1. Data controller
Sergi Cañas Galindo, NIF 46971884L, registered at Rambla de Fabra i Puig, 39, 08030 Barcelona, Spain. Contact: info@thecitymesh.com. (No Data Protection Officer is appointed: none of the conditions in Article 37 GDPR apply.)
2. Data we process
- Account data: email, display name, hashed password, preferred language, social-auth provider (if applicable).
- City/project data (Creators): city name, website, description, logo, brand colours, Stripe Connect ID, onboarding status.
- Sponsorship data (Sponsors): public name or pseudonym, optional message, optional social links (X, LinkedIn, GitHub, Instagram), hex colour and position, amount, Stripe payment ID, billing address (collected by Stripe for VAT calculation).
- Technical data: truncated IP (consent audit), user-agent, cookies (see Cookie Policy), product-usage events if you have given analytics consent.
We do not process special-category data (Art. 9 GDPR), data from minors, or full card data (cards are handled exclusively by Stripe, PCI-DSS Level 1 certified).
3. Purposes and legal bases
| Purpose | Data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Create and manage your account | Account | Contract performance (b) |
| Process sponsorships and issue invoices | Sponsorship + billing address | Contract performance (b) and legal obligation (c), Spanish VAT Law 37/1992 |
| Display your hex and public data in the city | Name, message, links, colour | Contract performance (b) |
| Prevent fraud and abuse | Technical | Legitimate interest (f) |
| Product analytics | Usage events | Consent (a) |
| First-party marketing communications | | Consent (a) |
| Comply with accounting and tax obligations | Invoices, records | Legal obligation (c) |
4. Retention periods
- Account data: while your account is active, and up to 6 years after closure to meet accounting obligations (Spanish Commercial Code Art. 30).
- Sponsorship + invoice data: 6 years (Spanish General Tax Law Art. 29, Commercial Code Art. 30).
- Cookie consent records: up to 12 months or until withdrawn.
- Technical logs: up to 12 months.
After these periods data is deleted or anonymised.
5. Processors and international transfers
- Stripe Payments Europe, Ltd. (Ireland), payment processing and Stripe Tax. Stripe may transfer data to Stripe, Inc. (US) under EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Scaleway (Online S.A.S.) (France, EU), hosting provider for the server on which The City Mesh self-hosts the web application, database, authentication and storage (self-hosted Supabase), as well as transactional email delivery (Scaleway TEM). Data is hosted in the European Union.
- Google Ireland Ltd. and Microsoft Ireland Operations Ltd. (web analytics: Google Analytics and Microsoft Clarity), only if you accept analytics cookies; they may transfer data to the US under Standard Contractual Clauses and the EU-US Data Privacy Framework.
All transfers outside the EEA are made under appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
6. Your rights
You have the right to:
- Access your data and obtain a copy.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten"), except for data retained under a legal obligation.
- Restrict processing.
- Object to processing based on legitimate interest.
- Portability of the data you have provided to us.
- Withdraw consent where consent is the basis, without affecting prior processing.
- Not be subject to solely automated decisions with legal effects (we do not perform any).
Exercise your rights by emailing info@thecitymesh.com from your registered email, or by post to the address above.
7. Complaints
If you believe your rights are not being respected, you may lodge a complaint with the Spanish Data Protection Agency (AEPD): aepd.es, C/ Jorge Juan, 6, 28001 Madrid.
8. Security
We apply reasonable technical and organisational measures: TLS 1.2+ in transit and at-rest encryption, role-based access control, hardened authentication for administrators, audit logs, and encrypted backups. Stripe handles full payment information under PCI-DSS.
9. Changes to this policy
We will publish material changes on this page and notify registered users by email. If changes affect a consent basis, fresh consent will be requested.