Privacy Policy

Last updated: May 7, 2026

This Privacy Policy explains how Clevertrek processes personal data when you visit our website, create an Account, and use the Service.

Clevertrek is a service operated by Fernando Beneitez Vela-Hidalgo, a sole proprietor under Spanish law, holder of NIF 75794423Q, with registered address at Avenida del Hotel, 1, 15º, 08860 Castelldefels, Barcelona, Spain. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and the Spanish Law 34/2002 on Information Society Services and Electronic Commerce ("LSSI-CE") to the extent applicable, the Data Controller of your personal data when you use the Service in your personal capacity is Clevertrek.

When you use the Service on behalf of an organization (for example under a Team or Enterprise plan), Clevertrek may act as a Data Processor for personal data that the organization uploads or otherwise causes to be processed through the Service. In that case, the Data Processing Addendum (DPA) governs that processing.

1. Scope

This Policy applies to:

• the Clevertrek website at the public domain;
• the Clevertrek web application;
• the Clevertrek Chrome extension;
• the Clevertrek Progressive Web App (PWA);
• any APIs and integrations operated by Clevertrek.

It does not apply to third-party websites, services, or platforms linked from or integrated with Clevertrek. Those third parties have their own privacy policies, which we encourage you to review.

2. Categories of Personal Data We Process

Depending on how you use the Service, we may process the following categories of personal data:

(a) Account and identity data: name (or pseudonym), username, slug, email address, password (hashed), profile picture, biography, language preferences, time zone.

(b) Authentication data: authentication tokens, password reset tokens, two-factor authentication secrets (where applicable).

(c) Workspace and content data: the names, descriptions, links, notes, comments, tasks, images, attachments, and other content you create or upload to your Workspaces, Visors, Sections, and Groups.

(d) Collaboration data: the identities of users you collaborate with, permissions you grant or receive, mentions, and assignments.

(e) Engagement and interaction data: likes, saves, comments, cross-shares, shortcuts, and similar signals about how you interact with content on the platform, together with the derived engagement scores per URL or content item computed from those signals.

(f) Payment and billing data: plan tier, subscription status, billing address, VAT number (if any), invoices, payment history. Card numbers are not processed or stored by Clevertrek; they are processed directly by Stripe.

(g) Usage and telemetry data: IP address, device type, browser type and version, operating system, pages visited, features used, timestamps, error logs, performance metrics.

(h) Communications data: the content of emails, support tickets, and feedback you send us.

(i) AI Feature data: prompts, inputs, contextual data from your Workspaces, AI-generated outputs, and quota usage.

(j) Cookies and similar identifiers: see the Cookie Policy for details.

(k) Data from connected third-party services: when you connect Google, an MCP Connector, or another integration, we receive only the data within the scopes you authorize.

We do not knowingly process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) and we ask that you do not upload such data into the Service unless strictly necessary for your use case and lawful under the GDPR.

3. Sources of Personal Data

We receive personal data from:

• you, when you register, configure your Account, upload content, or contact us;
• other users, when they invite you, mention you, or share content with you;
• third-party services that you connect (Google, MCP Connectors, etc.);
• Stripe, in the form of billing metadata (not card numbers);
• automated logs generated by your interaction with the Service.

4. Purposes and Legal Bases for Processing (GDPR Article 6)

We process personal data for the following purposes and on the following legal bases:

Where we rely on legitimate interests, you have the right to object — see Section 20.

5. Account and Profile Data

We use your Account and profile data to identify you within the Service, to display your contributions to other users, and to communicate with you. Your username, profile picture, biography, and public Workspaces are visible according to the visibility settings you choose.

6. Workspace, Visor, and Content Data

Your User Content is stored on our infrastructure and processed only as needed to provide the Service to you and to the recipients you choose. Public Workspaces are accessible to anyone with the URL and may be indexed by search engines.

We do not access User Content for any purpose other than (a) operating, securing, and improving the Service, (b) responding to your support requests, (c) complying with applicable law or a valid legal request, or (d) where strictly necessary to investigate suspected violations of these Terms or applicable law.

7. Payment Data (Stripe)

Payments are processed by Stripe Payments Europe, Ltd. When you submit payment details, they are sent directly to Stripe through Stripe's secure forms. Clevertrek never sees or stores full card numbers, CVCs, or full bank-account numbers.

What Clevertrek receives from Stripe and stores: subscription status, plan, last four digits of the card, card brand, country, billing email, billing address, VAT number, and invoice metadata.

Stripe's privacy policy is available at https://stripe.com/privacy.

8. Usage, Telemetry, and Device Data

We automatically collect technical data when you use the Service (IP address, browser, OS, pages, errors). We use this data for security, debugging, capacity planning, fraud detection, and to understand how the Service is used in aggregate.

9. Content Interactions, Engagement Score, and Personalization

Clevertrek records the way you interact with content on the platform — such as likes, saves, comments, cross-shares, shortcuts, and similar engagement signals — to (a) operate the social and collaborative features of the Service, and (b) compute an algorithmic engagement score for each URL, link, Visor, or content item, which Clevertrek then uses internally to rank and personalize the content shown to you and to other users in feeds, walls, search results, discovery surfaces, and recommendations within the Service.

9.1 What we process

For each interaction event, Clevertrek typically stores: your user identifier, the URL or content identifier you interacted with, the type of interaction (e.g., like, save, comment, cross-share, shortcut), a timestamp, and limited contextual metadata (such as the Workspace where the interaction took place).

9.2 How the engagement score is computed

The engagement score for a given URL or content item is computed by a deterministic algorithm that weights different categories of interaction. Different interaction types reflect different strengths of signal: stronger commitments (such as adding a content item as a shortcut, or cross-sharing it to another Workspace) typically weigh more than lighter signals (such as a like), because they reflect a stronger expression of value or curation by the user. The exact formula and weights may evolve over time as we improve the algorithm.

9.3 What we use it for

Clevertrek uses interaction data and the resulting engagement scores only inside the Service, to:

• rank and order content in feeds, walls, search results, and discovery sections;
• personalize content recommendations to you, based on the topics, sources, and types of content you engage with;
• surface high-quality and well-curated content to the wider community of users;
• inform aggregated, anonymized analytics about how content circulates on the platform.

We do not sell, share, or otherwise transfer interaction data or engagement scores to third parties for advertising, profiling, or any unrelated purpose. Engagement data is not transmitted to our AI provider (Anthropic) or to any other external party beyond the strictly necessary infrastructure subprocessors listed in Section 17.

9.4 Legal basis

The legal basis for processing interaction data and engagement scores is Clevertrek's legitimate interest (Article 6(1)(f) GDPR) in operating, securing, and improving the Service, and in providing users with relevant, personalized, and well-curated content. We have balanced our legitimate interest against your rights and freedoms and concluded that this processing has a limited impact on you: it does not produce legal or similarly significant effects, it affects only what content is shown to you inside Clevertrek, and you can object or adjust your interactions at any time.

9.5 No significant automated decisions

This processing is not automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. The engagement score affects only what content is recommended or ranked higher for you inside the Service. It does not affect any legal, financial, employment, credit, or material right of yours, and it does not produce decisions about you that you cannot influence by changing your interactions.

9.6 Your controls

You can:

• delete individual interactions (e.g., remove a like, save, shortcut, or cross-share) at any time inside the Service, which removes them from the engagement-score calculation going forward;
• close your Account, at which point your interaction history is removed from the system in accordance with Section 19 (Data Retention Periods), except where retention is required by law;
• exercise your right to object (Article 21 GDPR) to processing based on legitimate interest, including for personalization purposes, by writing to privacy@clevertrek.com. If you object, Clevertrek will stop using your interaction data for personalization (where technically feasible) unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defense of legal claims.

10. Cookies and Similar Technologies

We use cookies, local storage, session storage, and service worker caches. See the Cookie Policy for the full list, purposes, retention, and how to manage your preferences.

11. Google API Services Data Handling

This Section 11 describes in detail how Clevertrek accesses, uses, stores, and shares data obtained through Google APIs. It is designed to comply with, and to make verifiable for review purposes, the Google API Services User Data Policy and the Limited Use requirements that apply to it.

For the avoidance of doubt: this Section 11 supplements, and where applicable prevails over, the more general statements in this Privacy Policy with respect to data obtained through Google APIs ("Google User Data").

10.1 Application Identity and Verified Domain

The application that requests Google User Data is registered with Google under the name "Clevertrek" and is operated by Fernando Beneitez Vela-Hidalgo (sole proprietor under Spanish law, NIF 75794423Q). The verified domain associated with the OAuth consent screen and with this Privacy Policy is the public Clevertrek domain. The OAuth consent screen displays the application name, logo, support email, and links to this Privacy Policy and to the Terms of Service.

10.2 Summary of Google APIs and OAuth Scopes Used

Clevertrek requests the minimum set of OAuth scopes required to deliver the features described below. The Service does not request scopes for features it does not actively use, and it does not request "wildcard" or unnecessarily broad scopes when a more limited scope is sufficient.

Clevertrek does not currently request the broader https://www.googleapis.com/auth/drive or auth/drive.readonly scopes, the read-write analytics or analytics.edit scopes, nor any Gmail or Google Calendar scopes. If new scopes are added in the future, this Privacy Policy and the OAuth consent screen will be updated accordingly, and any new scope categorized by Google as Sensitive or Restricted will be subject to Google's verification process before being enabled in production.

10.3 Google Sign-In and OAuth Identity

What we access. When you sign in with Google, Clevertrek receives only your basic OpenID Connect profile information: your Google account ID, name, primary email address, and profile picture URL.

Why we use it. To create or look up your Clevertrek Account, to authenticate you, and to display your name and avatar inside the Service.

Retention. This information is stored in your Clevertrek Account profile for as long as the Account is active. It is deleted in accordance with our retention rules (Section 19) when the Account is closed.

No further use. Clevertrek does not use Sign-In data for advertising, profiling, or AI-model training. It is not shared with third parties beyond the subprocessors listed in Section 17.

10.4 Google Search Console Integration

This is the integration that involves the most sensitive Google User Data, and we describe it in detail.

What we access. When you connect your Google account to the Search Console feature, Clevertrek calls the Google Search Console API with the read-only scope https://www.googleapis.com/auth/webmasters.readonly. Through this scope, we access only the properties (sites) verified to your Google account in Search Console, and the metrics, queries, pages, countries, devices, and dates that you select inside the Clevertrek interface for the property you choose.

We do not access:

• Search Console properties of any other Google account that you have not explicitly connected;
• write/modify endpoints of the Search Console API;
• data outside the property and date range you choose to display.

Why we use it. To display, inside your Workspace, the SEO and search-performance data of your own properties — for example, top queries, top pages, click-through rates, average positions, indexing status, and similar information that helps you organize and curate your knowledge about your own websites.

Where the data flows. Search Console responses flow from Google directly to the Clevertrek server that handles your request, are processed to render charts and tables, and are returned to your browser inside your authenticated Workspace. They are not transmitted to any third party other than the infrastructure subprocessors strictly necessary to operate the Service (Section 17).

Caching and retention. For performance, Clevertrek may cache Search Console API responses for short periods (typically minutes to hours) tied to your session and Workspace, after which the cache expires. We do not build a long-term, server-side database of your Search Console history beyond what is necessary to render the feature. When you disconnect Search Console or revoke access, cached data and stored OAuth tokens for that integration are deleted within a reasonable period (see Section 11.13).

No commercial reuse. Clevertrek does not aggregate, republish, sell, or otherwise commercially exploit Search Console data of any user. Each user's Search Console data is visible only inside their own Workspace and to users to whom they have explicitly granted access within that Workspace.

No AI / ML training. Search Console data is not used to train generalized AI or ML models, neither by Clevertrek nor, by configuration, by any AI provider that powers AI Features.

10.5 Google Picker API

What we access. The Google Picker is a Google-hosted UI that runs inside an iframe in your browser. When you use the Picker to select files from your own Google Drive to attach to a Workspace, Clevertrek receives only the metadata of the files you actively pick (file ID, file name, mime type, web view link, and similar lightweight properties) and an access token scoped to the file-by-file drive.file scope, which limits Clevertrek's access to only the files you have explicitly opened or created with Clevertrek through the Picker.

We do not access files you have not picked, your full Drive contents, your Drive folder structure, or any file's contents beyond what is strictly needed to render a preview or to fetch the file when you ask Clevertrek to do so.

Why we use it. To let you attach Drive-based content to your Workspaces without uploading it again.

Retention. File metadata associated with a Workspace is retained for as long as the Workspace exists or until you remove the attachment. You can disconnect the Drive connection at any time inside Clevertrek and at https://myaccount.google.com/permissions.

10.6 Google Analytics Data API (GA4) — User Data Integration

This subsection covers the GA4 addon through which a user connects their own Google Analytics 4 account to Clevertrek to display their own analytics data inside their Workspace. It is distinct from the public-website measurement described in Section 11.7.

What we access. When you connect your Google account to the GA4 addon, Clevertrek calls the Google Analytics Data API with the read-only scope https://www.googleapis.com/auth/analytics.readonly. Through this scope, we access only the GA4 properties to which your Google account has access, and the dimensions and metrics (such as users, sessions, page views, events, conversions, traffic sources, devices, countries, and date ranges) that you select inside the Clevertrek interface for the property you choose.

We do not access:

• GA4 properties of any other Google account that you have not explicitly connected;
• Universal Analytics (deprecated by Google) data;
• write/modify endpoints of any Google Analytics API;
• the broader analytics or analytics.edit scopes;
• Google Analytics user-management or admin endpoints.

Why we use it. To display, inside your Workspace, the traffic and engagement metrics of your own GA4 properties — for example, top pages, top events, conversion funnels, traffic sources, and audience information that helps you organize and curate your knowledge about your own websites and apps.

Where the data flows. GA4 responses flow from Google directly to the Clevertrek server that handles your request, are processed to render charts and tables, and are returned to your browser inside your authenticated Workspace. They are not transmitted to any third party other than the infrastructure subprocessors strictly necessary to operate the Service (Section 17).

Caching and retention. For performance, Clevertrek may cache GA4 API responses for short periods (typically minutes to hours) tied to your session and Workspace, after which the cache expires. We do not build a long-term, server-side database of your GA4 history beyond what is necessary to render the feature. When you disconnect the GA4 addon or revoke access, cached data and stored OAuth tokens for that integration are deleted within a reasonable period (see Section 11.13).

No commercial reuse. Clevertrek does not aggregate, republish, sell, or otherwise commercially exploit GA4 data of any user. Each user's GA4 data is visible only inside their own Workspace and to users to whom they have explicitly granted access within that Workspace.

No AI / ML training. GA4 data is not used to train generalized AI or ML models, neither by Clevertrek nor, by configuration, by any AI provider that powers AI Features. GA4 responses are not transmitted to our AI provider (Anthropic).

10.7 Google Analytics — Clevertrek's Public Website Measurement

Google Analytics is used only on the public website, to understand aggregate visitor behavior. Where EU law applies, it is loaded only after you grant analytics consent through our cookie banner. We use IP-anonymization features where available, do not enable Google's advertising features in our property, and do not use Analytics inside the authenticated Service.

10.8 Limited Use of Google User Data — Affirmative Statement

Clevertrek's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In specific terms, this means:

(a) Allowed use. Clevertrek uses Google User Data only to provide or improve user-facing features that are prominent in the Clevertrek user experience (specifically: Google Sign-In, the Search Console feature inside Workspaces, the Drive file picker for attachments, and the GA4 addon inside Workspaces).

(b) No transfer. Clevertrek does not transfer Google User Data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior notice to users.

(c) No advertising or unrelated AI training. Clevertrek does not use Google User Data for any advertising purpose, including personalized advertising, retargeting, or sale of advertising inventory; Clevertrek does not use Google User Data to develop, improve, or train generalized AI or machine-learning models, whether its own or those of third parties.

(d) No human reading. Clevertrek does not allow humans to read Google User Data unless: (i) we have obtained your affirmative consent for specific Google User Data; (ii) it is necessary for security purposes (such as investigating abuse or a security incident); (iii) it is necessary to comply with applicable law; or (iv) the data has been aggregated and anonymized and is being used for internal operations.

10.9 Sharing of Google User Data with Subprocessors

Google User Data may be processed by the following categories of subprocessors only to the extent strictly necessary to operate the Service:

• the hosting and infrastructure provider that hosts Clevertrek's servers and database;
• where applicable, an error-monitoring provider that may receive technical error traces (configured to scrub Google User Data from payloads where reasonably possible).

Google User Data is not transmitted to:

• the AI provider (Anthropic) — Search Console responses, Drive metadata, GA4 responses, and other Google User Data are not sent to Anthropic;
• payment processors;
• email-delivery providers;
• analytics providers;
• any advertising or marketing platform.

The current list of subprocessors is available on request and, for Team/Enterprise customers, in Annex III of the DPA.

10.10 Retention of Google User Data

10.11 Human Access to Google User Data

By default, no human at Clevertrek reads any user's Google User Data. Engineering, support, and administration staff (currently limited to the operator named in this Privacy Policy) operate the Service through aggregated metrics, error counters, and structured logs that exclude Google User Data payloads where reasonably possible.

A human may access Google User Data only in the limited cases set out in Section 11.8(d): explicit user consent, security incident investigation, legal obligation, or aggregated-and-anonymized internal operations. Any such access is logged.

10.12 Storage and Security of Google User Data

Google User Data is protected by the security measures described in Section 23 and in Annex II of the DPA, including:

• TLS encryption for all communications between client, Clevertrek, and Google APIs;
• Encryption at rest of OAuth refresh and access tokens (AES-256-CBC), so that tokens are not readable from a database export;
• Least-privilege access controls to the production environment;
• Logging and monitoring of unusual API call patterns;
• Token rotation and revocation when suspected compromise is detected.

10.13 Revoking Access and Deleting Google User Data

You can revoke Clevertrek's access to your Google account at any time in two equivalent ways:

1. From inside Clevertrek, disconnect the relevant integration in Account → Connections (or the equivalent integration management screen).
2. From your Google Account, at https://myaccount.google.com/permissions, by removing Clevertrek from the list of connected applications.

When access is revoked:

• the OAuth tokens stored by Clevertrek for that integration are invalidated and deleted within a reasonable period;
• cached Google User Data tied to that integration is deleted;
• any references to Drive attachments that can no longer be retrieved will be marked as unavailable in your Workspaces; the attachment metadata will be removed if you also remove the attachment.

If you wish Clevertrek to delete all data associated with your Account, follow the procedure in Section 20 (your rights under GDPR).

For a separate, focused disclosure aimed specifically at the Google API Services verification process, see the Google API Services Disclosure document.

12. Chrome Extension Data Handling and Permissions

The Clevertrek Chrome extension requests only the permissions strictly necessary for its functionality (typically activeTab, storage, and access to specific Clevertrek domains).

The extension processes:

• the URL, title, and meta-data of the page you actively choose to capture;
• your Clevertrek session token, to authenticate the capture into your Workspace.

The extension does not:

• track your browsing history in the background;
• read content of pages you have not actively chosen to capture;
• transmit data to any servers other than Clevertrek and the third-party services you have connected.

You can uninstall the extension at any time from your browser's extension manager.

13. PWA, Service Workers, and Push Notifications

When you install Clevertrek as a PWA, the application uses a service worker to cache assets for offline use and improved performance. The service worker stores cached responses on your device and removes them when you uninstall or clear browser data.

If you grant push notification permission, your browser provides a push subscription token which we store and use to deliver notifications. Push payloads are sent through the push provider operated by your browser vendor (e.g., Google FCM for Chrome). We do not include sensitive content in push payloads. You can disable push notifications at any time from your device settings or your Clevertrek preferences.

14. MCP Connectors — How Third-Party Data Flows Work

When you enable an MCP Connector, you authorize Clevertrek to relay relevant requests, prompts, and content from your AI Feature interactions to that external service.

For each MCP Connector you enable:

• we transmit only the data that is necessary to perform the action you requested;
• we do not retain external-service responses beyond what is needed to display them to you and to log the request for security and debugging purposes;
• the external service's privacy practices apply to data received by it.

You can disable an MCP Connector at any time from your Account settings.

15. AI Processing (Anthropic / Claude)

AI Features are powered by Anthropic, PBC (Claude API).

When you use AI Features:

• your prompt and any contextual data needed to fulfill the request are sent to Anthropic via the Claude API;
• Anthropic processes the request and returns the AI output;
• Clevertrek configures requests using Anthropic's API such that, by default, prompts and outputs are not used to train Anthropic's models, in accordance with Anthropic's commercial terms in force at the time;
• the AI output and quota usage are stored in your Account.

Anthropic's privacy policy is available at https://www.anthropic.com/legal/privacy.

For BYOK Plans, requests are made under your own API key. Your relationship with the AI provider in that case is governed directly by the provider's terms.

16. BYOK (Bring Your Own Key) — Handling of User-Provided API Keys

When you provide your own AI provider API key (BYOK):

• the key is encrypted at rest using AES-256-CBC before being stored in our database;
• the key is decrypted only when needed to make a request on your explicit behalf;
• the key is never displayed back to you in clear after submission;
• you can rotate or delete the key from your Account settings at any time;
• when you delete the key or terminate your Account, the encrypted record is removed within a reasonable period.

17. Sharing with Third Parties and Subprocessors

We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary:

• Hosting and infrastructure providers that host the Service and its database;
• Stripe, for payment processing;
• Anthropic, for AI Feature requests when not in BYOK mode;
• Google, for the Google API integrations you have authorized;
• Email-delivery providers, for transactional and (where consented) marketing emails;
• Analytics providers, for usage analytics where consent has been granted;
• Error-monitoring providers, for diagnosing and fixing bugs;
• Professional advisors (lawyers, accountants, auditors) under confidentiality;
• Authorities and courts, where required by a valid legal request.

A current list of subprocessors is available on request and, for Team/Enterprise customers, in Annex III of the DPA.

18. International Data Transfers and Safeguards

Some of our service providers may process data outside the European Economic Area (EEA), particularly in the United States. Where this is the case, we rely on appropriate safeguards under Chapter V of the GDPR, such as:

• the EU–U.S. Data Privacy Framework for certified providers;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• supplementary measures where required, such as encryption.

You may request a copy of the relevant safeguards by contacting us.

19. Data Retention Periods

We keep personal data only for as long as necessary for the purposes for which it was collected, and in any case for the periods required by law:

After the applicable retention period, data is deleted or anonymized.

20. Your Rights Under GDPR

Subject to the conditions and limits set out in the GDPR, you have the following rights:

• Right of access (Art. 15) — to obtain confirmation of whether we process your personal data, and a copy of it;
• Right to rectification (Art. 16) — to have inaccurate or incomplete personal data corrected;
• Right to erasure (Art. 17) — to request deletion in certain circumstances;
• Right to restriction of processing (Art. 18) — in certain circumstances;
• Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller;
• Right to object (Art. 21) — to processing based on legitimate interests, including profiling, and at any time to processing for direct marketing purposes;
• Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (Art. 22). Clevertrek does not currently make such decisions through the Service.

You also have the right to withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal).

21. How to Exercise Your Rights

To exercise any of these rights, write to us at the contact email below. We may need to verify your identity before responding. We will respond within one (1) month of receiving your request, extendable by a further two (2) months for complex requests.

22. Children's Privacy

The Service is not directed at children under the age of 14 in Spain (or the equivalent age of digital consent in your country). We do not knowingly collect personal data from such children. If you believe we have done so, please contact us and we will delete it.

23. Security Measures

We implement reasonable technical and organizational security measures, including encryption in transit (TLS), encryption at rest of sensitive secrets, access controls, dependency monitoring, and regular updates. See Section 27 of the Terms of Service for further detail.

24. Data Breach Notification Procedure

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Spanish Data Protection Agency (AEPD) within seventy-two (72) hours where feasible, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with Article 34.

25. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice with at least fifteen (15) days' notice before taking effect, except where immediate change is required by law.

26. Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority. The competent authority for Clevertrek is:

Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6 28001 Madrid, Spain https://www.aepd.es

You may also lodge a complaint with the supervisory authority of your country of residence within the EU.

27. Contact

For any questions about this Privacy Policy or about how we process your personal data, contact us at:

Clevertrek (Fernando Beneitez Vela-Hidalgo, sole proprietor, NIF 75794423Q) Avenida del Hotel, 1, 15º 08860 Castelldefels, Barcelona, Spain Email: privacy@clevertrek.com (replace with your actual contact email)