PRIVACY FILE // HUMAN DATA
Privacy policy
What data the project processes, why it is needed, what becomes public and how to exercise your rights.
Last updated: 12 June 2026
1. Data controller
- Controller: Carlos Antón Benito
- Address: Carrer de Varsovia, 56
- Privacy email: info@xkema.com
2. Data we process
- Registration and contact data: email address, public name or alias, country, city and any optional profile information you provide.
- Public profile data: approved registry number, name or alias, location, message, optional public photograph, profession, pronouns, year of birth, interests and external links selected by the participant.
- Private verification data: the temporary photograph showing the applicant and the handwritten challenge. It is reviewed manually and is not intended for public display.
- Payment data: transaction identifiers, amount, currency and payment status. Card details are handled by Stripe and are not stored by this application.
- Technical and security data: IP address, session identifiers, request metadata, security events, audit records and information needed to prevent abuse and investigate incidents.
- Communications: information sent through the contact form, reports or support email.
- Analytics data: only where analytics is enabled and the visitor has consented to optional analytics storage.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Process registration, reserve a number, take payment, review the application and publish the approved profile. | Steps requested before entering into the service and performance of the service agreement. |
| Publish optional profile elements, including the public photograph and optional links. | Your affirmative choice to provide those optional elements and the service requested by you. You may request removal, subject to lawful retention requirements. |
| Send verification, payment, review and support communications. | Performance of the service and legitimate interest in operating and supporting it. |
| Prevent fraud, protect the website, enforce rules and maintain audit evidence. | Legitimate interests in security, integrity and legal defence, balanced against user rights. |
| Keep accounting, tax and legally required transaction records. | Compliance with legal obligations. |
| Load optional analytics. | Consent, which can be withdrawn through Cookie settings. |
4. What becomes public
Only an approved public profile is displayed in the registry. The verification proof, email address, payment details, internal review notes and security records are not public.
Public pages can be indexed, cached, archived, copied or shared by search engines and third parties. Removing a profile from this website cannot guarantee immediate deletion of copies controlled by others.
5. Manual verification and automated decisions
A human moderator reviews the submitted proof against the temporary challenge and registry number. The application does not intentionally perform facial recognition, biometric identification or solely automated approval decisions.
6. Service providers and recipients
Data may be processed by providers needed to run the service, including hosting and infrastructure providers, Mailgun for transactional email, Stripe for payments and Google Analytics only if enabled and consented to. Public profile information is disclosed to anyone who visits the public registry.
Providers may process data outside the European Economic Area. Where required, the controller will rely on an applicable adequacy decision, standard contractual clauses or another lawful transfer mechanism.
Data may also be disclosed when required by law, a competent authority or to establish, exercise or defend legal claims.
7. Retention
- Approved public profiles remain available while the registry operates or until lawful removal is requested.
- Private proof photographs are scheduled for deletion after review according to the configured retention policy: normally 30 days for approved proofs and 30 days for rejected proofs, unless longer retention is needed for an active dispute, fraud investigation or legal obligation.
- Unfinished reservations and temporary verification codes expire according to the periods shown in the registration flow.
- Payment, accounting and tax records are retained for the legally required period.
- Security and audit records are retained only as long as reasonably necessary for security, incident response and legal defence.
- Contact messages are retained for the time needed to answer and manage the enquiry, and longer only where needed for legal claims or obligations.
8. Your rights
Subject to applicable law, you may request access, rectification, erasure, restriction, portability or objection, and you may withdraw consent without affecting prior lawful processing. Send a request to info@xkema.com. Identity may be verified before acting on a request.
You may also lodge a complaint with the Spanish Data Protection Agency (AEPD) or the competent supervisory authority in your country.
9. Security, minors and changes
Reasonable technical and organisational measures are used to protect information, including private storage for verification proofs, access controls, upload validation, rate limiting and audit records. No system is invulnerable.
Do not submit another person’s data without authority. Minors should use the service only with the involvement and permission of a parent or legal guardian where required by law.
This policy may be updated when the service, providers or legal requirements change. The current version and update date will remain available on this page.