Privacy Policy

Last updated: April 17, 2026

1. Data Controller

The data controller for the personal data processed through Comuvi is:

Company: Craft Lab, SLU
NIF: B42627893
VAT: ESB42627893
Address: Calle Leonardo Da Vinci 12A, Nave 8, 03203, Elche, Alicante, Spain
Email: info@comuvi.app
Data Protection Officer (DPO): info@comuvi.app

2. What Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

Name: provided during registration or profile setup.
Email address: used for authentication (magic link, password login), notifications, and account recovery.
Password or PIN: stored as a salted scrypt hash; we never store credentials in plain text.

2.2 Community Data

Unit/apartment identifier: (e.g., "2nd A", "Ground B") linked to your community membership.
Role: your role within the community (owner, board member, property manager, president).
Community membership: which communities you belong to.

2.3 Content Data

Incident reports: text descriptions and photographs (up to 6 images per incident, max 8 MB each).
Announcements, votes, survey responses, messages: content you create within the platform.
Documents: files uploaded by board members (minutes, budgets, rules).

2.4 Technical Data

Session tokens: stored in your browser's localStorage to maintain your authenticated session.
Push notification subscriptions: Web Push endpoint URLs and encryption keys (VAPID).
IP addresses: collected in server logs for security and abuse prevention.
Browser and device information: User-Agent string included in standard HTTP requests.

2.5 Payment Data

Stripe customer and subscription data: when you subscribe to a paid plan, payment information is collected and processed directly by Stripe. We do not store your full card number. We receive from Stripe: customer ID, subscription status, last 4 digits of the card, and billing history.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

Purpose	Legal Basis
Providing the Comuvi service (account management, community features)	Performance of a contract (Art. 6.1.b)
Processing payments	Performance of a contract (Art. 6.1.b)
Sending transactional emails (magic links, notifications)	Performance of a contract (Art. 6.1.b)
Push notifications	Consent (Art. 6.1.a) — you opt in via your browser
Security, fraud prevention, server logs	Legitimate interest (Art. 6.1.f)
Improving the service and fixing bugs	Legitimate interest (Art. 6.1.f)
Compliance with legal obligations (tax, accounting)	Legal obligation (Art. 6.1.c)

4. Data Retention

We retain your personal data for the following periods:

Data Category	Retention Period
Account data (name, email)	Duration of your account + 30 days after deletion
Community content (announcements, incidents, votes)	Duration of the community's existence + 30 days after community deletion
Uploaded photos and documents	Same as community content
Session tokens	Configurable by the community board (default: 90 days), or until logout
Push notification subscriptions	Until you unsubscribe or revoke browser permission
Server logs (IP addresses)	90 days
Billing and payment records	As required by Spanish tax law (minimum 4 years under Ley General Tributaria; up to 6 years under Codigo de Comercio)

When you cancel your account, your personal data is deleted within 30 days. Anonymized or aggregated data may be retained for analytics.

5. Third-Party Processors

We use the following third-party service providers (data processors) to operate Comuvi:

Processor	Purpose	Location
Railway (Railway Corp.)	Application hosting and PostgreSQL database	United States
Resend (Resend, Inc.)	Transactional email delivery	United States
Stripe (Stripe, Inc.)	Payment processing (PCI DSS Level 1 certified)	United States / Ireland
Signaturit (Signaturit Solutions, S.L.)	Advanced electronic signatures for meeting minutes	Spain / EU
Web Push (browser vendors)	Push notification delivery via VAPID protocol	Varies by browser vendor

Each processor is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.

6. International Data Transfers

Some of our processors (Railway, Resend, Stripe) are based in the United States. These transfers are protected by:

The EU-US Data Privacy Framework (DPF), where the processor is certified; or
Standard Contractual Clauses (SCCs) approved by the European Commission; or
Other appropriate safeguards as required by Chapter V of the GDPR.

You may request a copy of the relevant transfer mechanism by contacting info@comuvi.app.

7. Your Rights

Under the GDPR and the Spanish LOPDGDD (Ley Organica 3/2018, de 5 de diciembre), you have the following rights:

Right of access: obtain confirmation of whether we process your data and a copy of it.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request deletion of your data when it is no longer necessary or you withdraw consent.
Right to restriction of processing: limit how we process your data in certain circumstances.
Right to data portability: receive your data in a structured, machine-readable format (JSON or CSV).
Right to object: object to processing based on legitimate interest.
Right to withdraw consent: withdraw consent at any time (e.g., push notifications) without affecting the lawfulness of prior processing.
Right to lodge a complaint: file a complaint with the Spanish Data Protection Agency (Agencia Espanola de Proteccion de Datos, AEPD) at www.aepd.es.

8. How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer:

Email: info@comuvi.app
Postal address: Craft Lab, SLU — Calle Leonardo Da Vinci 12A, Nave 8, 03203, Elche, Alicante, Spain

We will respond within one month of receiving your request. This period may be extended by two additional months if the request is complex or we receive numerous requests, in which case we will inform you of the extension within the first month.

We may ask you to verify your identity before processing your request.

9. Cookies and Local Storage

Comuvi uses browser localStorage (not traditional HTTP cookies) to store your session and preferences. For full details, please see our Cookie Policy.

10. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

All data in transit is encrypted via HTTPS/TLS.
Passwords and PINs are hashed using scrypt with unique salts.
Database hosted on managed infrastructure with automated backups.
Payment data is handled by Stripe (PCI DSS Level 1) and never touches our servers in raw form.
Access to production systems is restricted to authorized personnel.

11. Children's Privacy

Comuvi is not directed at children under 14 years of age (the minimum age under Spanish LOPDGDD Article 7). We do not knowingly collect personal data from children under 14. If you become aware that a child under 14 has provided us with personal data, please contact us at info@comuvi.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify registered users via in-app notification or email for significant changes.

We encourage you to review this page periodically.

13. Contact

For general inquiries about this policy: info@comuvi.app

For data protection matters and rights requests: info@comuvi.app