Skip to main content
← Home

Privacy Policy

Last updated: April 17, 2026

1. Data controller

The data controller for personal data collected through this website and the Marai service is:

Marai Software, S.L. (hereinafter "Marai")
Spanish Tax ID (NIF): 39403669T
Registered office: C/ Ramón y Cajal, núm. 16, Planta 2, Puerta B, 08330 Premià de Mar (Barcelona), Spain
Email: [email protected]
Privacy contact: [email protected]
Data Protection Officer (voluntary designation, Art. 37.4 GDPR): [email protected]

This policy complies with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and Law 34/2002 (LSSI-CE).

2. Data we collect

We collect the following data depending on how you use the service:

  • Contact data: name, email and phone number when you fill out the contact form or register with Marai.
  • Account and business data: business name, schedules, services, professionals and platform configuration.
  • Usage data: pages visited, features used, device and browser (through web analytics).
  • Technical data: IP address and session data, necessary for the service to function and for security.
  • Payment data: managed entirely by Stripe, Inc. Marai does not store credit or debit card data.
  • Optional integration data: if you connect Google Calendar, we receive and store (encrypted) OAuth tokens and synchronise events from your primary calendar (see the dedicated "Google APIs integration" section).

3. Purpose of processing

We use your data to:

  • Provide Marai's appointment management service and perform the subscription contract.
  • Manage billing, payments and applicable taxes on the service.
  • Respond to your inquiries and support requests.
  • Send you information about the service if you have explicitly requested it.
  • Improve the website and service through aggregated and anonymous analysis.
  • Comply with applicable legal, tax and commercial obligations.

4. Legal basis for processing

Each purpose is supported by the following legal basis pursuant to Art. 6 GDPR:

  • Contract performance (Art. 6.1.b GDPR): providing the contracted service, account management and billing.
  • Consent (Art. 6.1.a GDPR): analytics cookies and marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7.3 GDPR).
  • Legitimate interests (Art. 6.1.f GDPR): service improvement, fraud prevention and platform security.
  • Legal obligation (Art. 6.1.c GDPR): retention of billing data in accordance with applicable Spanish tax and commercial law.

5. Data retention

We retain your data while you maintain an active account. After cancellation, we delete it within 30 days, unless legally required to retain it longer:

Account dataWhile account is active + 30 days after cancellationContract performance (Art. 6.1.b GDPR)
Contact form12 months from inquiryLegitimate interest (Art. 6.1.f GDPR)
Billing data6 years (Art. 30 Spanish Commercial Code)Legal obligation (Art. 6.1.c GDPR)
GA4 analytics logs14 months (GA4 setting)Consent (Art. 6.1.a GDPR)
Clarity sessions13 months (Clarity setting)Consent (Art. 6.1.a GDPR)
Google Calendar OAuth tokens (AES-256-GCM encrypted)Until disconnection + 24 hoursConsent (Art. 6.1.a GDPR)

6. Your rights

Under the GDPR and LOPDGDD, you may exercise the following rights:

  • Access (Art. 15 GDPR): know what data we hold about you and how we process it.
  • Rectification (Art. 16 GDPR): correct inaccurate or incomplete data.
  • Erasure (Art. 17 GDPR): request deletion of your data ("right to be forgotten").
  • Portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
  • Objection (Art. 21 GDPR): object to processing based on legitimate interests.
  • Restriction (Art. 18 GDPR): restrict processing in the legally provided cases.
  • Withdrawal of consent (Art. 7.3 GDPR): withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise these rights, write to [email protected]. We will respond within one month (Art. 12.3 GDPR), extendable by two additional months in complex cases. If you consider that processing does not comply with applicable regulations, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es (Art. 77 GDPR).

7. International data transfers

We use the following providers that may process data outside the European Economic Area (EEA). All transfers have adequate safeguards under the GDPR:

Google Analytics 4Web analyticsUSAEU-US Data Privacy Framework (DPF, Art. 45 GDPR)
Microsoft ClarityHeatmaps and session recordingUSA*Standard Contractual Clauses (Art. 46.2.c GDPR)
UmamiCookieless web analyticsEUNo transfer — anonymised data processed in the EU
CloudflareCDN and bot protectionUSA/EUDPF + Standard Contractual Clauses (Art. 46.2.c GDPR)
Stripe, Inc.Payment processingUSAEU-US Data Privacy Framework (DPF, Art. 45 GDPR)
Google Tag ManagerAnalytics tag managementUSAEU-US Data Privacy Framework (DPF, Art. 45 GDPR)
Google LLC (Calendar API)Bidirectional calendar synchronisationUSAEU-US Data Privacy Framework (DPF, Art. 45 GDPR) + Standard Contractual Clauses (Art. 46.2.c GDPR)

* The EEA controller for Microsoft Clarity is Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland. Transfers to Microsoft Corporation (USA) are made under Standard Contractual Clauses approved by the European Commission.

Google APIs integration (Google Calendar)

Marai Agenda offers an optional bidirectional synchronisation between the professional's schedule and their Google Calendar account. This feature is activated only when the professional grants explicit consent through Google's OAuth 2.0 flow.

Requested OAuth scopes:

  • https://www.googleapis.com/auth/userinfo.email — see the primary email address of the user's Google Account. Used only to display which account is connected inside the Marai dashboard.
  • https://www.googleapis.com/auth/calendar.events — view and edit events on the user's primary calendar. Required to create Marai appointments in Google Calendar and to detect external events that block availability.
  • We request no additional scopes (we do not ask for access to email, contacts, Drive, files, location, photos or any other Google service).

Data we receive from Google APIs:

  • Email address of the connected Google Account (via the userinfo.email scope), used only to display which account is connected.
  • Events from the professional's primary calendar (via the calendar.events scope): title, start and end time, description, attendees, location and event status.

Purpose of processing:

  • Create in Google Calendar the events corresponding to appointments booked in Marai.
  • Detect external blockers (personal events created in Google Calendar) and mark them as unavailable time in Marai, avoiding overlaps.
  • We do not read events from secondary calendars to which the user has shared access. We do not access email, contacts, Drive or any other Google service.

Storage and security:

  • OAuth tokens (access token and refresh token) are stored encrypted at rest using AES-256-GCM, with keys managed outside the database.
  • Synchronised data is stored only on servers managed within the European Union (Railway, Frankfurt region).
  • All communications with Google APIs are carried out exclusively over HTTPS/TLS 1.2 or higher.

Limited Use disclosure — Compliance with the Google API Services User Data Policy:

Marai Agenda's use and transfer, to any other app, of information received from Google APIs strictly complies with the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • Our use of data obtained from Google APIs is strictly limited to providing and improving user-facing features that are prominent in the Marai user interface (appointment synchronisation and detection of external events that block availability). Any other use is expressly prohibited.
  • We do NOT use data obtained from Google APIs to serve advertising, nor for our own marketing, retargeting, personalised advertising or interest-based advertising.
  • We do NOT sell or rent data obtained from Google APIs to third parties, data brokers, advertising platforms or information resellers.
  • We do NOT transfer data obtained from Google APIs except where strictly necessary to provide or improve the user-facing synchronisation functionality (for example, to the sub-processor that hosts our infrastructure within the European Union), to comply with legal obligations, or with the user's explicit consent.
  • We do NOT use data obtained from Google APIs to train, fine-tune or develop generalised or non-personalised artificial intelligence (AI) or machine-learning (ML) models, nor do we transfer such data to any third party for that purpose.
  • We do NOT use data obtained from Google APIs to determine credit-worthiness, assess credit risk or for lending purposes.
  • We do NOT allow humans to read data obtained from Google APIs, except (a) with the user's affirmative, explicit consent regarding specific data, (b) when necessary for security purposes (for example, investigating a bug or abuse), (c) to comply with applicable legal obligations, or (d) where the data is aggregated and anonymised and used for internal operations in line with common privacy practices.

Limited Use disclosure (mandatory English version per Google policy):

Marai Agenda's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Retention and deletion:

  • Tokens and synchronised data are automatically deleted within 24 hours after the user disconnects their Google account.
  • Users can disconnect Google Calendar at any time from Settings > Google Calendar in their dashboard, or by revoking access directly from their Google account: https://myaccount.google.com/permissions.
  • After disconnection or revocation, all encrypted tokens are deleted from our database and no persistent calendar data is retained.

Revocation:

Users can revoke Marai Agenda's access to Google APIs at any time from https://myaccount.google.com/permissions, without affecting any other functionality of their Marai account.

Dedicated contact for questions about Google data:

[email protected] (subject: "Google Calendar — personal data").

8. Marai as data processor

When you use Marai to manage appointments and data of your own clients, you act as the data controller for that data (Art. 4.7 GDPR). In that capacity, Marai acts as the data processor (Arts. 4.8 and 28 GDPR), processing your clients' data solely on your behalf and following your instructions.

As data controller, you are responsible for informing your clients about the use of their data, obtaining the necessary legal bases, and complying with the GDPR and LOPDGDD regarding that data. The Marai service contract includes the data processing clauses required by Art. 28 GDPR. If you have questions about your obligations as data controller, write to us at [email protected].

9. Cookies

Marai uses technical cookies necessary for the service to function and, with your consent, analytics cookies. For more information, see our Cookie Policy.

10. Changes to this policy

Marai may update this policy to reflect regulatory changes, changes in providers or in the services offered. Material changes will be communicated at least 30 days in advance by email or through a prominent notice in the service.