Fluensys

Privacy Policy

Version 1.0 Effective: APRIL 3RD, 2026 Last updated: APRIL 3RD, 2026 Jurisdiction: Spain / EU (GDPR)
Contents
  1. Who We Are
  2. Data We Collect
  3. Purposes and Lawful Basis
  4. How Long We Keep Your Data
  5. Who We Share Data With
  6. International Data Transfers
  7. Your Rights
  8. Cookies
  9. Data Security
  10. Children's Data
  11. Changes to This Policy
  12. Contact and Complaints

Who We Are

Fluensys is an English exam preparation and language performance service. The data controller responsible for your personal data is:

Data Controller

Name: MARQUEZ DANAE WILLIAMS
Trading as: Fluensys
Address: CARRER DE ROS DE OLANO 21, BARCELONA, SPAIN, 08012
Email: privacy@fluensys.es
Website: fluensys.es
Note on business registration: Fluensys is currently operating as a sole trader (autónomo). Upon formal business registration in Spain, this section will be updated to reflect the registered legal entity name and number. The version number of this policy will be incremented accordingly.

For the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR), as applied in Spain and supervised by the Agencia Española de Protección de Datos (AEPD), the data controller determines the purposes and means of processing your personal data.

Data We Collect

We collect personal data in the following contexts:

Diagnostic Tool

Intake Form

Programme Delivery

Marketing Communications

Technical and Usage Data

Purposes and Lawful Basis

We process your personal data only where we have a valid lawful basis under Article 6 GDPR. The table below sets out the purpose, data involved, and lawful basis for each processing activity.

Purpose Data Used Lawful Basis
Delivering diagnostic results Name, email, assessment responses, diagnostic output Performance of a contract (Art. 6(1)(b))
Processing speaking assessment Voice recording Explicit consent (Art. 6(1)(a) + Art. 9 where applicable)
Programme delivery and progress tracking All intake and session data Performance of a contract (Art. 6(1)(b))
Sending transactional communications (results, confirmations, invoices) Name, email Performance of a contract (Art. 6(1)(b))
Sending marketing emails (study content, updates) Email address Consent (Art. 6(1)(a))
Maintaining client records for legal and financial obligations Name, payment data, correspondence Legal obligation (Art. 6(1)(c))
Improving the diagnostic system and content Anonymised or aggregated diagnostic data Legitimate interests (Art. 6(1)(f))
Website security and technical operation IP address, usage data Legitimate interests (Art. 6(1)(f))
Withdrawal of consent: Where our lawful basis is consent, you have the right to withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us at privacy@fluensys.es or use the unsubscribe link in any marketing email.

How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.

Data Type Retention Period Reason
Diagnostic results and responses (free tier) 12 months from submission Service delivery; system improvement
Voice recordings (paid diagnostic tier) Deleted within 30 days of assessment delivery Assessment purpose fulfilled
Intake form submissions (non-enrolled) 6 months from submission Reasonable follow-up window
Programme client records (session notes, progress, correspondence) 3 years after programme end Legal and professional obligation
Invoice and payment records 5 years Spanish tax law (Ley General Tributaria)
Marketing consent records Until consent withdrawn, plus 1 year Audit trail for GDPR compliance
Technical/usage logs 90 days Security monitoring

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.

Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the third-party service providers necessary to operate Fluensys, and only to the extent required for that purpose. Each provider is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.

Provider Purpose Data Shared Location
Supabase Database hosting and backend infrastructure All structured data submitted via diagnostic and intake forms EU (Frankfurt, Germany) where EU region is selected
Resend Transactional and marketing email delivery Name, email address United States (see Section 6)
Notion CRM and internal client records Name, email, programme notes, progress records United States (see Section 6)
Vercel Website hosting and deployment IP addresses, request metadata, access logs United States (see Section 6)
GoDaddy Domain registration Registrant contact data only United States
Stripe Payment processing Payment and billing data United States

We will update this section if we add or replace any service providers. We will not introduce a new processor that materially affects your data without updating this policy and, where required, seeking fresh consent.

International Data Transfers

Several of our service providers are based in or process data in the United States. The US does not have an adequacy decision from the European Commission covering all transfers. Where this applies, we rely on the following safeguards:

Specific transfer safeguards by provider:

You may request a copy of the transfer safeguards applicable to your data by contacting us at privacy@fluensys.es.

Your Rights

Under the GDPR, you have the following rights with respect to your personal data. These rights are not absolute and may be subject to conditions or limitations in specific circumstances.

Right of Access

You can request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification

You can ask us to correct inaccurate data or complete incomplete data we hold about you.

Right to Erasure

You can request deletion of your personal data where there is no compelling reason for us to continue holding it.

Right to Restriction

You can ask us to restrict processing of your data in certain circumstances, such as while accuracy is contested.

Right to Portability

Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.

Right to Object

You can object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.

Right to Withdraw Consent

Where we rely on consent, you may withdraw it at any time. This does not affect prior lawful processing.

Automated Decision-Making

The Fluensys diagnostic generates automated outputs. These are informational and do not produce binding legal or similarly significant effects without human review.

To exercise any of these rights, contact us at privacy@fluensys.es. We will respond within one calendar month. We do not charge for standard requests; we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.

Cookies

Our website (fluensys.es) uses cookies to support its operation. Cookies are small text files placed on your device. We use the following categories:

You can manage cookie preferences at any time through our cookie settings, accessible in the footer of fluensys.es. Withdrawing consent for non-essential cookies will not affect your use of core features.

A full cookie inventory, including names, providers, and expiry periods, is maintained in our Cookie Policy at fluensys.es/cookies.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours and, where required, inform affected individuals without undue delay.

Children's Data

In Spain, the minimum age for valid consent to digital services is 14 years (Real Decreto 1720/2007, as aligned with GDPR). Where Fluensys Academic programmes involve students under 14, parental or guardian consent is obtained prior to data collection. The intake process for minors includes a dedicated parental consent mechanism.

If you believe a child has submitted data to Fluensys without appropriate consent, contact us immediately at privacy@fluensys.es] and we will take prompt action to review and delete the data where required.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will increment the version number at the top of this document and update the effective date. For material changes that affect how we process your data, we will provide notice by email to active clients and by a prominent notice on our website.

Your continued use of Fluensys services after any update constitutes acknowledgment of the revised policy. Where a material change requires fresh consent, we will seek it explicitly before continuing to process your data under the new terms.

Previous versions of this policy are available on request.

Contact and Complaints

To Exercise Your Rights or Raise a Concern

Contact the Fluensys data controller directly:

Email: privacy@fluensys.es
Postal address: CARRER DE ROS DE OLANO 21, BARCELONA, SPAIN, 08012
Response time: Within one calendar month of receipt

To Lodge a Complaint with the Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish data protection authority:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es
Telephone: +34 901 100 099

We would appreciate the opportunity to address your concern directly before you contact the AEPD, but you are under no obligation to do so.