MiemBoxApp - Privacy Policy

Privacy Policy

In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE)

Last updated: March 2026

1. Data Controller

MiemBoxApp is a SaaS platform operated by [COMPANY_NAME], with tax ID [NIF] and registered address at [ADDRESS]. For data protection inquiries, contact us at [PRIVACY_EMAIL].

Within this platform:

• Your organization (the entity that invited you) is the Data Controller — they determine the purposes and means of processing your personal data.
• MiemBoxApp acts as the Data Processor — we process your data solely on behalf of and under the instructions of your organization.

For questions about why your data is processed or to exercise your rights, contact your organization's administrator. For questions about how the platform handles your data technically, contact us at [PRIVACY_EMAIL].

2. What Data We Process

Category	Data	Purpose
Account	Email, username, display name, preferred language	Authentication, identification within the platform
Security	Hashed password, login timestamps, IP address, user agent	Account security, fraud prevention, audit logging
Profile	First name, last name, avatar	Display within the organization
Membership	Phone, address, date of birth, tax ID (if provided by your organization)	Organization management as determined by your Data Controller
Activity	Event attendance, meeting responses, communication read status	Organization coordination
Financial	Donation records, tax certificates (if applicable)	Financial management and legal tax obligations
Preferences	Communication preferences, privacy settings	Respecting your choices about notifications and visibility

3. Legal Basis for Processing

Your personal data is processed on the following legal bases:

• Contract performance (Art. 6.1.b GDPR): Processing necessary to provide your user account and platform access
• Legitimate interest (Art. 6.1.f GDPR): Security measures, audit logging, fraud prevention
• Legal obligation (Art. 6.1.c GDPR): Retention of financial records where required by Spanish tax law
• Consent (Art. 6.1.a GDPR): Non-essential communications (meeting notifications, newsletters) — you can withdraw consent at any time via Settings > Privacy

4. Your Rights

Under the GDPR and LOPDGDD, you have the following rights:

Right	Description	How to exercise
Access	Obtain a copy of your personal data	Contact your organization admin; data export is available
Rectification	Correct inaccurate data	Edit your profile in Settings, or contact your admin
Erasure	Request deletion of your data	Contact your organization admin
Portability	Receive your data in a structured format	Excel export available through your organization
Restriction	Limit how your data is processed	Contact your organization admin
Objection	Object to specific processing activities	Use communication preferences in Settings > Privacy
Automated decisions	Not be subject to decisions based solely on automated processing	Not applicable — MiemBoxApp does not perform automated profiling or decision-making

You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.

5. Communication Preferences

You can control which non-essential communications you receive:

• Meeting notifications: Email notifications about meetings created, updated, or cancelled
• General communications: Announcements, newsletters, and other organization messages
• Cross-organization messages: Messages from users in other organizations

These preferences can be changed at any time in Settings > Privacy. Transactional emails (password resets, security alerts, invitation links) cannot be disabled as they are essential for account operation.

6. Data Retention

• Account data: Retained while your account is active. Upon deactivation, your data is soft-deleted and can be permanently erased by your organization admin.
• Audit logs: Retained for the duration of the service agreement for security and compliance purposes.
• Financial records: Donation and tax certificate data may be retained as required by Spanish tax legislation (typically 4–5 years).
• Authentication tokens: Expired tokens are automatically purged within 30 days.

7. Data Security

We implement the following technical measures to protect your data:

• All data transmitted over HTTPS/TLS encryption
• Passwords stored using BCrypt one-way hashing (never in plain text)
• Multi-tenant isolation — your organization's data is strictly separated from other organizations at the database level
• No personal data stored in authentication tokens (JWT)
• Personal data masked in server logs and audit records
• Role-based access controls within each organization
• Automatic account lockout after repeated failed login attempts

8. Cookies and Local Storage

MiemBoxApp uses only essential storage mechanisms required for the application to function:

Storage	Purpose	Duration
Session Storage	Authentication token (JWT)	Browser session only
Local Storage	Theme preference, language, organization info	Until cleared

We do not use tracking cookies, analytics services, advertising pixels, or any third-party tracking technologies.

9. International Data Transfers

Your data is hosted within the European Union. If any sub-processor requires data transfer outside the EU, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are applied in accordance with Chapter V of the GDPR.

10. Sub-processors

MiemBoxApp uses the following sub-processors to provide the service:

Sub-processor	Purpose	Location
Cloud hosting provider	Infrastructure and data storage	EU
Email service provider	Transactional email delivery	EU/US (with appropriate safeguards)

For details on processor obligations and sub-processor management, see our Data Processing Agreement.

11. Children's Data

MiemBoxApp does not knowingly collect personal data from children under the age of 14 (as per LOPDGDD Article 7). Organization administrators are responsible for ensuring that minors' data is processed with appropriate parental or guardian consent.

12. Limitations of Liability

• Data Controller obligations: MiemBoxApp acts exclusively as a Data Processor. Each organization using the platform is the Data Controller and is solely responsible for complying with GDPR and LOPDGDD obligations toward its members, including obtaining valid consent, responding to data subject requests, and ensuring a lawful basis for processing. MiemBoxApp shall not be liable for any non-compliance by the Data Controller.
• Data accuracy: Users and organization administrators are responsible for ensuring the accuracy and completeness of the personal data entered into the platform. MiemBoxApp does not independently verify the data provided and shall not be held liable for consequences arising from inaccurate or outdated information.
• Third-party links and services: The platform or its email notifications may contain links to external websites or services not operated by MiemBoxApp. We are not responsible for the privacy practices, content, or data handling of any third-party sites accessed through such links.
• Exported data: MiemBoxApp provides data export tools (Excel, PDF) to assist Data Controllers in fulfilling their obligations. Once data is exported from the platform, MiemBoxApp has no control over and assumes no responsibility for how that data is subsequently stored, shared, or processed by the Data Controller or its agents.
• Security incidents beyond reasonable control: While MiemBoxApp implements robust technical and organizational security measures, no system can guarantee absolute security. MiemBoxApp shall not be liable for data breaches resulting from attacks, vulnerabilities, or circumstances beyond our reasonable control, provided we have fulfilled our security obligations under GDPR Article 32 and the Data Processing Agreement.
• User credential responsibility: Users are responsible for maintaining the confidentiality of their login credentials and must not share their accounts with others. MiemBoxApp shall not be liable for unauthorized access resulting from a user's failure to protect their credentials or from shared account usage.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do, the "Last updated" date at the top will be revised. For significant changes, we will notify users through the platform.

14. Contact

For questions about this Privacy Policy or how MiemBoxApp handles your data, contact us at [PRIVACY_EMAIL].

To exercise your data subject rights, please contact your organization administrator, who is the Data Controller responsible for your personal data.