Who We Are
Fluensys is an English exam preparation and language performance service. The data controller responsible for your personal data is:
Name: MARQUEZ DANAE WILLIAMS
Trading as: Fluensys
Address: CARRER DE ROS DE OLANO 21, BARCELONA, SPAIN, 08012
Email: privacy@fluensys.es
Website: fluensys.es
For the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR), as applied in Spain and supervised by the Agencia Española de Protección de Datos (AEPD), the data controller determines the purposes and means of processing your personal data.
Data We Collect
We collect personal data in the following contexts:
Diagnostic Tool
- Full name and email address (collected on page one of the diagnostic)
- Exam target, self-reported current level, and exam timeline
- Responses to assessment tasks (reading, use of English, listening, writing)
- Voice recordings, where you complete the speaking section of the paid diagnostic tier
- Diagnostic score outputs, CEFR band estimates, and readiness verdicts generated by the system
Intake Form
- Full name, email address, and telephone number
- Exam target, current level, availability, and programme goals
- Any additional information you provide voluntarily in open-text fields
Programme Delivery
- Session notes, progress records, and assessment results maintained during your programme
- Correspondence by email or messaging platforms
- Payment confirmation data (we do not store full card details; these are held by our payment processor)
Marketing Communications
- Email address, where you have opted in to receive updates from Fluensys
Technical and Usage Data
- IP address, browser type, and device information collected automatically when you use our website or diagnostic tool
- Diagnostic interaction data such as time-on-task and section completion, used to improve system performance
Purposes and Lawful Basis
We process your personal data only where we have a valid lawful basis under Article 6 GDPR. The table below sets out the purpose, data involved, and lawful basis for each processing activity.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Delivering diagnostic results | Name, email, assessment responses, diagnostic output | Performance of a contract (Art. 6(1)(b)) |
| Processing speaking assessment | Voice recording | Explicit consent (Art. 6(1)(a) + Art. 9 where applicable) |
| Programme delivery and progress tracking | All intake and session data | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional communications (results, confirmations, invoices) | Name, email | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing emails (study content, updates) | Email address | Consent (Art. 6(1)(a)) |
| Maintaining client records for legal and financial obligations | Name, payment data, correspondence | Legal obligation (Art. 6(1)(c)) |
| Improving the diagnostic system and content | Anonymised or aggregated diagnostic data | Legitimate interests (Art. 6(1)(f)) |
| Website security and technical operation | IP address, usage data | Legitimate interests (Art. 6(1)(f)) |
How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Diagnostic results and responses (free tier) | 12 months from submission | Service delivery; system improvement |
| Voice recordings (paid diagnostic tier) | Deleted within 30 days of assessment delivery | Assessment purpose fulfilled |
| Intake form submissions (non-enrolled) | 6 months from submission | Reasonable follow-up window |
| Programme client records (session notes, progress, correspondence) | 3 years after programme end | Legal and professional obligation |
| Invoice and payment records | 5 years | Spanish tax law (Ley General Tributaria) |
| Marketing consent records | Until consent withdrawn, plus 1 year | Audit trail for GDPR compliance |
| Technical/usage logs | 90 days | Security monitoring |
When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.
Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only with the third-party service providers necessary to operate Fluensys, and only to the extent required for that purpose. Each provider is bound by a Data Processing Agreement (DPA) or equivalent contractual protections.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting and backend infrastructure | All structured data submitted via diagnostic and intake forms | EU (Frankfurt, Germany) where EU region is selected |
| Resend | Transactional and marketing email delivery | Name, email address | United States (see Section 6) |
| Notion | CRM and internal client records | Name, email, programme notes, progress records | United States (see Section 6) |
| Vercel | Website hosting and deployment | IP addresses, request metadata, access logs | United States (see Section 6) |
| GoDaddy | Domain registration | Registrant contact data only | United States |
| Stripe | Payment processing | Payment and billing data | United States |
We will update this section if we add or replace any service providers. We will not introduce a new processor that materially affects your data without updating this policy and, where required, seeking fresh consent.
International Data Transfers
Several of our service providers are based in or process data in the United States. The US does not have an adequacy decision from the European Commission covering all transfers. Where this applies, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use providers that have entered into the EU Commission's approved Standard Contractual Clauses, which provide a legal mechanism for transferring personal data outside the EEA.
- EU-US Data Privacy Framework: Where providers are certified under the EU-US Data Privacy Framework, this constitutes an adequate transfer mechanism.
Specific transfer safeguards by provider:
- Supabase: Data is stored in EU-West (Frankfurt) when the EU region is selected. Supabase Inc. is US-incorporated; SCCs apply to any incidental US access. We have confirmed EU region selection for the Fluensys project.
- Resend: US-based. Processes email delivery data under SCCs.
- Notion: US-based. Processes CRM data under SCCs.
- Vercel: US-based. Hosts all Fluensys web properties and processes IP addresses and request metadata. Vercel is certified under the EU-US Data Privacy Framework.
You may request a copy of the transfer safeguards applicable to your data by contacting us at privacy@fluensys.es.
Your Rights
Under the GDPR, you have the following rights with respect to your personal data. These rights are not absolute and may be subject to conditions or limitations in specific circumstances.
- You can request a copy of the personal data we hold about you and information about how it is processed.
- You can ask us to correct inaccurate data or complete incomplete data we hold about you.
- You can request deletion of your personal data where there is no compelling reason for us to continue holding it.
- You can ask us to restrict processing of your data in certain circumstances, such as while accuracy is contested.
- Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.
- You can object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.
- Where we rely on consent, you may withdraw it at any time. This does not affect prior lawful processing.
The Fluensys diagnostic generates automated outputs. These are informational and do not produce binding legal or similarly significant effects without human review.
To exercise any of these rights, contact us at privacy@fluensys.es. We will respond within one calendar month. We do not charge for standard requests; we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.
Cookies
Our website (fluensys.es) uses cookies to support its operation. Cookies are small text files placed on your device. We use the following categories:
- Strictly necessary cookies: Required for core website functionality, including session management and security. These cannot be disabled.
- Analytics cookies: Used to understand how visitors use the site. We use anonymised data only and do not build individual profiles. These are set only with your consent via our cookie banner.
- Functional cookies: Enable enhanced features such as remembering diagnostic progress across sessions.
You can manage cookie preferences at any time through our cookie settings, accessible in the footer of fluensys.es. Withdrawing consent for non-essential cookies will not affect your use of core features.
A full cookie inventory, including names, providers, and expiry periods, is maintained in our Cookie Policy at fluensys.es/cookies.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:
- Encrypted data transmission (TLS/HTTPS) across all Fluensys web properties
- Database access controls and row-level security policies via Supabase
- Restricted access to client records in Notion on a need-to-know basis
- Regular review of third-party processor security certifications
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours and, where required, inform affected individuals without undue delay.
Children's Data
In Spain, the minimum age for valid consent to digital services is 14 years (Real Decreto 1720/2007, as aligned with GDPR). Where Fluensys Academic programmes involve students under 14, parental or guardian consent is obtained prior to data collection. The intake process for minors includes a dedicated parental consent mechanism.
If you believe a child has submitted data to Fluensys without appropriate consent, contact us immediately at privacy@fluensys.es and we will take prompt action to review and delete the data where required.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will increment the version number at the top of this document and update the effective date. For material changes that affect how we process your data, we will provide notice by email to active clients and by a prominent notice on our website.
Your continued use of Fluensys services after any update constitutes acknowledgment of the revised policy. Where a material change requires fresh consent, we will seek it explicitly before continuing to process your data under the new terms.
Previous versions of this policy are available on request.
Contact and Complaints
To Exercise Your Rights or Raise a Concern
Contact the Fluensys data controller directly:
Postal address: CARRER DE ROS DE OLANO 21, BARCELONA, SPAIN, 08012
Response time: Within one calendar month of receipt
To Lodge a Complaint with the Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish data protection authority:
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es
Telephone: +34 901 100 099
We would appreciate the opportunity to address your concern directly before you contact the AEPD, but you are under no obligation to do so.