Privacy Policy

Last updated: May 2026

This policy explains what personal data verifAInow.es processes when you use the service, why, on what legal basis, with whom we share it, how long we keep it, and how you can exercise your rights. We try to keep the language plain. Where we name a third-party service, we use its real legal entity name so you can find its own privacy policy.

Who we are

The data controller for verifAInow.es is:

  • verifAInow.es: Operated by Fernando Rueda Oliva as an independent project
  • Based in Spain (EU/EEA)
  • Privacy contact: fernandoruedaoliva@gmail.com

What personal data we process

We try to minimise what we collect. The categories below are the only personal data the service handles in normal operation.

  • Account data: Email address used to sign in (via Supabase Auth — magic link or Google OAuth), plus a Supabase-issued user ID. We do not store passwords.
  • Submitted URLs and derived content: The reel, TikTok, or article URLs you submit, and the derived transcripts, on-screen text, and claim list extracted from them. Video and audio files are NOT retained — they live in a per-job temporary directory that is wiped when the job finishes.
  • Verdict history: The list of verdicts produced for each of your fact-checks (rating, explanation, source URLs), associated with your account ID so you can return to /history.
  • Billing data (paid plans only): If you subscribe to a paid plan, Stripe handles your payment information. We never see your card number — we only store the Stripe customer ID and subscription status returned by Stripe webhooks.
  • Product analytics: Anonymised usage events (page views, feature interactions, error occurrences) via PostHog. When you are signed in, events are associated with your user ID so we can debug account-specific issues; when signed out they are tied to an anonymous cookie identifier only.
  • Technical data: Standard server logs (IP address, user agent, request path, timestamp, response code) kept for security and abuse-prevention purposes.

Legal basis for processing (GDPR Art. 6)

Performance of contract for account data, submitted URLs, history, and billing (without these we cannot provide the service). Legitimate interests for technical logs and anonymised product analytics (running and improving the service securely). Consent for any non-essential cookies that require it under the EU ePrivacy framework — the cookie banner records the choice you make.

Subprocessors and recipients

We rely on the following third-party processors to operate the service. Each is named with its legal entity so you can find their own policy.

  • Supabase (Supabase Inc., US/EU) — authentication and Postgres database hosting for your account and verdict history
  • Fly.io (US) — application hosting and edge networking
  • Stripe (Stripe Payments Europe Ltd., IE) — payment processing and subscription management for paid plans
  • PostHog (PostHog Inc., US) — product analytics and error monitoring
  • Google AdSense (Google Ireland Ltd., IE) — display advertising on editorial pages (blog, about). Ads are NOT shown on the home, billing, history, login, or admin routes
  • Google Fact Check Tools API: lookup of existing third-party fact-checks for each claim we process
  • Groq (Groq Inc., US) — inference for Whisper-large-v3-turbo (transcription), Llama-4 Scout (vision), and GPT-OSS-120B (claim extraction and verdict synthesis)
  • OpenAI (OpenAI OpCo LLC, US) — alternative transcription provider when configured by the operator
  • Tavily (US) — live web search to retrieve source candidates for each claim
  • Apify (Apify Technologies s.r.o., CZ) — extraction of public Instagram and TikTok metadata + media so we can run the pipeline

Some of these processors are based in the United States. Transfers outside the EU rely on the EU Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework adequacy decision.

Cookies and similar technologies

We use cookies that are strictly necessary to keep you signed in (Supabase session), to remember your theme and language choice, and to recognise return visits for analytics. Third parties may also place and read cookies on your browser as part of delivering and measuring ads (Google AdSense) and analytics (PostHog).

For details on how Google uses data when you visit sites that use its services, see policies.google.com/technologies/partner-sites.

Retention

  • Submitted media (video/audio files): deleted immediately when the job finishes (worst case: 60 minutes if a pipeline crashes — orphan cleanup runs every hour)
  • Verdict history (text + source URLs): kept for as long as your account is active; deleted within 30 days of account deletion
  • Account data (email, user ID): kept for as long as your account is active; deleted within 30 days of account deletion
  • Billing records: retained for 6 years after the last invoice as required by Spanish/EU tax law
  • Product analytics: retained in raw form for 12 months, aggregated indefinitely

Your rights

Under the GDPR (and the Spanish Organic Law 3/2018 on Data Protection and Digital Rights) you have the following rights:

  • Right of access — a copy of the data we hold about you
  • Right of rectification — correct inaccurate data
  • Right of erasure (right to be forgotten) — delete your account and associated data
  • Right to restrict processing in specific circumstances
  • Right to data portability — receive your history in a machine-readable format
  • Right to object to processing based on legitimate interests (analytics)
  • Right to withdraw consent at any time, where processing is based on consent
  • Right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — www.aepd.es)

To exercise any of these rights, email us at fernandoruedaoliva@gmail.com.

Children

The service is not directed at children under 16 (the age of digital consent in Spain). We do not knowingly collect personal data from children under 16. If you believe a minor has created an account, please contact us so we can remove it.

Security

We use industry-standard transport encryption (TLS), database-level row-security via Supabase Postgres RLS, and access controls on all administrative interfaces. No system is perfectly secure; if you discover a vulnerability, please contact us before disclosing it publicly.

Changes to this policy

We will post material changes here and update the 'Last updated' date above. For privacy-impacting changes affecting existing users, we will notify by email where reasonable.

Contact

For any privacy question or to exercise your rights, email us using the contact page at /contact.