Privacy Policy

Last updated: 24 April 2026

This is an English courtesy translation of the Spanish original, which prevails in case of conflict.

At prisma we take data protection seriously. This Policy explains what data we process, why, how long we keep it and what rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and the Spanish Organic Act 3/2018 on Data Protection and Digital Rights (LOPDGDD).

Contents 1. Data controller 2. What data we process 3. Purposes and legal bases 4. Retention periods 5. Recipients and processors 6. International transfers 7. Your rights 8. Automated decisions 9. Security measures 10. Minors 11. Cookies 12. Changes to this policy 13. Complaints (AEPD) 14. Contact

1. Data controller

Controller: QuantumNova Agency
Email: info@quantumnovaagency.com
Data Protection Officer (DPO): info@quantumnovaagency.com

Full registration details appear on invoices and are available on request.

2. What personal data we process

2.1 Account data

Name, email, password (Argon2id hashed), role (admin, agency_owner, agency_member, client, user, trial, developer).
Registration date, last seen, session token (256-bit opaque), email verification and MFA flags.

2.2 Service usage data

Domains, projects and queries you enter.
Historical snapshots of the analyses you run.
Quota counters (analyses/GEO/content/SerpAPI per day).
Audit events (registration, login, plan changes, super-owner impersonation).

2.3 Technical data

IP address (used for anti-abuse and audit), user-agent, timestamp, session identifier.

2.4 Billing data

Full card processing happens at Stripe; we only retain the opaque customer ID (cus_…), the subscription ID (sub_…) and the status (active, past_due, canceled).

3. Purposes and legal bases

Data processing purposes and applicable GDPR legal basis
Purpose	Legal basis (GDPR)
Provide the contracted service and manage your account	Art. 6(1)(b) — contract performance
Invoicing and tax obligations	Art. 6(1)(c) — legal obligation
Security, fraud prevention	Art. 6(1)(f) — legitimate interest
Transactional communications (email verification, password reset, team invites, trial-ending notices)	Art. 6(1)(b) — contract performance
Marketing of our own similar services	Art. 6(1)(f) — legitimate interest (with right to object on every message)
Non-essential cookies (if any)	Art. 6(1)(a) — consent

4. Retention periods

Account data: while your account is active.
Analysis snapshots and history: while the account is active; after closure, deleted within 30 days unless retention is required for legal compliance.
Audit logs: 12 months from generation.
Invoices and accounting records: 6 years (Spanish Commercial Code, art. 30) and the applicable tax limitation periods (generally 4 years).
Reset / verification tokens: 1–48 hours (invalidated on use or expiry).

5. Recipients and processors

We disclose data only to the following recipients, with whom we have (or will have) a processor agreement under art. 28 GDPR:

Recipients/processors with purpose and location
Provider	Purpose	Location
Stripe Payments Europe, Ltd.	Payment processing and subscription management	Ireland (EU) / USA (SCCs)
Anthropic PBC	Claude API (GEO analysis)	USA (SCCs)
OpenAI, LLC	ChatGPT API (GEO and generation)	USA (SCCs)
Google LLC	PageSpeed, Search Console, Business Profile, Gemini, Knowledge Graph	USA (SCCs)
Perplexity AI, Inc.	Perplexity API	USA (SCCs)
X.AI LLC / xAI	Grok API	USA (SCCs)
DeepSeek AI	DeepSeek API	China (explicit user consent to enable)
Mistral AI	Mistral API	France (EU)
Microsoft Azure	Copilot / OpenAI Service API	EU (operator-selectable region)
SerpApi, LLC	SERP data (Google/Bing)	USA (SCCs)
Foursquare Labs, Inc.	Places API (citations)	USA (SCCs)
Twilio, Inc.	SMS review invitations (optional)	USA (SCCs)
Hetzner Online GmbH	Hosting and infrastructure	Germany / Finland (EU)
Your configured SMTP provider	Transactional email delivery	Depends on provider

Where required by law we also disclose data to judicial authorities, law enforcement and tax authorities.

6. International transfers

Some of the processors listed above are outside the European Economic Area. For those transfers we rely on the EU Commission's Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures (encryption in transit and at rest, pseudonymisation).

You may request a copy of the specific SCCs at info@quantumnovaagency.com.

7. Your rights

As a data subject you have the right to:

Access (art. 15 GDPR): know what data we hold.
Rectification (art. 16): correct inaccurate data.
Erasure / right to be forgotten (art. 17).
Restriction of processing (art. 18).
Portability (art. 20): receive your data in a structured format (we provide a JSON export).
Object (art. 21): to legitimate-interest processing, including direct marketing.
Withdraw consent at any time, without retroactive effect.

To exercise any of these rights write to info@quantumnovaagency.com stating the right you invoke and providing proof of identity. We respond within one month (extendable by two months in complex cases).

8. Automated decisions

We do not make automated decisions producing legal or significant effects on users. Scoring, classifications and quotas are internal tools that do not take legal decisions by themselves.

9. Security measures

TLS encryption across the transport layer (HTTPS).
Argon2id hashing (OWASP 2023 baseline) for passwords; never stored in clear.
256-bit opaque tokens; 0600 (owner-only) file permissions on secrets.
Per-tenant isolation at every data endpoint.
Audit log rotated and restricted to the super-owner.
Strict origin control (CORS) and per-IP / per-user rate limiting.
Regular dependency reviews and ad-hoc code audits.

10. Minors

The Service is not directed to children under 14. If we detect an account of a minor without guardian consent we will cancel it.

11. Cookies

Cookie use is detailed in the Cookie Policy. By default we only use strictly necessary cookies (authentication session), which the Spanish DPA's cookie guidance exempts from consent.

12. Changes to this policy

We will publish any material change at this URL at least 15 days in advance and notify you by email. Continued use of the Service implies acceptance of the current version.

13. Complaints to the AEPD

If you believe the processing of your data breaches applicable law, in addition to contacting us you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, C/ Jorge Juan 6, 28001 Madrid.

14. Contact

Any query about personal data processing: info@quantumnovaagency.com.