Effective: March 2026
1. WHO WE ARE AND HOW TO REACH US
Data Controller:
Michael Hansen
Operating as: SENTINEL / micaready.eu
Email: contact@micaready.eu
Website: micaready.eu
We do not have a Data Protection Officer (we are not required to appoint one under GDPR Article 37). For all data protection enquiries, contact contact@micaready.eu.
2. WHAT PERSONAL DATA WE COLLECT AND HOW
We collect Personal Data through the following means:
A. Directly from you (Article 13)
Email address
Collection point: Waitlist form, contact form, account creation
Why we collect it: To communicate with you about SENTINEL
Name
Collection point: Contact form, account creation
Why we collect it: To address you correctly
Company name and role
Collection point: Contact form, account creation
Why we collect it: To understand your organisation's needs
Billing name, address, last 4 digits of card
Collection point: Stripe payment flow
Why we collect it: To process your subscription payment
Communications content
Collection point: Email correspondence
Why we collect it: To respond to your enquiries
B. Automatically when you use the Service or website (Article 13)
IP address
Source: Server logs
Why we collect it: Security, fraud prevention, abuse detection
Browser type and version
Source: Server logs
Why we collect it: Technical compatibility
Pages visited and timestamps
Source: Server logs
Why we collect it: Service improvement, security monitoring
Referring URL
Source: Server logs
Why we collect it: Understanding how visitors find us
C. From third parties (Article 14)
We receive limited Personal Data from our payment processor Stripe (transaction confirmation, billing address verification) when you purchase a subscription. Stripe's own privacy policy governs their processing: stripe.com/privacy.
3. LEGAL BASIS FOR PROCESSING
We process your Personal Data on the following legal bases under GDPR Article 6:
Providing the Service to subscribers
Legal basis: Performance of contract
Article 6 ground: Art. 6(1)(b)
Processing payments
Legal basis: Performance of contract
Article 6 ground: Art. 6(1)(b)
Responding to contact/waitlist requests
Legal basis: Pre-contractual steps or consent
Article 6 ground: Art. 6(1)(b) / Art. 6(1)(a)
Sending product updates to subscribers
Legal basis: Legitimate interests
Article 6 ground: Art. 6(1)(f)
Security monitoring and fraud prevention
Legal basis: Legitimate interests
Article 6 ground: Art. 6(1)(f)
Keeping billing records
Legal basis: Legal obligation (Spanish tax law)
Article 6 ground: Art. 6(1)(c)
Server log analysis for service improvement
Legal basis: Legitimate interests
Article 6 ground: Art. 6(1)(f)
Legitimate interests assessment: Where we rely on legitimate interests, we have assessed that our interests (operating a secure, functioning service; communicating relevant product updates to customers) do not override your interests or fundamental rights, given the limited scope and nature of the data involved.
Consent withdrawal: Where processing is based on your consent (e.g., waitlist sign-up), you may withdraw consent at any time by emailing contact@micaready.eu. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. PURPOSES OF PROCESSING
We use your Personal Data for the following purposes:
- Service delivery: Providing access to the SENTINEL compliance monitoring platform
- Account management: Creating and managing your account, authentication, and access control
- Payment processing: Billing, invoicing, and payment verification
- Customer support: Responding to technical and commercial enquiries
- Service communications: Sending essential notifications about your subscription, the Service, or relevant regulatory changes (these are not marketing emails and cannot be opted out of while you are a subscriber)
- Product improvement: Analysing usage patterns (using aggregated and anonymised data where possible) to improve the Service
- Security and integrity: Detecting and preventing fraud, abuse, and unauthorised access
- Legal compliance: Meeting our obligations under Spanish, EU, and applicable law
We do not use your Personal Data for automated individual decision-making or profiling as defined in GDPR Article 22.
5. HOW LONG WE KEEP YOUR DATA
Account and contact data
Retention period: Duration of subscription + 2 years
Reason: Dispute resolution, service continuity
Billing and payment records
Retention period: 7 years from transaction
Reason: Spanish General Tax Law (Ley 58/2003) and Commercial Code obligation
Correspondence and support
Retention period: 3 years from last contact
Reason: Dispute resolution and legal claims
Server logs (IP, access logs)
Retention period: 90 days
Reason: Security monitoring; balancing privacy with incident investigation
Waitlist data (non-subscribers)
Retention period: 18 months from sign-up, or until you ask us to delete it
Reason: Business purpose proportionality
After the applicable retention period, Personal Data is securely deleted or permanently anonymised.
6. WHO WE SHARE YOUR DATA WITH
6.1 Sub-processors
We use the following third-party processors to provide the Service. Each has been assessed for GDPR adequacy or appropriate safeguards:
Stripe Inc.
Purpose: Payment processing, billing
Location: USA
Transfer safeguard: Standard Contractual Clauses (SCCs); Stripe's DPA available at stripe.com/legal/dpa
Formspree Inc.
Purpose: Contact and waitlist form processing
Location: USA
Transfer safeguard: SCCs; data minimised to email and message content
Vercel Inc.
Purpose: Website and application hosting
Location: USA (with global CDN)
Transfer safeguard: SCCs; Vercel's DPA available at vercel.com/legal/dpa
We do not sell, rent, or trade your Personal Data to any third party for their own marketing purposes.
6.2 Other disclosures
We may disclose Personal Data to:
- Legal authorities: Where required by applicable law, court order, or to protect our legal rights or those of third parties
- Professional advisers: Lawyers and accountants, subject to confidentiality obligations
- Business transfers: In connection with a merger, acquisition, or sale of substantially all assets, with notice to you
7. INTERNATIONAL TRANSFERS
Our sub-processors Stripe, Formspree, and Vercel are based in the United States. Transfers of your Personal Data to these processors are made subject to Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), which provide appropriate safeguards for your data. Copies of the applicable SCCs are available from us on request at contact@micaready.eu.
We do not transfer Personal Data to countries that lack adequate protection under GDPR without appropriate safeguards.
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 What we use
We use only technically necessary cookies. We do not use advertising, tracking, or analytics cookies.
Session cookie
Type: Strictly necessary
Purpose: Maintaining your login session
Duration: Session (deleted when browser closes)
CSRF token
Type: Strictly necessary
Purpose: Security — preventing cross-site request forgery
Duration: Session
Preference cookie
Type: Functional
Purpose: Remembering language or display preferences, if applicable
Duration: 12 months
8.2 No consent banner required
Because we use only strictly necessary and functional cookies, no consent banner is required under the Spanish Law on Information Society Services (LSSI-CE) and ePrivacy Directive guidance. If we add non-essential cookies in future, we will update this policy and implement a compliant consent mechanism.
8.3 Third-party scripts
We do not embed third-party analytics scripts (e.g., Google Analytics), social media widgets, or advertising pixels on this website.
9. YOUR RIGHTS UNDER GDPR
You have the following rights regarding your Personal Data. We will respond to all valid requests within one (1) month, extendable by a further two months where necessary for complex requests.
9.1 Right of access (Article 15)
You have the right to obtain confirmation of whether we process your Personal Data, and if so, to receive a copy of it, together with information about the processing.
9.2 Right to rectification (Article 16)
You have the right to have inaccurate Personal Data corrected, or incomplete data completed.
9.3 Right to erasure / "right to be forgotten" (Article 17)
You have the right to request deletion of your Personal Data where: (a) it is no longer needed for the purpose it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed.
This right does not apply where retention is required by legal obligation (e.g., billing records).
9.4 Right to restriction of processing (Article 18)
You have the right to request that we restrict processing of your Personal Data in certain circumstances, for example while the accuracy of data is disputed.
9.5 Right to data portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
9.6 Right to object (Article 21)
You have the right to object at any time to processing based on legitimate interests (Article 6(1)(f)), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or processing is necessary for legal claims.
You have an unconditional right to object to processing of your Personal Data for direct marketing purposes.
9.7 Rights related to automated decision-making (Article 22)
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. This right is not currently applicable.
9.8 Right to withdraw consent
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights: email contact@micaready.eu with a clear description of your request. We will verify your identity before processing any request. There is no fee for reasonable requests.
10. RIGHT TO LODGE A COMPLAINT
If you believe we have not handled your Personal Data correctly, you have the right to lodge a complaint with a supervisory authority. The competent authority in Spain is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid
www.aepd.es
Telephone: +34 901 100 099
If you are based in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence.
We would appreciate the opportunity to address your concerns before you approach a supervisory authority, and invite you to contact us first at contact@micaready.eu.
11. SECURITY
We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- HTTPS encryption for all data in transit
- Access controls limiting who can access Personal Data
- Regular review of our security practices
- Contractual security obligations on all sub-processors
No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.
12. CHILDREN
The Service is not directed to individuals under 18. We do not knowingly collect Personal Data from children. If you believe we have inadvertently collected data from a child, please contact us at contact@micaready.eu and we will delete it promptly.
13. CHANGES TO THIS POLICY
We will update this Privacy Policy when necessary. Material changes will be notified by email to active subscribers at least 30 days before taking effect, and the "effective date" at the top of this page will be updated. We encourage you to review this policy periodically.
14. CONTACT
For any questions about this Privacy Policy or our data practices:
Michael Hansen
contact@micaready.eu
micaready.eu
Response time: within 5 business days for general queries, within 30 days for formal data subject rights requests.
This Privacy Policy is provided in English. In the event of a conflict between this version and any translation, the English version prevails.