PRIVACY POLICY

Effective Date: 1 June 2025

This Privacy Policy describes how Candela collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Spanish law.

1. DATA CONTROLLER

• Business name: Candela
• Contact email: legal@cande.es
• Location: Spain

2. DATA WE COLLECT

When using Candela, we may collect the following data:

• Account data: email address, username. We DO NOT collect any password.
• File metadata: file name, upload date, file type.
• Transactional communications: confirmations, activity notifications, etc.
• We do NOT store or process your credit card data; all payment information is handled securely by Stripe.

We do not collect sensitive personal data or use your data for commercial or advertising purposes.

3. PURPOSES OF PROCESSING

We process your data only for the following purposes:

• To create and manage your account.
• To provide the file sharing service.
• To send necessary transactional communications.
• To ensure the security, integrity, and legal use of the service.
• To comply with legal obligations.

4. LEGAL BASIS

The legal bases for processing your data are:

• Performance of a contract (Terms and Conditions).
• Your consent (e.g., during registration).
• Legitimate interest (e.g., security and fraud prevention).
• Legal compliance (e.g., criminal activity prevention).

5. DATA RETENTION

We retain your data as long as your account is active. If you request account deletion, we will erase your data unless we are legally required to keep it.

6. DATA SHARING

We do not share your data with third parties, except for:

• Technology providers necessary to deliver the service (e.g., Cloudflare).
• Stripe for subscriptions and payment processing. Your payment data is shared with Stripe only for this purpose.
• Public authorities when legally required.

All service providers comply with the GDPR.

7. USER RIGHTS

You may exercise the following rights:

• Access your data.
• Rectify inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Restrict or object to processing.
• Data portability.

To exercise your rights, contact us at legal@cande.es.

You also have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es).

8. SECURITY

We implement technical and organizational measures to protect your data, including encryption, access controls, and auditing.