Legal document
Privacy Policy & Legal Notice
Last updated: May 16, 2026
1. Identifying information of the data controller
| Company name | Buy & Click, SL |
| Legal form | Limited Liability Company (S.L.) |
| Tax ID (CIF) | B-95612958 |
| Registered office | Avda. Ribera de Axpe 11, 2D - 202. 48950 Erandio (Bizkaia) |
| Commercial Register | R.M. de Vizcaya, Tomo 5138, Folio 19, Inscripción 1.ª, Hoja BI-56789 |
| Registered trademark | Buy & Click (Spanish Patent and Trademark Office) |
| info@resenasya.com | |
| privacy.s1_phoneK | 613 640 396 |
| Website | https://resenasya.com |
| Business activity | SaaS services for online reputation management |
In compliance with current applicable legislation regarding information society services, the identifying information of the platform's owner is made available to users.
2. Purpose and scope
This legal notice governs access to and use of the ResenasYa platform (https://resenasya.com), owned by Buy & Click, SL. Accessing the platform implies full acceptance of this legal notice. If you do not agree with its terms, you must refrain from using the service.
3. Intellectual and industrial property
All content on the platform — including, without limitation, texts, photographs, graphics, images, icons, technology, software, source code, logos, trademarks, trade names, graphic design and structure — is owned by Buy & Click, SL or its content providers, and is protected by Spanish and international intellectual and industrial property regulations.
The reproduction, distribution, public communication, transformation or any other form of exploitation of such content without the express written authorisation of Buy & Click, SL is expressly prohibited.
4. Liability
Buy & Click, SL does not guarantee the continuous availability or error-free operation of the platform. Nor is it liable for damages that may arise from incorrect use of the platform, service interruptions, technical failures or unauthorised access not attributable to Buy & Click, SL.
The user is responsible for their use of the platform, compliance with applicable data protection regulations with respect to their own customers, and the content of messages sent through the service.
5. Applicable law
This legal notice is governed by Spanish law. For the resolution of any dispute arising from its interpretation or fulfilment, the parties submit to the jurisdiction of the Courts and Tribunals of Spain.
6. Data controller
| Data Controller | Buy & Click, SL |
| Main purpose | Provision of the ResenasYa service and management of the contractual relationship |
| DPO / Privacy contact | info@resenasya.com |
| Supervisory authority | Agencia Española de Protección de Datos (AEPD) — www.aepd.es |
7. Personal data we process
Depending on the type of user and the relationship with the platform, we process the following categories of data:
7.1 Registered users (businesses)
- Registration data: email address and encrypted password.
- Business profile data: business name, description, website URL, Google Maps link and selected communication tone.
- Usage data: activity logs, number of requests sent, customer satisfaction metrics.
- Billing data: for paid plans, data required for invoicing (name, tax ID, billing address). Payment data is managed directly by the payment processor and is not stored by Buy & Click, SL.
7.2 End customers of businesses
Businesses using ResenasYa enter their own customers' data (name and phone number) for sending review requests. Regarding this data:
- Buy & Click, SL acts as a data processor on behalf of the business user, who is the data controller.
- The business is responsible for having obtained the necessary consent from its customers before entering their data into the platform.
- Customer responses (free text) are processed by Anthropic's AI (Claude) for sentiment analysis and stored in association with each request.
- When the user connects their Google Business Profile account, OAuth access tokens are stored encrypted in the database to maintain the active connection.
8. Purposes and legal bases of processing
| Purpose | Legal basis |
|---|---|
| Management of registration and platform access | Performance of a contract (Art. 6.1.b GDPR) |
| Provision of the WhatsApp messaging and sentiment analysis service | Performance of a contract (Art. 6.1.b GDPR) |
| Billing and compliance with tax obligations | Compliance with a legal obligation (Art. 6.1.c GDPR) |
| Sending service communications (updates, changes to terms) | Legitimate interest of the controller (Art. 6.1.f GDPR) |
| Sending commercial communications and newsletter (if accepted by the user) | Consent (Art. 6.1.a GDPR) |
| Usage analysis and service improvement | Legitimate interest of the controller (Art. 6.1.f GDPR) |
9. Recipients and international transfers
For the provision of the service, Buy & Click, SL shares data with the following providers acting as data processors:
| Provider | Service | Country / Safeguards |
|---|---|---|
| Supabase, Inc. | Database and authentication | USA — EU Standard Contractual Clauses |
| Twilio Inc. | WhatsApp messaging | USA — EU Standard Contractual Clauses |
| Anthropic, PBC | Sentiment analysis (AI) | USA — EU Standard Contractual Clauses |
| Vercel Inc. | Web hosting (serverless) | USA — EU Standard Contractual Clauses |
| Stripe, Inc. | Payment processing and subscriptions | USA — EU Standard Contractual Clauses |
| Google LLC | Google Business Profile API (review management) | USA — EU Standard Contractual Clauses |
We do not share personal data with third parties outside the provision of the service, unless legally required.
10. Retention periods
- Account and business profile data: for the duration of the service contract and, once terminated, for the applicable legal limitation periods (minimum 5 years for commercial and tax obligations).
- End customer data (review requests): for the duration of the business account and up to 3 years after cancellation, unless an earlier deletion request is made.
- Activity and security logs: 12 months.
- Billing data: 5 years in accordance with applicable tax regulations.
11. Rights of data subjects
Under the GDPR, data subjects may exercise the following rights by sending a request to info@resenasya.com indicating the right they wish to exercise and attaching a copy of their identity document:
Access
Find out what personal data we process about you.
Rectification
Correct inaccurate or incomplete data.
Erasure
Request the deletion of your data where applicable.
Restriction
Request a temporary suspension of processing.
Objection
Object to processing based on legitimate interest.
Data portability
Receive your data in a structured, machine-readable format.
Withdrawal of consent
Withdraw consent given at any time without retroactive effect.
Complaint to the AEPD
Lodge a complaint with the Spanish Data Protection Authority (www.aepd.es).
We will respond to your request within a maximum of one month, extendable by two additional months in complex cases, informing you of the extension within one month of receipt.
12. Data security
Buy & Click, SL applies appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration or destruction. These measures include:
- Encryption of data in transit via TLS/HTTPS in all communications.
- Password encryption using secure hash algorithms (bcrypt).
- Access control based on Row Level Security (RLS) in the database.
- Separation of access credentials by environment (development/production).
- Periodic rotation of API keys and access tokens.
- Access monitoring and anomaly alerts.
In the event of a security breach affecting personal data, Buy & Click, SL will notify the AEPD within a maximum of 72 hours and, where appropriate, the affected data subjects.
13. Changes to this policy
Buy & Click, SL reserves the right to update this Privacy Policy to adapt it to regulatory, case-law or service changes. Substantial modifications will be communicated to registered users at least 15 days in advance by email or prominent notice on the platform.
For any privacy queries, contact us at: info@resenasya.com.