Your privacy and spiritual journey are sacred to us
Last Updated: October 10, 2025
The data controller during the pilot phase is the individual owner indicated in the Legal Notice, who acts temporarily as the service provider. For general and privacy contact purposes, you can write to orareapp@gmail.com. See the Terms and Conditions section "Who We Are" for complete identification of the owner and other contact information.
At this time, no Data Protection Officer has been appointed. If one is appointed in the future or required by law, their contact information will be added to this policy and the Terms and Conditions; until then, any data protection matters will be handled through the above email. See also the Terms and Conditions for the pilot scope, relevant to understanding the data processing context.
This Policy applies to the use of the App during the pilot; for functional scope and pilot conditions, see the Terms and Conditions, Pilot Scope (closed beta).
We process only the data strictly necessary to carry out the closed pilot with testers, as described in the Terms and Conditions. The following details the purposes of data processing.
We use your minimal identifying data to register you as a tester, enable your access, and administer the account during the pilot. The primary legal basis is your consent, which you can withdraw at any time with prospective effect (ex nunc), in accordance with GDPR and Spanish data protection law (LOPDGDD). You can withdraw your consent at any time by writing to orareapp@gmail.com; withdrawing it does not affect the lawfulness of prior processing.
We may process technical and usage logs strictly necessary to operate the service, resolve incidents, prevent abuse, and maintain security during the pilot. This processing is based on the legitimate interest of the controller: to operate and protect the platform, with interest balancing and minimization measures.
We handle your inquiries and communications related to the pilot, without commercial purposes. The Terms and Conditions specify that no commercial communications will be sent during the pilot. For any strictly functional communications, we rely on legitimate interest; any future promotional mailings will require consent.
We will only send notifications if you accept them. You can deactivate them at any time from your device settings or the App; the legal basis is revocable consent. The information society services regulations recognize the right to revoke consent easily and free of charge. See the "Cookie Policy" section for technological preferences.
During the pilot, we may measure limited events and interactions to improve the App. Technologies not strictly necessary require informed and prior consent; details and controls are in the Cookie Policy. What is strictly necessary to provide the service can be processed without additional consent, according to the technical exception of the LSSI-CE.
Certain functions may indirectly reveal your religious beliefs. These functions will only be activated if you grant your explicit consent, separate from the rest, to process data that could reveal such beliefs for the purpose of personalizing content and improving your experience. This consent is optional and revocable at any time from Settings ▸ Privacy or by writing to the contact in this Policy; withdrawal does not affect the lawfulness of what has already been processed. If you do not consent, you can use Orare in basic mode without spiritual personalization.
The pilot requires a minimum age of 14 years or, where applicable, verifiable consent from the person holding parental authority or legal representation, as already provided in the Terms and Conditions. This aligns with GDPR and LOPDGDD enabling national law to set the applicable age and consent for minors.
You can always withdraw your consent as easily as you gave it; we inform you of this right at the time of collection. For the exercise of access, rectification, deletion, opposition, limitation, and portability rights, see section "User Rights".
We process only the data necessary to carry out the pilot and provide the service under test conditions. The detail of what we use each data for and with what legal basis is in the "Purposes and Legal Bases" section; when it involves measurement technologies or equivalents, see "Cookies".
During registration and account management, we use the minimal identification data you provide and, if the invitation flow requires it, a contact detail such as email to enable your access as a tester. See "Purposes and Legal Bases".
To configure the pilot and understand usage by age groups, we may request age and gender. This data is not used for marketing or commercial segmentation purposes during the pilot. See "Purposes and Legal Bases".
To operate the App and maintain its security, we process technical identifiers associated with your account and device, access logs, essential technical events, performance metrics, and error logs. This data is limited to what is strictly necessary for operation and security. See "Purposes and Legal Bases".
With your consent, we can record interaction events that help us improve the experience. Where possible, we apply pseudonymization and aggregation. Activation and withdrawal of this consent is managed from Settings ▸ Privacy; for the technologies involved, see "Cookies".
If you send us comments, responses in the App, or support communications, we will process the information you voluntarily provide solely to attend to the pilot and improve the service. See "Purposes and Legal Bases".
Some functions may indirectly reveal your religious beliefs. Those functions are only activated if you grant your explicit and separate consent; if you don't, you can use the App in basic mode without that personalization. For details and how to withdraw consent, see "Purposes and Legal Bases" and "User Rights".
We do not conduct economic transactions, do not collect precise location, nor perform profiling for advertising or commercial prospecting purposes. If in the future any functionality requires new data or purposes, it will be reported clearly in advance, and consent will be collected when necessary.
The data comes mainly from what you provide us directly when registering, adjusting your profile, or writing to support. Data is also generated by using the App: internal account identifiers, technical logs essential to operate and secure the service, and, if you grant your consent, optional analytics events and notification tokens. See "Purposes and Legal Bases" for details of each case and "Cookies" for the technologies used.
We do not acquire personal data from intermediaries, commercial databases, or public sources during this pilot phase. Our technical providers act as data processors and do not communicate data unrelated to service provision; on recipients and transfers, see relevant sections.
Certain functions may generate derived or inferred data from your interaction. This data is limited to the purposes described in "Purposes and Legal Bases" and can be deactivated when they depend on your consent.
If you participate as a minor under 14 years old in Spain, the information is obtained through verifiable consent from the person holding parental authority or guardianship; for more detail, see Terms and Conditions. If in the future we incorporate new sources or purposes, we will inform you clearly in advance and, when appropriate, request the necessary additional consent.
In this pilot phase, we do not make decisions based solely on automated data processing that produce legal effects on you or similarly significantly affect you. Recommendations or suggested content are for support and experience improvement purposes and do not condition rights or generate legal consequences; if at any time we incorporate a process that fits Article 22 of GDPR, we would inform you in advance and enable human intervention, the possibility to express your point of view, and to challenge the decision, as required by the regulation.
When we talk about profiling, we refer to any form of processing that evaluates personal aspects, for example, understanding basic usage patterns to improve the App. During the pilot, this evaluation is limited to optional and aggregated analytics, activatable only with your consent and deactivatable from Settings ▸ Privacy; it is not used for direct marketing purposes at this stage. In any case, if a profile with relevant effects were created, we will provide significant information about the logic applied, the importance, and the expected consequences, in accordance with GDPR transparency duties.
Spiritual personalization, which could reveal religious beliefs, is only activated with your explicit consent and you can always withdraw it; it is not used to make automated decisions with legal or similar effects.
If in the future we propose a systematic and exhaustive evaluation on which decisions with significant effects are based, we would previously conduct a Data Protection Impact Assessment (DPIA) and apply reinforced safeguards. We would inform you clearly before activating any such processing.
To exercise your right not to be subject to exclusively automated decisions in the cases of Article 22, as well as to oppose profiles when appropriate, see the "User Rights" section and use the channels indicated there.
We apply the principle of storage limitation: we will keep data only for the time necessary for the purposes described in this Policy and, afterwards, delete or anonymize it securely. When it is not possible to indicate an exact number, we inform of the criteria used: pilot duration, incident resolution, and limitation periods for potential liabilities. To know how to exercise deletion or processing limitation, see the Rights section.
In the pilot context, account and basic profile data (name, age, gender, and, where applicable, email) are kept for the duration of your participation or until you request deactivation. After deactivation or pilot completion, they will be deleted or anonymized within a maximum of 90 days, unless there is an open incident or legal obligation requiring them to be kept blocked; blocking means reserving them solely to attend to authority requests or defense of claims, for the strictly necessary time.
Push notification tokens remain active only while you have notifications enabled. If you deactivate them from the App or device, we delete the token immediately and, additionally, apply automatic purging by inactivity that deletes unused tokens within 30 days.
Consent records, including explicit consent for functionalities that may reveal religious beliefs, evidence of layered information, and proof of consent withdrawal are kept during your relationship with the service and, once terminated, maintained blocked exclusively for the formulation, exercise, or defense of claims for a maximum period of 5 years, after which they are permanently deleted.
Support communications and feedback are kept during case management and up to 12 months after closure, solely for technical analysis and service improvement purposes. If the case could lead to liability, the associated information will pass to blocked status until the eventual procedure closes and, at most, during applicable limitation periods.
Raw events are kept up to 90 days for debugging, diagnosis, and system stability. From there, we only maintain aggregated or anonymized reports, which do not allow identification, for up to 24 months to observe pilot trends. For the technologies involved and their legal basis, see the "Cookie Policy".
Security and audit logs are generally kept for 12 months. In case of a security incident or authority request, these logs may remain blocked until the investigation or corresponding procedure ends.
We use rotating retention cycles of between 30 and 90 days, with strictly limited access and solely for service continuity and security purposes. When the cycle expires, copies are automatically overwritten.
If an account remains inactive for 12 months, we may notify you and proceed with its deletion or anonymization; where applicable, we will only keep what is strictly blocked when necessary for potential liabilities. To exercise your right to deletion or opposition, as well as to withdraw consent, see the "Rights" section.
We do not transfer your data to third parties for commercial purposes during the pilot. We will only communicate data when necessary to provide the service, when there is a legal obligation, or when you expressly authorize it. Internal access is limited to personnel who need it to operate the App and is subject to confidentiality duty.
Technical providers who help us host the platform and offer AI functions act as data processors: Supabase and OpenAI. These providers process data on behalf of the controller, with adequate security measures and without using them for their own purposes.
In case of requests from competent authorities, we may communicate information strictly necessary to comply with the law. When possible and lawful, we will inform you of such requests.
The results we share externally are aggregated reports and/or anonymized data prepared so that it is not reasonably possible to identify a person, in accordance with Recital 26 of GDPR. If, despite the measures applied, there were a reasonable risk of re-identification, we will treat that information as personal data, applying the corresponding guarantees and limitations and without communicating microdata or information that allows singularization of data subjects.
Whenever possible, we process and host data within the EEA. We will only transfer data to third countries or international organizations when the conditions of Chapter V of GDPR are met and the level of protection is not undermined. In particular, we will apply the general principle of transfers from Art. 44 and, when it exists, rely on Commission adequacy decisions (Art. 45).
If there is no adequacy, we will use appropriate safeguards according to GDPR and supplementary measures proportionate to the risk. We will inform you of the intention to transfer, the existence or absence of an adequacy decision, and the applicable safeguards, as well as the means to obtain a copy or know where they have been made available, as required by Art. 14.1.f) GDPR. To request details or a copy of the safeguards, write to us at the contact information indicated.
We will not respond to direct access requests for data by third-country authorities that are not covered by a valid international agreement (Art. 48 GDPR). Only in specific and exceptional situations could the exceptions of Art. 49 apply, residually and after evaluating their appropriateness.
When we use processors with global infrastructure, we will act in accordance with Spanish data protection law (LOPDGDD), Title VI, and, where applicable, standard clauses adopted or authorized by the Spanish Data Protection Agency (Arts. 41 and 42 LOPDGDD). The specific recipients and providers are described in the "Recipients and Processors" section.
Certain measurement technologies may involve transfers; their activation depends on your consent and is detailed in the Cookie Policy.
We apply appropriate technical and organizational measures to protect data against unauthorized access, loss, alteration, or disclosure, proportionate to the nature of the data and the pilot risks. This includes data protection by design and by default, periodic review of controls, and the ability to demonstrate compliance.
Non-exhaustively, we employ encryption in transit and, when appropriate, at rest; minimization and pseudonymization when viable; least privilege access controls with enhanced authentication for administrative accounts; secure credential management; activity logs for security; backup copies and restoration procedures; security reviews of providers acting as processors and contractual confidentiality commitments from personnel and third parties.
If, despite the measures, a personal data breach occurs, we will follow a detection, containment, and documentation process, and notify the Spanish Data Protection Agency without undue delay and, when possible, within 72 hours if the incident entails risk to rights and freedoms. When the risk is high, we will communicate the breach to data subjects, unless legal exceptions apply. We will keep evidence of the facts, effects, and measures adopted.
Additionally, when we incorporate new functionalities that may pose high risk to data processing, we will assess the need to conduct an Impact Assessment and apply additional measures before deployment. We may rely on codes of conduct or certifications as elements of compliance evidence.
You can exercise your rights of access, rectification, deletion, opposition, processing limitation, and portability, as well as the right not to be subject to exclusively automated decisions in legally provided cases. When processing is based on your consent, including explicit consent for functionalities that may reveal religious beliefs, you can withdraw it at any time with effects from withdrawal and without prejudice to prior lawfulness; for affected purposes, see the "Purposes and Legal Bases" section.
We provide two main avenues. In the App, you will find a preference center in Settings ▸ Privacy from which you can activate or deactivate Notifications, Analytics, and Spiritual Personalization. You can also exercise your rights by writing to the contact email orareapp@gmail.com. If you make the request by email, we will need to verify your identity proportionately and respond to you, generally, within one month; when the request is complex or numerous, the period may be extended according to applicable regulations, of which we will inform you.
If you request deletion or opposition, we will cease the affected processing unless there are overriding legitimate grounds or legal obligations that justify keeping it blocked. See "Retention Periods and Blocking" section. In portability cases, we will provide you with your data in a structured, commonly used, and machine-readable format when appropriate. At any time you can object to processing based on legitimate interest for reasons related to your particular situation.
We record in a minimal and secure manner the date and version of your consent, as well as its withdrawal, solely for compliance and traceability purposes. This does not enable new processing or extend periods beyond what is indicated in the "Retention Periods and Deletion Criteria" section. Technological preferences linked to cookies are managed from the preference center and described in the "Cookie Policy".
If you consider that we have not properly attended to your rights, you can file a complaint with the Spanish Data Protection Agency (AEPD). Before doing so, we invite you to write to us to try to resolve your case directly and promptly.
In Spain, for information society services, consent for consent-based processing is valid from 14 years of age; below that age, verifiable consent from the person holding parental authority or guardianship is required. This rule derives from Spanish data protection law (LOPDGDD), Art. 7, in development of GDPR, Art. 8.
During the pilot, the general minimum age to participate is 14 years. If we admit a minor, we will request and keep proportionate evidence of the legal representative's consent, and enable mechanisms for its withdrawal at any time with the same guarantees as for adults.
We do not knowingly collect personal data from minors under 14 without the indicated consent. If we detect that data has been processed without the required authorization, we will delete it diligently and deactivate the account, except for what is strictly blocked to attend to potential liabilities. When a functionality is based on consent, its activation for minors will require valid consent from the person holding parental authority or guardianship; otherwise, the minor can only use the App in basic mode.
If you have questions about how we verify age or consent, you can write to orareapp@gmail.com.
In the App, we use storage and information access technologies on your device to enable basic functions and, when you consent, to measure usage and improve experience. Strictly necessary technologies are used to make the App work and for security reasons; non-necessary ones will only be activated with your consent, which you can withdraw at any time from Settings ▸ Privacy. For technical details, the provider list, and the duration of each technology, see the external link to the Cookie Policy.
If you reject non-necessary categories, you can continue using the App, although certain measurement or personalization functionalities may be limited. The processing associated with these technologies is described in "Purposes and Legal Bases", and third parties acting as processors/recipients are indicated in "Recipients and Processors" and "International Transfers".
When the user is a minor under 14 years old in Spain, activation of non-necessary technologies based on consent will additionally require valid consent from the legal representative; otherwise, the App will operate in basic mode. To exercise your right to withdraw consent or to object when appropriate, see "User Rights and How to Exercise Them".
We maintain a Record of Processing Activities that describes, for each purpose, the data categories, legal bases, recipients, transfers, and retention periods or criteria. This record is kept updated and available to the supervisory authority when required. For purposes and bases, see "Purposes and Legal Bases"; for periods, see "Retention Periods".
This Policy may be updated to reflect regulatory, technical, or operational changes. We will indicate the date of last modification and, when changes are material, offer a visible notice in the App and, if appropriate, request your consent again before applying the change. We keep a version history that you can request through the indicated contact.
For any question regarding this Policy or the processing of your personal data, you can write to the contact email indicated in the "Controller and Contact" section. The complete identity of the data controller during the pilot appears in the Terms and Conditions; to avoid duplication, we refer you there for the owner's identifying data.
If you consider that we have not properly attended to your rights, see the "Rights" section, you can file a complaint with the Spanish Data Protection Agency (AEPD). We would appreciate if you contact us first through the indicated email to try to resolve the incident promptly and amicably.
Email: orareapp@gmail.com
App: Orare - Christian Spiritual Companion