Privacy Policy — ManipulaPro
Last updated: 27 April 2026
Version: 1.0
1. Identity of the Data Controller
| Field | Value |
|---|---|
| Name | Fabio Tassone |
| Legal form | Self-employed individual (autónomo, registered with Spanish IAE) |
| NIE | [to be completed] |
| Registered office | [to be completed — Seville, Spain] |
| Privacy contact email | privacy@manipulapro.com |
| General email | hola@manipulapro.com |
| Trading name | ManipulaPro |
| Domains | manipulapro.com, manipulapro.com |
No Data Protection Officer (DPO) has been appointed because the conditions under Art. 37 GDPR do not apply: the activity does not involve large-scale systematic monitoring nor large-scale processing of special categories of data under Art. 9.
2. Personal data processed
| Category | Specific data | Source |
|---|---|---|
| Identification | First name, last name, email | Registration form |
| Authentication | Password hash (managed by Clerk), session tokens | Authentication service |
| Billing | Payment email, amount, Stripe transaction ID | Stripe Checkout |
| Academic | Courses purchased, exam attempts, scores, certificates issued | ManipulaPro platform |
| Technical | IP, user agent, access date, language | Server logs (Vercel) |
| Cookies | See section 9 | User's browser |
We do not process special categories of data under Art. 9 GDPR (racial origin, political opinions, health, biometrics, etc.). We do not process data of minors under 14 (Spanish LOPDGDD Art. 7).
3. Purposes and legal bases of processing
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Provision of online training service (registration, course access, exam, certificate) | Performance of contract (Art. 6.1.b) |
| Payment collection and invoicing | Legal obligation (Art. 6.1.c — tax law) |
| Transactional communications (password reset, invoice, certificate) | Performance of contract (Art. 6.1.b) |
| Handling data subject requests (Art. 15-22 GDPR) | Legal obligation (Art. 6.1.c) |
| Service improvement through aggregated analytics | Legitimate interest (Art. 6.1.f) — only with consent to analytics cookies |
| Email marketing | Consent (Art. 6.1.a) — explicit opt-in, no sending without prior consent |
4. Data processors (sub-processors)
ManipulaPro uses the following providers who process personal data on behalf of the Controller. All have a signed Data Processing Agreement (DPA) and, for transfers outside the EEA, Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) or membership in the EU-U.S. Data Privacy Framework.
| Provider | Country | Purpose | Data transferred | Transfer safeguard |
|---|---|---|---|---|
| Clerk Inc. | United States | User authentication, session management | Email, name, IP, tokens | SCC + EU-U.S. DPF |
| Stripe Payments Europe Ltd. | Ireland (EU entity) | Payment processing | Email, amount, transaction ID, IP | Processing within EEA |
| Stripe Inc. | United States | Technical support to payment service | Pseudonymized data | SCC + EU-U.S. DPF |
| Neon Inc. | United States (data in EU region eu-central-1) | PostgreSQL database | All account and academic data | SCC + EU data residency |
| Resend Inc. | United States | Transactional email delivery | Recipient email, message content | SCC |
| Vercel Inc. | United States | Application hosting, serverless function execution | Technical logs (IP, user agent), data in transit | SCC + EU-U.S. DPF |
| Cloudflare Ireland Ltd. | Ireland (EU entity for EEA customers) | DNS and content delivery network (CDN) | IP, technical traffic data | Processing within EEA |
| Upstash Inc. | United States (data in EU region if configured) | Rate limiting and cache | Truncated IP, counters | SCC |
ManipulaPro does not authorise these sub-processors to use the data for their own purposes other than the contracted service. Before adding a new sub-processor, ManipulaPro evaluates technical and organisational guarantees and signs the corresponding DPA.
5. Data retention
| Category | Retention period | Basis |
|---|---|---|
| User account (profile, authentication) | Until user deletion request or inactivity exceeding 36 months | Service performance |
| Payment and invoicing data (amounts, dates, Stripe IDs) | 7 years from invoice issuance date | Legal obligation: Art. 30 Spanish Commercial Code + Art. 67 LGT |
| Exam attempts (QuizAttempt) | Until account deletion | Service performance |
| Issued certificates | Indefinite, anonymised after holder's account deletion | Legitimate interest: integrity of public verification system (anti-counterfeiting) + food business operator obligations under EU Reg. 852/2004 |
| Encrypted pg_dump backups | 30 days automatic rotation | Security |
| Technical access logs | 90 days | Legitimate interest: security and fraud detection |
| Cookies | See section 9 | Consent or service performance |
| Marketing communications | Until consent withdrawal | Consent |
Certificate anonymisation: upon a deletion request, the userId field on the Certificate record is unlinked and personal data (name, email) are replaced by irreversible hashes. The unique certificate code and issue date are retained so that public verification by code (/verifica/[code]) remains valid for inspections by health authorities and employers consulting it.
6. Data subject rights (Art. 15-22 GDPR)
You have the right to:
- Access (Art. 15): obtain confirmation of whether your data is being processed and, if so, a copy thereof.
- Rectification (Art. 16): correct inaccurate data.
- Erasure (Art. 17) — "right to be forgotten": delete your data when no longer necessary or when you withdraw consent, subject to mandatory retention periods (Section 5).
- Restriction of processing (Art. 18): request processing suspension in defined cases.
- Portability (Art. 20): receive your data in a structured format (JSON) and transmit it to another controller.
- Object (Art. 21): object to processing based on legitimate interest (analytics) or to direct marketing.
- Not be subject to automated decision-making (Art. 22): ManipulaPro does not carry out automated decision-making with legal effects on users. Exam scoring is algorithmic but does not constitute a standalone legal decision.
How to exercise your rights: send an email to privacy@manipulapro.com specifying the right you wish to exercise and attaching a copy of your government-issued ID to verify your identity. Response time: one month, extendable to three months in complex cases (Art. 12 GDPR).
Right to lodge a complaint: if you consider that the processing infringes the GDPR, you may lodge a complaint with the Spanish Data Protection Agency (AEPD, Calle Jorge Juan 6, 28001 Madrid, www.aepd.es, tel. +34 901 100 099) or with the supervisory authority of your country of residence.
7. Security
ManipulaPro applies appropriate technical and organisational measures (Art. 32 GDPR), including:
- TLS 1.3 encryption in transit
- Database encryption at rest (Neon uses AES-256)
- Two-factor authentication (2FA) available for administrators
- Password hashing with bcrypt/argon2 (managed by Clerk; ManipulaPro never accesses passwords in plaintext)
- Credential isolation via environment variables (Vercel Encrypted Env Vars)
- Cryptographic verification of incoming webhooks (Stripe signature + Clerk svix)
- Server-side anti-tampering on exam scoring
- Rate limiting on sensitive endpoints
- Encrypted backups with 30-day rotation
- Internal Record of Processing Activities (RoPA) compliant with Art. 30 GDPR
Personal data breach notification: in the event of a breach posing high risk to data subjects' rights and freedoms, ManipulaPro will notify the AEPD within 72 hours (Art. 33 GDPR) and inform affected individuals without undue delay (Art. 34).
8. Disclaimer on certificate validity
ManipulaPro's certificates are issued under the responsibility of the food business operator pursuant to EU Reg. 852/2004. ManipulaPro is not an entity accredited by any Spanish autonomous community or by AESAN. Spanish RD 109/2010 abolished the official manipulator card system; the responsibility to ensure adequate staff training rests with the food business operator.
The training provided by ManipulaPro serves as a technical tool for the food business operator, who remains ultimately accountable to health authorities for ensuring that staff receive training appropriate to their role. The certificate issued by ManipulaPro evidences that the holder completed and passed the training programme; its validity in inspections depends on the food business operator's compliance with their specific obligations (HACCP plan, role-based risk, etc.).
If you require a manipulator card accredited by an autonomous community whose specific regulations require it, you should contact an entity accredited by that community.
9. Cookies
ManipulaPro uses only the following cookies:
| Name | Type | Purpose | Duration | Third party |
|---|---|---|---|---|
| __session | Strictly necessary | Clerk authentication session | Session / until logout | Clerk |
| __client_uat | Strictly necessary | Clerk client validation | 1 year | Clerk |
| NEXT_LOCALE | Strictly necessary | User language | 1 year | ManipulaPro |
| manipulapro_consent_v1 | Strictly necessary | Stores your cookie preference | 1 year | ManipulaPro |
| __stripe_mid, __stripe_sid | Strictly necessary | Payment fraud prevention | 1 year / 30 minutes | Stripe |
We do not use analytics or marketing cookies in the current version of the service. If we add analytics in the future (e.g. Plausible Analytics, self-hosted in EU without cookies) or marketing cookies, this policy will be updated and additional consent will be requested before activation.
Strictly necessary cookies are exempt from the consent requirement under Spanish LSSI Art. 22.2 and AEPD guidelines.
10. Policy changes
ManipulaPro reserves the right to modify this Privacy Policy to reflect legislative changes or service evolution. Substantial changes will be communicated to registered users by email with at least 30 days' notice. The latest update date appears at the top of this document.
11. Applicable law and jurisdiction
This Policy is governed by Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and Spanish Law 34/2002 on Information Society Services (LSSI). For any dispute, the competent courts shall be those of Seville, without prejudice to consumer rights under Art. 90.2 of the Spanish General Consumer Protection Act.
Privacy contact: privacy@manipulapro.com
Controller: Fabio Tassone — Seville, Spain