Privacy Policy
Last updated: May 8, 2026
1. Controller and scope
The controller is Roberto Diaz (Spanish Tax ID / NIF 71655922C), a self-employed sole trader established in Spain.
- Privacy contact: [email protected]
- Professional address: Calle Vázquez de Mella 75, 33012 Oviedo, Asturias, Spain
- Tax ID / fiscal number: 71655922C
No Data Protection Officer (DPO) is appointed under Art. 37 GDPR. The sole-trader controller can be reached at [email protected] for any privacy matter.
This Policy explains how Verxion processes personal data on the public site, waitlist forms, authenticated app, API, widgets, MCP servers, connected applications, and coaching surfaces. If you use Verxion through any MCP-compatible third-party client you authorize (non-exhaustive examples: ChatGPT, Claude, Gemini, Cursor, OpenCode, etc.), that provider may process data separately under its own terms.
2. Data we may process
Depending on your use, Verxion may process:
- Account and authentication data: email, OAuth provider identifiers (Apple, Google), session tokens, legal acceptance versions.
- Profile and preferences: username, name, date of birth, sex, height, fitness goals, language, theme, AI preferences.
- Health-related data (Art. 9 special category): workout sessions and set logs, body measurements (weight, perimeter), nutrition and supplement logs, water intake, sleep / wellness signals, free-text notes, tracking and projection images, monthly snapshots, exercise analytics. Encrypted at rest with a per-user data encryption key (DEK) wrapped by AWS KMS in eu-north-1.
- Coaching data: coach-client relationships, scoped assignments, coach notes about clients (encrypted with the coach’s key).
- Social data (when enabled per feature): athlete profile, follows, blocks, mutes, profile views, activity feed events.
- OAuth + connected app data: client identifiers, granted scopes, access/refresh tokens, idempotency keys, MCP tool execution audit events.
- Security and operational logs: request IDs, audit log entries (no IP), rate-limit data, error traces (PII-scrubbed).
- Communications: transactional emails, optional waitlist subscription state.
3. Purposes and legal bases (Art. 13.1.c, 13.1.d)
| Purpose | Legal basis |
|---|---|
| Account creation, login, OAuth flow | Art. 6(1)(b) contract |
| Health, training, nutrition, progress tracking | Art. 9(2)(a) explicit consent (recorded in health_data_consents) |
| Coach-client features (when both parties opt in) | Art. 6(1)(b) contract + Art. 9(2)(a) explicit consent for client health data |
| OAuth, connected apps, MCP execution | Art. 6(1)(b) contract + Art. 6(1)(f) legitimate interest in security |
| AI-assisted features (chat, narrative generation) | Art. 6(1)(f) legitimate interest with explicit Art. 22 disclosure (see §6) |
| Security, abuse prevention, audit logs | Art. 6(1)(f) legitimate interest + Art. 6(1)(c) legal obligation |
| Privacy rights handling | Art. 6(1)(c) legal obligation |
| Transactional email | Art. 6(1)(b) contract |
| Waitlist | Art. 6(1)(a) consent |
| Public profile / social features | Art. 6(1)(a) consent (per-feature toggle) + Art. 9(2)(e) where data is manifestly made public by the user |
Health-related processing requires explicit consent (Art. 9.2.a), recorded versioned in our system. You can withdraw consent at any time (see §8) — withdrawal does not affect processing carried out before withdrawal.
4. Authentication
Verxion uses Sign In with Apple and Sign In with Google as the only authentication methods. We do not store passwords. When you sign in, we receive a unique account identifier and your email address from Apple or Google — Apple optionally provides a private relay address to mask your real email. We do not share data with Apple or Google beyond the standard OAuth flow.
5. MCP, OAuth, and LLM clients
Verxion is MCP first and works with any MCP-compatible client you choose to authorize via OAuth. The list of compatible clients evolves with the ecosystem; common, non-exhaustive examples include ChatGPT, Claude, Gemini, Cursor, OpenCode, Cline, Continue, Cody, custom-built agents, and more.
When you authorize a client, Verxion processes client identifiers, scopes, consent, sessions, tokens, and audit events to fulfill the authorized request. Verxion only shares or mutates data within the granted scope. Once data is shown or processed inside an external client, that third party handles it under its own terms and privacy policy — Verxion does not control its model, memory, retention, moderation, or any additional processing purposes.
The legal treatment is the same for every MCP client a user authorizes: the client is a separate controller, not a Verxion processor.
6. Automated processing and AI features (Art. 22)
Verxion does not perform automated decision-making with legal or similarly significant effects on you (Art. 22).
Verxion does not call any large-language-model (LLM) API server-to-server. There is no Verxion-hosted “AI assistant” that processes your data on our infrastructure.
When you choose to use an MCP-compatible AI client (ChatGPT, Claude, Gemini, Cursor, OpenCode, etc.) and authorize it via OAuth to read your Verxion data, the AI processing happens entirely inside that third party’s product, governed by your own contract with that provider — not by Verxion. That third party is an independent controller for the session (see §5). Verxion’s role is limited to fulfilling the scoped API calls the client makes on your behalf and to logging the audit events required to honour your data-subject rights.
If we ever introduce a Verxion-hosted AI feature that processes your
data server-to-server through an LLM provider, we will update this
policy, sign a processor DPA with that provider before going live, and
publish the change in /sub-processors with notice.
7. Source of data (Art. 14)
Some data is provided by people other than the data subject:
- When you use Verxion as a coach’s client, your coach may add notes, assignments, or measurements about you. The coach is the source of that data; you can see it via your privacy export and request deletion.
- Public profiles you opt into may contain data about your interactions with other users (follows, profile views).
8. Recipients and processors (Art. 13.1.e)
We do not sell personal data. The following processors and recipients handle your data on our behalf:
| Provider | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Railway | Application hosting + Postgres database | EU West (EEA) | n/a |
| AWS KMS | Key encryption key custody (eu-north-1) | EEA | n/a |
| Sentry | Error tracking (EU instance) | EEA (DE) | n/a |
| Upstash | Rate-limit + idempotency Redis | UK (eu-west-2, London) | UK adequacy decision |
| Resend | Transactional email + waitlist | Ireland (eu-west-1, EEA) | n/a (EEA data residency; entity-level access covered by DPA SCCs) |
| Vercel | Static site hosting + global CDN | Global CDN incl. EEA PoPs (Vercel Inc. entity in US, Delaware) | SCCs |
Separate controllers (not Verxion processors): Apple, Google (sign-in providers), OpenFoodFacts (food metadata source), any MCP-compatible client you authorize (non-exhaustive examples: ChatGPT, Claude, Gemini, Cursor, OpenCode, Cline, etc.), active coaches and clients with whom you have an authorized relationship.
The full list with DPA links is published at /sub-processors. Material changes are recorded in the changelog.
9. International transfers (Art. 13.1.f / Chapter V)
For US-based processors (Resend, Vercel) Verxion relies on Standard
Contractual Clauses (SCCs) executed as part of each provider’s Data
Processing Agreement. Where additional safeguards are required by recent
EDPB guidance, we apply technical measures: field-level encryption with
EEA-resident keys (AWS KMS eu-north-1), pseudonymisation in logs, and
strict scope-limited access.
10. Retention (Art. 13.2.a)
| Data | Retention |
|---|---|
| Account, profile, training, nutrition, social data | Lifetime of account |
| Sessions and OAuth tokens | 30 days |
| Audit logs | 30 days |
| Privacy export download URLs | 15 minutes |
| Privacy export job records | 30 days |
| Legal acceptance records (proof of consent) | Account lifetime + 6 years post-deletion (Art. 7.1 record-keeping) |
| Dormant accounts (no activity for 24 months) | Auto-purged after 30-day warning email (planned) |
When you delete your account, Verxion erases your data across all relevant tables in a single transaction, with a post-transaction integrity check that rolls back the deletion if any orphan rows remain (defense against misconfiguration).
11. Your rights (Art. 13.2.b)
Under GDPR you have the right to:
- access your data (Art. 15) — via in-app “Download my data” or [email protected];
- rectify incorrect data (Art. 16) — directly in the app;
- erase your data (Art. 17) — via “Delete my account” in Settings;
- restrict processing (Art. 18) — by email;
- object to processing based on legitimate interest (Art. 21);
- portability in machine-readable JSON (Art. 20) — via the export flow;
- withdraw consent at any time (Art. 7.3) — via the consent revocation endpoint or Settings; withdrawal is as easy as granting and does not affect lawfulness of past processing.
You can also lodge a complaint with the Spanish Data Protection Agency (AEPD): https://www.aepd.es
12. Whether providing data is required (Art. 13.2.e)
Account creation, the legal acceptance, and onboarding profile data are contractual: without them you cannot use Verxion. All other data (measurements, nutrition, social, AI usage) is optional — you choose what to log.
13. Cookies
Verxion uses cookies or similar technologies mainly for authentication, security, core functionality, preferences, and OAuth flows. Details and an itemized table are in the Cookie Policy.
14. Changes
We may update this Policy to reflect product, legal, or technical changes. Material changes trigger a re-acceptance flow — you will be asked to accept the new version on your next sign-in. The published version always shows the last updated date and version identifier (top of this page).