Privacy Policy

Last updated: March 2026

1. General Information

1.1 Data Controller

  • Company name: ENTROPY BAY, S.L.
  • Trade name: Hermet
  • Tax ID (CIF): B26671842
  • Registered office: Madrid, Spain
  • Email: hello@hermet.ai
  • Data protection email: privacidad@hermet.ai
  • Website: https://hermet.ai

1.2 Legal Framework

This Privacy Policy is governed by:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
  • Spanish Organic Law 3/2018, of December 5, on Personal Data Protection and digital rights guarantee (LOPDGDD).
  • Spanish Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI-CE).

1.3 Data Protection Officer (DPO)

Given the size of the organization and the nature of the processing, ENTROPY BAY, S.L. is not required to appoint a Data Protection Officer. However, you may address any data protection queries to: privacidad@hermet.ai

2. Personal Data We Process

2.1 Data Collected Directly from the User

  • Identification data: Name, surname (Web forms, registration)
  • Contact data: Phone, email (Web forms, registration)
  • Demographic data: Age, date of birth, gender, nickname, province (Service registration)
  • Preferences: Call schedules, topics of interest (Service configuration)
  • Account holder data: Name, phone, email, password (stored encrypted), relationship to the senior (Service registration)
  • Life story: Free-text biographical information, memories, experiences and preferences of the senior (up to 10,000 characters) (Provided by the subscriber during registration or subsequent configuration)
  • Contact form data: Name, email, message (Website contact form)

2.2 Data Generated by the Service

  • Usage data: Call duration, frequency, history (María service use)
  • Conversational summaries: Topics discussed, mood (AI processing)
  • Alerts: Detected changes in wellbeing (Automated analysis)
  • Hermet Family app data: Call summaries, mood trends, alerts, app usage data (AI processing and mobile app usage)

2.3 Special Category Data (Art. 9 GDPR)

The María service may process health-related data, such as:

  • Emotional state and perceived wellbeing
  • References to physical or cognitive state
  • Information about medication, medical appointments, or other health aspects the user voluntarily mentions

This data is considered special category data under Article 9 of the GDPR and receives enhanced protection.

2.4 Technical Data

  • Browsing data: IP address, browser type, device (Website access)
  • Cookies: Identifiers, preferences (See Cookie Policy)
  • Browser local storage: Registration session data (sessionStorage), temporary preferences (Registration process and browsing)

3. Purposes and Legal Bases for Processing

3.1 Processing Table

| Purpose | Data processed | Legal basis (GDPR) | Retention period |
|---|---|---|---|
| Provision of María service | Identification, contact, preferences, conversations | Art. 6.1.b) Contract performance | Contract duration + 5 years |
| Health alert detection | Health data, emotional state | Art. 9.2.a) Explicit consent | Contract duration + 1 year |
| Communication with account holder | Alerts, summaries | Art. 6.1.b) Contract performance | Contract duration |
| Customer service and support | Identification, contact, queries | Art. 6.1.b) Contract performance | 3 years from last communication |
| Commercial communications | Email, name | Art. 6.1.a) Consent | Until consent withdrawal |
| Waiting list | Name, email, phone | Art. 6.1.a) Consent | 2 years or until voluntary unsubscription |
| Service improvement and statistical analysis | Anonymized/aggregated data | Art. 6.1.f) Legitimate interest | Indefinite (anonymized data) |
| Legal compliance | Tax, contractual data | Art. 6.1.c) Legal obligation | As per applicable law (min. 6 years) |
| Contact form inquiry management | Name, email, message | Art. 6.1.b) Contract performance / Art. 6.1.f) Legitimate interest | 2 years from last communication |
| Hermet Family app service (mobile app) | Call summaries, mood trends, alerts, usage data | Art. 6.1.b) Contract performance | Contract duration + 1 year |

3.2 Special Category Data Processing

For processing health data derived from the María service, the legal basis is explicit consent of the data subject (Art. 9.2.a GDPR), which is obtained at the time of registration.

You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

4. Data Recipients

4.1 Authorized Disclosures

  • Account holder: Alerts, call summaries - Account management and wellbeing monitoring (Contract performance)

4.2 Data Processors

Hermet uses service providers who access personal data as data processors:

  • Cloud providers (AWS/GCP): Hosting (EU / EEA) - Standard contractual clauses
  • AI providers: Natural language processing (USA) - Adequacy decision / SCCs
  • Telephony providers: Call service (EU) - Data processing agreement
  • Stripe, Inc.: Payment processing and billing (USA / Ireland) - Adequacy decision / SCCs, PCI DSS certification

All data processors have signed contracts ensuring GDPR compliance.

4.3 International Transfers

Some of our providers may be located outside the European Economic Area. In such cases, transfers are made with appropriate safeguards:

  • European Commission adequacy decisions.
  • Standard Contractual Clauses approved by the European Commission.
  • Supplementary measures when necessary.

4.4 Disclosures to Authorities

We may disclose your data to public authorities when there is a legal obligation or court order.

4.5 No Sale of Data

Hermet does not sell, rent, or transfer personal data to third parties for commercial or advertising purposes.

5. Data Subject Rights

5.1 Recognized Rights

Under the GDPR and LOPDGDD, you may exercise the following rights:

  • Access (Art. 15 GDPR): Obtain confirmation of whether we process your data and access it.
  • Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
  • Erasure (Art. 17 GDPR): Request deletion of your data when no longer necessary, you withdraw consent, or other legal grounds.
  • Restriction (Art. 18 GDPR): Request restriction of processing in certain circumstances.
  • Portability (Art. 20 GDPR): Receive your data in a structured format and transmit it to another controller.
  • Objection (Art. 21 GDPR): Object to processing of your data in certain circumstances.
  • Not to be subject to automated decisions (Art. 22 GDPR): Not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you.

5.2 How to Exercise Your Rights

To exercise your rights, send an email to privacidad@hermet.ai indicating:

  • First and last name
  • Identity document (ID/Passport)
  • Right you wish to exercise
  • Email address associated with your account (if applicable)

Response time: We will respond within a maximum of one month from receipt of the request. This period may be extended by two months for complex or numerous requests, informing you accordingly.

Free of charge: Exercising these rights is free, except for manifestly unfounded or excessive requests.

5.3 Right to Lodge a Complaint with Supervisory Authority

If you consider that the processing of your data violates regulations, you may file a complaint with the Spanish Data Protection Agency (AEPD):

  • Web: https://www.aepd.es
  • C/ Jorge Juan, 6, 28001 Madrid
  • 901 100 099 / 91 266 35 17

6. Security Measures

ENTROPY BAY, S.L. has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

6.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Restricted access: Role-based access control and principle of least privilege.
  • Secure servers: Infrastructure hosted in the European Union with ISO 27001 certifications.
  • Backups: Encrypted backups distributed geographically.
  • Monitoring: Intrusion detection systems and audit logs.

6.2 Organizational Measures

  • Training: Staff trained in data protection.
  • Confidentiality: Confidentiality agreements with all staff and providers.
  • Assessments: Regular security reviews and impact assessments when appropriate.
  • Incident management: Security breach response protocol.

6.3 Security Breach Notification

In case of a security breach affecting your personal data, we will notify the AEPD within a maximum of 72 hours. If the breach poses a high risk to your rights, we will also notify you directly.

7. Data Retention

We will retain your personal data for the time necessary to fulfill the purpose for which it was collected and to determine any possible liabilities arising therefrom.

7.1 Specific Periods

  • Customer/user data: Contract duration + 5 years - Statute of limitations for contractual actions (Art. 1964 CC)
  • Conversations and alerts: Contract duration + 1 year - Service continuity
  • Tax/billing data: 6 years - Art. 30 Commercial Code
  • Consents: Processing duration + 5 years - Proof of consent
  • Waiting list data: 2 years - Legitimate interest
  • Cookies: See Cookie Policy

7.2 Deletion or Anonymization

Once the periods have elapsed, data will be deleted or irreversibly anonymized for statistical use.

8. Minors

The María service is intended for adults. We do not knowingly process data from children under 14. If we detect that we have collected data from a minor without parental consent, we will delete it immediately.

9. Policy Modifications

We reserve the right to modify this Privacy Policy to adapt it to legislative, jurisprudential, or practical developments.

In case of substantial changes, we will notify you via the email provided or through a prominent notice on the Website, at least 30 days before it takes effect.

We recommend periodically reviewing this policy.

10. Cookie Policy

The Website uses first-party and third-party cookies.

10.1 What are cookies?

Cookies are small text files that websites store on your device when you visit them. They allow the website to remember your actions and preferences.

10.2 Legal Basis

  • Technical/necessary cookies: Legitimate interest (Art. 6.1.f GDPR) and consent exemption (Art. 22.2 LSSI-CE).
  • Analytics cookies: User consent (Art. 6.1.a GDPR).

10.3 Types of Cookies We Use

Technical Cookies (Necessary)

  • session_id: Maintain user session (Session)
  • csrf_token: CSRF attack protection (Session)
  • cookie_consent: Remember cookie preferences (1 year)

Analytics Cookies (Statistics)

  • _posthog: Distinguish users and sessions (1 year)

We use PostHog (European cloud) for analytics. Data is processed on servers within the European Economic Area (EEA).

Marketing Cookies

We currently do NOT use marketing or advertising cookies.

10.4 How to Manage Cookies

You can modify your cookie preferences at any time through our cookie settings panel, accessible from the "Cookie Settings" button in the website footer.

You can also manage cookies through your browser settings.

You can customize your analytics preferences through our cookie settings panel.

11. Contact

For any inquiries related to this Privacy Policy or the processing of your personal data:

  • Email: privacidad@hermet.ai
  • Email: hello@hermet.ai
  • Web: https://hermet.ai

© 2024-2026 ENTROPY BAY, S.L. All rights reserved.