Privacy Policy
Last updated: February 9, 2026
1. Data Controller
The data controller for your personal data is Victor Berthelius, with tax ID (NIF) 54052380B, operating as a self-employed professional under the trade name Frihet, with fiscal address at C/ Cervera n9, Radazul 38109, S/C de Tenerife, Spain. You can contact us regarding data protection matters at [email protected].
2. Data We Collect
We collect the following types of data:
- Account data: name, email address, password (encrypted), company name, and tax details you provide when registering.
- Usage data: information about how you use the Service, including pages visited, features used, frequency of use, and configuration preferences.
- Payment data: your credit or debit card details are processed directly by Stripe; Frihet does not store full card numbers on its servers.
- Technical data: IP address, browser type, operating system, device identifiers, and connection data.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contractual performance (Art. 6(1)(b) GDPR): processing is necessary to provide the Service you have subscribed to.
- Consent (Art. 6(1)(a) GDPR): for sending marketing communications and newsletters, which you can withdraw at any time.
- Legitimate interest (Art. 6(1)(f) GDPR): for Service improvement, fraud prevention, and platform security.
- Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable tax and legal obligations.
4. Purposes of Processing
We use your data for the following purposes: providing and managing the contracted Service; processing payments and billing; communicating with you about your account, Service updates, and technical support; sending marketing communications (with prior consent); improving and personalizing the user experience; statistical and aggregated analysis of Service usage; complying with legal and tax obligations; detecting and preventing fraud and abuse.
5. Data Recipients
We share your data only with the following service providers, necessary for delivering the Service:
- Stripe (payment processing, based in the US, DPF certified).
- Firebase/Google Cloud (infrastructure and authentication, based in the US, DPF certified).
- Resend (transactional email delivery, based in the US).
- Google Analytics 4 (web analytics with cookies, activated only after explicit user consent, based in the US, DPF certified).
- Vercel Inc. (web hosting and cookieless analytics, based in the US).
- PostHog (product analytics, activated only after explicit user consent, based in the US).
- Umami (web analytics, self-hosted in the EU, cookieless, privacy-friendly).

All providers have been selected to ensure they offer adequate security measures and comply with applicable data protection regulations.
6. International Transfers
Some of our service providers are located outside the European Economic Area, specifically in the United States. These transfers are made under: the EU-US Data Privacy Framework for certified providers; standard contractual clauses approved by the European Commission; or adequacy decisions by the European Commission, where applicable. You can request additional information about the safeguards applied to these transfers by writing to [email protected].
7. Data Retention Period
We retain your personal data for as long as necessary for the purposes for which it was collected:
- Account data and user content: for the duration of your account and up to 30 days after cancellation, to allow data export.
- Billing data: for the legally required period for tax compliance (currently 4 years under the Spanish General Tax Law).
- Usage and analytics data: in anonymized and aggregated form, without time limit.
- Marketing communications: until you withdraw your consent.
8. Your Rights
Under the GDPR and the Spanish LOPDGDD, you have the following rights:
- Access: know what personal data we process about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure (right to be forgotten): request deletion of your data when it is no longer needed.
- Objection: object to the processing of your data in certain circumstances.
- Portability: receive your data in a structured, commonly used format (CSV, JSON).
- Restriction: request limitation of processing in certain cases.

You can exercise these rights by sending an email to [email protected] with a copy of your identity document. We respond within a maximum of 30 days. You also have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es).
9. Cookies and Analytics
On frihet.io we use the following analytics tools:
- Umami (self-hosted in the EU, cookieless, no personally identifiable data, GDPR-compliant without requiring consent).
- Google Analytics 4 (uses tracking cookies, activated only after explicit user consent via our cookie banner).
- PostHog (product analytics, activated only after consent).
- Vercel Analytics and SpeedInsights (cookieless, anonymous performance metrics).

When you first visit our website, a cookie consent banner is displayed. Tools that use cookies (GA4, PostHog) are only activated if you expressly accept. You can withdraw your consent at any time from the cookie settings. In our web application (app.frihet.io), we use local storage (localStorage) to save your language preferences and session, which is strictly necessary for the operation of the Service.
10. Data Controller Contact
For any questions regarding the processing of your personal data or the exercise of your rights, you can contact the data controller at: [email protected]. Victor Berthelius, C/ Cervera n9, Radazul 38109, S/C de Tenerife, Spain. We are committed to addressing your requests with the utmost diligence and transparency.