Privacy Policy
In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD)
Table of Contents
- Identification of the Data Controller
- Scope of this Policy
- Categories of Personal Data Processed
- Purposes of Processing
- Legal Bases for Processing
- Processors and Third-Party Recipients
- International Data Transfers
- Data Retention Periods
- Data Subject Rights
- Security Measures
- Use of Cookies and Tracking Technologies
- Third-Party Services and External Integrations
- Minors
- Changes to this Privacy Policy
- Governing Law and Jurisdiction
- Contact and Communication Channel
PRELIMINARY NOTICE. This document sets out the privacy policy applicable to the services provided by BetaZetaDev. Please read it carefully to understand how your personal data is collected, processed and protected. By accessing and using any of the services described below, the user confirms that they have read, understood and accepted the terms set out herein, without prejudice to the rights granted by applicable law.
1. Identification of the Data Controller
In accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), and Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and the guarantee of digital rights (the “LOPDGDD”), users are informed of the identity and contact details of the data controller:
| Field | Value |
|---|---|
| Name | BetaZetaDev |
| Contact email | hi@betazeta.dev |
| Country of establishment | Spain |
| Applicable regulations | GDPR (EU) 2016/679 and LOPDGDD 3/2018 |
BetaZetaDev, hereinafter the “Controller”, acts as the data controller for all personal data collected through the services covered by this policy. A Data Protection Officer (DPO) has not been appointed on a mandatory basis. However, the Controller provides a direct communication channel for privacy-related enquiries and for the exercise of data protection rights at the email address indicated above.
2. Scope of this Policy
This privacy policy applies to the personal data processing activities carried out by BetaZetaDev in connection with the two independent services described below. Each service operates on a separate technical infrastructure, and this is reflected in the specific processing conditions applicable to each one.
2.1. betazeta.dev website and blog
The betazeta.dev website is a content publishing platform hosted on servers physically located in France, within the European Economic Area (EEA). Access to the website involves the processing of certain technical data as described in the following sections.
The website may also integrate web analytics tools, specifically Google Analytics 4. Such tools are activated only where the user has given prior, informed and freely given consent, in accordance with Article 7 of the GDPR and Directive 2002/58/EC (ePrivacy). Likewise, the website may include embedded content from YouTube, with the corresponding privacy implications regarding Google Ireland Limited.
2.2. Weekly Trends subscription service
Weekly Trends is a paid subscription service through which the Controller provides registered users with access to periodic newsletter content. This service runs on an independent technical infrastructure made up of the following components:
- Google Cloud Run: execution infrastructure hosted on Google Cloud Platform.
- Turso: distributed database with data storage located in the European Union.
- Stripe: payment and subscription management platform.
- n8n: internal automation tool used to process workflows related to service delivery.
- Infomaniak: email service provider based in Switzerland.
Each of these components may involve the processing of personal data to the extent necessary to provide the contracted service. Their respective providers act as processors under the terms of Article 28 of the GDPR.
3. Categories of Personal Data Processed
In accordance with the data minimisation principle set out in Article 5.1.c) of the GDPR, BetaZetaDev only processes personal data that is strictly necessary for the legitimate purposes described in Section 4 of this policy.
3.1. betazeta.dev website
Browsing the website may involve the processing of the following categories of data:
- IP address: network identifier of the user’s device, required to establish the connection and technically provide the service.
- Browser and device technical data: browser type, version, operating system, screen resolution and language settings, collected automatically by the web server.
- Pages visited and browsing patterns: access paths, time spent on pages and interaction flow within the website.
- Google Analytics 4 analytical identifiers: session and user identifiers generated by the web analytics tool, subject to the user’s prior consent.
- Data derived from embedded content: when the user accesses YouTube content embedded on the website, Google’s platform may collect data in accordance with its own privacy policy.
3.2. Weekly Trends service
The subscription service requires the processing of the following categories of personal data:
- Email address: the subscriber’s main identifying data, used to deliver newsletters and to send communications related to subscription management.
- Stripe customer ID: internal reference generated by the payment platform to associate the user with their transaction history.
- Subscription ID: unique code assigned by Stripe to identify the subscribed plan.
- Subscription status: current status of the contractual relationship, such as active, cancelled or in a grace period.
- Sign-up, update and renewal dates: timestamps used to manage the lifecycle of the subscription.
- Delivery preferences: user-defined settings regarding the frequency or format of the newsletter.
- Temporary management tokens: one-time cryptographic identifiers, stored as hashes and assigned an expiry date, used to authenticate management actions such as cancellation or modification without requiring a password.
IMPORTANT INFORMATION ABOUT PAYMENT DATA. BetaZetaDev does not store credit or debit card numbers, security codes (CVV/CVC) or any other sensitive banking information. All payment processes are handled directly by Stripe, Inc., a PCI DSS Level 1 certified company, which acts as an independent controller of payment data in accordance with its own privacy policy.
4. Purposes of Processing
In accordance with the purpose limitation principle set out in Article 5.1.b) of the GDPR, personal data collected by BetaZetaDev is processed exclusively for the purposes listed below and will not be further processed in a manner incompatible with those purposes:
- Subscription management: processing subscription sign-ups, changes, suspensions and cancellations, administering access to the service and updating the user’s account status.
- Payment processing and renewals: communicating with Stripe to authorise charges, manage automatic renewals and resolve billing-related issues.
- Service delivery and newsletter sending: periodically sending the Weekly Trends newsletter to the email addresses of active subscribers, according to the agreed frequency and format.
- Transactional and management communications: sending account status messages, sign-up or cancellation confirmations, renewal reminders, secure management links and notices about relevant technical incidents.
- Handling enquiries and incidents: processing requests, questions or complaints sent by users through the available contact channels.
- Security and fraud prevention: processing technical data to ensure the integrity, availability and confidentiality of the service, and to detect and prevent unauthorised access, abuse and fraudulent activity.
- Aggregated web analytics: obtaining website usage statistics through Google Analytics 4 in order to improve the user experience and published content. This processing is carried out only with the user’s prior consent.
5. Legal Bases for Processing
Under Article 6 of the GDPR, all processing of personal data must rely on a valid legal basis. The legal bases applicable to the processing carried out by BetaZetaDev are as follows:
5.1. Performance of a contract (Article 6.1.b GDPR)
Processing related to subscription management, payment processing and the provision of the Weekly Trends service is based on the need to perform the service contract entered into between BetaZetaDev and the user. Without such processing, the contracted service could not be provided under the agreed conditions.
5.2. Compliance with a legal obligation (Article 6.1.c GDPR)
Certain processing activities, especially those related to the issuing and retention of invoices and compliance with tax and commercial obligations, are carried out pursuant to applicable Spanish and European legal requirements.
5.3. Legitimate interest of the Controller (Article 6.1.f GDPR)
Processing aimed at ensuring service security, fraud prevention and technical maintenance of the platform is based on BetaZetaDev’s legitimate interest in protecting the integrity of its systems and its users. This interest has been assessed and does not override the fundamental rights and freedoms of data subjects, given the technical and non-intrusive nature of the data involved.
5.4. Consent of the data subject (Article 6.1.a GDPR)
The processing of data through web analytics tools (Google Analytics 4) and the activation of non-essential cookies require the user’s prior, explicit and informed consent. Such consent may be freely withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal, in accordance with Article 7.3 of the GDPR.
6. Processors and Third-Party Recipients
BetaZetaDev relies on third-party service providers to technically operate its platforms. In most cases, these providers act as processors under Article 28 of the GDPR, and the corresponding data processing agreements have been entered into with them to ensure compliance with applicable regulations.
| Provider | Service provided | Location |
|---|---|---|
| Own server | Hosting for the betazeta.dev website and blog | France (EU) |
| Google Cloud Run | Execution of Weekly Trends application logic | Europe-west region |
| Turso | Distributed database for Weekly Trends | Europe (EU) |
| Stripe, Inc. | Payment gateway and subscription management | United States (with appropriate safeguards) |
| n8n | Workflow automation | France (EU) |
| Infomaniak Network SA | Sending transactional emails | Switzerland (adequate level of protection) |
| Google Analytics | Web analytics (with consent) | United States / EU (with safeguards) |
| YouTube (Google) | Playback of embedded content | United States / EU (with safeguards) |
BetaZetaDev does not disclose personal data to third parties for their own commercial purposes, nor does it sell, rent or otherwise commercialise its users’ data under any circumstances.
7. International Data Transfers
Some of the providers listed in the previous section are based in, or may process data in, countries outside the European Economic Area (EEA). In such cases, and pursuant to Article 46 of the GDPR, the Controller requires those providers to adopt appropriate safeguards provided for under applicable law, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, establishing binding data protection obligations between the data exporter and importer.
- Adequacy mechanisms recognised by the European Commission, such as the adequacy decision for Switzerland or applicable sector-specific adequacy frameworks.
- Service level agreements incorporating the technical and organisational safeguards required to ensure a level of protection equivalent to that required within the European Union.
Users may request further information about the specific safeguards applicable to each international transfer by writing to hi@betazeta.dev.
8. Data Retention Periods
In accordance with the storage limitation principle set out in Article 5.1.e) of the GDPR, personal data will be retained only for as long as necessary to fulfil the purpose for which it was collected and, subsequently, for the legally applicable limitation periods:
- Subscription-related data (email address, identifiers, status and dates): for the duration of the contractual relationship and, once it has ended, for the applicable civil and tax limitation periods, which are generally four (4) years for tax matters under the Spanish General Tax Law and five (5) years for personal legal actions under the Spanish Civil Code.
- Billing and transaction data: for a minimum of six (6) years, in accordance with Spanish commercial law (Commercial Code).
- Temporary management tokens: until they are used or, failing that, until their scheduled expiry date, at which point they are automatically deleted from the Controller’s systems.
- Technical records and access logs: for a limited period of time, determined according to system security requirements and applicable cybersecurity regulations, and in no case longer than strictly necessary for the purposes indicated.
- Web analytics data (Google Analytics 4): subject to the retention settings configured in the platform, with a maximum of fourteen (14) months, in line with the recommendations of the Spanish Data Protection Agency (AEPD).
Once the applicable retention periods have expired, the data will be deleted or, where appropriate, irreversibly anonymised.
9. Data Subject Rights
The GDPR and the LOPDGDD grant data subjects a set of rights regarding the processing of their personal data. BetaZetaDev ensures that the following rights may be exercised free of charge by writing to hi@betazeta.dev:
9.1. List of rights
- Right of access (Article 15 GDPR): the data subject has the right to obtain confirmation as to whether BetaZetaDev is processing personal data concerning them and, where applicable, to access such data and receive information about the purposes, data categories, recipients and expected retention periods.
- Right to rectification (Article 16 GDPR): the data subject may request the correction of inaccurate or incomplete personal data concerning them, providing any supporting documentation that may be necessary.
- Right to erasure or “right to be forgotten” (Article 17 GDPR): the data subject may request the deletion of their personal data where, among other circumstances, it is no longer necessary for the purpose for which it was collected, consent has been withdrawn or the processing is unlawful.
- Right to object (Article 21 GDPR): the data subject may object to the processing of their data on grounds relating to their particular situation where the processing is based on the Controller’s legitimate interest.
- Right to restriction of processing (Article 18 GDPR): the data subject may request restriction of the processing of their data in the legally established cases, meaning that the Controller may only retain the data and may not actively process it.
- Right to data portability (Article 20 GDPR): where processing is based on consent or on the performance of a contract and is carried out by automated means, the data subject has the right to receive their data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
- Right to withdraw consent (Article 7.3 GDPR): the data subject may withdraw consent at any time for processing activities based on consent, without affecting the lawfulness of processing carried out before withdrawal.
9.2. Exercise procedure
To exercise any of the rights described above, the data subject must send a written request to hi@betazeta.dev, identifying themselves sufficiently and specifying the right they wish to exercise and the data to which the request relates. BetaZetaDev will respond within a maximum period of one (1) month from receipt of the request, which may be extended to three (3) months in particularly complex cases, in accordance with Article 12.3 of the GDPR.
9.3. Right to lodge a complaint with the supervisory authority
Without prejudice to the rights listed above, the data subject has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), the competent supervisory authority in Spain, through its electronic office (www.aepd.es) or by post. They may also contact the supervisory authority of the EU Member State in which they habitually reside.
10. Security Measures
BetaZetaDev implements appropriate technical and organisational measures pursuant to Article 32 of the GDPR, taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing, in order to ensure a level of security appropriate to the risk.
10.1. Technical measures
- Encrypted data transmission using the TLS/HTTPS protocol in all communications between clients and the Controller’s servers.
- Passwordless authentication system based on temporary one-time tokens (magic links), generated in a cryptographically secure manner, stored as irreversible hashes and assigned an automatic expiry date.
- Least privilege access controls for internal systems, limiting access to personal data to strictly necessary persons and processes.
- Logical separation between infrastructure components (web server, database, payment engine), limiting the potential scope of security incidents.
- Regular update and patching procedures for the software components used to provide the service.
10.2. Organisational measures
- Execution of Data Processing Agreements with all providers that process personal data on behalf of the Controller.
- Selection of providers that demonstrate appropriate security standards, including recognised certifications such as PCI DSS Level 1 in the case of Stripe.
- Internal procedure for assessing and responding to security incidents, including the ability to notify the supervisory authority and affected individuals in accordance with Article 33 of the GDPR.
NOTE. Despite the security measures implemented, no internet data transmission system can guarantee absolute security. BetaZetaDev undertakes to notify any personal data breach that poses a risk to users’ rights and freedoms to the competent supervisory authority within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.
11. Use of Cookies and Tracking Technologies
The betazeta.dev website may use cookies and similar tracking technologies. For the purposes of this policy, a cookie is a small text file stored on the user’s device when visiting a website, used to remember preferences or collect information about browsing behaviour.
Cookies are classified into the following categories according to their purpose:
- Technical or essential cookies: necessary for the proper operation of the website. They do not require user consent under Article 22.2 of Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI).
- Analytics cookies (Google Analytics 4): used to collect statistical information about website use in aggregated and anonymised form. Their activation requires the user’s prior consent and may be withdrawn at any time through the cookie management panel available on the website.
- Third-party cookies linked to embedded content: playback of YouTube videos may activate cookies belonging to Google Ireland Limited, whose processing is governed by that entity’s privacy policy.
The user may configure their browser to reject or delete cookies, although doing so may affect the functionality of certain sections of the website.
12. Third-Party Services and External Integrations
The Controller integrates third-party tools and platforms into its services. These third parties have their own independent privacy policies. BetaZetaDev does not control the data processing carried out directly by those third parties when they act as independent controllers. Users are encouraged to review the privacy policies of the following entities:
- Stripe, Inc.: payment processing and subscription management. Policy available at stripe.com/privacy.
- Google Ireland Limited (Google Analytics 4 and YouTube): web analytics and embedded multimedia content. Policy available at policies.google.com/privacy.
- Infomaniak Network SA: sending electronic communications. Policy available at infomaniak.com/es/cgv/politica-de-privacidad.
- Turso: storage of Weekly Trends data. Policy available at turso.tech/privacy-policy.
13. Minors
The services provided by BetaZetaDev are not directed at minors under sixteen (16) years of age. In accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD, the processing of data relating to minors below that age requires the consent of the holder of parental authority or legal guardianship.
BetaZetaDev does not knowingly collect personal data from minors under 16. If the Controller becomes aware that a minor under that age has provided personal data without the consent of their legal representatives, such data will be deleted immediately. Users who become aware of such a situation are asked to notify hi@betazeta.dev.
14. Changes to this Privacy Policy
BetaZetaDev reserves the right to update or modify this privacy policy at any time in order to adapt it to regulatory, case-law, technical or functional changes that may occur. Any changes will be published on the website, indicating the date of the latest update shown in the header of this document.
Where the changes introduced are substantial and may significantly affect the rights of users registered for the Weekly Trends service, the Controller undertakes to notify them by email with reasonable prior notice. Continued use of the service after such changes have been communicated will imply acceptance of the amended policy, without prejudice to the user’s right to unsubscribe from the service.
15. Governing Law and Jurisdiction
This privacy policy is governed by Spanish and European personal data protection law, and in particular by:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR).
- Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and the guarantee of digital rights (LOPDGDD).
- Spanish Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE).
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive).
For the resolution of any dispute that may arise from the interpretation or application of this policy, the parties submit to the jurisdiction of the competent courts and tribunals in accordance with applicable procedural law, without prejudice to the user’s right to contact the Spanish Data Protection Agency (AEPD) as the competent supervisory authority.
16. Contact and Communication Channel
For any enquiry, clarification or exercise of rights relating to the processing of personal data, the user may contact the Controller through the following channel:
| Field | Value |
|---|---|
| Contact channel | |
| Address | hi@betazeta.dev |
| Support languages | Spanish and English |
| Response period | Maximum 30 calendar days (extendable to 90 days in complex cases) |
BetaZetaDev undertakes to handle all requests with the utmost diligence and confidentiality, responding within the legally established period and adopting the appropriate measures according to the right exercised or the enquiry submitted.