Privacy Policy
This Privacy Policy informs you about the nature, scope, and purpose of personal data processing by mi media intelligence SL.
1. General Information
We process your data in accordance with the EU General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection and Digital Rights (LOPDGDD – Ley Orgánica 3/2018), and the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC).
2. Data Controller
Data Controller (pursuant to Article 4(7) GDPR):
mi media intelligence SL
C/ La Rambla 13 — Centre
07003 Palma de Mallorca
Illes Balears · Spain
NIF: B19480979
CEO: Tobias Hager
Email: contact@mi.network
Website: https://mi.network
3. Supervisory Authority
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es
Email: info@aepd.es
4. Collection and Processing of Personal Data
4.1 Contact Form / Sovereignty Oath
Data processed: message content, chosen intent (Invest / Partner / Build), IP address, timestamp.
Purpose: responding to your inquiry, continuing the conversation, and where applicable performing pre-contractual or contractual steps.
Legal basis: Art. 6(1)(b) GDPR (steps prior to entering a contract) and Art. 6(1)(f) GDPR (legitimate interest in handling business correspondence).
Retention: messages and metadata are kept for the duration of the active commercial conversation and thereafter for the period strictly necessary to defend or pursue legal claims, capped at the statutory limitation periods of (i) 4 years for tax-relevant correspondence (Art. 66 Ley General Tributaria 58/2003), (ii) 5 years for general civil claims (Art. 1964 Código Civil), and (iii) 6 years where the message forms part of accounting documentation (Art. 30 Código de Comercio). Where none of these apply, the message is deleted no later than 24 months after the last meaningful contact.
4.2 AQUILA Conversational Layer
When you interact with the AQUILA concierge, your typed input is transmitted to Anthropic PBC (Claude AI) solely for the purpose of generating a response in our voice.
Legal basis: Art. 6(1)(a) GDPR (consent — the chat is opt-in by clicking AQUILA) and Art. 6(1)(f) GDPR (legitimate interest in providing a conversational interface).
International transfer: USA under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
Retention: we do not persist chat content on our own servers. Edge runtime memory is discarded at the end of each request. Diagnostic edge logs that may incidentally contain a request body are kept for a maximum of 24 hours and then automatically purged. Anthropic processes the input under its own published retention schedule and deletes it within 30 days of receipt unless a trust-and-safety review applies.
4.3 Website Usage Analytics
We use Plausible Analytics, a privacy-first, cookie-less analytics service. Plausible does not set cookies, does not use device fingerprinting, does not collect personal data, and does not track across sites.
Data processed: aggregated referrer, country-level location, device class, page views — all anonymous and non-rejoinable to an individual.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring aggregated use). No consent banner is required because no terminal-equipment storage occurs (Art. 22.2 LSSI-CE).
Hosting: EU (Germany).
Retention: aggregated counters are retained indefinitely as anonymous statistics; no individual record exists that could be deleted.
4.4 Server Logs & Security
Our hosting provider (Vercel) automatically records standard edge logs on each request (IP address, user agent, timestamp, requested resource, response code).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in network and information security, debugging, abuse mitigation, and operational continuity).
Retention: edge access logs are retained for a maximum of 30 days and then rotated or deleted. Logs flagged as part of a security incident may be retained for the duration of the investigation and the statutory limitation period for the underlying offence.
4.5 Cookies
At present we set no cookies on this website. Our analytics provider (Plausible) is cookie-less by design. Should we ever introduce cookies for functional or analytics purposes, we will obtain prior informed consent in accordance with Article 22.2 LSSI-CE. For details, see our Cookie Policy.
5. Data Recipients and Third-Party Service Providers
| Provider | Purpose | Location | Transfer Safeguard |
|---|---|---|---|
| Vercel Inc. | Web hosting, CDN, edge firewall, DDoS mitigation | USA (HQ), global edge POPs incl. EU | SCCs (Art. 46 GDPR), DPF where applicable, TLS 1.3 in transit |
| Anthropic PBC | AQUILA concierge (Claude AI) | USA | SCCs (Art. 46 GDPR), DPF, encrypted transport |
| Resend Inc. | Transactional email delivery | USA, EU sending region (Ireland, eu-west-1) | SCCs (Art. 46 GDPR), DPF, encrypted transport |
| Plausible Analytics | Cookie-less, anonymised usage analytics | EU (Germany) | EU-based processing |
6. International Data Transfers
Some services may transfer data to the USA. Such transfers are protected by the European Commission’s Standard Contractual Clauses (SCCs) under Article 46 GDPR, supplemented by encryption in transit (TLS 1.3), data minimisation, and limited scope.
7. Retention Periods
| Category | Retention | Statutory Anchor |
|---|---|---|
| Contact / Oath submissions (general) | Up to 24 months after last contact | Art. 6(1)(b)/(f) GDPR — necessity |
| … where tax-relevant | 4 years | Art. 66 Ley General Tributaria |
| … where civil-claim relevant | 5 years | Art. 1964 Código Civil |
| … where part of accounting records | 6 years | Art. 30 Código de Comercio |
| AQUILA edge diagnostic logs | ≤ 24 hours | Operational debugging |
| Vercel edge access logs | 30 days | Security & operations (Art. 6(1)(f)) |
| Plausible analytics | Anonymous aggregates only | Not personal data |
Where multiple anchors apply to the same record, the longest applicable period governs. Once the period has elapsed, the record is deleted, anonymised, or rotated.
8. Automated Processing
AQUILA generates answers via Claude AI. This is assistive automation, not an automated decision that produces legal or similarly significant effects under Article 22 GDPR. You may request a human reply at any time by emailing contact@mi.network.
9. Your Rights
- Right of Access (Art. 15 GDPR)
- Right to Rectification (Art. 16 GDPR)
- Right to Erasure — “right to be forgotten” (Art. 17 GDPR)
- Right to Restrict Processing (Art. 18 GDPR)
- Right to Data Portability (Art. 20 GDPR)
- Right to Object (Art. 21 GDPR)
- Right to Withdraw Consent at any time (Art. 7(3) GDPR)
- Right to Lodge a Complaint with the AEPD
To exercise these rights, contact us at contact@mi.network with the subject “Data Subject Right Request”. We respond within 30 days of a valid request.
10. Data Security
- Transport Security: TLS 1.3 for all data in transit (HTTPS everywhere).
- Server hardening: CSP, HSTS, SRI, rate-limiting.
- Access Control: role-based access control (RBAC) for staff and systems.
- Continuous monitoring: intrusion and anomaly detection.
- Data Minimisation: we collect only what is strictly needed.
However, no security system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. Children’s Privacy
This website is not intended for users under 18 years of age. We do not knowingly collect data from minors.
12. Data Protection Impact Assessment (DPIA)
We have assessed the processing operations carried out via this website against Article 35 GDPR and the AEPD’s published list of processing operations subject to a mandatory DPIA. Our processing is limited to (i) name, email address and free-form message submitted by the visitor through the contact form, (ii) free-form text submitted to AQUILA, (iii) standard server logs, and (iv) cookie-less, anonymous aggregate analytics. We do not engage in large-scale processing of special categories of data (Art. 9 GDPR), systematic monitoring of public spaces, profiling that produces legal or similarly significant effects, or any of the other criteria listed by the AEPD that would trigger a mandatory DPIA. We have therefore concluded that no DPIA is required for the current scope. We will reassess this position before introducing any new feature that materially changes the type, volume or sensitivity of data processed.
13. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy. Material changes will be announced on this page with an updated effective date.
14. Contact
For questions, requests, or privacy concerns:
mi media intelligence SL
Email: contact@mi.network