Privacy Policy
Last updated: {lastUpdated}
Introduction
MiniaturZ, operated by Jesús Izquierdo Cubas (sole proprietor with Tax ID 09066343L and address at Av. de los Antiguos Baños de la Isabela 5, Villalbilla, Madrid, Spain (28810)), provides an interactive 3D platform for online therapeutic sessions.
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our platform and related services (the "Service"). It applies to therapists who register accounts and to patients who access sessions via secure links.
Data Controller
The data controller of the personal data collected through the Service is the owner identified in the Legal Notice:
- Jesús Izquierdo Cubas — Sole proprietor
- Tax ID (NIF): 09066343L
- Contact: [email protected]
For patient data processed during therapy sessions, the therapist is the data controller and MiniaturZ acts as a data processor under GDPR Art. 28. The therapist is responsible for establishing the appropriate legal basis (such as patient consent or legitimate interest) for using MiniaturZ in their professional practice.
Information We Collect
Account and Profile Data
- Name and email address
- Authentication data (via email magic link or Google OAuth)
- Professional profile information and preferences
- Language and communication preferences
- Country, locale, and timezone (derived from your IP address at registration)
- Information provided through contact or support forms (name, email address, and message content)
Technical and Usage Data
- IP address and basic connection data required to provide the Service and protect the platform against abuse
- Device type and browser information
- Service usage data for aggregated internal analytics
- Technical data required to establish the video call
Payment Data
- Stripe customer identifier linked to your account. We do not store credit card numbers, CVVs, or full payment details — these are handled entirely by Stripe under their own privacy policy
Feedback and Survey Data
- Post-session satisfaction ratings (1–5 scale)
- Ease-of-use ratings (1–5 scale)
- Optional free-text feedback and testimonials (only when you choose to provide them)
Patient Session Data
- Patient names that may be displayed during sessions are not permanently stored
- Video and audio streams of the sessions are never recorded or stored by MiniaturZ
Information From Third Parties
- Google OAuth: when you sign in with Google, we receive your name, email address, and profile picture from Google
Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b)): to provide the Service, manage your account, process payments, and deliver the features included in your subscription plan
- Legitimate interest (Art. 6(1)(f)): to improve the Service, prevent fraud and abuse, ensure platform security, and conduct aggregated internal analytics
- Legal obligation (Art. 6(1)(c)): to comply with applicable tax, accounting, and regulatory requirements
- Consent (Art. 6(1)(a)): for optional communications, post-session surveys, and publication of testimonials — you may withdraw consent at any time without affecting the lawfulness of prior processing
How We Use Your Information
- To create, manage, and authenticate your account
- To provide real-time video communication and interactive 3D therapy sessions
- To process payments and manage subscriptions through Stripe
- To send transactional communications (account verification, magic login links, session notifications, trial status updates, subscription changes)
- To analyze aggregated usage patterns and improve platform quality and reliability
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with legal obligations and respond to lawful requests from authorities
Cookies and Similar Technologies
We use only strictly necessary cookies (authentication and security) and one functional cookie to remember your language preference. We do not use third-party analytics cookies, advertising cookies or cross-site tracking.
For full details about each cookie (purpose, duration and provider), please see our Cookies Policy
Because we only use cookies that are exempt from consent under Art. 5(3) of the ePrivacy Directive (2002/58/EC) and the Spanish Data Protection Authority (AEPD) cookies guidance, no cookie consent banner is displayed.
Data Security
We apply appropriate technical and organisational measures to protect your information, including:
- Encryption of data in transit
- Video and audio sessions are not stored on our servers
- Access controls on systems and databases
- Infrastructure hosted in data centres within the European Union
Data Sharing and Third-Party Processors
We share your personal data only when necessary to provide the Service or when legally required. The categories of providers that may process your data on our behalf are:
- Stripe, Inc. (United States): payment processing. Stripe acts as an independent controller under its own privacy policy
- Transactional email provider (European Union)
- Security and connectivity provider used to protect the site and to deliver video calls
- Infrastructure hosting provider (European Union)
- Google LLC (United States): only if you choose to sign in with your Google account
- Public or judicial authorities: only when required by a binding legal obligation
We do not sell, rent, or trade your personal data to third parties. We do not share data with advertisers or with any party for marketing purposes.
International Data Transfers
Your data is primarily stored and processed within the European Union. Some providers may process data in the United States.
Where personal data is transferred outside the EEA, we ensure the safeguards required by Chapter V of the GDPR (Art. 44–49), including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses adopted by the European Commission, or other applicable adequacy decisions.
Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
- Account data: for the duration of your active account. Upon a deletion request, data is erased except where legal retention obligations apply
- Usage data: for the reasonable time required to operate and improve the Service
- Payment and billing records: for the period required by Spanish tax and accounting law
- Real-time session data, including video and audio: not stored
- Unused accounts may be automatically removed after a reasonable period of inactivity
Your Privacy Rights
Rights Under GDPR (EU/EEA Users)
Under the General Data Protection Regulation, you have the right to:
- Access: obtain confirmation of whether we process your data and request a copy (Art. 15)
- Rectification: request correction of inaccurate or incomplete personal data (Art. 16)
- Erasure: request deletion of your personal data when it is no longer necessary for the purposes collected (Art. 17)
- Restriction: request temporary restriction of processing in certain circumstances (Art. 18)
- Portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20)
- Objection: object to processing based on legitimate interest at any time (Art. 21)
- Withdraw consent: withdraw consent at any time where processing is based on your consent, without affecting the lawfulness of prior processing (Art. 7(3))
You also have the right to lodge a complaint with a supervisory authority. For users in Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD) — www.aepd.es. For other EU/EEA member states, contact your local Data Protection Authority.
Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect, use, disclose, and sell (we do not sell personal data)
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information (not applicable — we do not sell or share data for cross-context behavioral advertising)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at [email protected]. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA), as required by applicable law. Requests are free of charge unless manifestly unfounded or excessive.
Children's Privacy
MiniaturZ is designed for use by licensed therapists. Therapists may conduct sessions with minor patients, subject to these requirements:
- In Spain: for patients under 14 years of age, the therapist must obtain verifiable parental or guardian consent, in accordance with LOPDGDD Art. 7 and GDPR Art. 8
- In other EU/EEA countries: the applicable age of digital consent varies by member state (13–16 years) — the therapist must comply with their local implementation of GDPR Art. 8
- In the United States: for patients under 13 years of age, the therapist must ensure compliance with COPPA (Children's Online Privacy Protection Act)
- The therapist, as data controller for their patients, is solely responsible for obtaining, documenting, and retaining evidence of appropriate parental consent
- MiniaturZ does not knowingly collect personal data directly from children. If we become aware that personal data from a minor has been collected without appropriate consent, we will take steps to delete it promptly
Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects concerning you (GDPR Art. 22). Usage analytics are processed only in aggregate form for service improvement and do not result in individual decisions affecting your access to or terms of the Service.
Contact Us
For questions about this Privacy Policy, to exercise your privacy rights, or to report a data protection concern, contact us at:
Email: [email protected]
Jesús Izquierdo Cubas — Av. de los Antiguos Baños de la Isabela 5, Villalbilla, Madrid, Spain (28810) — Tax ID (NIF): 09066343L
Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our data practices or applicable law. If we make material changes, we will notify you by email or through a prominent notice on the platform at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you disagree with the changes, you may delete your account before the effective date.