Astrópalo
Sign in Pricing Compliance Partner login Become a partner Find a partner

Privacy Policy

Last updated: April 2026

1. Data controller

The controller responsible for the processing of your personal data is:

  • Company: Alice & Bob S.L.
  • Tax ID (CIF): B67932186
  • Registered address: Calle Marie Curie, 7, Edif. Beta, Pl. 7 Ático, Parque Empresarial Rivas Futura, 28521 Rivas-Vaciamadrid, Madrid
  • Email: hello@astropalo.com

2. Data we collect

  • Account data: your name, email address and password (stored encrypted) when you sign up.
  • Usage data: the websites you add for monitoring, the scan history and the security findings associated with those sites.
  • Technical data: IP address, browser type, operating system and browsing behaviour on our platform, collected through cookies (see Cookie Policy).
  • Billing data: payment information processed by Stripe. We do not store card numbers directly.
  • Communications: emails you send us and support enquiries.

3. Purpose and legal basis

  • Provision of the service (performance of the contract): creating and managing your account, running security scans, generating reports and sending alerts about critical vulnerabilities.
  • Billing (performance of the contract): handling subscription payments through Stripe.
  • Communications (legitimate interest): to send you product updates, security notifications and the weekly summary.
  • Analytics (consent): to measure platform usage with Google Analytics and Meta Pixel, only if you have given your consent through the cookie notice.
  • Legal obligations: to comply with applicable tax and accounting regulations.

4. Third parties with whom we share data

  • Stripe: payment processing. Privacy policy: stripe.com/privacy
  • Google Analytics: usage analytics (only with your consent). Policy: policies.google.com/privacy
  • Meta Pixel: advertising and conversion tracking (only with your consent). Policy: facebook.com/privacy/policy
  • EmailIt: sending of transactional emails (account notifications, alerts, reports).
  • Hetzner Cloud: cloud infrastructure where the service runs. Servers located in Germany (EU).

5. International transfers

Google and Meta are headquartered in the United States. Data transfers are protected by the Standard Contractual Clauses (SCCs) adopted by the European Commission, which guarantee safeguards equivalent to the GDPR. All other providers process data within the European Union.

6. Data retention

  • Account data: retained for the duration of your subscription, plus 3 years after cancellation due to legal obligations.
  • Scan and findings history: retained for the duration of your subscription. Deleted within 30 days of account cancellation.
  • Billing records: retained for 5 years in accordance with Spanish tax legislation.
  • Analytics data: retained according to each provider's retention policy (e.g., 26 months in Google Analytics).

7. Your rights

Under the GDPR (Regulation (EU) 2016/679) and the LOPDGDD, you have the right to:

  • Access: obtain a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Supresión ("derecho al olvido"): request the deletion of your personal data where legally applicable.
  • Restriction: request that we restrict the processing of your data.
  • Portability: receive your data in a machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: at any time, for processing based on consent (e.g., analytics cookies).

To exercise any of these rights, write to us at hello@astropalo.com. We will respond within 30 days.

8. Right to lodge a complaint with the AEPD

If you believe your rights have been violated, you may file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or through a prominent notice on the platform at least 15 days before they take effect. Continued use of the service after that date constitutes acceptance of the revised policy.