Back to projects

Spain Decides Privacy Policy

Last updated: December 7, 2025

1. Introduction

Welcome to Spain Decides (España Decide). We value and respect your privacy and are committed to protecting the personal data you share with us. This Privacy Policy describes how we collect, use, process and protect your information when you use our citizen participation platform.

Please read this Privacy Policy carefully to understand our practices regarding your personal data and how we will treat it. By using our application, you accept the practices described in this policy.

2. Data Controller

Spain Decides is an application developed by App To Last.

Contact for privacy inquiries:

  • Email: admin@apptolast.com
  • To exercise your data protection rights, please use the email above

3. Information We Collect

3.1 Information You Provide Directly

Account information:

We offer two authentication methods:

A) Email and password authentication:

  • Email address
  • Password (stored in hashed and secure form, never in plain text)

B) Google Sign-In authentication (OAuth):

  • Full name
  • Email address
  • Profile photo (optional)
  • Google account ID
  • Language preferences from your Google account

User-created content:

  • Public policy proposals:

    • Proposal title
    • Detailed description
    • Selected category (Economy, Health, Education, Environment, Justice, Infrastructure, Security, etc.)
    • Date and time of creation
    • Unique proposal identifier

  • Votes and participation:

    • Upvotes cast
    • Downvotes cast
    • Complete voting history
    • Timestamps of each vote

  • Content reports:

    • Inappropriate content reports you submit
    • Report reason
    • Date and time of report

  • User profile:

    • Application preferences
    • Notification settings

3.2 Automatically Collected Information

Device and app usage data (Firebase Analytics):

  • Device model and manufacturer
  • Operating system and version
  • Application version
  • Device language
  • Approximate geographic region (based on IP, at country/city level)
  • App usage events (proposals viewed, votes cast, searches performed)
  • Frequency and duration of app usage
  • Unique device identifiers (Android ID, iOS IDFV)
  • Navigation patterns within the app

Performance and error data (Firebase Crashlytics):

  • Application crash reports
  • Error and exception logs
  • Application performance data
  • Memory and storage state at time of error
  • Stack traces and technical diagnostics

Network and connection data:

  • IP address (collected by Supabase during authentication and API usage)
  • Connection type (WiFi, mobile data)
  • Session information and authentication tokens
  • Real-time synchronization data (WebSockets)

3.3 Third-Party Information

  • If you use Google Sign-In, we receive basic profile information from Google LLC according to the permissions you grant
  • This information is shared between Google and Supabase for authentication purposes

4. Legal Basis for Data Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract execution: Processing necessary to provide the platform services you have requested (create account, publish proposals, vote)
  • Legitimate interest: Improvement of our services, fraud detection, vote manipulation prevention, platform security
  • Consent: For optional functionalities and use of analytical data
  • Legal obligation: Compliance with applicable laws and regulations

5. How We Use Information

We use the information we collect for the following purposes:

Service provision:

  • Create and maintain your user account
  • Enable the creation, publication and management of public policy proposals
  • Process and record your votes (upvotes/downvotes)
  • Calculate proposal rankings based on net votes
  • Synchronize data in real-time across devices
  • Provide search and category filtering functionalities
  • Show relevant proposals based on your participation

Platform integrity and security:

  • Detect and prevent vote manipulation
  • Identify suspicious or fraudulent activities
  • Prevent creation of multiple accounts by the same person
  • Protect against spam and platform abuse
  • Maintain the integrity of the voting system
  • Process inappropriate content reports
  • Review and remove content that violates our policies

Improvement and development:

  • Analyze how users use the platform
  • Identify most popular proposal categories
  • Understand citizen participation patterns
  • Develop new features based on actual usage
  • Optimize performance and user experience

Communication:

  • Send you notifications about activity on your proposals (if you enable them)
  • Respond to your inquiries and support requests
  • Inform you about important service changes
  • Send platform updates (with your consent)

Legal compliance:

  • Comply with applicable legal obligations
  • Respond to valid legal requests from authorities
  • Protect our legal rights

6. Third-Party Services and Sharing Information

6.1 Service Providers We Use

Supabase:

Spain Decides uses Supabase as its main backend:

  • Supabase Authentication: Registration and login management (email/password and Google OAuth)
  • Supabase PostgreSQL Database: Storage of user accounts, proposals, votes and relational data
  • Supabase Realtime (WebSockets): Real-time synchronization of votes and proposals
  • Row-Level Security (RLS): Security policies that control data access

Data location:

  • Your personal data is stored on Supabase PostgreSQL servers located in the European Union (EU)
  • Authentication data remains exclusively in the specified region
  • No data is transferred to other jurisdictions

Regulatory compliance:

  • Supabase is GDPR compliant and provides Data Processing Agreements (DPA)
  • Supabase projects run on isolated PostgreSQL instances (not multi-tenant)
  • Complies with SOC 2 Type II security standards
  • More information at: https://supabase.com/privacy

Firebase (Google LLC):

We use limited Firebase services for analytics:

  • Firebase Analytics: App usage analysis and user behavior
  • Firebase Crashlytics: Error and performance report collection

Firebase data location:

  • Firebase Analytics data may be processed on Google LLC servers located in the United States
  • Google LLC complies with the EU-U.S., UK-U.S. and Swiss-U.S. Data Privacy Frameworks
  • Google provides EU-approved Standard Contractual Clauses (SCC)

6.2 We Do Not Sell Your Data

We do not sell, rent or trade your personal data to third parties for their marketing purposes.

Your proposals and votes are public within the platform (as it is a citizen participation platform), but we do not share your personal contact information with third parties.

6.3 Disclosure by Legal Requirement

We may disclose your information if we are legally required to do so, or if we believe in good faith that such action is necessary to:

  • Comply with legal processes or government requests
  • Protect and defend our rights or property
  • Investigate possible violations of our terms of service
  • Protect the personal safety of application users or the public
  • Protect against legal liability

7. Data Storage and Retention

7.1 Where We Store Your Data

Cloud storage:

  • All your data is stored in the Supabase PostgreSQL database located in the European Union
  • Data is encrypted in transit using SSL/TLS
  • Data at rest is protected by AES-256 encryption
  • Database instances are isolated and dedicated per project

Temporary local storage:

  • The application may temporarily cache some data on your device to improve performance
  • This cache is automatically cleared when you log out

7.2 Retention Period

We retain your personal data according to the following criteria:

  • Active user account: As long as your account remains active
  • Published proposals: Retained indefinitely as part of the public citizen participation archive, even after you delete your account (proposals are anonymized but remain visible)
  • Votes: Retained while your account is active; anonymized after account deletion
  • Content reports: Retained for 2 years for auditing purposes and moderation system improvement
  • Authentication data: Deleted immediately upon account deletion
  • Analytics and Crashlytics data: Retained according to Firebase policies (60 days for analytics, 90 days for crashlytics)
  • Server logs: Retained for 90 days for security purposes

Important: Due to the public nature of the platform, proposals you publish will remain visible on the platform even after you delete your account, but they will be anonymized (they will not show your name or email, only "Anonymous User").

8. Data Security

We implement technical, organizational and physical security measures to protect your personal data:

Technical measures:

  • SSL/TLS (HTTPS) encryption for all communications
  • AES-256 encryption for data at rest
  • Secure password hashing with bcrypt (we never store passwords in plain text)
  • OAuth 2.0 authentication with Google Sign-In
  • Session tokens with automatic expiration
  • Row-Level Security (RLS) in Supabase PostgreSQL for granular access control
  • SQL injection protection through parameterized queries
  • User input validation and sanitization
  • Rate limiting to prevent brute force attacks

Organizational measures:

  • Restricted access to personal data only for authorized personnel
  • Continuous monitoring of suspicious activities
  • Regular security audits
  • Security incident management policies
  • Compliance with SOC 2 Type II standards (via Supabase)

Vote integrity protection:

  • Each user can only vote once per proposal
  • Vote changes (upvote → downvote or vice versa) replace the previous vote
  • Server-side validation to prevent manipulation
  • Audit trail logging for anomaly detection

However, no method of transmission over the Internet or electronic storage is 100% secure. Although we strive to protect your data, we cannot guarantee absolute security.

9. Your Privacy Rights (GDPR)

As a user located in the European Union, you have the following rights regarding your personal data:

9.1 Right of Access

You can view your profile, created proposals and voting history directly from the application.

To obtain a complete copy of all your data, contact us at admin@apptolast.com.

9.2 Right of Rectification

Currently you can edit:

  • Your user profile
  • Application settings

Current limitation: You cannot edit or delete already published proposals or modify individual votes (you can only change your vote from upvote to downvote or vice versa). If you need to correct information in a published proposal, contact us.

9.3 Right of Deletion (Right to be Forgotten)

To delete your account and your personal data:

Currently, account deletion must be requested by contacting: admin@apptolast.com

Email subject: "Account Deletion Request - Spain Decides"

What will be deleted:

  • Your user account and authentication credentials
  • Your personal information (name, email, profile photo)
  • Your voting history (aggregated statistics will be anonymized)
  • Your settings and preferences

What will be anonymized (NOT completely deleted):

  • Proposals you have published will remain visible on the platform as part of the public archive, but will be shown as created by "Anonymous User"
  • This is necessary to maintain the integrity of citizen participation history and public discussions

Processing time:

  • We will process your request within a maximum of 30 days
  • Data in backups will be deleted within 90 additional days

Deletion is permanent and irreversible.

9.4 Right of Data Portability (Export)

Data export:

Currently, we do not have automatic data export functionality in the application.

To obtain a copy of your data, contact us at: admin@apptolast.com

Email subject: "Data Export Request - Spain Decides"

We will provide your data in structured JSON format that will include:

  • Your account information
  • All proposals you have created
  • Your complete voting history
  • Metadata and timestamps

Delivery time: Within 30 days of your request.

9.5 Right to Restriction of Processing

You can request restriction of processing of your personal data in certain circumstances by contacting us.

9.6 Right to Object

You can object to the processing of your personal data for direct marketing purposes (which we currently do not do) or based on legitimate interests.

9.7 Right to Withdraw Consent

When processing is based on your consent (such as analytics), you can withdraw it at any time. This will not affect the legality of processing before withdrawal.

9.8 How to Exercise Your Rights

To exercise any of these rights, contact us through:

Information you should include:

  • Your full name
  • Email associated with your account
  • Clear description of the right you wish to exercise
  • Any additional information that helps us verify your identity

We will respond to your request within 30 days. We may request additional information to verify your identity before processing the request.

9.9 Right to File a Complaint

If you are not satisfied with how we handle your personal data, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD) or the data protection authority in your country.

10. International Data Transfers

Primary storage (Supabase):

  • All your personal data, proposals and votes are stored exclusively on servers located in the European Union
  • Supabase does not transfer this data outside the specified EU region
  • This includes authentication data, PostgreSQL database and real-time data

Analytics services (Firebase):

  • Firebase Analytics may process some analytical data on Google LLC servers located in the United States
  • This data is primarily aggregated and anonymous (usage events, performance metrics)
  • Google LLC complies with:
    • EU-U.S., UK-U.S. and Swiss-U.S. Data Privacy Frameworks
    • EU-approved Standard Contractual Clauses (SCC)
    • GDPR-compatible Data Processing Agreements (DPA)

Protection guarantees:

  • All service providers that process data outside the EU comply with GDPR
  • EU Standard Contractual Clauses apply for transfers to the U.S.
  • Data is protected by equivalent security measures regardless of location

11. Children's Privacy and Child Safety

Spain Decides is not directed to children under 13 years of age.

We do not knowingly collect personal information from children under 13 years of age. If we discover that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information from our servers as soon as possible.

If you are a parent or guardian and believe your child has provided us with personal information, contact us immediately at admin@apptolast.com.

11.1 Child Sexual Abuse and Exploitation (CSAE) Policy

App To Last and Spain Decides maintain a zero-tolerance policy against child sexual abuse and exploitation (CSAE).

Strictly prohibited:

  • Upload, distribute or share any content that depicts, promotes or facilitates child sexual abuse
  • Any content involving sexual acts with minors
  • Images or videos depicting child nudity or sexualized behavior
  • Solicitation of sexual acts from minors

Our response:

  • Immediate removal of any detected CSAE content
  • Permanent ban of the responsible account
  • Report to authorities: We will report the content to the National Center for Missing & Exploited Children (NCMEC) and relevant law enforcement authorities as required by law

Reporting mechanism: If you find content that you suspect involves CSAE or endangers minors:

  • Use the "Report" button available on each proposal within the application
  • Send an email to: admin@apptolast.com with subject "CSAE Report - Urgent"
  • All CSAE reports are treated with the highest priority and urgency

Cooperation with authorities: We fully cooperate with law enforcement agencies in investigating and prosecuting individuals who use our application to distribute or promote CSAE content.

12. Public Nature of the Platform and Content Moderation

Important information about the visibility of your data:

Spain Decides is a public citizen participation platform. This means that:

Public information visible to all users:

  • All proposals you publish are public and visible to any platform user
  • Proposal content (title, description, category)
  • The number of net votes each proposal receives (upvotes - downvotes)
  • Proposal publication date

Private information (NOT visible to other users):

  • Your email address
  • Your password
  • How you voted on specific proposals (your voting history is private)
  • Your IP address

Anonymity after account deletion:

  • If you delete your account, the proposals you published will remain visible but will be shown as created by "Anonymous User"
  • There will be no way to link those proposals to you

12.1 Inappropriate Content Reporting System

Spain Decides provides a mechanism to report content that violates our policies:

How to report:

  • Each proposal has a "Report content" button
  • When reporting, you can select the reason (spam, inappropriate content, CSAE, etc.)
  • Reports are sent immediately to our moderation team

What happens with your report:

  • All reports are manually reviewed by our team
  • CSAE reports have the highest priority and are processed within 24 hours
  • If the content violates our policies, it will be removed
  • The user who posted content that violates policies may be sanctioned or permanently banned

Information collected when reporting:

  • ID of the reported proposal
  • Report reason
  • Your user ID (to prevent abuse of the reporting system)
  • Date and time of report

Privacy recommendation:

  • Do not include sensitive personal information in the content of your proposals
  • Proposals should focus on public policies, not personal information

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements or other operational reasons.

Notice of changes:

  • We will notify you of any material changes through notification within the application or by email
  • The "Last updated" date at the beginning of this policy will be updated
  • For significant changes affecting your rights, we may request your explicit consent

Your responsibility:

  • We recommend that you periodically review this policy
  • Continued use of the application after changes constitutes your acceptance of the updated policy

14. Cookies and Tracking Technologies

Spain Decides does not use cookies as it is a native mobile application.

However, we use similar technologies:

Device identifiers:

  • Android Advertising ID (Android) / IDFV (iOS) for Firebase Analytics
  • These identifiers help us analyze app usage
  • You can disable advertising tracking in your device settings:
    • Android: Settings > Google > Ads > Opt out of Ads Personalization
    • iOS: Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"

Session tokens:

  • We use JWT tokens to keep your session authenticated
  • These tokens expire automatically for security
  • They are stored securely on your device

Local storage:

  • Temporary data cache to improve performance
  • Cleared when logging out

15. Use of Analytical Data

We use Firebase Analytics to understand how users interact with Spain Decides:

Data collected:

  • User events (create proposal, vote, search, navigate categories)
  • Approximate demographic data (country, language)
  • Device information (model, OS, app version)
  • Engagement metrics (time in app, most viewed proposals)
  • Most popular proposal categories

Purpose:

  • Understand which public policy topics interest citizens most
  • Improve user experience and navigation
  • Identify technical problems and areas for improvement
  • Optimize platform performance
  • Make informed decisions about developing new features

User options:

  • Analytics data is primarily aggregated and anonymous
  • You can contact us to request exclusion from analytical data collection

16. Contact

If you have questions, comments or concerns about this Privacy Policy or our privacy practices, contact us through:

Email: admin@apptolast.com

For requests to:

  • Exercise GDPR rights (access, deletion, portability, etc.)
  • Delete your account
  • Export your data
  • Correct information in published proposals
  • Report privacy or security issues
  • Report CSAE content or content that endangers minors (URGENT)
  • Inquiries about how we use your data
  • Request exclusion from analytics

Response time:

  • CSAE reports: Within 24 hours
  • Other privacy inquiries: Within 30 days

17. Consent

By creating an account and using Spain Decides, you:

  • Confirm that you have read and understood this Privacy Policy
  • Accept the collection, use and processing of your personal data as described in this document
  • Confirm that you are at least 13 years of age
  • Understand that proposals you publish will be public and visible to all users
  • Understand that published proposals will remain on the platform (anonymized) even if you delete your account
  • Accept the use of Firebase Analytics to improve the application
  • Accept that your data will be stored on servers located in the European Union
  • Understand and accept our zero-tolerance policy against CSAE
  • Accept that you can report inappropriate content and that we will process such reports

If you do not agree with this policy, please do not use our application. You can withdraw your consent at any time by deleting your account by contacting admin@apptolast.com.

This policy has been designed to comply with the General Data Protection Regulation (GDPR) of the European Union, Spain's Organic Law on Data Protection (LOPD), Google Play's Child Safety policies and other applicable privacy laws.