Privacy Policy

1. Information We Collect

2. How We Use Your Information

We use your personal information solely to:

• Facilitate booking and appointment management
• Verify your identity and age for service use (when date of birth is provided)
• Contact you about your bookings and services (when phone number is provided)
• Authenticate your access to the application via Firebase Authentication and Google Sign-In
• Improve user experience in the application
• Send notifications about your bookings
• Provide technical support when necessary
• Improve our services based on actual usage

3. Legal Basis for Processing

The legitimacy for data processing is based on the following legal grounds:

4. Storage and Security

Your data is stored on secure Google Firebase servers and protected through:

• Complete encryption: Data encrypted in transit (HTTPS) and at rest
• Protected passwords: Passwords are fully encrypted. Citali cannot access them; only Firebase allows users to change them upon request
• Secure Google Authentication: Google Sign-In uses OAuth 2.0 and OpenID Connect for secure authentication without sharing passwords
• International certifications: ISO 27001, SOC 1, SOC 2, and SOC 3
• Restricted access: Only authorized employees with two-factor authentication
• Regulatory compliance: Compatible with GDPR, CCPA, and international privacy frameworks
• Data isolation: Your data is logically separated and protected

5. Information Sharing

We do not sell, rent, or share your personal information with third parties, except:

• With establishments where you make bookings (only your name, email address, and phone number)
• With Google, when you use Google Sign-In, according to Google's terms of service and privacy policy
• With Firebase (Google Cloud Platform) for secure processing and storage of authentication data

6. Data Retention Periods

Personal data will be retained according to the following criteria:

In case of specific legal obligations, some data may be retained for legally established periods.

7. Recipients

During the processing of your data, Citali may only transfer data to:

• Companies affiliated with Citali for the provision of booking services
• Technical service providers (Firebase, notification services)
• Competent authorities when legally required

8. Your Rights

Data subjects may exercise the following rights at any time and free of charge:

• Access your personal information and view your complete booking history
• Modify your profile data
• Delete your account and associated data
• Control the notifications you receive and your integration with the device calendar

To exercise these rights, you can send a written request to the email address indicated in the contact section. You may be asked for your ID to verify your identity.

In case of violation of your rights, you can file a complaint with the Spanish Data Protection Agency through www.aepd.es.

9. International Transfers

Citali does not perform international data transfers. If necessary, the level of protection of the destination country will be verified and the guarantees required by applicable regulations will be adopted.

10. Data Accuracy

The user guarantees that the data provided is true, accurate, complete, and up-to-date, committing to inform of any changes. They will be responsible for any damage that may be caused by non-compliance with this obligation.

Optional fields: Date of birth and phone number are optional fields that enhance your experience when provided. The accuracy of this data is important for proper service delivery when you choose to share it.

If you provide third-party data, you declare that you have the consent of the interested parties.

11. Data Retention

We retain your personal information while your account is active or as necessary to provide you with services. You may request deletion of your data at any time.

12. Changes to this Policy

We may update this Privacy Policy occasionally. We will notify you of significant changes through the application or by email.