PRIVACY POLICY

GDPR COMPLIANT & PERSONAL DATA CONTROL

1. DATA CONTROLLER

For the purposes of the provisions of the General Data Protection Regulation (GDPR EU 2016/679) and Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), you are informed that your data will be processed confidentially and securely under the responsibility of:

Manuel Alejandro Núñez Liz
CIF: ES33329563X
Registered Tax Address: Rúa San Lourenzo 10, 1, 27003 Lugo, Galicia, España
Contact Email: [email protected]

2. PERSONAL DATA WE COLLECT

RoteiroLab only collects and processes personal data strictly necessary to provide our investment analysis services, tax invoicing and performance telemetry. This includes:

  • Registration Data: Email and nickname (created upon registration or automatically linked when logging in via Google Auth).
  • Project Data: Responses provided to the 38-question diagnostic questionnaires, startup name, and market information provided.
  • Fiscal Invoicing Data: Legal Name/Company Name, Tax ID/VAT, billing address, postal code, and country.
  • Navigation & Telemetry Data: IP address and User-Agent header, recorded immutably with each GDPR/LGDCU consent for legal compliance, and anonymous technical telemetry from Google Analytics.

3. PURPOSE AND LEGAL BASIS FOR PROCESSING

The processing of your personal data is based on:

  • Execution of Contract (SaaS): To run the 8-stage asynchronous AI pipeline, serve shared hubs via share_hash, and provide dynamic, investor-quality PDF and PowerPoint downloads.
  • Consent of the Data Subject: Freely, expressly and unequivocally granted by checking the mandatory privacy, consumer withdrawal (LGDCU Art. 103.m) or cookies boxes.
  • Compliance with Legal Obligations: As required by Spanish invoicing law, to declare VAT breakdowns (21% ES / EU OSS) and to audit access to HMAC-signed downloads.

4. RECIPIENTS OF THE DATA

RoteiroLab does not sell or transfer data to third parties. User data is only communicated to the following processors strictly necessary for the business:

  • Stripe Inc: Secure international payment gateway to process checkout of plans and European VAT.
  • Google LLC (Google Analytics & Google Auth): Anonymous technical telemetry of the system and fast federated authentication.
  • LLM APIs (Google Gemini, Anthropic, DeepSeek): Artificial Intelligence providers that process questionnaire templates confidentially. None of these providers use the transmitted data to train their own models.

5. USER RIGHTS (ARCO-POL)

The GDPR gives you full control over your privacy. You have the right to:

  • Access and Rectification: Consult what personal data we hold and correct it dynamically from your 'My Profile' panel.
  • Erasure (Right to be Forgotten): Irreversibly delete your account and all associated projects. You can exercise this right instantly in the data protection section of your user profile.
  • Portability and Restriction: Request a JSON dump of your personal data and restrict processing.

You can exercise these rights directly through the Private Panel options, or by sending a written communication to [email protected] with a copy of your NIF/CIF or passport attached for identity verification.

6. RETENTION AND SECURITY

Personal data will be kept as long as the user account remains active or until erasure is requested. Robust organizational and cybersecurity measures (IP middlewares, CSP headers, HMAC signatures with download expiration, TLS encryption) are applied to prevent any loss, alteration or unauthorized access.
