.ai and https://app.ubex.ai:
How We Obtain Cookie Consent:
| Requirement | How We Comply |
|---|---|
| Prior consent | Cookie consent banner is displayed on first visit before any non-essential cookies are set |
| Informed consent | Banner clearly explains what cookies are used and for what purposes |
| Granular consent | Users can accept or reject each category of cookies separately |
| Freely given consent | Declining non-essential cookies is as easy as accepting them - no dark patterns used |
| Unambiguous consent | Consent requires an active affirmative action - no pre-ticked boxes |
| Documented consent | All consent decisions are recorded with timestamp and stored for audit purposes |
| Easy withdrawal | Cookie preference centre accessible at all times via footer link on all pages |
| No cookie walls | Access to our website and platform is not conditional on accepting non-essential cookies |
Cookie Consent Banner Requirements (AEPD Compliance):
In accordance with the AEPD's updated Cookie Guidelines (January 2024), our cookie consent banner:
In addition to our cookie preference centre, you can manage cookies through the following methods:
Browser-Level Cookie Controls:
| Browser | How to Manage Cookies |
|---|---|
| Google Chrome | Settings → Privacy and Security → Cookies and other site data |
| Mozilla Firefox | Settings → Privacy & Security → Cookies and Site Data |
| Safari | Preferences → Privacy → Manage Website Data |
| Microsoft Edge | Settings → Cookies and site permissions → Cookies and site data |
| Opera | Settings → Advanced → Privacy & Security → Site Settings → Cookies |
Important: Disabling all cookies through your browser settings may affect the functionality of https://app.ubex.ai, including your ability to log in and use the platform. Strictly necessary cookies are required for the platform to function.
Opt-Out Tools for Specific Providers:
| Provider | Opt-Out Method |
|---|---|
| Google Analytics | https://tools.google.com/dlpage/gaoptout |
| Google Advertising | https://adssettings.google.com |
| Meta / Facebook | https://www.facebook.com/settings/?tab=ads |
| General (EU) | http://www.youronlinechoices.eu |
| General (all) | https://optout.networkadvertising.org |
The application platform at https://app.ubex.ai uses additional technical cookies and local storage mechanisms that are strictly necessary for platform functionality. These include:
- Authentication tokens - required to maintain your logged-in session securely
- CSRF protection tokens - required to protect against cross-site request forgery attacks
- Workflow state storage - used to maintain the state of active workflow editors and prevent data loss
- API rate limiting tokens - used to manage API request rates and prevent service abuse
- Feature flag storage - used to deliver the correct feature set based on your subscription tier
- UI state storage - used to remember interface states such as open panels, collapsed menus, and active tabs

All of the above are strictly necessary for the operation of the app.ubex.ai platform and do not require consent under the ePrivacy Directive strictly necessary exemption.
Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites requesting that your browsing not be tracked. At present, there is no legally binding standard or EU regulatory requirement governing how websites must respond to DNT signals. TechVision Mallorca SL currently does not alter its data collection practices in response to DNT signals. However, we respect your privacy preferences and encourage you to use our cookie preference centre to control tracking on our platform.
TechVision Mallorca SL retains personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the storage limitation principle under GDPR Article 5(1)(e) and applicable Spanish law retention obligations. This section sets out our complete data retention schedule.
Our data retention practices are governed by the following principles:
- Purpose limitation: Data is retained only for as long as the original purpose requires
- Legal obligation compliance: Where Spanish or EU law mandates minimum retention periods, we comply fully
- Data minimisation: We regularly review retained data and delete or anonymise data that is no longer necessary
- Proportionality: Retention periods are proportionate to the sensitivity of the data and the purpose of processing
- Security during retention: All retained data is subject to the same security measures as actively used data
- Documented justification: Every retention period in this schedule has a documented legal or business justification

| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Account registration data (name, email, credentials) | Duration of account + 2 years after account deletion | Contract performance; legitimate interests (fraud prevention) | Permanent deletion |
| Profile information | Duration of account + 30 days after deletion | Contract performance | Permanent deletion |
| Login and authentication history | 12 months from creation | Legitimate interests (security) | Permanent deletion |
| Account deletion request records | 5 years from request date | Legal obligation (LOPDGDD compliance documentation) | Permanent deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Payment transaction records | 6 years from transaction date | Spanish General Tax Law (Ley 58/2003) Art. 70 | Permanent deletion |
| Invoices and billing records | 6 years from invoice date | Spanish Commercial Code (Código de Comercio) Art. 30 | Permanent deletion |
| Subscription history | 6 years from subscription end date | Spanish tax and commercial law obligations | Permanent deletion |
| Stripe payment tokens | Managed by Stripe - see Stripe retention policy | PCI-DSS compliance | Managed by Stripe |
| VAT and tax records | 6 years from tax period end | Spanish tax authority (AEAT) requirements | Permanent deletion |
| Refund and dispute records | 6 years from resolution date | Spanish consumer protection law | Permanent deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| AI workflow inputs (prompts) | Duration of account + 90 days after account deletion | Contract performance | Permanent deletion |
| AI workflow outputs | Duration of account + 90 days after account deletion | Contract performance | Permanent deletion |
| Saved workflow configurations | Duration of account + 30 days after account deletion | Contract performance | Permanent deletion |
| Workflow execution logs | 12 months from execution date | Legitimate interests (debugging, support) | Permanent deletion |
| Uploaded files and documents | Duration of account + 90 days after account deletion | Contract performance | Permanent deletion |
| Prompt libraries and templates | Duration of account + 30 days after account deletion | Contract performance | Permanent deletion |
| Integration configurations | Duration of account + 30 days after account deletion | Contract performance | Permanent deletion |
| API keys and OAuth tokens | Until revoked or account deletion + 30 days | Contract performance | Permanent deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Server access logs | 12 months from creation | Legitimate interests (security, debugging) | Permanent deletion |
| Error logs | 6 months from creation | Legitimate interests (platform stability) | Permanent deletion |
| Security incident logs | 5 years from incident date | Legal obligation (cybersecurity compliance) | Permanent deletion |
| Authentication and login logs | 12 months from creation | Legitimate interests (security monitoring) | Permanent deletion |
| API request logs | 6 months from creation | Legitimate interests (security, debugging) | Permanent deletion |
| Performance monitoring logs | 3 months from creation | Legitimate interests (platform optimisation) | Permanent deletion |
| Backup data | 90 days from backup creation | Legitimate interests (business continuity) | Permanent deletion |
| IP address logs | 12 months from collection | Legitimate interests (security, fraud prevention) | Anonymisation then deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Customer support tickets and correspondence | 3 years from ticket closure | Legitimate interests (service quality, dispute resolution) | Permanent deletion |
| Email communications with users | 3 years from last communication | Legitimate interests (service continuity) | Permanent deletion |
| Marketing email records (sent/received) | 2 years from last interaction | Legitimate interests (marketing compliance) | Permanent deletion |
| Marketing consent records | 5 years from consent withdrawal | Legal obligation (GDPR consent documentation) | Permanent deletion |
| Complaint records | 5 years from complaint resolution | Legal obligation (consumer protection compliance) | Permanent deletion |
| Data subject request records | 5 years from request completion | Legal obligation (GDPR compliance documentation) | Permanent deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Google Analytics data | 14 months (configured in GA4 settings) | Consent | Automatic deletion by Google Analytics |
| Internal platform analytics | 24 months from collection | Legitimate interests (product development) | Anonymisation then deletion |
| Aggregated usage statistics | Indefinitely (anonymised) | Legitimate interests (business analytics) | N/A - fully anonymised |
| A/B testing data | 6 months from test completion | Legitimate interests (product improvement) | Anonymisation then deletion |
| Feature usage data | 24 months from collection | Legitimate interests (product development) | Anonymisation then deletion |
| Data Category | Retention Period | Legal Basis for Retention | Action After Expiry |
|---|---|---|---|
| Data breach records | 5 years from incident date | Legal obligation (GDPR Art. 33 documentation) | Permanent deletion |
| AEPD correspondence | 10 years from correspondence date | Legal obligation (regulatory compliance) | Permanent deletion |
| Legal proceedings records | 10 years from proceedings conclusion | Legal obligation (Spanish procedural law) | Permanent deletion |
| DPA and contract records | 10 years from contract termination | Legal obligation (Spanish Commercial Code) | Permanent deletion |
| Transfer Impact Assessments | 5 years from last review date | Legal obligation (GDPR compliance documentation) | Permanent deletion |
| Legitimate Interests Assessments | 5 years from last review date | Legal obligation (GDPR compliance documentation) | Permanent deletion |
Scenario A - Active User Account:
All data categories are retained for the duration of the active account relationship plus the applicable retention period specified in Section 12.2.
Scenario B - User Requests Account Deletion:
| Step | Action | Timeframe |
|---|---|---|
| 1 | Account access disabled immediately | Immediate upon request |
| 2 | Active workflow data and personal profile deleted | Within 30 days of request |
| 3 | AI workflow inputs, outputs, and uploaded files deleted | Within 90 days of request |
| 4 | Backup copies purged from all backup systems | Within 90 days of request |
| 5 | Financial and billing records retained for legal compliance | 6 years from last transaction |
| 6 | Anonymised analytics data retained | Indefinitely (no personal data) |
| 7 | Deletion confirmation sent to user | Within 30 days of request |
Scenario C - Account Suspended for Terms of Service Violation:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data and violation records | 5 years from suspension date | Fraud prevention and legitimate interests |
| Communications related to violation | 5 years from suspension date | Legal defence and compliance |
| Financial records | 6 years from last transaction | Legal obligation |
Scenario D - Inactive Account (No Login for 24 Months):
| Step | Action | Timeframe |
|---|---|---|
| 1 | Email notification sent to user warning of inactivity | At 22 months of inactivity |
| 2 | Second email notification sent | At 23 months of inactivity |
| 3 | Account flagged for deletion if no response | At 24 months of inactivity |
| 4 | Account and associated data deleted | Within 30 days of flagging |
| 5 | Financial records retained for legal compliance | 6 years from last transaction |
When personal data reaches the end of its retention period, TechVision Mallorca SL applies the following deletion and anonymisation methods:
| Method | Description | Applied To |
|---|---|---|
| Secure deletion | Data is permanently and irreversibly deleted from all active systems and databases | All personal data at end of retention period |
| Backup purging | Data is removed from all backup copies within the backup rotation cycle | All personal data subject to deletion requests |
| Anonymisation | All personally identifiable fields are removed or replaced with non-identifiable values | Analytics data retained beyond personal data retention periods |
| Pseudonymisation | Personal identifiers replaced with pseudonymous identifiers during active processing where appropriate | Active processing where full identification is not required |
| Cryptographic erasure | Encryption keys are destroyed rendering encrypted data permanently inaccessible | Certain cloud storage deletion scenarios |
TechVision Mallorca SL conducts the following retention management activities:
- Annual retention audit - all data categories are reviewed annually to confirm retention periods remain appropriate and legally justified
- Automated deletion - where technically feasible, automated deletion processes are implemented to enforce retention schedules
- Deletion logging - all data deletion activities are logged for compliance audit purposes
- Third-party processor review - we annually verify that all third-party processors are applying retention periods consistent with our instructions and their DPAs

As a data subject under the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), you have comprehensive rights regarding your personal data. TechVision Mallorca SL is committed to facilitating the exercise of all your data subject rights promptly, transparently, and free of charge.
| Right | GDPR Basis | Summary |
|---|---|---|
| Right of Access | Art. 15 GDPR | Obtain confirmation of whether we process your data and receive a copy |
| Right to Erasure | Art. 17 GDPR | Request deletion of your personal data in certain circumstances |
| Right to Restriction | Art. 18 GDPR | Request that we restrict processing of your data in certain circumstances |
| Right to Data Portability | Art. 20 GDPR | Receive your data in a structured, machine-readable format and transfer it |
| Right to Object | Art. 21 GDPR | Object to processing based on legitimate interests or for direct marketing |
| Rights Related to Automated Decision-Making | Art. 22 GDPR | Not be subject to solely automated decisions with significant effects |
| Right to Withdraw Consent | Art. 7(3) GDPR | Withdraw consent at any time where consent is the legal basis |
| Right to Lodge a Complaint | Art. 77 GDPR | Lodge a complaint with the AEPD or another supervisory authority |
| Right to Digital Disconnection | Art. 95 LOPDGDD | Right not to be contacted through digital means outside agreed service communications |
What this right means:
You have the right to obtain from TechVision Mallorca SL confirmation of whether or not we are processing personal data about you, and where we are, to receive a copy of that personal data together with the following supplementary information:
- The purposes of the processing
- The categories of personal data being processed
- The recipients or categories of recipients to whom the data has been or will be disclosed
- The envisaged retention period or the criteria used to determine it
- The existence of your rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with the AEPD
- Any available information about the source of data not collected directly from you
- The existence of automated decision-making including profiling and meaningful information about the logic involved
- Where data is transferred to a third country, the safeguards in place

How to exercise this right:
Submit a written request to adelina@ubex.ai with the subject line "Data Access Request" including:
- Your full name and email address associated with your UBEX.ai account
- Specific description of the data or processing activities you wish to access (or confirmation that you request all data)
- Copy of identity verification document if required (see Section 13.11)

Our response commitment:
- We will respond within 30 calendar days of receiving your request
- This period may be extended by a further 60 days where requests are complex or numerous - we will notify you within the initial 30-day period if an extension is required
- We will provide the requested information free of charge for the first copy
- For subsequent copies or manifestly unfounded or excessive requests, we may charge a reasonable administrative fee

Format of response:
- We will provide your data in a commonly used electronic format (PDF or JSON) unless you request otherwise
- Where you have submitted your request electronically, we will provide the information electronically where possible

What this right means:
You have the right to obtain from TechVision Mallorca SL the correction of inaccurate personal data about you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
How to exercise this right:
- Self-service: Many personal data fields (name, email, billing address) can be updated directly through your account settings at app.ubex.ai
- Request: For data that cannot be updated through account settings, submit a request to adelina@ubex.ai with the subject line "Data Rectification Request" specifying:
  - The data that is inaccurate or incomplete
  - The correct data you wish to substitute
  - Supporting evidence of the correct data where appropriate

Our response commitment:
- We will action your rectification request within 30 calendar days
- We will notify all third-party processors to whom the inaccurate data was disclosed of the rectification, unless this proves impossible or involves disproportionate effort
- We will confirm completion of the rectification to you in writing

What this right means:
You have the right to obtain from TechVision Mallorca SL the erasure of personal data about you without undue delay where one of the following grounds applies:
| Ground for Erasure | Description |
|---|---|
| Purpose fulfilled | The personal data is no longer necessary in relation to the purposes for which it was collected or processed |
| Consent withdrawn | You withdraw consent and there is no other legal basis for processing |
| Objection upheld | You object to processing under Art. 21 and there are no overriding legitimate grounds |
| Unlawful processing | The personal data has been unlawfully processed |
| Legal obligation | The personal data must be erased to comply with a legal obligation under EU or Spanish law |
| Child's data | The personal data was collected in relation to the offer of information society services to a child |
Limitations on the right to erasure:
The right to erasure does not apply where processing is necessary for:
- Compliance with a legal obligation requiring processing under EU or Spanish law
- The establishment, exercise, or defence of legal claims
- Archiving purposes in the public interest, scientific research, or statistical purposes
- Exercise of the right of freedom of expression and information

How to exercise this right:
Submit a request to adelina@ubex.ai with the subject line "Erasure Request" specifying:
- The specific data or categories of data you wish to have erased
- The ground on which you are relying from the list above
- Your account email address for verification purposes

Our response commitment:
- We will respond within 30 calendar days confirming either completion of erasure or the reason why erasure cannot be carried out
- Where erasure is carried out, we will notify all third-party processors and recipients of the erasure request
- We will confirm which data has been deleted and which data is being retained under a legal obligation exemption, with full explanation

Spanish LOPDGDD Supplementary Right (Art. 17): Under Spanish law, the right to erasure includes the right to request that search engines and online platforms remove links to content containing your personal data. Where applicable to UBEX.ai's services, we will cooperate fully with such requests.
What this right means:
You have the right to obtain from TechVision Mallorca SL restriction of processing where one of the following applies:
| Ground for Restriction | What Happens During Restriction |
|---|---|
| Accuracy contested | You contest the accuracy of personal data - restriction applies for the period needed to verify accuracy |
| Unlawful processing | Processing is unlawful but you oppose erasure and request restriction instead |
| Purpose fulfilled | We no longer need the data but you require it for legal claims |
| Objection pending | You have objected to processing under Art. 21 and verification of legitimate grounds is pending |
Effect of restriction:
During a period of restricted processing, TechVision Mallorca SL will:
- Store the restricted data securely
- Not process the data for any purpose other than storage
- Not share the restricted data with third parties except with your consent or for legal claims
- Notify you before lifting any restriction

How to exercise this right:
Submit a request to adelina@ubex.ai with the subject line "Restriction Request" specifying the ground for restriction and the specific data to be restricted.
Our response commitment:
- We will confirm restriction within 30 calendar days
- We will notify you in writing before lifting any restriction so you may object

What this right means:
You have the right to receive personal data you have provided to TechVision Mallorca SL in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where:
- The processing is based on consent or contract performance; and
- The processing is carried out by automated means

Data covered by portability right:
| Data Category | Portable? | Format Available |
|---|---|---|
| Account profile data (name, email, preferences) | ✅ Yes | JSON, CSV |
| AI workflow configurations and templates | ✅ Yes | JSON |
| AI workflow inputs (prompts submitted) | ✅ Yes | JSON, TXT |
| AI workflow outputs (generated content) | ✅ Yes | JSON, TXT, PDF |
| Usage history and activity logs | ✅ Yes | JSON, CSV |
| Billing and subscription history | ✅ Yes | CSV, PDF |
| Saved integrations and API configurations | ✅ Yes | JSON |
| Marketing preferences and consent records | ✅ Yes | JSON, CSV |
| Payment card data | ❌ No | Held by Stripe - request directly from Stripe |
| Server-side technical logs | ❌ No | Not portable - internal operational data |
| Aggregated analytics data | ❌ No | Not portable - anonymised, not personal data |
| Third-party AI model outputs (raw) | ⚠️ Partial | Available as part of workflow output export |
How to exercise this right:
- Self-service export: Where technically available, you may export your data directly from your account settings at app.ubex.ai using the "Export My Data" feature
- Manual request: Submit a request to adelina@ubex.ai with the subject line "Data Portability Request" specifying:
  - The categories of data you wish to export
  - Your preferred format (JSON, CSV, PDF, TXT)
  - Whether you wish the data sent directly to you or transmitted to another controller (provide controller details if applicable)

Our response commitment:
- We will provide your portable data within 30 calendar days of receiving your request
- Data will be provided in the format you request where technically feasible
- Where you request direct transmission to another controller, we will do so where technically feasible and will confirm completion
- This service is provided free of charge

Important limitations:
- The right to portability applies only to data you have actively provided to us - it does not extend to data derived or inferred from your data by our systems
- Portability of AI workflow outputs is subject to the intellectual property terms in our Terms of Service
- Transmission to another controller is subject to that controller's own data protection obligations

What this right means:
You have the right to object, on grounds relating to your particular situation, to processing of your personal data where the legal basis for processing is:
- Legitimate interests (Art. 6(1)(f)); or
- Public interest (Art. 6(1)(e))

Upon receiving an objection, TechVision Mallorca SL must cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
Absolute right to object to direct marketing:
You have an absolute and unconditional right to object to processing of your personal data for direct marketing purposes at any time, with no requirement to provide justification. This includes profiling to the extent it is related to direct marketing. Upon receipt of such an objection, we will immediately cease all direct marketing processing.
| Type of Objection | Justification Required? | Our Obligation |
|---|---|---|
| Objection to legitimate interests processing | Yes - grounds relating to your particular situation | We must cease unless compelling legitimate grounds override |
| Objection to direct marketing | No - absolute right | We must cease immediately and unconditionally |
| Objection to profiling for marketing | No - absolute right | We must cease immediately and unconditionally |
| Objection to research/statistical processing | Yes - grounds relating to your particular situation | We must cease unless processing is necessary for public interest |
How to exercise this right:
- Marketing opt-out: Use the unsubscribe link in any marketing email, or update your communication preferences in your account settings at app.ubex.ai
- Legitimate interests objection: Submit a request to adelina@ubex.ai with the subject line "Objection to Processing" specifying:
  - The specific processing activity you are objecting to
  - The grounds relating to your particular situation that justify the objection

Our response commitment:
- For direct marketing objections - we will action your request immediately and within no more than 5 business days
- For legitimate interests objections - we will respond within 30 calendar days confirming either that we have ceased processing or providing our compelling legitimate grounds for continuing
- We will update all relevant third-party processors of your objection where applicable

Spanish LOPDGDD Supplementary Provision (Art. 18): Under Spanish law, you have the right to object to processing in the context of automated decisions including profiling. This right supplements and reinforces the rights under GDPR Article 22 described in Section 13.8 below.
What this right means:
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Current automated processing at UBEX.ai:
| Processing Activity | Automated? | Legal/Significant Effect? | Art. 22 Applies? |
|---|---|---|---|
| AI workflow output generation | ✅ Yes | ❌ No - outputs are tools for human use | ❌ No |
| Subscription tier assignment | ✅ Yes | ⚠️ Limited - based on your chosen plan | ❌ No - user-initiated |
| Fraud detection scoring | ✅ Yes | ⚠️ May result in account suspension | ✅ Yes - see below |
| Payment fraud screening (Stripe) | ✅ Yes | ⚠️ May result in payment decline | ✅ Yes - see below |
| Usage limit enforcement | ✅ Yes | ⚠️ May restrict platform access | ❌ No - rule-based, not profiling |
| Marketing personalisation | ✅ Yes | ❌ No significant legal effect | ❌ No |
Safeguards for automated decisions with significant effects:
Where automated processing does produce significant effects (fraud detection, payment screening), TechVision Mallorca SL implements the following safeguards in compliance with GDPR Art. 22(2)(b):
How to exercise this right:
Submit a request to adelina@ubex.ai with the subject line "Automated Decision Review" specifying:
- The automated decision you wish to contest
- Any additional context or information you wish us to consider
- Whether you are requesting human intervention or a full review of the decision
What this right means:
Where TechVision Mallorca SL processes your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Processing activities based on consent:
| Processing Activity | How to Withdraw Consent |
|---|---|
| Marketing emails and newsletters | Click unsubscribe in any marketing email, or update preferences at app.ubex.ai |
| Analytics cookies (Google Analytics) | Update cookie preferences via cookie preference centre on ubex.ai |
| Marketing and targeting cookies | Update cookie preferences via cookie preference centre on ubex.ai |
| Functional/preference cookies | Update cookie preferences via cookie preference centre on ubex.ai |
| Personalised marketing communications | Update communication preferences in account settings at app.ubex.ai |
Effect of withdrawal:
- Withdrawal of consent for marketing emails will result in immediate cessation of all marketing communications - you will continue to receive essential service emails (account notifications, billing receipts, security alerts) which are sent on the basis of contract performance, not consent
- Withdrawal of consent for analytics cookies will result in immediate cessation of analytics tracking on your device - historical analytics data already collected may be retained in anonymised form
- Withdrawal of consent for marketing cookies will result in immediate removal of marketing cookies from your device and cessation of any associated tracking
- Withdrawal of consent does not affect the validity of any processing carried out during the period when consent was in place
- Withdrawal of consent will not affect your ability to use the core features of the UBEX.ai platform, except where the specific feature requires consent as its legal basis

How quickly we action consent withdrawal:
- Cookie consent withdrawal - immediate (cookies removed within current browsing session)
- Marketing email opt-out - within 5 business days of request (you may receive one further communication if already scheduled at time of withdrawal)
- All other consent withdrawals - within 15 calendar days of request
What this right means:
Primary Supervisory Authority - Spain:
| Detail | Information |
|---|---|
| Authority Name | Agencia Española de Protección de Datos (AEPD) |
| Address | C/ Jorge Juan, 6, 28001 Madrid, Spain |
| Telephone | +34 912 663 517 |
| Website | https://www.aepd.es |
| Online Complaint Form | https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/tramitesCiudadano.jsf |
| Email | internacional@aepd.es (for international matters) |
| Working Hours | Monday to Friday, 09:00 - 17:00 CET |
Alternative Supervisory Authorities:
As a resident of any EU/EEA member state, you also have the right to lodge a complaint with the supervisory authority of your country of habitual residence, place of work, or the place of the alleged infringement:
| Country | Authority | Website |
|---|---|---|
| Germany | Bundesbeauftragter für den Datenschutz (BfDI) | https://www.bfdi.bund.de |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | https://www.cnil.fr |
| Italy | Garante per la protezione dei dati personali | https://www.garanteprivacy.it |
| Netherlands | Autoriteit Persoonsgegevens (AP) | https://www.autoriteitpersoonsgegevens.nl |
| Ireland | Data Protection Commission (DPC) | https://www.dataprotection.ie |
| Other EU/EEA | Contact your national supervisory authority | https://edpb.europa.eu/about-edpb/about-edpb/members_en |
Our strong preference:
While you have an unconditional right to contact the AEPD or any supervisory authority at any time, we strongly encourage you to contact us first at adelina@ubex.ai so that we have the opportunity to address your concern directly and promptly. We are committed to resolving all data protection concerns fairly, transparently, and without requiring formal regulatory intervention wherever possible.
What this right means:
Under Spanish Organic Law 3/2018 (LOPDGDD), users have the right to digital disconnection - the right not to receive communications through digital means outside of agreed service interactions. In the context of UBEX.ai, this means:
- You have the right to restrict the channels through which we contact you
- You have the right to set boundaries on the frequency and timing of communications
- You have the right to receive only essential service communications if you choose to opt out of all non-essential digital contact

How to exercise this right:
Update your communication preferences in your account settings at app.ubex.ai, or contact adelina@ubex.ai with the subject line "Digital Disconnection Request" specifying your preferred communication restrictions.
Identify which right you wish to exercise and prepare the following information:
- Your full name as registered on your UBEX.ai account
- Your email address associated with your UBEX.ai account
- The specific right you wish to exercise
- A clear description of your request
- Any supporting information relevant to your request
| Method | Contact Details |
|---|---|
| Email (preferred) | adelina@ubex.ai - with appropriate subject line as specified in each rights section above |
| Postal mail | TechVision Mallorca SL, Calle Bartomeu Ferra 16, A, 07141 Marratxi, Mallorca, Spain |
To protect your personal data from unauthorised access, we may need to verify your identity before processing your request. Identity verification may involve:
| Verification Method | When Applied |
|---|---|
| Email confirmation to registered account email | All requests submitted by email - standard verification |
| Account login verification | Requests that can be processed through account settings |
| Additional identity documentation | Where there is reasonable doubt about identity or for high-risk requests (e.g., full data export) |
Important: We will never ask for more identity verification than is necessary and proportionate to the risk of the request. We will not use identity verification as a mechanism to discourage or delay the exercise of your rights.
| Stage | Timeframe |
|---|---|
| Acknowledgement of receipt | Within 3 business days |
| Identity verification (if required) | Within 5 business days of acknowledgement |
| Full response to request | Within 30 calendar days of receipt |
| Extension notification (if required) | Within 30 calendar days - extension of up to 60 further days for complex requests |
| Maximum response time | 90 calendar days from receipt (30 + 60 extension) |
If you are not satisfied with our response to your data subject request, you have the right to:
- Request an internal review by contacting adelina@ubex.ai with the subject line "Data Rights Review Request"
- Lodge a complaint directly with the AEPD - see Section 13.10 for full contact details
- Seek judicial remedy before the competent Spanish courts under GDPR Art. 79
You may exercise data subject rights on behalf of another person in the following circumstances:
| Circumstance | Requirements |
|---|---|
| Parent or guardian acting for a minor | Provide evidence of parental responsibility or legal guardianship |
| Legal representative acting for an incapacitated person | Provide evidence of legal authority (power of attorney or court order) |
| Authorised representative | Provide written authorisation signed by the data subject and a copy of the data subject's identity document |
All third-party requests will be subject to enhanced identity verification to protect data subjects from unauthorised access to their personal data.
In accordance with GDPR Article 12(5), TechVision Mallorca SL provides responses to data subject requests free of charge as a general rule. However, we reserve the right to charge a reasonable administrative fee or refuse to act on requests that are manifestly unfounded or excessive, particularly where they are repetitive in nature.
| Request Type | Fee |
|---|---|
| First access request (copy of data) | Free of charge |
| Subsequent copies within 12 months | Reasonable administrative fee may apply |
| Manifestly unfounded or excessive requests | Reasonable administrative fee or refusal - with written justification |
| All other rights requests (rectification, erasure, restriction, portability, objection) | Free of charge |
Where we determine that a fee is appropriate, we will notify you in writing with full justification before charging any fee, giving you the opportunity to withdraw or modify your request.
TechVision Mallorca SL's UBEX.ai platform is an AI workflow automation tool designed exclusively for business and professional use. The platform is not directed at, designed for, or intended to be used by children or minors.
| Jurisdiction | Minimum Age for Platform Use | Legal Basis |
|---|---|---|
| European Union / Spain | 14 years (with parental consent below 18 for non-professional use) | GDPR Art. 8; LOPDGDD Art. 7 |
| Spain specifically | 14 years minimum - below 14 requires verifiable parental consent | LOPDGDD Art. 7(1) |
| General platform policy | 18 years - UBEX.ai is a professional B2B platform | TechVision Mallorca SL Terms of Service |
Our Policy: Given the professional and business nature of the UBEX.ai platform, we set our minimum age requirement at 18 years. We do not knowingly collect personal data from individuals under the age of 18. If you are under 18, please do not register for or use the UBEX.ai platform.
TechVision Mallorca SL implements the following measures to prevent registration by minors:
| Measure | Description |
|---|---|
| Age declaration | Users must confirm they are 18 or over during the registration process |
| Terms of Service acceptance | Registration requires acceptance of Terms of Service which specify the 18+ age requirement |
| Professional context | Platform design, content, and marketing are directed exclusively at business and professional users |
| Payment requirement | Subscription payment requirement acts as a practical barrier to minor registration |
| Account review | Accounts showing indicators of minor use are subject to review and suspension |
If TechVision Mallorca SL discovers or is notified that personal data of a person under the age of 18 has been collected without appropriate parental consent, we will:
| Step | Action | Timeframe |
|---|---|---|
| 1 | Immediately suspend the relevant account | Within 24 hours of discovery |
| 2 | Delete all personal data associated with the account | Within 30 days of discovery |
| 3 | Delete all AI workflow data, inputs, and outputs associated with the account | Within 30 days of discovery |
| 4 | Notify the parent or guardian if contact details are available | Within 5 business days of discovery |
| 5 | Document the incident for compliance records | Immediately upon discovery |
| 6 | Assess whether the incident constitutes a reportable data breach under GDPR Art. 33 | Within 72 hours of discovery |
To report a suspected minor account:
If you believe a minor is using the UBEX.ai platform, or if you are a parent or guardian who believes your child has registered, please contact us immediately at adelina@ubex.ai with the subject line "Minor Account Report". We will investigate and act promptly.
Under LOPDGDD Article 7, the following specific provisions apply to the processing of minors' data in Spain:
- Children aged 14 and over may consent to processing of their personal data under Spanish law
- Children under 14 require verifiable parental or guardian consent for any data processing
- TechVision Mallorca SL applies a higher standard of 18 years given the professional nature of the platform
- Where parental consent would be required under LOPDGDD Art. 7, we will make every reasonable effort to verify such consent before processing
Given that UBEX.ai's platform involves AI model interactions, we apply additional caution regarding minors:
- AI workflow features are not designed or optimised for use by minors
- No AI features within UBEX.ai are directed at children as defined under applicable law
- We do not create profiles of minors for any purpose
- If a minor's data is submitted within an AI workflow by an adult user (e.g., processing data about a child in a professional context), such processing must comply with all applicable child data protection requirements and the adult user bears responsibility for ensuring lawful processing
TechVision Mallorca SL takes the security of your personal data extremely seriously. We implement comprehensive technical and organisational security measures in accordance with:
- GDPR Article 32 - Security of processing
- LOPDGDD - Spanish data protection security requirements
- ENS (Esquema Nacional de Seguridad) - Spanish National Security Framework
- ISO/IEC 27001 principles - Information security management best practices
- NIST Cybersecurity Framework - Risk-based cybersecurity approach
- ENISA guidelines - European Union Agency for Cybersecurity recommendations

Our security measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.
| Measure | Standard Applied | Where Applied |
|---|---|---|
| Encryption in transit | TLS 1.2 / TLS 1.3 | All data transmitted between users and our servers |
| Encryption at rest | AES-256 | All data stored on Google Cloud infrastructure |
| Database encryption | AES-256 | All database storage containing personal data |
| Backup encryption | AES-256 | All backup copies of platform data |
| API communication encryption | TLS 1.2+ with certificate pinning | All API communications with third-party providers |
| Password hashing | bcrypt with salt (minimum cost factor 12) | All user passwords |
| Measure | Description |
|---|---|
| Role-based access control (RBAC) | Access to personal data is restricted to personnel whose role requires it |
| Principle of least privilege | All system accounts operate with the minimum permissions necessary |
| Multi-factor authentication (MFA) | MFA is required for all administrative access to production systems |
| Strong password policy | Minimum 12-character passwords with complexity requirements enforced |
| Session management | Secure session tokens with appropriate expiry and invalidation |
| API key management | All API keys are encrypted, rotated regularly, and subject to access controls |
| Privileged access management | Elevated access requires additional approval and is fully logged |
| Measure | Description |
|---|---|
| Google Cloud Security | Hosted on Google Cloud Frankfurt - ISO 27001, SOC 2 Type II, PCI-DSS certified infrastructure |
| Network security | Firewalls, intrusion detection systems, and DDoS protection in place |
| Virtual Private Cloud (VPC) | Platform infrastructure isolated within a secure VPC |
| Web Application Firewall (WAF) | WAF deployed to protect against common web application attacks |
| DDoS protection | Google Cloud Armor DDoS protection enabled |
| Vulnerability scanning | Regular automated vulnerability scanning of all infrastructure components |
| Penetration testing | Periodic penetration testing of platform and infrastructure |
| Dependency management | Regular review and updating of all software dependencies to address known vulnerabilities |
| Measure | Description |
|---|---|
| Secure development lifecycle (SDLC) | Security considerations integrated throughout the development process |
| Code review | All code changes subject to security-focused peer review |
| OWASP Top 10 mitigation | Platform designed and tested to mitigate all OWASP Top 10 vulnerabilities |
| Input validation | All user inputs validated and sanitised to prevent injection attacks |
| Output encoding | All outputs encoded to prevent cross-site scripting (XSS) attacks |
| CSRF protection | Cross-site request forgery tokens implemented on all state-changing operations |
| Security headers | HTTP security headers (HSTS, CSP, X-Frame-Options, etc.) implemented |
| Rate limiting | API rate limiting to prevent brute force and abuse |
| Measure | Description |
|---|---|
| Data protection by design | Privacy and security considerations integrated into all new features and systems from inception |
| Data protection by default | Default settings configured to maximise privacy - minimal data collection by default |
| Staff training | All personnel with access to personal data receive regular data protection and security training |
| Confidentiality obligations | All personnel and contractors are bound by confidentiality agreements |
| Third-party due diligence | All third-party processors assessed for security compliance before engagement |
| DPA agreements | Data Processing Agreements in place with all third-party processors |
| Security policy | Comprehensive internal information security policy maintained and reviewed annually |
| Incident response plan | Documented data breach and security incident response procedure in place |
| Business continuity | Business continuity and disaster recovery plans maintained and tested |
| Regular security reviews | Annual security posture review conducted by management |
In the event of a personal data breach, TechVision Mallorca SL will follow the response procedure below in full compliance with GDPR Articles 33 and 34 and LOPDGDD:
| Step | Action |
|---|---|
| 1 | Breach detected through monitoring systems or reported by personnel/third party |
| 2 | Incident response team activated immediately |
| 3 | Breach contained - affected systems isolated, access revoked where necessary |
| 4 | Preliminary assessment of breach scope, nature, and affected data conducted |
| 5 | Evidence preserved for forensic investigation |
| Step | Action |
|---|---|
| 6 | Full risk assessment conducted - likelihood and severity of harm to data subjects evaluated |
| 7 | If breach is likely to result in risk to individuals - AEPD notified within 72 hours of discovery |
| 8 | AEPD notification includes: nature of breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed |
| 9 | If 72-hour deadline cannot be met - initial notification submitted with explanation and further information provided as soon as available |
| 10 | Internal breach record created and maintained |
| Trigger | Action |
|---|---|
| Breach is likely to result in high risk to individuals | Affected data subjects notified without undue delay |
| Notification content | Nature of breach, contact details of our privacy contact, likely consequences, measures taken or proposed |
| Notification method | Email to registered account email address; prominent notice on ubex.ai and app.ubex.ai if individual notification not possible |
| Exemptions from notification | Notification not required if: data was encrypted and key not compromised; subsequent measures eliminate high risk; would involve disproportionate effort (public notice used instead) |
| Step | Action |
|---|---|
| 11 | Root cause analysis conducted |
| 12 | Remediation measures implemented to prevent recurrence |
| 13 | Full incident report prepared and retained for minimum 5 years |
| 14 | Review of security measures and policies in light of incident |
| 15 | Follow-up communication to AEPD and affected data subjects as required |
TechVision Mallorca SL welcomes responsible disclosure of security vulnerabilities in our platform. If you discover a security vulnerability, please report it to us immediately:
| Contact Method | Details |
|---|---|
| Email | adelina@ubex.ai - subject line: "Security Vulnerability Report" |
| Response commitment | We will acknowledge receipt within 48 hours and provide a full response within 10 business days |
| Our commitment | We will not take legal action against researchers who report vulnerabilities in good faith and in accordance with responsible disclosure principles |
Please include in your report:
- Description of the vulnerability
- Steps to reproduce the vulnerability
- Potential impact assessment
- Any proof-of-concept code or screenshots (where safe to provide)
- Your contact details for follow-up
This section provides a consolidated reference of all processing activities carried out by TechVision Mallorca SL and the corresponding legal basis under GDPR Article 6 and, where applicable, Article 9. This table is provided to ensure full transparency and to serve as a complete record of our lawful processing activities.
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Creating and managing user accounts | Name, email, password hash, account preferences | Performance of contract | Art. 6(1)(b) | Duration of account + 2 years |
| Authenticating user logins | Email, password hash, login timestamp, IP address | Performance of contract | Art. 6(1)(b) | 12 months |
| Sending account verification emails | Email address, verification token | Performance of contract | Art. 6(1)(b) | Until verified |
| Managing account settings and preferences | Name, email, UI preferences, notification settings | Performance of contract | Art. 6(1)(b) | Duration of account |
| Processing account deletion requests | Email, account ID, deletion timestamp | Legal obligation + Legitimate interests | Art. 6(1)(c) + Art. 6(1)(f) | 5 years |
| Enforcing Terms of Service | Account data, usage logs, violation records | Legitimate interests | Art. 6(1)(f) | 5 years from violation |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Processing subscription payments | Billing name, email, payment token, transaction amount | Performance of contract | Art. 6(1)(b) | 6 years |
| Issuing invoices and receipts | Name, billing address, email, transaction details | Legal obligation | Art. 6(1)(c) | 6 years |
| Managing subscription upgrades and downgrades | Account ID, subscription tier, billing details | Performance of contract | Art. 6(1)(b) | 6 years |
| Processing refunds | Name, email, transaction ID, refund amount | Performance of contract + Legal obligation | Art. 6(1)(b) + Art. 6(1)(c) | 6 years |
| VAT and tax compliance processing | Name, billing address, VAT number, transaction data | Legal obligation | Art. 6(1)(c) | 6 years |
| Fraud detection and payment security | Payment signals, device data, IP address | Legitimate interests | Art. 6(1)(f) | 12 months |
| Subscription renewal notifications | Email, subscription expiry date | Performance of contract | Art. 6(1)(b) | Duration of subscription |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Processing AI workflow inputs | User prompts, uploaded content, workflow configurations | Performance of contract | Art. 6(1)(b) | Account duration + 90 days |
| Generating AI workflow outputs | Processed prompts, generated content | Performance of contract | Art. 6(1)(b) | Account duration + 90 days |
| Transmitting prompts to AI model providers | Prompt content, session identifiers | Performance of contract | Art. 6(1)(b) | Per provider retention terms |
| Storing saved workflows and templates | Workflow configurations, prompt templates | Performance of contract | Art. 6(1)(b) | Account duration + 30 days |
| Managing API integrations | API keys, OAuth tokens, integration configurations | Performance of contract | Art. 6(1)(b) | Until revoked + 30 days |
| Enforcing usage limits and quotas | Account ID, usage metrics, request counts | Performance of contract | Art. 6(1)(b) | 6 months |
| Providing workflow execution history | Account ID, execution logs, timestamps | Performance of contract | Art. 6(1)(b) | 12 months |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Sending service and transactional emails | Email address, name, account status | Performance of contract | Art. 6(1)(b) | 3 years |
| Sending security alerts and notifications | Email address, security event details | Legitimate interests | Art. 6(1)(f) | 12 months |
| Sending billing and payment notifications | Email address, billing details | Performance of contract | Art. 6(1)(b) | 6 years |
| Sending marketing and promotional emails | Email address, name, marketing preferences | Consent | Art. 6(1)(a) | Until consent withdrawn + 2 years |
| Sending product update announcements | Email address, name, subscription tier | Legitimate interests | Art. 6(1)(f) | Until objection |
| Managing customer support communications | Name, email, support ticket content | Legitimate interests | Art. 6(1)(f) | 3 years |
| Responding to enquiries via website contact | Name, email, message content | Legitimate interests | Art. 6(1)(f) | 3 years |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Website analytics (Google Analytics) | Anonymised IP, pages visited, session data, device info | Consent | Art. 6(1)(a) | 14 months |
| Platform usage analytics | Feature usage, session duration, navigation patterns | Legitimate interests | Art. 6(1)(f) | 24 months |
| Performance monitoring | Response times, error rates, system metrics | Legitimate interests | Art. 6(1)(f) | 3 months |
| A/B testing | Feature variant exposure, interaction data | Legitimate interests | Art. 6(1)(f) | 6 months |
| Conversion tracking | Registration events, upgrade events, referral data | Consent | Art. 6(1)(a) | 30 days |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Security monitoring and threat detection | IP addresses, access logs, behavioural signals | Legitimate interests | Art. 6(1)(f) | 12 months |
| DDoS and abuse prevention | IP addresses, request patterns, rate limit data | Legitimate interests | Art. 6(1)(f) | 12 months |
| Fraud detection | Account signals, payment data, device fingerprints | Legitimate interests | Art. 6(1)(f) | 12 months |
| Data breach investigation and response | Affected account data, incident logs | Legal obligation + Legitimate interests | Art. 6(1)(c) + Art. 6(1)(f) | 5 years |
| Regulatory compliance documentation | Data subject request records, consent records | Legal obligation | Art. 6(1)(c) | 5 years |
| AEPD correspondence and audit cooperation | Correspondence records, processing records | Legal obligation | Art. 6(1)(c) | 10 years |
| Legal proceedings and dispute resolution | Relevant account and transaction data | Legitimate interests + Legal obligation | Art. 6(1)(f) + Art. 6(1)(c) | 10 years |
| Processing Activity | Personal Data Involved | Legal Basis | GDPR Article | Retention |
|---|---|---|---|---|
| Strictly necessary cookies | Session tokens, CSRF tokens, auth tokens | Strictly necessary - no consent required | ePrivacy Dir. Art. 5(3) | Session / 30 days |
| Functional and preference cookies | Language, theme, layout preferences | Consent | Art. 6(1)(a) | 6–12 months |
| Analytics cookies | Anonymised usage data, session identifiers | Consent | Art. 6(1)(a) | 14–24 months |
| Marketing and targeting cookies | Referral data, campaign identifiers | Consent | Art. 6(1)(a) | 30–90 days |
| Recording cookie consent decisions | Consent timestamp, consent choices | Legal obligation | Art. 6(1)(c) | 12 months |
Where TechVision Mallorca SL relies on legitimate interests (GDPR Art. 6(1)(f)) as the legal basis for processing, we have conducted Legitimate Interests Assessments (LIAs) confirming that:
| Processing Activity | Our Legitimate Interest | Data Subject Impact | Balance |
|---|---|---|---|
| Security monitoring | Protecting platform integrity and user accounts | Minimal - technical logs only, no content analysis | ✅ Interests override |
| Fraud prevention | Preventing financial loss and protecting users | Minimal - automated signals, no manual profiling | ✅ Interests override |
| Platform analytics | Improving product quality and user experience | Low - aggregated, anonymised where possible | ✅ Interests override |
| Product update communications | Informing users of relevant service changes | Low - easily objected to, relevant to service | ✅ Interests override |
| Support communications | Resolving user issues and maintaining service quality | Minimal - user-initiated communications | ✅ Interests override |
| Legal defence | Protecting legal rights in proceedings | Minimal - limited to data relevant to claims | ✅ Interests override |
TechVision Mallorca SL is committed to maintaining this Privacy Policy as an accurate, current, and complete reflection of our data processing practices. The digital and regulatory landscape - particularly in the fields of AI, data protection, and ePrivacy - evolves rapidly, and we will update this Policy promptly to reflect any material changes.
We will review and update this Privacy Policy in the following circumstances:
| Trigger | Description |
|---|---|
| New data processing activities | Any new category of personal data collected or new purpose for processing |
| New third-party processors | Addition of any new sub-processor or material change in existing processor arrangements |
| New international transfers | Any new transfer of personal data to a third country |
| Legal or regulatory change | Any change in applicable EU or Spanish data protection law, AEPD guidance, or EDPB recommendations |
| AI model changes | Addition or removal of AI model providers integrated into UBEX.ai |
| New cookie or tracking technologies | Addition of any new cookies or tracking technologies |
| Security incident | Any data breach or security incident that materially affects our security posture |
| Business change | Any merger, acquisition, restructuring, or change in business activities affecting data processing |
| EU AI Act developments | Any new obligations arising from EU AI Act implementation timeline |
| Periodic review | Scheduled annual review of all Policy provisions |
| Type of Change | Notification Method | Notice Period |
|---|---|---|
| Material change - affects your rights or significantly changes how we process your data | Email notification to all registered users + prominent banner on ubex.ai and app.ubex.ai | Minimum 30 days before change takes effect |
| New consent required - change requires fresh consent from users | Email notification + re-display of consent mechanism | Minimum 30 days before change takes effect |
| Minor change - clarifications, corrections, formatting, non-material updates | Updated "Last Updated" date on Policy + notice on website | Effective immediately upon publication |
| Legally required urgent change - required by law with no notice period | Immediate update + prompt notification to users | As soon as practicable |
TechVision Mallorca SL maintains a version history of this Privacy Policy. Previous versions are available upon request by contacting adelina@ubex.ai with the subject line "Privacy Policy Version Request".
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | 29 May 2026 | Initial publication of Privacy Policy for UBEX.ai |
| 2.0 | 29 May 2026 | Comprehensive update including EU AI Act compliance, AI processing disclosures, and expanded data subject rights |
The data controller responsible for the processing of your personal data in connection with https://www.ubex.ai and https://app.ubex.ai is:
| Detail | Information |
|---|---|
| Legal Entity Name | TechVision Mallorca SL |
| Trading Name | UBEX.ai |
| Company Type | Sociedad Limitada (SL) - Spanish Private Limited Company |
| CIF (Tax ID) | B72772940 |
| Registered Address | Calle Bartomeu Ferra 16, A, 07141 Marratxi, Mallorca, Balearic Islands, Spain |
| Registered in | Registro Mercantil de Mallorca, Balearic Islands, Spain |
| Website | https://www.ubex.ai |
| Application Platform | https://app.ubex.ai |
| Privacy Policy URL | https://ubex.ai/en/privacy |
For all data protection enquiries, data subject rights requests, and privacy-related matters, please contact:
| Detail | Information |
|---|---|
| Contact Name | Adelina Bolota |
| Role | CEO & Privacy Contact, TechVision Mallorca SL |
| Email | adelina@ubex.ai |
| Postal Address | TechVision Mallorca SL, Calle Bartomeu Ferra 16, A, 07141 Marratxi, Mallorca, Spain |
| Response Commitment | We will acknowledge all privacy enquiries within 3 business days and provide a full response within 30 calendar days |
| Languages | English, Spanish |
Under GDPR Article 37, the appointment of a Data Protection Officer is mandatory where:
- Processing is carried out by a public authority or body
- Core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
- Core activities consist of processing special categories of data or personal data relating to criminal convictions on a large scale

TechVision Mallorca SL's DPO Assessment:
| Criterion | Assessment |
|---|---|
| Public authority or body | ❌ No - private commercial entity |
| Large-scale systematic monitoring | ❌ No - platform processes user-submitted content, not systematic monitoring of individuals |
| Large-scale special category data | ❌ No - no special category data processed as core activity |
| DPO Required? | ❌ No - DPO appointment is not mandatory for TechVision Mallorca SL at current scale |
Note: While a formal DPO is not currently required, TechVision Mallorca SL takes data protection governance seriously. Adelina Bolota serves as the primary privacy contact and is responsible for overseeing data protection compliance. As UBEX.ai grows, we will reassess the need for a dedicated DPO appointment and will appoint one if and when required by GDPR Article 37. If a DPO is appointed in the future, their contact details will be published in this Policy and registered with the AEPD.
As TechVision Mallorca SL is established within the European Union (Spain), we are not required to appoint an EU representative under GDPR Article 27. Our registered address in Mallorca, Spain serves as our EU establishment for all GDPR purposes.
The lead supervisory authority for TechVision Mallorca SL is:
| Detail | Information |
|---|---|
| Authority | Agencia Española de Protección de Datos (AEPD) |
| Address | C/ Jorge Juan, 6, 28001 Madrid, Spain |
| Telephone | +34 912 663 517 |
| Website | https://www.aepd.es |
| Online Complaint Portal | https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/tramitesCiudadano.jsf |

| Purpose | Contact Method |
|---|---|
| General privacy enquiries | adelina@ubex.ai |
| Data subject rights requests | adelina@ubex.ai - subject: appropriate rights request subject line |
| Data breach reporting | adelina@ubex.ai - subject: "Security Vulnerability Report" |
| Cookie consent queries | adelina@ubex.ai - subject: "Cookie Inquiry" |
| International transfer queries | adelina@ubex.ai - subject: "International Transfer Inquiry" |
| Minor account reports | adelina@ubex.ai - subject: "Minor Account Report" |
| LIA documentation requests | adelina@ubex.ai - subject: "LIA Documentation Request" |
| Policy version history requests | adelina@ubex.ai - subject: "Privacy Policy Version Request" |
| Postal correspondence | TechVision Mallorca SL, Calle Bartomeu Ferra 16, A, 07141 Marratxi, Mallorca, Spain |
This Privacy Policy and all data processing activities of TechVision Mallorca SL are governed by and construed in accordance with the following legal framework:
European Union Law:
| Regulation / Directive | Full Title | Applicability |
|---|---|---|
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data | Primary data protection framework - directly applicable |
| ePrivacy Directive | Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector | Cookies, electronic communications, tracking |
| EU AI Act | Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence | AI system obligations and transparency |
| eCommerce Directive | Directive 2000/31/EC on certain legal aspects of information society services | Online service obligations |
| Digital Services Act | Regulation (EU) 2022/2065 | Online platform obligations |
| Consumer Rights Directive | Directive 2011/83/EU | Consumer protection in digital services |
Spanish National Law:
| Law | Full Title | Applicability |
|---|---|---|
| LOPDGDD | Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales | Spanish implementation of GDPR + additional digital rights |
| LSSI-CE | Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico | Information society services, cookies, electronic commerce |
| LGDCU | Real Decreto Legislativo 1/2007 - Ley General para la Defensa de los Consumidores y Usuarios | Consumer protection |
| Ley 58/2003 | Ley General Tributaria | Tax record retention obligations |
| Código de Comercio | Real Decreto de 22 de agosto de 1885 - Spanish Commercial Code | Commercial record retention obligations |
| LSSICE | Ley 9/2014, de 9 de mayo, General de Telecomunicaciones | Telecommunications and electronic services |

| Matter | Jurisdiction |
|---|---|
| Data protection disputes | Primary jurisdiction - AEPD (administrative); Spanish courts (judicial) |
| Consumer disputes | Spanish courts - competent courts of Mallorca, Balearic Islands |
| Commercial disputes | Spanish courts - Juzgados de lo Mercantil, Balearic Islands |
| EU cross-border matters | AEPD as lead supervisory authority; EDPB consistency mechanism where applicable |
| International matters | Spanish courts retain jurisdiction as place of establishment of data controller |
TechVision Mallorca SL is committed to resolving all privacy disputes amicably and without the need for formal legal proceedings. In the event of a dispute regarding this Privacy Policy or our data processing practices:
- First step: Contact us directly at adelina@ubex.ai - we will endeavour to resolve all disputes within 30 calendar days
- Second step: If unresolved, you may refer the matter to the AEPD for mediation or investigation
- Third step: You retain the right to seek judicial remedy before the competent Spanish courts at any stage
This Privacy Policy is published in English as the primary language. Where a Spanish language version is published, in the event of any conflict or inconsistency between the English and Spanish versions, the English version shall prevail unless otherwise required by applicable Spanish law.
The following definitions apply throughout this Privacy Policy and are provided to ensure full clarity and legal precision:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Art. 4(1)) |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Art. 4(2)) |
| Data Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (GDPR Art. 4(7)) - in this context, TechVision Mallorca SL |
| Data Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (GDPR Art. 4(8)) |
| Data Subject | An identified or identifiable natural person whose personal data is processed by the controller |
| Consent | Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR Art. 4(11)) |
| Special Categories of Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation (GDPR Art. 9(1)) |
| Pseudonymisation | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures (GDPR Art. 4(5)) |
| Anonymisation | The irreversible process of altering personal data in such a way that a data subject cannot be identified directly or indirectly, either by the controller alone or in collaboration with any other party - anonymised data falls outside the scope of the GDPR |
| Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (GDPR Art. 4(4)) |
| Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Art. 4(12)) |
| Third Country | Any country outside the European Union and the European Economic Area |
| Standard Contractual Clauses (SCCs) | Standardised contractual terms adopted by the European Commission under GDPR Art. 46(2)(c) that provide appropriate safeguards for the transfer of personal data to third countries |
| Supervisory Authority | An independent public authority established by an EU member state responsible for monitoring the application of the GDPR (GDPR Art. 4(21)) - in Spain, the AEPD |
| AEPD | Agencia Española de Protección de Datos - the Spanish Data Protection Agency, the competent supervisory authority for TechVision Mallorca SL |
| EDPB | European Data Protection Board - the independent EU body that ensures consistent application of data protection rules throughout the EU |
| LOPDGDD | Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales - the Spanish Organic Law on Data Protection and Guarantee of Digital Rights |
| LSSI-CE | Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico - the Spanish Law on Information Society Services and Electronic Commerce |
| GDPR | General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC |
| ePrivacy Directive | Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector |
| EU AI Act | Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence |
| Transfer Impact Assessment (TIA) | A documented assessment conducted by a data controller or processor to evaluate whether the level of protection afforded to personal data in a third country is essentially equivalent to that guaranteed within the EU/EEA, required following the Schrems II judgment |
| Legitimate Interests Assessment (LIA) | A structured three-part test conducted to assess whether legitimate interests can serve as a valid legal basis for processing, comprising: (1) purpose test - is the interest legitimate?; (2) necessity test - is processing necessary?; (3) balancing test - do the interests override the data subject's rights? |
| Data Processing Agreement (DPA) | A legally binding contract between a data controller and a data processor setting out the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, as required by GDPR Art. 28 |
| Sub-processor | A third party engaged by a data processor to carry out specific processing activities on behalf of the data controller |
| Cookie | A small text file placed on a user's device by a website, used to store information about the user's visit, preferences, or session |
| AI Model | A machine learning system trained on large datasets capable of generating text, images, code, or other outputs in response to user inputs - in the context of UBEX.ai, refers to ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), and Grok (xAI) |
| AI Workflow | A user-configured automated sequence of AI-powered processing steps created and executed within the UBEX.ai platform |
| Large Language Model (LLM) | A type of AI model trained on extensive text data capable of understanding and generating human language - the underlying technology powering the AI models integrated into UBEX.ai |
| API (Application Programming Interface) | A set of protocols and tools that allows software applications to communicate with each other - used by UBEX.ai to connect with AI model providers and third-party integrations |
| Encryption at Rest | The encryption of data stored on a storage medium (database, disk, backup) to prevent unauthorised access to stored data |
| Encryption in Transit | The encryption of data while it is being transmitted between systems or over a network, using protocols such as TLS (Transport Layer Security) |
| TLS (Transport Layer Security) | A cryptographic protocol designed to provide communications security over a computer network - the successor to SSL |
| AES-256 | Advanced Encryption Standard with a 256-bit key length - the current industry standard for strong symmetric encryption |
| PCI-DSS | Payment Card Industry Data Security Standard - a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment |
| ISO/IEC 27001 | An international standard for information security management systems (ISMS) providing a systematic approach to managing sensitive company information |
| SOC 2 Type II | Service Organisation Control 2 Type II - an auditing standard that evaluates the security, availability, processing integrity, confidentiality, and privacy of a service organisation's systems over a defined period |
| OWASP Top 10 | The Open Web Application Security Project's list of the ten most critical web application security risks, widely used as a benchmark for application security testing |
| Data Minimisation | The principle that personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (GDPR Art. 5(1)(c)) |
| Storage Limitation | The principle that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (GDPR Art. 5(1)(e)) |
| Purpose Limitation | The principle that personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (GDPR Art. 5(1)(b)) |
| Data Protection by Design | An approach whereby data protection principles are integrated into the design and architecture of systems and processes from the outset, rather than as an afterthought (GDPR Art. 25(1)) |
| Data Protection by Default | The principle that, by default, only personal data which is necessary for each specific purpose of the processing is processed, applying to the amount of personal data collected, the extent of processing, the period of storage, and accessibility (GDPR Art. 25(2)) |
| Right to Be Forgotten | The colloquial term for the right to erasure under GDPR Art. 17, referring to the right of data subjects to request deletion of their personal data in certain circumstances |
| Data Portability | The right of data subjects to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller (GDPR Art. 20) |
| Schrems II | The informal name for the Court of Justice of the European Union judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18), which invalidated the EU-US Privacy Shield and established requirements for Transfer Impact Assessments |
| EU-US Data Privacy Framework (DPF) | The adequacy framework adopted by the European Commission on 10 July 2023 (Decision 2023/1795) replacing the invalidated Privacy Shield, allowing transfers of personal data from the EU to certified US organisations |
| Bcrypt | A password hashing function designed to be computationally expensive to resist brute-force attacks, used by TechVision Mallorca SL to hash all user passwords |
| CSRF (Cross-Site Request Forgery) | A type of web security attack that tricks a user's browser into performing unwanted actions on a website where the user is authenticated - mitigated through CSRF tokens |
| XSS (Cross-Site Scripting) | A type of web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users - mitigated through output encoding and Content Security Policy |
| WAF (Web Application Firewall) | A security tool that monitors, filters, and blocks HTTP traffic to and from a web application to protect against common web exploits |
| DDoS (Distributed Denial of Service) | A cyberattack in which multiple compromised systems flood a target with traffic to disrupt normal service - mitigated through Google Cloud Armor on the UBEX.ai platform |
| VPC (Virtual Private Cloud) | An isolated section of a cloud provider's network infrastructure where resources are launched in a logically isolated virtual network |
| ENS (Esquema Nacional de Seguridad) | The Spanish National Security Framework - a set of security principles and requirements applicable to information systems in Spain |
| ENISA | European Union Agency for Cybersecurity - the EU agency responsible for achieving a high common level of cybersecurity across Europe |
| NIST | National Institute of Standards and Technology - a US federal agency whose Cybersecurity Framework is widely adopted internationally as a best-practice security standard |
TechVision Mallorca SL declares that this Privacy Policy:
| Detail | Information |
|---|---|
| Document Title | Privacy Policy - TechVision Mallorca SL / UBEX.ai |
| Version | 2.0 |
| Publication Date | 29th May 2026 |
| Last Updated | 29th May 2026 |
| Next Scheduled Review | 29 May 2027 |
| Published At | https://ubex.ai/en/privacy |
| Language | English (primary) |
| Prepared By | TechVision Mallorca SL |
| Applicable Jurisdiction | Spain / European Union |
| Governing Law | GDPR; LOPDGDD; LSSI-CE; applicable EU and Spanish law |
For all data protection enquiries, please contact us at adelina@ubex.ai