Privacy policy

Last updated: May 17, 2026

Courtesy translation. In case of any conflict between this version and the Spanish version, the Spanish version shall prevail.

1. Data controller

The data controller of your personal data is:

  • Company name: Bravae Business Services, S.L.
  • Tax ID: B65449522
  • Registered office: Av. Diagonal, 497 — 5th floor (FeuDuNord), 08029 Barcelona, Spain
  • Mercantile registry: [pending publication]
  • Contact and DPO email: customer.service@bravae.com

2. Data we process

We collect and process the following data depending on the type of interaction you have with Bravae:

Website visitors

  • Aggregated browsing data (pages viewed, referrer, device type, country) collected via cookieless server-side analytics (Cloudflare Web Analytics, Vercel Web Analytics).
  • Minimal technical data (masked IP address, user-agent) necessary to serve the site.

Registered users

  • Identification data: name, surname, email address, company or entity you belong to.
  • Authentication data: password stored with secure hash (never in plain text).
  • Service usage data: tenant_id, configuration, product interactions, activity logs.
  • Billing data when you contract a paid plan (managed via Stripe, see section 7).

Content uploaded to the service

Documents, files, and data that you upload to your Bravae tenant space are processed exclusively to provide the contracted service. We do not use them to train general models nor share them with third parties except strictly necessary providers (hosting, infrastructure) under data processing agreement (DPA).

3. Purpose and legal basis of processing

We process your data for the following purposes, with the legal bases indicated (art. 6 GDPR):

  • Service provision contracted and management of the contractual relationship — contract performance.
  • Account management, support and transactional communications — contract performance.
  • Billing and tax compliance legal obligation.
  • Service improvement through aggregated analytics and technical metrics (without individual profiling) — legitimate interest.
  • Commercial communications about Bravae (when applicable) — express revocable consent.
  • Compliance with legal obligations regarding fraud prevention, security, and response to authorities — legal obligation.

4. Data retention

We retain your data for the time necessary to fulfill the purposes for which it was collected and, subsequently, for the applicable legal periods:

  • User account and uploaded content: while you keep your account active. After cancellation, they are deleted or anonymized within a maximum of 90 days, unless legal retention obligations apply.
  • Billing data: 6 years according to the Spanish Commercial Code.
  • Technical and security logs: up to 12 months unless incidents require additional retention.
  • Anonymous aggregated metrics: indefinitely, as they do not allow identification.

5. Recipients of the data

We do not sell or transfer your data to third parties for commercial purposes. Some providers process data on behalf of Bravae under data processing agreement (DPA):

  • Vercel Inc. — website hosting and delivery (EU regions).
  • Cloudflare Inc. — CDN and DDoS protection.
  • RunPod / GPU compute providers — execution of AI models under per-tenant private architecture.
  • Neon (serverless Postgres) — database (EU region when applicable).
  • Stripe — payment processing (subject to its own privacy policy and PCI DSS).
  • Optional LLM fallback providers (OpenAI, Cohere) — only when the client expressly activates them; otherwise they are not used.

We will only provide data to authorities when there is a legal obligation.

6. International transfers

Some of our technology providers are established outside the European Economic Area (EEA). In such cases, transfers are carried out under valid GDPR mechanisms: adequacy decisions, European Commission Standard Contractual Clauses (SCC), or the EU–US Data Privacy Framework when applicable.

7. Your rights

As the data subject, you may exercise the following rights at any time:

  • Access to your personal data.
  • Rectification of inaccurate data.
  • Deletion when applicable (right to be forgotten).
  • Limitation of processing.
  • Portability in structured machine-readable format.
  • Objection to processing based on legitimate interest.
  • Withdrawal of consent (without retroactive effect).
  • Not to be subject to automated decisions with significant legal effects.

To exercise any of these rights, write to customer.service@bravae.com clearly indicating the right you wish to exercise and attaching identification document if necessary to verify your identity. We will respond within a maximum of one month from receipt of the request (extendable for two additional months in complex cases, which we will communicate to you).

If you consider that the processing does not comply with regulations, you may file a complaint with the Spanish Data Protection Agency (AEPD).

8. Security measures

We apply appropriate technical and organizational measures to guarantee a level of security adequate to the risk, including:

  • Encryption in transit (TLS 1.3) and at rest.
  • Role-based access control, two-factor authentication where applicable, audit logging.
  • Multi-tenant architecture with per-customer data isolation.
  • Periodic audits, security reviews, and incident response plans.

9. Cookies

For detailed information about the cookies we use, see our Cookie Policy.

10. Changes to this policy

We may modify this privacy policy to adapt to legislative, jurisprudential, or business practice changes. We will inform you of substantial changes through the website or by email if you have an active account.

Privacy policy · Bravae · Bravae