Privacy Policy
1. Data controller
The controller of your personal data is Pau Serrano García (sole trader / autónomo), NIF 48059727P, registered at Carrer Orient, 4, 25318 Les Puelles (Lleida), Spain. Contact email: hello@hmilibrary.com.
2. What data we collect
| Category | Data | When |
|---|---|---|
| Account | Email, name, password (hashed), optional company | On sign-up |
| Billing | VAT/Tax ID, billing address, card data (processed by Stripe — we never see it) | On subscribing |
| Usage | Symbols downloaded, date/time, truncated IP address | While using the app |
| Functional storage | Session token, preferred language | During the session |
3. Why we use your data
- Service delivery — managing your account, authentication, counting downloads, applying plan limits.
- Billing — issuing invoices with your VAT/Tax ID and legal name when you subscribe to a paid plan.
- Support — answering queries you send to hello@hmilibrary.com.
- Operational communications — account confirmation, password reset, payment receipts. No marketing unless you expressly opt in.
- Product improvement — aggregate, anonymous analysis of which symbols are downloaded most, to prioritise new content.
4. Legal basis
- Performance of a contract (Art. 6.1.b GDPR) — to deliver the service you signed up for.
- Legal obligation (Art. 6.1.c GDPR) — to issue and retain invoices for the legally required period.
- Legitimate interest (Art. 6.1.f GDPR) — for aggregate analytics and fraud prevention.
- Consent (Art. 6.1.a GDPR) — for non-transactional marketing communications.
5. Who we share your data with
Your data is stored and processed by the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database & authentication | EU (eu-central-1, Frankfurt) |
| Stripe Payments Europe | Payment processing | EU (Ireland) / US (DPF + SCCs) |
| Cloudflare Inc. | Static hosting & CDN | Global (with SCCs) |
| Google LLC | OAuth (sign-in with Google), optional | US (with SCCs) |
We do not sell or rent your data to third parties for commercial purposes.
6. Retention
- Active account — for as long as your account remains open.
- After account deletion — account data deleted within 30 days; billing data retained for the period required by applicable tax law (in Spain, up to 4–6 years).
- Download logs — 12 months for audit and abuse prevention, then anonymised.
7. Your rights
As a data subject, you have the right to:
- Access — know what data we hold about you.
- Rectification — correct inaccurate data. You can do most of this directly from your account Settings.
- Erasure ("right to be forgotten") — request deletion of your data.
- Restriction — restrict processing while a complaint is verified.
- Portability — receive your data in a structured format (JSON).
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, for processing based on it.
To exercise any of these rights, email hello@hmilibrary.com with "GDPR" in the subject. We respond within 30 days at most.
If you believe processing does not comply with the law, you may lodge a complaint with your local data protection authority — in Spain, the Spanish Data Protection Agency (AEPD).
8. Security
We apply appropriate technical and organisational measures: encryption in transit (TLS 1.3), encryption at rest, role-based access control, audit logs, encrypted backups. Passwords are stored as bcrypt hashes — never in plain text.
9. Minors
HMI Library is aimed at professionals and does not knowingly collect data from minors under 16. If you believe a minor has provided us with data, contact us and we will delete it.
10. Changes to this policy
If we update this policy, we will notify you by email, at the address associated with your account, at least 15 days in advance when the changes affect material rights.