Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for HolaNolis is the legal entity operating the service from Barcelona, Spain. For any privacy-related inquiries, you can contact us at privacy@holanolis.com.
2. Data We Collect
We collect only the data strictly necessary to provide the service:
- Account information: name, email address, date of birth (for minors), language preference.
- Conversation data: messages exchanged between minors and Nolis, encrypted at rest with AES-256-GCM using per-user Data Encryption Keys (DEK).
- Usage metadata: session timestamps, message counts, feature usage — used for reports and safety monitoring.
- Payment data: processed exclusively by Stripe. We never store credit card numbers on our servers.
- Device information: browser type, operating system — used for compatibility and security purposes only.
3. Legal Basis for Processing
- Contract performance: processing necessary to provide the HolaNolis service you subscribed to.
- Legitimate interest: safety monitoring, crisis detection, and fraud prevention.
- Consent: marketing communications (you can opt out at any time).
- Legal obligation: data retention required by applicable law.
4. Children's Data
HolaNolis is designed for minors aged 10-20. We take the protection of children's data extremely seriously:
- Minor accounts are created by a parent or legal guardian (tutor).
- The tutor provides verifiable consent for the processing of the minor's data.
- All conversation data is encrypted at rest with per-user encryption keys.
- We comply with GDPR Article 8 (conditions for child consent), COPPA (for US users), and the EU AI Act's provisions for AI systems interacting with minors.
- Minors can exercise their data rights through their tutor.
5. Data Sharing
We do not sell personal data. We share data only with:
- AI providers: conversation content is sent to LLM providers to generate responses. We use providers that comply with GDPR and do not train on user data.
- Stripe: for payment processing.
- Postmark: for transactional email delivery (crisis alerts, account notifications).
- Law enforcement: only when required by valid legal process.
6. Security
- All personal data is encrypted at rest using AES-256-GCM with per-user Data Encryption Keys.
- All communications are encrypted in transit via TLS 1.2+.
- JWT-based authentication with short-lived access tokens (15 min) and secure refresh tokens (7 days).
- Audit log with SHA-256 hash chain for tamper detection.
- Regular security reviews and dependency auditing.
7. Your Rights
Under GDPR, you have the right to:
- Access: request a copy of all personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Restriction: limit how we process your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@holanolis.com. We will respond within 30 days.
8. Data Retention
- Account data: retained while the account is active. Deleted within 30 days of an account deletion request.
- Conversation data: retained according to the supervision level and tutor preferences. Fully deleted upon account deletion.
- Payment records: retained for the period required by applicable tax and accounting laws.
- Audit logs: retained for 2 years for security and compliance purposes.
9. Data Protection Officer
For any questions about this privacy policy or how we handle your data, contact our Data Protection Officer:
Email: dpo@holanolis.com
Address: Barcelona, Spain
You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Spain, the supervisory authority is the Agencia Española de Protección de Datos (AEPD).