Privacy Policy

Data controller

The controller responsible for processing your personal data is:

• Samarluan SL
• Tax ID (NIF): ESB67684753
• Registered office: Avenida de los Apóstoles nº3, 1ºB, 28011 Madrid, Spain

For any question relating to data protection, you can write to us at privacy@meembly.com.

1. Information we collect

We collect the following information when you use Meembly:

• Registration data: name, email, password (encrypted).
• Profile data: photo, phone, and other optional data you provide.
• Usage data: platform activity, points earned, rewards redeemed.
• Technical data: IP address, browser type, device, cookies.

2. How we use your information

We use your data to:

• Provide and maintain the loyalty service.
• Manage your account and points programs.
• Send you relevant notifications (rewards, challenges, updates).
• Improve the platform and develop new features.
• Prevent fraud and ensure security.

3. Data sharing and data processors

We share your data only with:

• The club you belong to: your name, activity, and points within their program.
• Associated businesses: only the information necessary to validate benefits.

To deliver the service we rely on the following providers, which act as data processors and process your data on behalf of Samarluan SL under the corresponding data processing agreements:

• Vercel: hosting and platform infrastructure.
• Supabase: database and user authentication.
• Resend: sending of transactional emails.
• Sentry: error monitoring and diagnostics.
• OpenAI: artificial intelligence assistance for user support.
• Playtomic: synchronization of bookings and sports profile.
• WhatsApp / Meta: communications via WhatsApp.
• Stripe: payment processing.
• Apple and Google: generation of loyalty cards in their respective digital wallets (Wallet).

International transfers: some of these providers (such as OpenAI) may process data in the United States. Such transfers are covered by the standard contractual clauses approved by the European Commission and/or by the EU-US Data Privacy Framework adequacy decision.

We do not sell or share your personal data with third parties for advertising purposes.

4. Legal basis for processing

We process your data based on:

• Contract performance: to provide you with the service you request.
• Consent: for optional communications and non-essential cookies.
• Legitimate interest: to improve the service and prevent fraud.

5. Your rights (GDPR)

As a user, you have the right to:

• Access: request a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request the deletion of your data.
• Portability: receive your data in a structured format.
• Objection: object to the processing of your data.
• Restriction: request the restriction of processing.

To exercise these rights, contact us at privacy@meembly.com.

We will respond to your request within a maximum of one month from its receipt. This period may be extended by up to two additional months when the request is particularly complex or when several requests are received simultaneously, in which case we will inform you of the extension.

6. Data retention

We retain your data as long as your account remains active. If you delete your account, we will delete your personal data within a maximum of 30 days, unless the law requires longer retention.

7. Security

We implement technical and organizational measures to protect your data, including encryption in transit (HTTPS/TLS), password encryption (bcrypt), secure authentication, and role-based access control.

8. Cookies

We use essential cookies for platform operation (session, authentication). We do not use third-party tracking or advertising cookies.

9. Contact

For any privacy inquiries, you can contact us at privacy@meembly.com.

10. Use of artificial intelligence

Meembly uses third-party artificial intelligence models (OpenAI) to assist with user care and support. The messages you send through the support channels may be processed by these models for the sole purpose of generating responses and helping you resolve your inquiry. This data is not used to train third-party models or to make automated decisions that produce legal effects on you or similarly significantly affect you.

11. Supervisory authority

If you believe that the processing of your data does not comply with applicable regulations, you have the right to lodge a complaint with the competent supervisory authority. In Spain, this authority is the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, and available at www.aepd.es.