Legal

Privacy and Data Protection Policy (GDPR)

1. Summary in one read

We process your data to provide the service, bill you and protect the platform. We do not sell your data or share it with third parties, except with the providers that are essential to operate (for example, the payment gateway or the identity verification provider) or when the law requires it.

Account verification is performed by Didit, a company with a legal entity in Spain that complies with the GDPR. In the standard flow you can choose between a brief liveness check (a selfie), with no need to show your identity document, or the validation of your mobile number through an SMS code, with no camera and no biometric data. In the Manager we only keep a textual summary of the result: we never store images of your document, selfies, videos or biometric templates in the Manager's systems.

You can exercise your data protection rights at any time, as explained at the end of this document.

2. Who the data controller is

  • GINERNET S.L.
  • Tax ID (NIF/CIF): B54660485
  • Registered office: Pza. San Cristóbal 14, 03002 Alicante, Spain

For any question about your data you can open a support ticket from the Manager.

3. What data we process

  • Account data: first and last name, email, phone number, address, and company name and tax/VAT ID if you provide them.
  • Billing and payment data: tax contacts, invoices, balance top-ups and payment references. We do not store your full card numbers; they are handled directly by the payment gateway.
  • Technical and security data: access IP addresses, session history, activity performed in the panel and the records needed to prevent fraud and abuse.
  • Support: the messages and tickets you send us.
  • Account verification: if you complete the verification, the result summary described in section 5.
  • Providing the service and managing your account: performance of the contract.
  • Issuing invoices and complying with tax and accounting obligations: legal obligation.
  • Protecting the platform and preventing fraud, abuse and non-payment: legitimate interest.
  • Sending you notices about your services (renewals, balance, incidents, security): performance of the contract.
  • Sending you commercial communications or offers: only if you expressly opt in, and you can opt out at any time (consent).

5. Account verification with Didit (liveness check or SMS code)

To prevent fraud and, if you accept it, enable account recovery, we may ask you to verify your account. Verification is performed by Didit, a provider specialised in identity verification, and in the standard flow you can choose between two paths: a facial liveness check or the validation of your mobile number by SMS.

The entity providing this service for European Union clients is Didit Identity Spain, S.L. (Tax ID B22929327, Calle Nápoles 227, 08013 Barcelona, Spain). Didit acts as a data processor on behalf of GINERNET, complies with the GDPR and its lead supervisory authority is the Spanish Data Protection Agency (AEPD).

Facial verification (no document): the liveness check is a short video selfie confirming you are a real person. Your identity document is not captured. Where necessary to check the capacity to contract or to apply risk controls, Didit may return an age estimate derived from the liveness check.

SMS verification (no biometrics): as an alternative to the liveness check, you can verify your account by validating your mobile phone number through a one-time code that Didit sends by SMS. This path captures no image or video and processes no biometric data. Didit processes your phone number and associated technical data (carrier, line type and country of the number) to complete the validation and generate the anti-fraud signals described below, for example whether the number is virtual, disposable or associated with several accounts. This processing is based on GINERNET's legitimate interest in verifying accounts and preventing fraud, abuse, impersonation and the evasion of restrictions, under GDPR art. 6.1.f; by choosing this path, you confirm that the number is yours and authorise sending the SMS code to that number.

Full verification (with document): only in specific risk cases (for example, indications of fraud, duplicated identities, impersonation, payment disputes or a legal request) we may require a full verification, in which Didit captures the image of your identity document and matches it against your face.

In both cases, the process happens entirely on Didit's secure platform: the images and videos never pass through the Manager's servers.

In the Manager we only keep a textual summary of the result: the verification status, the date, the session reference, the necessary anti-fraud signals, the age estimate when computed, if the verification included a document, the textual data extracted from it (name, document type and number, dates and nationality) and, if the verification was done by SMS, the verified phone number with its carrier, line type and country. We never store images, videos, selfies or biometric templates in the Manager's systems.

Before starting a facial verification we show you specific information and ask for your explicit consent for Didit to process your liveness/facial data where such processing may qualify as biometric, in accordance with GDPR art. 9.2.a. The general purpose of verifying accounts, preventing fraud, abuse, spam, phishing, DDoS, impersonation, payment disputes and non-payment, and protecting the network, the platform and other clients, is based on GINERNET's legitimate interest under GDPR art. 6.1.f.

We also ask for a separate, optional consent to keep the verification reference so a new facial check can be compared if you request face-based account recovery. This consent is revocable at any time from your account settings and its absence does not prevent you from completing the standard verification.

As part of the fraud prevention covered by the consent above and by GINERNET's legitimate interest, Didit may generate risk signals about possible duplicated, inconsistent or potentially abusive verifications, including the use of the same facial identity or the same phone number across several accounts. These signals are recorded internally, are used solely for risk review and are never shown to other clients.

Didit does not sell or trade biometric data, encrypts data at rest and in transit, and if any operation involves an international data transfer it does so with the safeguards provided by the GDPR (adequacy decisions or Standard Contractual Clauses).

You can read Didit's privacy policy at https://didit.me/terms/privacy-policy

6. Account recovery by verifying your identity

If you have completed the account verification and keep the recovery consent active, you can recover access to your account when you lose your password and passkeys by proving your identity through the same path you verified with: a new facial check if you verified with a selfie, or an SMS code to your verified number if you verified by phone.

Facial recovery: the face match is performed entirely by Didit, using the verification reference safekept by Didit and the new facial check you perform during the recovery process. The Manager never stores images, selfies, videos or biometric templates: it acts as a mere technical intermediary to initiate the check and only keeps the result.

SMS recovery: we will ask you to type your phone number. That number is used solely to check, at that moment, that it matches the one you verified (the comparison is made against a cryptographic fingerprint and the typed number is not stored) and, if it matches, Didit sends a one-time code to that number. For security, the Manager never displays or pre-fills your number during recovery.

You can revoke the recovery consent at any time from your account settings. Once revoked, this recovery path is disabled immediately and the verification data enters the deletion schedule described in section 9.

7. Billing in USD (NEURALIA LLC)

If you choose billing in US dollars, NEURALIA LLC, the USD billing entity, will process the administrative and tax data needed to issue your invoices and manage payments.

This may involve a limited transfer of that administrative data to the United States, exclusively for that billing and collection purpose.

8. Who we share your data with

We do not sell or rent your personal data.

Only the providers essential to operating the service have access to it: payment gateways, the identity verification provider (Didit), email delivery providers and the technical infrastructure. Each one processes only the minimum data needed for its function.

We will respond to requests from courts, law enforcement or public bodies only when there is a valid legal basis and they are submitted through official channels.

9. How long we keep your data

  • Your account data, for as long as the account is active.
  • Invoices and accounting records, for the statutory tax and commercial retention periods.
  • Security logs and technical records, for the limited time needed for security and abuse prevention.
  • The account verification result summary, for as long as the account exists, as proof of the verification performed.

The verification data safekept by Didit (images or phone number, depending on the path used, and the results) follows a layered retention: (a) while you keep the recovery consent active, it is retained for as long as your account is active and that consent has not been revoked, so account recovery keeps working; (b) if you never gave that consent or you revoke it, the verification reference stops being used for recovery and the verification data is deleted from Didit within a maximum of 2 years after the verification, a window during which it is kept solely to prevent abusive re-verification, duplicated identities or numbers, recurring fraud, payment disputes and the creation of accounts to evade restrictions (legitimate interest, GDPR art. 6.1.f), unless it must be retained longer due to fraud, abuse, impersonation, a payment dispute, non-payment, a legal request, an investigation, network security or the defense of claims; and (c) if you close your account and no legitimate retention grounds such as the above exist, we request its deletion from Didit without undue delay, regardless of your consent. You can also request its early deletion by exercising your rights (section 12); in every case, once deleted, face-based account recovery is no longer available until you verify again.

10. Account closure and right to erasure

You can close your account from the Manager at any time, provided you have no active services, debts or pending items. The closure is immediate and irreversible and anonymizes your personal data: name, email, tax details, phone, payment methods, account-verification summary and the content of communications are deleted or replaced with anonymous values. We also request, without undue delay, the deletion of your customer record at the payment gateway and the deletion of your verification data at Didit (images, videos, phone number and results of all your sessions), unless it must be retained due to fraud, abuse, a dispute, a legal request or the defense of claims.

Some data must be retained by law and is not anonymized: issued invoices and their PDFs are kept intact for the tax and commercial retention periods, with restricted access. Technical records (IP assignments, balance entries, payments and security audit) are retained associated with the anonymized account, without personal data, based on our legitimate interest in fraud prevention and defense against claims.

Your email address is released: you can register again with it if you ever want to come back. Your username (nic-handle) is permanent, contains no personal data and is never reused.

If your account holds balance when you close it, the closure form will ask you to expressly accept its waiver; GINERNET will donate an equivalent amount to REFORESTA.ES. We keep a minimal closure record (date, IP, consent and your encrypted email) as proof, for a period aligned with the invoices.

Anonymized data may temporarily persist in backup copies until their natural rotation.

11. Security

We apply technical and organisational measures to protect your data: passwords stored encrypted, optional two-factor authentication (2FA) and passkeys, secrets encrypted at rest and encrypted communications.

If we detected a security breach affecting your data, we would notify you with the available information and the measures taken.

12. Your rights

You can exercise your rights of access, rectification, erasure, objection, restriction of processing and portability at any time, as well as withdraw your consent when processing is based on it.

To exercise them, open a support ticket from the Manager.

If you believe we have not handled your data correctly, you can file a complaint with the Spanish Data Protection Agency (aepd.es).

13. Changes to this policy

We may update this policy to adapt it to legal, technical or operational changes. The date in the header indicates the latest version in force.

When the changes are significant, we will let you know through the Manager or by email.