TROBARE
Login

Privacy Policy

Last updated: 19 April 2026

**Last updated:** 19 April 2026

1. Data controller

NEWEN VENTURES, S.L. (hereinafter "Newen Ventures" or "we") is the controller of the personal data collected through the website trobare.com and the services associated with the Trobare brand.

- **Company name:** NEWEN VENTURES, S.L. - **Spanish Tax ID (NIF):** B25925108 - **Registered office:** Travessera de Gràcia 283, 08025 Barcelona, Spain - **Contact for privacy matters:** info@trobare.com

Trobare has not appointed a Data Protection Officer (DPO), as this is not mandatory for our activity under Article 37 of Regulation (EU) 2016/679 (GDPR).

2. Personal data we process

**Data provided directly by the user:**

- When creating an account with email and password: email address, password (stored in encrypted form), name (optional). - When subscribing to a paid plan: name, surname, billing address, tax ID/VAT where applicable, country. Card data is processed directly by Stripe; Newen Ventures does not store it. - When contacting us by email: the data the user chooses to include in the message (name, email, content).

**Data received from third parties:**

- From Google (Google OAuth login, if the user chooses this option): email address, name, profile picture and unique identifier (sub ID) provided by Google to authenticate the user. - From Stripe: payment status, amount, last 4 digits of the card, country of issue and fraud check results.

**Data collected automatically during use:**

- IP address, device type, browser, operating system, language. - Pages visited, time spent, clicks and usage patterns (only if the user consents to analytical cookies). - Cookie identifiers and similar technologies (see Cookie Policy).

3. Purposes and legal bases

We process personal data for the following purposes and on the following legal bases (GDPR Art. 6):

**Account management and service provision.** Creating and managing the account, authenticating the user (with email and password or through Google OAuth), managing favourites and preferences. Legal basis: performance of a contract (Art. 6.1.b).

**Paid subscription management.** Processing subscriptions, charges, renewals, cancellations and invoicing. Legal basis: performance of a contract and legal obligation (Art. 6.1.b and 6.1.c).

**Payment processing.** Charging subscription amounts through Stripe. Legal basis: performance of a contract (Art. 6.1.b).

**Invoicing and tax compliance.** Keeping records of payments and issuing invoices under Spanish tax law. Legal basis: legal obligation (Art. 6.1.c).

**User support.** Responding to enquiries sent by email. Legal basis: performance of a contract or pre-contractual measures (Art. 6.1.b) or legitimate interest (Art. 6.1.f).

**Transactional communications.** Registration confirmations, password recovery, subscription notifications and relevant service notices. Legal basis: performance of a contract (Art. 6.1.b).

**Web analytics.** Understanding use of the site and improving the product via Google Analytics. Legal basis: consent (Art. 6.1.a), given through the cookie banner.

**Advertising and campaign measurement.** Measuring conversions and Google Ads campaigns. Legal basis: consent (Art. 6.1.a).

**Security and fraud prevention.** Detecting misuse, preventing unauthorised access and protecting service integrity. Legal basis: legitimate interest (Art. 6.1.f).

4. Retention periods

We retain personal data only for as long as strictly necessary for the purposes described:

- **Account data:** while the account is active, plus 12 months after deletion for fraud prevention and security obligations. - **Invoicing and payment data:** 6 years after the end of the relationship, under Article 30 of the Spanish Commercial Code and tax law. - **Email communications:** up to 1 year from the last interaction, unless a legal retention obligation applies. - **Cookies and analytics data:** as indicated in the Cookie Policy (maximum 14 months for Google Analytics). - **Server logs:** between 7 and 30 days, unless a security incident requires longer retention.

Once these periods expire, data is securely deleted or anonymised.

5. Recipients of personal data

We share personal data only with the following processors, who provide essential services for operating Trobare:

- **Stripe Payments Europe, Ltd.** (Ireland) and **Stripe, Inc.** (United States): payment processing and subscription management. - **Vercel Inc.** (United States): website hosting, serverless functions and logs. - **Supabase Inc.** (United States, infrastructure in Paris/EU): storage of place images. - **Resend** (United States): transactional email delivery. - **Zoho Corporation:** corporate email management for info@trobare.com. - **Google LLC** (United States): user authentication through Google OAuth (Sign in with Google), Google Analytics and Google Ads for analytics and measurement, Google Tag Manager as tag manager, Google Places API to retrieve information and photographs of establishments, and outbound links to Google Maps for user navigation. - **Mapbox, Inc.** (United States): interactive mapping service. When a map is displayed on the site, the user's browser downloads tiles from Mapbox's servers, which involves transmitting the user's IP address. - **Anthropic PBC** (United States): automated translation of our own editorial content and automated classification of editorial images (no user data is sent).

All processors have signed or accepted data processing agreements under Article 28 of the GDPR. We may also disclose personal data to competent public authorities where legally required.

6. International data transfers

Some of the above processors are located in the United States. These transfers are based on:

- The **EU-US Data Privacy Framework (DPF)**, for certified providers (Google, Vercel, Supabase, Resend, Anthropic and Stripe, among others). - **Standard Contractual Clauses (SCCs)** approved by the European Commission, for any additional transfer, including those made to Mapbox.

The user may request a copy of these safeguards by writing to info@trobare.com.

7. Your rights

Under the GDPR and Spanish Organic Law 3/2018 on Data Protection, users have the following rights:

- **Access:** obtain confirmation that their data is being processed and access it. - **Rectification:** have inaccurate or incomplete data corrected. - **Erasure:** request deletion of their data when no longer necessary. - **Restriction of processing:** request temporary restriction of processing. - **Portability:** receive their data in a structured, commonly used format. - **Objection:** object to processing based on legitimate interest. - **Withdrawal of consent:** withdraw consent at any time, without retroactive effect. - **Not to be subject to automated decisions** with legal or significant effects (Trobare does not carry out profiling with such effects).

**How to exercise these rights:** by sending an email to info@trobare.com indicating the right being exercised and attaching a copy of your ID to verify your identity. We will respond within a maximum of one month.

**Complaints before the supervisory authority.** If the user believes that the processing breaches their rights, they may file a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, or through its electronic headquarters at www.aepd.es.

8. Minors

Trobare's services are directed at persons aged 16 and over. Users under this age must not register or provide personal data. If we detect that an account has been created by a minor under 16 without parental consent, we will delete it.

9. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss or destruction, including:

- Encryption in transit (TLS) and at rest. - Authentication based on JSON Web Tokens (JWT) managed by NextAuth. - Passwords stored using hash functions (bcrypt). - Role-based access controls at the application level. - Automated backups and recovery plans. - Periodic review of third-party access and permissions.

No system is completely secure; in the event of a security breach affecting users' rights and freedoms, we will notify it under Article 34 of the GDPR.

10. Cookies

The website uses its own and third-party cookies. Detailed information on types, purposes, duration and consent management is available in the Cookie Policy, accessible from the site footer and from the cookie configuration banner.

11. Users resident in the United Kingdom

Users resident in the United Kingdom are protected by the UK GDPR and the Data Protection Act 2018. The rights described in section 7 are equivalent to those recognised under UK law. The competent supervisory authority is the Information Commissioner's Office (ICO), ico.org.uk.

12. Users resident in California (USA)

If the user resides in California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, grants them the following rights: to know what personal data we collect and for what purpose, to request access and a copy, to request deletion, to request correction, to opt out of the "sale" or "sharing" of personal data, and not to be discriminated against for exercising these rights. Trobare does not sell personal data within the meaning of the CCPA. Users may exercise their rights by writing to info@trobare.com.

13. Changes to this Policy

We may update this Privacy Policy to reflect legal or technical changes or changes to our services. The version in force is always the one published on the Website, with the last updated date clearly indicated. When changes are significant, we will notify registered users by email.