Privacy policy
Last updated: 14 July 2026.
This policy describes what data misdatos.es processes, the purpose, how long we keep it, and how to exercise your rights. The service runs on European infrastructure by default and complies with the European General Data Protection Regulation (GDPR).
Data controller
misdatos.es ("the Service"). For any privacy enquiry, write to misdatos.es@imani.es.
What we process
We only process data you choose to connect:
- Account data: the email address used for magic-link sign-in and an optional display name.
- Synced mail and calendar data: when you connect Google Workspace (Gmail and/or Google Calendar) or Microsoft 365 (Outlook and/or its calendar) through the voluntary OAuth flow, the Service reads, in read-only mode: from email messages, their metadata (subject, sender, recipients, date) and the body of recent messages to the extent needed to prepare briefings; from calendar events, their attendees, organizer, description, links and dates. The Service never sends email or modifies anything on your behalf.
- Generated briefings: texts produced by the Service's assistant from the data above, with mandatory citations to the original sources.
- Activity log: actions performed in the Service (syncs, connections, briefing generations, emails sent) with timestamps, for auditability and support.
We do not process special categories of data within the meaning of Article 9 GDPR. We do not sell data to third parties, we do not profile you for advertising, and we do not train AI models on your data.
Purposes
- To deliver the Service: prepare briefings, list meetings, answer your questions about your own information.
- To send transactional notifications: sign-in link, briefing email before each meeting, operational notices.
- Security and improvement: abuse detection, error debugging, aggregated metrics without personal identifiers.
Legal basis
Processing is based on your explicit consent when you create the account and when you authorise each external connector. You may withdraw consent at any time from the Service itself (see "Your rights").
Google user data
misdatos.es's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:
- We only use Gmail and Google Calendar data to provide the Service features (preparing and showing your meeting briefings) that you have enabled.
- We do not transfer that data to third parties except the sub-processors strictly needed to run the Service (listed below), where required by law, or with your explicit consent.
- We do not use that data for advertising and we do not sell it.
- No human reads your Google data except with your explicit consent, for security purposes (e.g. investigating abuse), to comply with the law, or when the data is aggregated and anonymised.
Processors and sub-processors
- Hetzner Cloud (Germany): Service and PostgreSQL hosting on European infrastructure.
- Brevo (France): transactional email delivery (magic link, briefings).
- Anthropic (US): large-language-model provider that drafts the briefings, contracted under a no-training clause on transmitted contents and processing in EU data centres when available.
- Voyage AI (US): generates the numeric representations (embeddings) used to find topically relevant emails; for this it receives the text of indexed emails and events, under a no-training agreement. Users in strict-sovereignty mode are excluded from this indexing.
Each of the above acts as a processor under Article 28 GDPR.
Retention
Synced data is retained while the connection is active.
- Disconnecting an account stops syncing and revokes the grant at the provider, but keeps the already-synced information so you can still review it.
- Deleting an account's data (a separate action under "Connect accounts") immediately and permanently deletes every item synced through it and every derived briefing, including associated internal records.
- The activity log is retained for up to 12 months for audit and support purposes.
Your rights
Under GDPR you have the right to access, rectify, delete, restrict processing, object, and to data portability. Some rights are exercised directly from the Service:
- Delete data: use "Delete data" under "Connect accounts" to immediately delete all data derived from that account.
- Account deletion: write to misdatos.es@imani.es and we will delete the account, all connectors, and all associated data within 30 days.
For any other right, contact misdatos.es@imani.es. You may also lodge a complaint with your national data protection authority.
International transfers
By default, data stays on European infrastructure. Some AI features (briefing drafting and semantic search) involve transmitting content to providers in the United States (Anthropic and Voyage AI); these transfers rely on the European Commission's standard contractual clauses and on no-training agreements. Users in strict-sovereignty mode are excluded from semantic search.
Changes to this policy
We will announce any material change at least 30 days in advance via the email address linked to the account. The "Last updated" date shows when it was last revised.