Privacy Policy

Introduction

Last Updated: March 4, 2026

MiniaturZ, operated by Jesús Izquierdo with registered address at Av. de los Antiguos Baños de la Isabela 5, Vilalbilla, Madrid, Spain (28810) and tax identification number 09066343L ("we", "us", or "our"), provides an interactive 3D platform for online therapeutic sessions.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our platform and related services (the "Service"). It applies to therapists who register accounts and to patients who access sessions via secure links.

Data Controller

For therapist account data, the data controller is:

  • Jesús Izquierdo
  • Address: Av. de los Antiguos Baños de la Isabela 5, Vilalbilla, Madrid, Spain (28810)
  • Tax ID (NIF): 09066343L
  • Contact: [email protected]

For patient data processed during therapy sessions, the therapist is the data controller and MiniaturZ acts as a data processor under GDPR Art. 28. The therapist is responsible for establishing the appropriate legal basis (such as patient consent or legitimate interest) for using MiniaturZ in their professional practice.

Information We Collect

Account and Profile Data

  • Name and email address
  • Authentication data (via email magic link or Google OAuth)
  • Professional profile information and preferences
  • Language and communication preferences
  • Country, locale, and timezone (derived from your IP address at registration)
  • Information provided through contact or support forms (name, email address, and message content)

Technical and Usage Data

  • IP address at registration (stored in your user profile) and during platform usage (logged with usage events)
  • Device type and browser information
  • Session activity metrics: miniatures used, session duration, therapeutic technique selected, whether a patient joined, and your country/locale during the session
  • Platform usage events: account creation, onboarding steps, session creation, feature interactions, payment events, and similar product analytics — each event may include your IP address and contextual metadata
  • Video call connection data (transmitted peer-to-peer between devices, not stored on our servers)
  • Real-time interaction data (miniature positions, camera movements) — held in server memory during the active session only, never persisted to disk or database

Payment Data

  • Stripe customer identifier linked to your account. We do not store credit card numbers, CVVs, or full payment details — these are handled entirely by Stripe under their own privacy policy

Feedback and Survey Data

  • Post-session satisfaction ratings (1–5 scale)
  • Ease-of-use ratings (1–5 scale)
  • Optional free-text feedback and testimonials (only when you choose to provide them)

Patient Session Data

  • Patient first names may be displayed during sessions for identification purposes but are never permanently stored on our servers
  • Video and audio streams are transmitted peer-to-peer with end-to-end encryption between therapist and patient devices — they are never recorded, intercepted, or stored by MiniaturZ

Information From Third Parties

  • Google OAuth: when you sign in with Google, we receive your name, email address, and profile picture from Google

Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): to provide the Service, manage your account, process payments, and deliver the features included in your subscription plan
  • Legitimate interest (Art. 6(1)(f)): to improve the Service, prevent fraud and abuse, ensure platform security, and conduct aggregated internal analytics
  • Legal obligation (Art. 6(1)(c)): to comply with applicable tax, accounting, and regulatory requirements
  • Consent (Art. 6(1)(a)): for optional communications, post-session surveys, and publication of testimonials — you may withdraw consent at any time without affecting the lawfulness of prior processing

How We Use Your Information

  • To create, manage, and authenticate your account
  • To provide real-time video communication and interactive 3D therapy sessions
  • To process payments and manage subscriptions through Stripe
  • To send transactional communications (account verification, magic login links, session notifications, trial status updates, subscription changes)
  • To analyze aggregated usage patterns and improve platform quality and reliability
  • To detect and prevent fraud, abuse, and unauthorized access
  • To comply with legal obligations and respond to lawful requests from authorities

Cookies and Similar Technologies

We use a minimal set of cookies strictly necessary for the Service to function:

  • Authentication cookies: essential for maintaining your logged-in session and protecting against cross-site request forgery. These cookies expire after 30 days of inactivity or at the end of the authentication process. Without these cookies, you cannot use the Service
  • Language preference cookie: stores your selected language (English or Spanish). Persistent until you change it

We do not use advertising cookies, third-party tracking cookies, or external analytics platforms that set cookies. Our contact form uses a bot protection service that may set a functional cookie solely for spam prevention. Since we only use strictly necessary cookies, no cookie consent banner is required under ePrivacy Directive Art. 5(3).

Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of all data in transit between your browser and our servers
  • Peer-to-peer encrypted video and audio sessions — media never passes through our servers
  • Encrypted real-time connections for session interaction data
  • Database access restricted to authorized application services
  • Secure authentication via magic links and third-party identity providers
  • Infrastructure hosted in EU data centers with physical and logical access controls

Data Sharing and Third-Party Processors

We share your personal data only when necessary to provide the Service or when legally required. Our processors and the data they receive are:

  • Stripe, Inc. (United States): payment processing — receives your email and payment method details. Stripe acts as an independent controller for payment data under its own privacy policy
  • Email service provider (United States/EU): transactional email delivery — receives your email address and name to send account-related communications
  • CDN and security provider (United States): content delivery, DDoS protection, and bot prevention — may process your IP address and browser metadata
  • Infrastructure hosting provider (Germany/Finland, EU): your data is stored on servers located within the European Union
  • Google LLC (United States): OAuth authentication (if you sign in with Google, Google receives and shares your profile data) and connectivity services for peer-to-peer video calls
  • Law enforcement or judicial authorities: only when required by a binding legal obligation, court order, or to protect our legal rights in legal proceedings

We do not sell, rent, or trade your personal data to third parties. We do not share data with advertisers, data brokers, or any party for marketing purposes.

International Data Transfers

Your data is primarily stored and processed within the European Union (Germany/Finland). Some third-party processors may process data outside the EEA:

  • Payment processor (United States): covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses
  • Authentication and connectivity provider (United States): covered by the EU-U.S. Data Privacy Framework
  • CDN and security provider (United States): covered by Standard Contractual Clauses
  • Email provider (United States, if applicable): covered by Standard Contractual Clauses and/or adequacy decisions

Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V (Art. 44–49), including Standard Contractual Clauses adopted by the European Commission.

Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

  • Account data: retained for the duration of your active account. Upon account deletion, personal data is erased within 30 days, except where legal retention obligations apply
  • Authentication tokens: expire shortly after use and are periodically purged
  • Session metrics: retained for the duration of your active account for analytics purposes and deleted when your account is removed
  • Usage events: retained for up to 90 days for internal analytics and automatically deleted thereafter
  • Payment and billing records: retained as required by applicable tax and accounting regulations (typically 5–7 years under Spanish tax law)
  • Survey responses: retained in aggregated form for service improvement; identifiable survey data is deleted with your account
  • Real-time session data: exists only in server memory during an active session — automatically discarded when the session ends
  • Video and audio streams: never stored — transmitted directly between participants via encrypted peer-to-peer connection
  • Inactive accounts: accounts that have never been used (no sessions conducted, onboarding not completed) may be automatically removed after a reasonable period of inactivity as part of routine data hygiene

Your Privacy Rights

Rights Under GDPR (EU/EEA Users)

Under the General Data Protection Regulation, you have the right to:

  • Access: obtain confirmation of whether we process your data and request a copy (Art. 15)
  • Rectification: request correction of inaccurate or incomplete personal data (Art. 16)
  • Erasure: request deletion of your personal data when it is no longer necessary for the purposes collected (Art. 17)
  • Restriction: request temporary restriction of processing in certain circumstances (Art. 18)
  • Portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20)
  • Objection: object to processing based on legitimate interest at any time (Art. 21)
  • Withdraw consent: withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing (Art. 7(3))

You also have the right to lodge a complaint with a supervisory authority. For users in Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD) — www.aepd.es. For other EU/EEA member states, contact your local Data Protection Authority.

Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you additionally have the right to:

  • Know what personal information we collect, use, disclose, and sell (we do not sell personal data)
  • Request deletion of your personal information
  • Opt out of the sale or sharing of personal information (not applicable — we do not sell or share data for cross-context behavioral advertising)
  • Non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at [email protected]. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA), as required by applicable law. Requests are free of charge unless manifestly unfounded or excessive.

Children's Privacy

MiniaturZ is designed for use by licensed therapists. Therapists may conduct sessions with minor patients, subject to these requirements:

  • In Spain: for patients under 14 years of age, the therapist must obtain verifiable parental or guardian consent, in accordance with LOPDGDD Art. 7 and GDPR Art. 8
  • In other EU/EEA countries: the applicable age of digital consent varies by member state (13–16 years) — the therapist must comply with their local implementation of GDPR Art. 8
  • In the United States: for patients under 13 years of age, the therapist must ensure compliance with COPPA (Children's Online Privacy Protection Act)
  • The therapist, as data controller for their patients, is solely responsible for obtaining, documenting, and retaining evidence of appropriate parental consent
  • MiniaturZ does not knowingly collect personal data directly from children. If we become aware that personal data from a minor has been collected without appropriate consent, we will take steps to delete it promptly

Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects concerning you (GDPR Art. 22). Usage analytics are processed only in aggregate form for service improvement and do not result in individual decisions affecting your access to or terms of the Service.

Contact Us

For questions about this Privacy Policy, to exercise your privacy rights, or to report a data protection concern, contact us at:

MiniaturZ
Email: [email protected]
Jesús Izquierdo — Av. de los Antiguos Baños de la Isabela 5, Vilalbilla, Madrid, Spain (28810)

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our data practices or applicable law. If we make material changes, we will notify you by email or through a prominent notice on the platform at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you disagree with the changes, you may delete your account before the effective date.