ConducIA Logo

Privacy Policy

Last updated: December 2025 | Version: 1.2

Important Information

This Privacy Policy describes how ConducIA ("we", "our" or "the company") collects, uses and protects your personal information in accordance with the General Data Protection Regulation (GDPR)of the EU and the Organic Law on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) of Spain.

Your data is protected: We implement best security practices and strictly comply with European and Spanish data protection regulations.

1. Company Information

Data Controller:

  • Name: TURNWISE S.L.
  • CIF/NIF: B24747297
  • Contact Email: soporte@conducia.com
  • Phone: +34 615 561 863
  • Website: www.conducia.com
  • Main activity: Digital platform for driving license training and educational services for driving schools

2. Legal Basis for Processing

We process your personal data based on the following legal bases established in the GDPR:

2.1 Contract Performance (Art. 6.1.b GDPR)

  • Provision of driving education service
  • Management of subscriptions and payments
  • Service-related communication
  • Commission program for driving schools

2.2 Consent (Art. 6.1.a GDPR)

  • Direct marketing and promotional communications
  • Non-essential cookies
  • Service analysis and improvement
  • Newsletters and educational content

2.3 Legitimate Interest (Art. 6.1.f GDPR)

  • Fraud prevention and security
  • Service improvement and features
  • Platform usage analysis
  • Technical support and customer service

2.4 Legal Obligation (Art. 6.1.c GDPR)

  • Retention of tax records (7 years)
  • Compliance with tax obligations
  • Invoicing and accounting
  • Driving school verification

3. Data We Collect

3.1 Student Data

Identification Data:

  • • First and last name
  • • Email address
  • • Phone number (optional)
  • • Preferred language

Usage Data:

  • • Progress in tests and courses
  • • Mock exam results
  • • Study time dedicated
  • • Answer history
  • • Learning statistics

3.2 Driving School Data

Company Data:

  • • Driving school name
  • • DGT license number
  • • Business address
  • • Contact details
  • • Website (optional)
  • • Verification status
  • • Commission data

Representative Data:

  • • Representative name
  • • Contact email
  • • Contact phone

3.3 Technical Data (Only When Necessary)

We collect minimal technical data only when necessary for service functionality and security:

  • IP address (anonymous hash for security)
  • User-Agent (for specific activity auditing)
  • Essential cookies for authentication and session
  • User preferred language

4. How We Use Your Data

4.1 Main Services

  • Provide access to educational content
  • Maintain and manage user accounts
  • Process payments and subscriptions
  • Manage commission program

4.2 Support and Improvement

  • Resolve technical issues and queries
  • Analyze usage to improve the platform
  • Send important service notifications
  • Verify driving schools and prevent fraud
  • Comply with legal and tax obligations

4.3 Marketing and Communications (Only with Consent)

  • Educational newsletters
  • Information about new features
  • Promotional offers and discounts
  • Study tips and preparation
  • DGT regulatory updates

5. Sharing Data with Third Parties

ConducIA only shares personal data with third parties when strictly necessary to provide our services, comply with legal obligations or with your explicit consent.

5.1 Service Providers

Infrastructure and Data:

  • Supabase: Database (USA, SOC 2 Type II, AES-256 encryption)
  • Vercel: Hosting and deployment (USA/Global CDN, SSL/TLS 1.3)

Payments and Communications:

  • Stripe: Payment processing (USA, PCI DSS Level 1)
  • Resend: Email delivery (USA, TLS encryption, GDPR compliance)

Artificial Intelligence Services:

  • OpenAI (GPT-5.1): Only educational question generation, no personal data
  • Anthropic (Claude Sonnet 4.0, 4.5, Opus): Only educational question generation, no personal data
  • Supervision: Human review of all AI-generated content

5.2 International Transfers

For transfers outside the European Economic Area (EEA), we implement:

  • Standard contractual clauses approved by the European Commission
  • Compliance certifications (SOC 2, PCI DSS) from providers
  • Additional technical measures such as end-to-end encryption
  • Continuous assessment of protection safeguards

6. Data Retention

6.1 Retention Periods

  • Active account: During contractual relationship
  • Billing data: 7 years (legal obligation)
  • Marketing: Until consent withdrawal
  • Security logs: 12 months
  • Inactive account: 1 year from last access

6.2 Automatic Deletion

We implement automated processes to delete data when:

  • User has not accessed for more than 1 year
  • Marketing consent is withdrawn
  • The right to erasure is exercised (after verification)
  • Legal retention period expires

Important note: Users cannot directly delete their accounts. To request data deletion, contact soporte@conducia.com.

7. Your Rights

Under the GDPR and LOPDGDD, you have the following rights regarding your personal data:

  • Access (Art. 15 GDPR): Request information about what data we process and obtain a copy
  • Rectification (Art. 16 GDPR): Correct inaccurate or incomplete data
  • Erasure (Art. 17 GDPR): Request deletion of your data (right to be forgotten)
  • Restriction (Art. 18 GDPR): Restrict processing under certain circumstances
  • Portability (Art. 20 GDPR): Receive your data in structured format
  • Objection (Art. 21 GDPR): Object to processing and direct marketing
  • Automated Decisions (Art. 22 GDPR): Not be subject to automated decisions
  • Withdrawal of Consent: Withdraw consent at any time

8. How to Exercise Your Rights

To exercise any of your rights:

  • Email: soporte@conducia.com
  • Phone: +34 615 561 863

Response time: Maximum 30 calendar days

Required documentation: Copy of ID, NIE or valid identification document

9. Complaints

If you believe we have violated your data protection rights, you can file a complaint with:

Spanish Data Protection Agency (AEPD)

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

10.1 Technical Measures Implemented

  • Automatic SSL/TLS encryption via Vercel
  • Row Level Security (RLS) in Supabase database
  • Secure authentication system with JWT
  • Role-based user access controls
  • Automatic backups (managed by Supabase)
  • Data input validation and sanitization

10.2 Organizational Measures (Appropriate for Single-Employee Startup)

  • Privacy by design and by default in development
  • Data processing agreements with service providers
  • Manual incident response procedures appropriate for company size
  • Simplified record of processing activities
  • Impact assessments only when legally required

10.3 Security Breach Notification

In case of a data breach that may pose a risk, we will follow mandatory legal procedures:

  • Notify AEPD within 72 hours (per GDPR Art. 33)
  • Inform users directly if high risk to their rights exists
  • Implement immediate containment measures per established protocols
  • Document the incident and all measures taken

11. Cookies

11.1 Types of Cookies

Essential (always active):

  • • User session and authentication
  • • Language preferences
  • • CSRF security

Analytics (with consent):

  • • Usage statistics
  • • Performance analysis
  • Future: Not implemented yet

Marketing (with consent):

  • • Remarketing and segmentation
  • Future: Not implemented yet

11.2 Cookie Management

You can manage your preferences through:

  • Cookie consent banner
  • Your browser settings
  • Contact: soporte@conducia.com

12. Minors

Minimum age: Our service is aimed at users over 16 years old, in accordance with the minimum age for digital consent in Spain (Art. 8 GDPR and Art. 7 LOPDGDD).

Under 16: If we detect data from minors under 16 without adequate parental consent, we will proceed to delete it immediately.

Verification: We request age declaration during registration through a confirmation checkbox.

13. Changes to this Policy

We reserve the right to update this Privacy Policy. When we make material changes:

  • Significant changes: Email notification, prominent notice on platform, 30 days before taking effect
  • Minor changes: Publication on platform, updated modification date
  • History: Access to previous versions upon request

14. Contact

All Inquiries

For all privacy, technical, and legal inquiries, please contact us at: