Privacy policy

Last updated: February 13, 2026

At Vestigia, we take the protection of your personal data very seriously. This policy describes how we collect, use, and protect your information in accordance with the General Data Protection Regulation (GDPR).

Data controller

The data controller is Vestigia, based in Spain. You can contact us at info@vestigia.me.

Data we collect

We collect the following types of personal data:

Registration data: name, email address, and encrypted password.
Profile data: biography, photo, profession, location, and any content you choose to publish in your legacy.
Usage data: information about how you interact with the platform, including pages visited and actions taken.
Technical data: IP address, browser type, operating system, and cookies.
Managed profile data: name, relationship with the manager, published content (photographs, texts, achievements), and vital status (alive or deceased) of the represented person.

Purpose of processing

We process your data for the following purposes:

To manage your account and provide you with access to the platform.
To publish and maintain your public legacy profile according to your preferences.
To improve our services and the user experience.
To send you service-related communications (never commercial spam without your consent).
To comply with our legal obligations.

Legal basis for processing

The processing of your data is based on:

Consent by registering and creating your profile, you consent to the processing of your data for the described purposes.
Performance of a contract the processing is necessary to provide you with the service you have subscribed to.
Legitimate interest to improve our services and ensure the security of the platform.
Legal obligation when necessary to comply with applicable legislation.

Your rights (GDPR)

As a data subject, you have the following rights that you can exercise at any time:

Access the right to know what personal data of yours we process.
Rectification the right to correct inaccurate or incomplete data.
Erasure the right to request the deletion of your data ("right to be forgotten").
Restriction the right to restrict the processing of your data in certain circumstances.
Portability the right to receive your data in a structured and commonly used format.
Objection the right to object to the processing of your data.

To exercise any of these rights, contact us at info@vestigia.me. We will respond within a maximum of 30 days.

Cookies

We use cookies to improve your experience on the platform. You can consult our cookie policy for detailed information about the cookies we use and how to manage them. cookie policy

Data retention

We retain your personal data as long as your account is active or as long as necessary to provide you with the service. You can request the deletion of your account and data at any time.

Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Managed profile data

When a user creates a managed profile, we collect and process data about the represented person (name, relationship with the manager, published content, vital status). The manager is responsible for ensuring they have sufficient authorization or legitimacy to provide such data. The represented person (or their heirs) may exercise their GDPR rights over this data by contacting us at info@vestigia.me.

Data processors and sub-processors

To provide our services, we share data with the following providers:

OpenAI (United States) -- AI content processing. Only data you voluntarily enter in the legacy assistant is sent. OpenAI does not use this data to train their models.
Resend (United States) -- Transactional email delivery (account verification, password reset).
Hetzner (Germany) -- Server infrastructure hosting and data storage.

International data transfers

Some of our providers (OpenAI, Resend) are based in the United States. These transfers are carried out under the standard contractual clauses approved by the European Commission and the EU-US Data Privacy Framework. Only data strictly necessary for providing the service is transferred.

Biometric data

Vestigia does not collect, store, or process biometric data. Photographs uploaded to the platform are treated exclusively as images, without applying facial recognition technology or any type of biometric analysis. IP addresses are anonymized using SHA-256 hashing before storage.

Contact

If you have questions about this privacy policy or the processing of your data, you can contact us at info@vestigia.me.

You also have the right to file a complaint with the Spanish Data Protection Agency (AEPD) if you believe your rights have been violated.

Data we collect

We collect the following types of personal data:

Registration data: name, email address, and encrypted password.

Profile data: biography, photo, profession, location, and any content you choose to publish in your legacy.

Usage data: information about how you interact with the platform, including pages visited and actions taken.

Technical data: IP address, browser type, operating system, and cookies.

Managed profile data: name, relationship with the manager, published content (photographs, texts, achievements), and vital status (alive or deceased) of the represented person.

Purpose of processing

We process your data for the following purposes:

To manage your account and provide you with access to the platform.

To publish and maintain your public legacy profile according to your preferences.

To improve our services and the user experience.

To send you service-related communications (never commercial spam without your consent).

To comply with our legal obligations.

Legal basis for processing

The processing of your data is based on:

Consent by registering and creating your profile, you consent to the processing of your data for the described purposes.

Performance of a contract the processing is necessary to provide you with the service you have subscribed to.

Legitimate interest to improve our services and ensure the security of the platform.

Legal obligation when necessary to comply with applicable legislation.

Your rights (GDPR)

As a data subject, you have the following rights that you can exercise at any time:

Access the right to know what personal data of yours we process.

Rectification the right to correct inaccurate or incomplete data.

Erasure the right to request the deletion of your data ("right to be forgotten").

Restriction the right to restrict the processing of your data in certain circumstances.

Portability the right to receive your data in a structured and commonly used format.

Objection the right to object to the processing of your data.

To exercise any of these rights, contact us at info@vestigia.me. We will respond within a maximum of 30 days.

Managed profile data

Data processors and sub-processors

To provide our services, we share data with the following providers:

OpenAI (United States) -- AI content processing. Only data you voluntarily enter in the legacy assistant is sent. OpenAI does not use this data to train their models.

Resend (United States) -- Transactional email delivery (account verification, password reset).

Hetzner (Germany) -- Server infrastructure hosting and data storage.