Legal Center · B'local Web Platform

Privacy Policy & Data Processing Notice

Governing the collection, processing, transfer and safeguarding of personal data within the B'local web platform (blocalapp.com), the business dashboard, the administrative console and all supporting backend infrastructure operated by BL PLATFORM S.L.

Version 4.0 · Effective: 30 May 2026 · GDPR · LOPDGDD · LSSI-CE

Preamble & Mutual Assent

Preamble

This Privacy Policy and Data Processing Notice (the "Policy") constitutes a legally binding and enforceable instrument between the natural person accessing, browsing, registering for, or otherwise utilising the B'local web platform, its business dashboard, its administrative console and its supporting backend services (the "User", "Data Subject" or "You"), and BL PLATFORM S.L., a limited liability company duly organised and existing under the laws of the Kingdom of Spain, with registered domicile in Barcelona, acting in its capacity as Data Controller (the "Controller", "Company", "We" or "Us").

By affirmatively interacting with the website published at the domains blocalapp.com, www.blocalapp.com and any subdomain, preview deployment or staging environment operated by the Controller (collectively, the "Platform"), the User unequivocally stipulates to having read, fully understood, and freely consented to the data processing methodologies set out herein. Where the User does not concur with any provision, clause or technical mechanism described in this Policy, the User's exclusive and immediate remedy is to cease all use of the Platform and, where applicable, to exercise the right of erasure pursuant to Article 17 GDPR.

This Policy is drafted in compliance with, and shall be construed by reference to: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"); (ii) Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"); (iii) Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce ("LSSI-CE"); (iv) Directive 2002/58/EC ("ePrivacy Directive"); (v) the Digital Services Act (Regulation (EU) 2022/2065); and (vi) any further mandatory provisions of the laws of the User's habitual residence.

For the avoidance of doubt, this Policy governs the web platform only. The privacy regime applicable to the B'local mobile application is set out in a separate instrument available at /app-privacy-policy.

Article I

Defined Terms

For the purposes of this Policy, the capitalised terms below shall bear the ascribed meanings:

1.1 Personal Data

Any information relating to an identified or identifiable natural person within the meaning of Article 4(1) GDPR.

1.2 Processing

Any operation performed upon Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, disclosure, transmission, restriction, erasure or destruction.

1.3 Controller

BL PLATFORM S.L., the entity which alone or jointly with others determines the purposes and means of the Processing.

1.4 Processor / Sub-Processor

Any natural or legal person which Processes Personal Data on behalf of the Controller pursuant to a written instrument satisfying the requirements of Article 28 GDPR.

1.5 Platform

The websites blocalapp.com and www.blocalapp.com, together with the business dashboard, the administrative console, all preview and staging environments, the public APIs and all related backend services.

1.6 Business User

A natural person registered on the Platform on behalf of a hospitality establishment (restaurant, bar, café, venue) for the purpose of managing the establishment's public-facing profile.

1.7 End-User

A natural person registered on the Platform in a non-commercial capacity for the purpose of discovering, reviewing or interacting with hospitality establishments.

1.8 Pseudonymisation

The Processing of Personal Data in such a manner that it can no longer be attributed to a specific Data Subject without the use of additional information, within the meaning of Article 4(5) GDPR.

1.9 Audit Trail

An append-only, tamper-evident log of administrative or sensitive actions performed within the Platform, retained for forensic, security and accountability purposes.

1.10 Sensitive / Special Category Data

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

Article II

Identity of the Data Controller

Pursuant to Article 4(7) GDPR and the parallel provisions of LOPDGDD, BL PLATFORM S.L. acts as the sole Data Controller in respect of the Personal Data Processed through the Platform.

Controller: BL PLATFORM S.L.

Registered Office: Carrer de Lepant, 270, 08013 Barcelona, Spain

NIF (Tax Identification Number): B88709738

Commercial Registry: Registro Mercantil de Barcelona

Privacy & Data Protection Enquiries: support@blocalapp.com

Support: support@blocalapp.com

Statutory inquiries, Data Subject Access Requests ("DSARs"), erasure, portability, objection, restriction or rectification requests, and any regulatory correspondence shall be directed in writing to the Controller at the e-mail address set out above. The Controller shall respond within one (1) calendar month from receipt, extendable by two (2) further months where required by the complexity or volume of requests, in accordance with Article 12(3) GDPR.

Article III

Territorial & Material Scope

This Policy applies extraterritorially to the Processing of Personal Data of all Users of the Platform, irrespective of the User's place of residence and irrespective of whether the Processing itself takes place within the European Economic Area. The Controller asserts compliance with the extraterritorial reach provisions of Article 3 GDPR.

Materially, this Policy governs every interaction with the Platform, including but not limited to: browsing of public pages, account registration and authentication, business onboarding, content creation, content moderation, customer support correspondence, billing and invoicing operations, and any access by the Controller's personnel through the administrative console.

Article IV

Categories of Personal Data Processed

The Controller, observing the principle of data minimisation enshrined in Article 5(1)(c) GDPR, Processes the following categories of Personal Data:

4.1 Identity & Contact Inputs

Given names, surnames, verified e-mail addresses, declared display names and (where the User elects to provide them) profile photographs.

4.2 Authentication Credentials

Hashed and salted passwords (PBKDF2/bcrypt as managed by the upstream identity provider), session tokens, refresh tokens, one-time password (OTP) codes, federated identity provider sub-claims and trusted-device fingerprints.

4.3 Business Account Data

Establishment trade name, registered address, fiscal identification number, public-facing description, opening hours, menu data, marketing assets and any documentation submitted to evidence ownership or representation rights.

4.4 User-Generated Content

Reviews, ratings, photographs, comments and any communications submitted through the Platform's forms or messaging surfaces.

4.5 Technical & Device Data

IP address (truncated and HMAC-pseudonymised where stored beyond the strictly necessary period), user-agent string, browser type and version, operating system, screen resolution, language, time zone, referring URL, request timestamps and bot-detection signals.

4.6 Usage & Interaction Data

Pages and routes visited, navigation paths, server response codes, server function invocations, performance metrics, error events and the duration of sessions.

4.7 Transactional & Billing Data

Subscription tier, billing cycle, invoice identifiers, last four (4) digits of the payment instrument, billing country, VAT identification number (for Business Users) and the metadata returned by the payment service provider. Full card details are never processed or stored by the Controller.

4.8 Support & Correspondence Data

The content of any e-mail, contact form submission or support ticket exchanged with the Controller, together with associated metadata.

4.9 Inferred & Derived Data

Fraud and abuse risk scores, account-quality scores, content-moderation classifications and any other signal produced by automated processing as set out in Article XXVII.

The Controller does not intentionally Process Sensitive / Special Category Data within the meaning of Article 9 GDPR. Where such data may incidentally be contained in User-Generated Content (for example, a review revealing dietary or religious preferences), the User affirmatively consents to such Processing by submitting the content, pursuant to Article 9(2)(a) GDPR.

Article V

Sources of Personal Data

The Controller collects Personal Data from the following enumerated sources:

  1. Directly from the User — at the moment of registration, profile completion, content submission, support request or any other voluntary interaction with the Platform;
  2. Automatically from the User's device — by way of server-side request logging, cookies, similar technologies and bot-detection signals, as further described in Articles X and XVII;
  3. From federated identity providers — where the User elects to authenticate via Google OAuth 2.0 or another supported social identity provider, limited to the sub-claim, e-mail address and display name disclosed by the provider;
  4. From the payment service provider — where applicable, by way of webhook callbacks reporting the status of subscriptions and invoices, limited to non-card metadata;
  5. From abuse-prevention services — by way of risk scores returned by bot-detection providers in respect of the User's request;
  6. From public registries — where strictly necessary to verify the legitimacy of a Business User account.

Article VI

Purposes of Processing

Personal Data is Processed exclusively for the following enumerated purposes:

  1. Provision, maintenance, improvement and security of the Platform;
  2. Account creation, authentication, multi-factor verification and identity management;
  3. Operation of the business dashboard, including establishment onboarding and content publication;
  4. Content moderation and enforcement of the Platform's Terms of Service;
  5. Detection, prevention, investigation and remediation of fraud, abuse, scraping, automated bot traffic and security incidents;
  6. Performance of contractual obligations, including the processing of subscription fees and the issuance of invoices;
  7. Compliance with legal, regulatory, accounting, tax and law-enforcement obligations;
  8. Establishment, exercise or defence of legal claims;
  9. Transactional communications (account lifecycle, security alerts, billing notifications);
  10. With separate opt-in consent: direct marketing, product announcements and user research.

Article VIII

Hosting & Platform Infrastructure

The Platform is engineered as a server-side rendered React application deployed at the edge. The following infrastructure components participate in the Processing of Personal Data:

8.1 Edge Hosting

The Platform's static assets and server functions are deployed to a globally distributed edge runtime operated by Lovable AB and its underlying infrastructure providers (Cloudflare Workers). Requests are routed to the nearest point of presence and Processed in-memory; no persistent storage occurs at the edge layer.

8.2 Primary Database

User accounts, business records, content and metadata are persisted in a managed PostgreSQL cluster operated by Supabase (Supabase Inc.). The cluster enforces Row-Level Security (RLS) policies at the database level: every authenticated query is constrained by a SQL predicate evaluated against the JWT claims of the requesting User, preventing cross-tenant data access by construction.

8.3 Edge Network & WAF

Inbound HTTPS traffic transits Cloudflare, which provides TLS termination, DDoS mitigation, a Web Application Firewall (WAF), bot scoring and country-level threat intelligence. Cloudflare Processes IP addresses and request headers for the strict purpose of network security.

8.4 Object Storage

Uploaded media (profile photos, business assets) is persisted to managed object storage with access control lists derived from the database RLS policies.

8.5 Background Workers

Long-running and scheduled tasks (retention sweeps, suppression-list reconciliation, idempotent retries) are executed by server functions invoked by an internal scheduler. No User data is exfiltrated outside the production trust boundary.

8.6 Secret Management

API keys, signing keys and database credentials are stored in an isolated secret store, never committed to source control, never transmitted to the User's browser and rotated upon staff changes.

Article IX

Recipients & Sub-Processors

In accordance with Article 28 GDPR, the Controller engages the following sub-processors, each of which is bound by a written data processing agreement imposing obligations no less protective than those set out in this Policy:

Lovable AB (Sweden): Edge hosting, build orchestration and platform observability for the web application.
Supabase Inc. (USA / EU): Managed PostgreSQL, authentication and storage services. EU region selected where available.
Cloudflare, Inc. (USA): Edge network, TLS termination, WAF, DDoS mitigation, bot scoring.
Stripe Payments Europe Ltd. (Ireland): Subscription billing, PCI-DSS-compliant card processing, invoice issuance.
Mailgun Technologies, Inc. (USA / EU): Transactional e-mail delivery (security codes, account notifications, billing receipts).
FingerprintJS / BotD (USA): Open-source bot detection signals processed in-memory at the edge for abuse mitigation.
Google LLC (Ireland / USA): Federated identity provider where the User elects "Sign in with Google".
Discord Inc. (USA): Internal operational alerting only — no End-User identifiers are transmitted.

A current and exhaustive list of sub-processors is maintained by the DPO and disclosed upon written request. The Controller shall provide at least thirty (30) days' prior notice of the addition or replacement of any sub-processor involved in the Processing of Personal Data, during which period Users may object on reasonable grounds.

Article X

Analytics, Telemetry & Observability

The Controller operates a minimal-footprint observability stack designed to satisfy legitimate security and reliability interests without engaging in invasive profiling:

10.1 Platform Analytics

The Controller relies on first-party server-side logs and the aggregated, pseudonymous platform analytics dashboard exposed by the hosting provider (Lovable). Such analytics report aggregate page views, request counts, response times and error rates. They do not set cross-site tracking cookies and do not transmit Personal Data to advertising networks.

10.2 Error Monitoring

Runtime exceptions and server-function errors are captured in structured logs containing the stack trace, the route, an opaque session identifier and an HMAC-pseudonymised IP address. Free-text User input is redacted server-side prior to log emission.

10.3 Performance Telemetry

Web Vitals (LCP, INP, CLS) are sampled in aggregate for the purpose of capacity planning. No User identifier is attached to such measurements.

10.4 No Third-Party Trackers

The Controller does not deploy Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, FullStory, session-replay tools or any equivalent third-party tracker on the public Platform.

10.5 Opt-In Product Analytics

Where, in the future, the Controller introduces optional product analytics requiring consent (e.g., feature-adoption telemetry), such Processing shall be conditioned upon the User's prior, granular, freely-given and revocable opt-in via the cookie consent banner.

Article XI

Administrative Console & Internal Tooling

The Controller operates an internal administrative console (the "Admin Panel") accessible exclusively to a strictly limited number of authorised personnel of the Controller. The Admin Panel is governed by the following safeguards:

11.1 Role-Based Access Control (RBAC)

Access to the Admin Panel is gated by a dedicated role table stored in PostgreSQL and evaluated through a SECURITY DEFINER function. Roles are granted on a strict need-to-know basis, time-boxed where appropriate, and revoked immediately upon termination of the staff member's engagement.

11.2 Mandatory Two-Factor Authentication

Every administrative session requires the successful completion of a second-factor challenge (TOTP or e-mail OTP). Trusted-device persistence is short-lived and may be revoked unilaterally by the Controller.

11.3 Audit Trail

Every sensitive administrative action — including reads of personal data, edits, deletions, role changes and content-moderation decisions — is recorded in an append-only audit log together with the actor identifier, the IP address (HMAC-pseudonymised), the user-agent, the action category and the affected resource identifier.

11.4 Principle of Least Privilege

Administrators are constrained by the same Row-Level Security policies that govern other database access; elevated access requires explicit invocation of an audited SECURITY DEFINER routine.

11.5 Forensic Retention

Audit-trail records are retained for twenty-four (24) months, after which they are pseudonymised and aggregated for statistical purposes only.

Article XII

Operational Alerting via Discord

The Controller operates a private, access-controlled Discord workspace exclusively for the purpose of receiving real-time operational alerts (security events, error spikes, billing failures, moderation queues). The following safeguards apply:

  1. Alerts are aggregated and pseudonymised — no End-User name, e-mail address, password, payment instrument or User-Generated Content is transmitted to Discord;
  2. Where an alert necessarily references a specific record, it does so by way of an opaque identifier (e.g., a UUID) that has no meaning outside the Controller's own systems;
  3. The Discord workspace is restricted to authorised personnel under contractual confidentiality obligations and protected by mandatory two-factor authentication;
  4. Discord is engaged purely as a notification transport; it is not a system of record and the Controller does not rely upon it for the storage of Personal Data;
  5. The legal basis for this Processing is the Controller's legitimate interest pursuant to Article 6(1)(f) GDPR in maintaining the security, availability and integrity of the Platform.

Article XIII

Transactional E-mail Pipeline

The Controller dispatches transactional e-mail messages — strictly necessary to the operation of the Platform — through the e-mail service provider identified in Article IX. The pipeline implements the following guarantees:

13.1 Strictly Transactional

Messages are limited to security one-time-password codes, account verification, password resets, billing receipts, subscription notifications and replies to support enquiries. The Controller does not engage in unsolicited marketing through this channel.

13.2 Idempotency & Deduplication

Each outbound message is associated with a server-generated idempotency key, preventing duplicate delivery in the event of upstream retries.

13.3 Suppression Lists

Bounce and complaint events received from the e-mail provider's webhook are reconciled into an internal suppression list, ensuring that the Controller ceases delivery to addresses that have signalled non-deliverability or unsubscription.

13.4 DKIM, SPF & DMARC

All outbound e-mail is cryptographically signed (DKIM), the sending domain publishes SPF and DMARC records (p=reject), and inbound bounce processing validates DMARC alignment.

13.5 Content Minimisation

Message bodies contain only the minimum data strictly necessary to fulfil the purpose of the message; full account data is never embedded in e-mail bodies.

Article XIV

Authentication, Sessions & Two-Factor Verification

Authentication is delegated to a managed identity service (Supabase Auth). The following cryptographic and procedural safeguards apply:

  1. Passwords are never stored in plaintext; they are processed through an industry-standard memory-hard password-hashing function with per-record salts;
  2. Session and refresh tokens are signed JSON Web Tokens (JWT) transmitted over TLS 1.2+ and bound to a server-side session record;
  3. Sign-in attempts are subject to rate limiting and bot scoring; suspicious attempts trigger an additional verification challenge;
  4. Sensitive sessions require a second-factor (2FA) verification by way of an e-mail OTP, with a ninety (90) second cooldown between code regenerations to prevent abuse of the resend channel;
  5. Trusted-device tokens are short-lived, cryptographically bound to the originating browser, and may be revoked individually from the User's account settings.

Article XV

Bot Mitigation & Abuse Controls

The Controller deploys layered defences to preserve the integrity of the Platform and the trust that legitimate Users place in it:

15.1 Edge Bot Scoring

Cloudflare evaluates each inbound request against threat-intelligence signals and assigns a bot score; requests presenting an unacceptable score are challenged, rate-limited or refused.

15.2 Application-Layer Detection

An open-source bot detection library (BotD / FingerprintJS) provides additional signals at the application layer, processed in-memory for the duration of the request.

15.3 Rate Limiting

Sensitive endpoints (authentication, OTP issuance, password reset, content creation) are rate-limited per IP, per User and per session, with exponential backoff.

15.4 Honey-Pot Fields

Selected forms include invisible honey-pot fields whose population by an automated agent triggers silent rejection of the submission.

15.5 Risk-Based Step-Up

Anomalous patterns may trigger a step-up verification (additional 2FA challenge, e-mail re-confirmation) or, in egregious cases, the temporary suspension of the account pending manual review.

Article XVI

Payments, Invoicing & Tax Records

Where the User subscribes to a paid plan, payment is processed by Stripe Payments Europe, Ltd., which acts as an independent Data Controller in respect of card data. The Controller never sees, never stores and never transmits full card numbers, security codes or cardholder authentication credentials.

The Controller stores only the limited transactional metadata strictly necessary for the performance of the contract and the fulfilment of its accounting and tax obligations under Spanish law, including the invoice identifier, the subscription tier, the amount, the currency, the billing country, the VAT identification number (for Business Users), the last four digits of the payment instrument and the payment status. Such records are retained for six (6) years pursuant to Article 30 of the Spanish Commercial Code.

Article XVII

Cookies & Similar Technologies

The Platform uses the strict minimum of first-party cookies and similar technologies necessary for its operation. The following categories are deployed:

17.1 Strictly Necessary Cookies

Authentication cookies, session identifiers and CSRF protection tokens. These are exempt from consent under Article 5(3) of the ePrivacy Directive.

17.2 Functional Cookies

Language preference, theme selection, accessibility settings.

17.3 Security Cookies

Cloudflare bot-management cookies used to distinguish humans from automated agents.

17.4 Analytics Cookies

Not deployed on the public Platform without prior opt-in consent.

17.5 Marketing Cookies

Not deployed.

Where any non-essential cookie is introduced, it shall be conditioned upon the User's prior, granular, freely-given, specific and revocable consent expressed through the cookie consent banner. The User may at any time review or withdraw consent through the dedicated preferences centre.

Article XVIII

International Data Transfers

Certain sub-processors enumerated in Article IX are established outside the European Economic Area. In respect of such transfers, the Controller relies upon the following Article 46 GDPR transfer mechanisms:

  1. The European Commission's Standard Contractual Clauses (SCCs) — Decision (EU) 2021/914 — executed with each non-adequate-jurisdiction sub-processor;
  2. For transfers to the United States, the EU-U.S. Data Privacy Framework where the recipient is self-certified thereunder;
  3. Transfer Impact Assessments (TIAs) performed in line with EDPB Recommendations 01/2020, supplemented by technical measures (encryption in transit and at rest, pseudonymisation) and contractual measures (challenge of public-authority access requests).

A copy of the executed SCCs and the corresponding TIA may be obtained upon written request to the DPO, subject to redaction of commercially sensitive terms.

Article XIX

Retention Periods

The Controller retains Personal Data for the minimum period strictly necessary to fulfil the purposes for which it was collected, in accordance with the following schedule:

19.1 Active Account Data

Retained for the duration of the contractual relationship plus a residual period of thirty (30) days following account deletion, to allow for the reversal of erroneous deletion requests.

19.2 Tax & Billing Records

Six (6) years from the issuance of the invoice (Article 30 Spanish Commercial Code, Article 66 General Tax Law).

19.3 Authentication Logs

Twelve (12) months.

19.4 Server & Edge Logs

Ninety (90) days, after which records are pseudonymised or destroyed.

19.5 Administrative Audit Trail

Twenty-four (24) months.

19.6 Backups

Encrypted database backups are retained on a rolling thirty (30) day window and are subject to the same access controls as the live database.

19.7 Support Correspondence

Three (3) years from the date of the last interaction.

19.8 Suppression Lists

Indefinitely, for the strict purpose of honouring opt-outs and bounce events.

Article XX

Rights of the Data Subject

Under the GDPR and the LOPDGDD, Data Subjects established in the European Union are entitled to exercise the following rights at any time and free of charge (save where requests are manifestly unfounded or excessive):

  • Right of Access (Art. 15): Obtain confirmation of whether Personal Data is being Processed and, if so, a copy thereof.
  • Right to Rectification (Art. 16): Obtain the rectification of inaccurate Personal Data without undue delay.
  • Right to Erasure (Art. 17): Obtain the erasure of Personal Data where one of the grounds set out in Article 17(1) applies.
  • Right to Restriction (Art. 18): Obtain restriction of Processing in the circumstances enumerated by Article 18.
  • Right to Portability (Art. 20): Receive Personal Data in a structured, commonly used and machine-readable format.
  • Right to Object (Art. 21): Object on grounds relating to the User's particular situation to Processing based on Article 6(1)(f).
  • Right not to be Subject to Automated Decisions (Art. 22): Not be subject to a decision based solely on automated processing producing legal or similarly significant effects.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior Processing.
  • Right to Lodge a Complaint: Lodge a complaint with the Agencia Española de Protección de Datos (www.aepd.es) or with the supervisory authority of the User's habitual residence.

Requests shall be addressed in writing to support@blocalapp.com, accompanied by sufficient information to verify the requester's identity. The Controller shall respond within one (1) calendar month from receipt, extendable by two (2) further months under Article 12(3) GDPR.

Article XXI

Technical & Organisational Measures

The Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Such measures include, without limitation:

  1. Encryption of all data in transit by way of TLS 1.2 or higher, with HSTS, OCSP stapling and modern cipher suites;
  2. Encryption of data at rest by way of AES-256 at the storage layer;
  3. Row-Level Security policies enforced at the database engine, evaluated against the JWT claims of the requesting User;
  4. HMAC-SHA256 pseudonymisation of IP addresses where retained beyond the strictly necessary period, with a server-side keyed hash whose key is rotated quarterly;
  5. Hardware-backed multi-factor authentication for all staff with access to the production environment;
  6. Network-level isolation of the production environment from corporate networks;
  7. Immutable infrastructure deployments with full provenance tracking from source code to production artefact;
  8. Regular dependency scanning, static application security testing (SAST) and security regression tests prior to deployment;
  9. Periodic restoration tests of database backups;
  10. An internal incident response plan and a documented data-breach notification procedure.

Article XXII

Security Logging & Audit Trail

For the purpose of preserving the integrity of the Platform and meeting the Controller's accountability obligations under Article 5(2) GDPR, the following events are logged:

22.1 Authentication Events

Successful and failed sign-in attempts, OTP issuance and verification, password resets, 2FA setup and revocation, trusted-device events.

22.2 Authorisation Events

Role grants and revocations, RBAC checks resulting in denial, attempts to access resources outside the User's authorisation scope.

22.3 Administrative Actions

All Admin Panel actions, including reads of Personal Data, edits, deletions and content-moderation decisions.

22.4 Security Events

WAF rule activations, rate-limit triggers, bot-detection rejections, anomalous request patterns.

22.5 System Events

Deployments, configuration changes, secret rotations, scheduled-job executions and failures.

IP addresses stored in security logs beyond the strictly necessary technical window are pseudonymised by way of a server-side HMAC-SHA256 function. The pseudonymisation key is never transmitted to the client, is rotated periodically and is held under strict access controls.

Article XXIII

Personal Data Breach Procedure

In the event of a Personal Data breach within the meaning of Article 4(12) GDPR, the Controller shall, without undue delay and where feasible not later than seventy-two (72) hours after having become aware of it, notify the breach to the Agencia Española de Protección de Datos, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the breach to the affected Data Subjects without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences and the measures taken or proposed to address it.

Article XXIV

Staff Confidentiality & RBAC

Every member of the Controller's personnel with access to Personal Data is bound by a written confidentiality undertaking surviving the termination of the engagement. Access is provisioned on a strict need-to-know basis through the role-based access control system described in Article XI and is reviewed periodically by the DPO. Privileged access events are recorded in the audit trail described in Article XXII.

Article XXV

Protection of Minors

The Platform is not directed at children below the age of fourteen (14) years, the threshold of digital consent under Article 7 LOPDGDD. The Controller does not knowingly Process Personal Data of children below that age. Where the Controller becomes aware that Personal Data of a child below fourteen has been collected without the verifiable consent of the holders of parental responsibility, such data shall be deleted without undue delay.

Article XXVI

Third-Party Links & Embedded Content

The Platform may contain links to third-party websites, social networks or embedded content (e.g., map tiles, video embeds). Such third parties operate as independent Data Controllers in respect of any Personal Data Processed through their services, and their privacy policies apply autonomously. The Controller bears no responsibility for the data practices of such third parties and recommends that Users consult the relevant privacy policies prior to interacting with embedded content.

Article XXVII

Automated Decision-Making & Profiling

The Controller engages in limited automated processing for the strict purposes of fraud prevention, content moderation triage and bot mitigation. Such processing produces risk scores and moderation classifications that may result in automated friction (additional verification, temporary rate limiting, queueing for human review) but does not give rise to decisions that produce legal effects concerning the Data Subject or similarly significantly affect the Data Subject within the meaning of Article 22(1) GDPR.

Where an automated process results in the suspension or termination of an account, the Data Subject shall have the right to obtain human intervention, to express their point of view and to contest the decision by writing to support@blocalapp.com.

Article XXVIII

Direct Marketing & Communications

The Controller dispatches marketing communications exclusively where the recipient has provided prior, freely-given, specific, informed and unambiguous opt-in consent, in accordance with Article 22 LSSI-CE and Article 6(1)(a) GDPR. Every marketing communication includes a one-click unsubscription mechanism. Unsubscription requests are reconciled into the suppression list described in Article XIII and honoured without undue delay.

Article XXIX

Users Outside the European Economic Area

Users whose habitual residence lies outside the European Economic Area benefit from the substantive guarantees of this Policy. The Controller voluntarily extends the procedural guarantees of the GDPR — including the rights of access, rectification, erasure, portability and objection — to such Users, subject to the applicable mandatory provisions of their local law.

Article XXX

Amendments to this Policy

The Controller reserves the right to amend, alter or supplement this Policy at any time. Material amendments shall be communicated through an in-platform notice and, where the User has provided an e-mail address, by e-mail, at least thirty (30) calendar days prior to entry into force. Continued use of the Platform following such notice constitutes binding ratification of the revised instrument. The historical versions of this Policy are archived and may be obtained upon written request to the DPO.

Article XXXI

Severability, No Waiver & Entire Agreement

If any provision of this Policy is held by a court of competent jurisdiction to be invalid, illegal or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be construed to give it maximum lawful effect in accordance with the intent of the Parties. The failure of the Controller to enforce any provision shall not constitute a waiver of its right to enforce that or any other provision. This Policy, together with the Terms of Service and any document expressly incorporated by reference, constitutes the entire understanding of the Parties in respect of the Processing of Personal Data through the Platform.

Article XXXII

Governing Law & Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of the Kingdom of Spain. The Courts of Barcelona shall have exclusive jurisdiction over any dispute arising from or in connection with this Policy, without prejudice to the User's non-waivable right to bring proceedings in the courts of their place of residence pursuant to Regulation (EU) 1215/2012 (Brussels I bis) or equivalent local consumer protection statutes.

Article XXXIII

Contact & Complaints

Controller: BL PLATFORM S.L.

NIF: B88709738

Registered Office: Carrer de Lepant, 270, 08013 Barcelona, Spain

Privacy & Data Protection Enquiries: support@blocalapp.com

Support: support@blocalapp.com

Spanish supervisory authority — Agencia Española de Protección de Datos: www.aepd.es

End of Document · BL PLATFORM S.L. · © 2026