1. Data controller
The data controller for personal data collected through this website is Marai, with contact email maraiagenda@gmail.com.
2. Data we collect
We may collect the following data:
- Contact data: name, email and phone number when you fill out the contact form or register.
- Usage data: pages visited, time on site, device and browser (through anonymous web analytics).
- Payment data: managed entirely by Stripe, Inc. We do not store card data.
3. Purpose of processing
We use your data to:
- Provide you with Marai's appointment management service.
- Respond to your inquiries and support requests.
- Send you information about the service if you have requested it.
- Improve the website and service through aggregated and anonymous analysis.
4. Legal basis
Processing is based on:
- Contract performance: to provide the contracted service.
- Consent: for marketing communications, which you can withdraw at any time.
- Legitimate interest: to improve the service and prevent fraud.
5. Data retention
We retain your data as long as you maintain an active Marai account. After cancellation, we delete it within a maximum of 30 days, unless we are legally required to retain it longer. The specific retention periods by data type are:
| Data type | Retention period | Legal basis |
|---|---|---|
| Account data | While account is active + 30 days after cancellation | Contract performance |
| Contact form | 12 months from inquiry | Legitimate interest |
| Billing data | 5 years (Art. 30 Spanish Commercial Code) | Legal obligation |
| GA4 analytics logs | 14 months | Consent |
| Clarity sessions | 13 months | Consent |
6. Your rights
Under GDPR, you have the right to:
- Access: know what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: delete your data ("right to be forgotten").
- Portability: receive your data in a structured format.
- Objection: object to certain processing.
- Restriction: restrict processing in certain cases.
You can exercise these rights by writing to maraiagenda@gmail.com. You can also file a complaint with the Spanish Data Protection Agency (AEPD).
7. International transfers
We use the following providers that may process data outside the European Economic Area (EEA). All have adequate safeguards under GDPR:
| Provider | Purpose | Country | GDPR safeguard |
|---|---|---|---|
| Google Analytics 4 | Web analytics | USA | Standard contractual clauses + Data Privacy Framework |
| Microsoft Clarity | Heatmaps | USA | Standard contractual clauses |
| Umami | Cookieless web analytics | EU | GDPR compliant; does not process personal data |
| Cloudflare | CDN and bot protection | USA/EU | Standard contractual clauses |
| Stripe, Inc. | Payment processing | USA | PCI-DSS Level 1 + Standard contractual clauses |
| Google Tag Manager | Tag management | USA | Standard contractual clauses |
All transfers are covered by standard contractual clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.
8. Cookies
We use technical cookies necessary for the website to function. For more information, see our Cookie Policy.
9. Changes to this policy
We may update this privacy policy. We will notify you of significant changes by email or through a notice in the service.