Privacy Policy

Privacy

Your data, your lines

Read the policy.
Then read the face.

Facecast is a tool for riders. We collect the minimum we need to run the service, we never sell your data, and we keep this page in plain language so you can actually read it. This policy explains what we collect, why, how long we keep it and the rights the GDPR gives you over it.

Effective date: 1 May 2026.

1 · Who we are

The data controller.

The data controller for facecast.online is Jose Moro Melón, a sole operator based in Spain. Facecast is run independently — there is no parent company, no investor data pipeline, no third-party analytics broker behind the scenes.

Postal address: Calle Jose las Clotas 7, 2 B, 33205 Gijón, Asturias, Spain.
Contact for any matter — including privacy requests: hello@facecast.online.

2 · What we collect

Only what the tool needs.

We group the data we hold into six categories. Nothing else is collected, profiled or inferred.

Account data

Username, email, hashed password, role (rider / coach), preferred language and registration date. Required to give you an account and let you log back in.

Profile data (coaches)

Public profile fields you fill in yourself: bio, photo, disciplines, languages, certifications, contact link, home venues. These are public by design — that’s the directory.

Inspections you create

The drawings, annotations and notes you save on a venue. Private to your account unless you explicitly share them. Stored so you can come back to them between training days and on contest morning.

Subscription data

If you go Pro or activate the coach plan: PayPal subscription ID, plan tier, status (active / cancelled / expired) and renewal date. We do not store card numbers — those live with PayPal.

Technical logs

Server access logs (IP address, user agent, request URL, timestamp, response code). Standard hosting logs used for security, debugging and abuse prevention. Rotated and deleted on a short cycle.

Messages you send us

If you write to hello@facecast.online we keep the email and any attachments so we can answer you and follow up. That’s it.

3 · Why we process it

Lawful bases under Art. 6 GDPR.

Every data point above maps to one of four legal bases. We don’t process anything “just in case”.

Contract — Art. 6(1)(b)

Running the account, storing your inspections, processing your Pro or coach subscription. Without this data we can’t give you the service you signed up for.

Legitimate interest — Art. 6(1)(f)

Server security logs, abuse prevention, and answering messages you send us. Balanced against your rights — minimal, short-lived and never used for profiling.

Legal obligation — Art. 6(1)(c)

Keeping invoices and tax records for the period Spanish and EU law require. Applies only to subscription billing data.

Consent — Art. 6(1)(a)

Anything that isn’t strictly needed to run the service — for example, publishing your coach profile in the public directory. You can withdraw consent at any time.

4 · Who we share it with

Three processors. No buyers.

We do not sell, rent or trade personal data. We use a small number of processors to run the service — each under a written GDPR Art. 28 agreement.

PayPal

Processes Pro and coach subscriptions. Receives the payment data; we receive only the subscription ID and status. Their privacy policy applies to the payment leg.

Hosting provider

EU-based managed WordPress host that runs the servers, the database and the backups. Bound by a data processing agreement.

Transactional email

Provider used to send account emails (registration, password reset, subscription receipts). No marketing lists, no newsletters by default.

Authorities only get data on a binding legal request. We log every such request and tell you about it whenever the law lets us.

5 · How long we keep it

As short as the job allows.

Account & inspections

For as long as your account is active. Deleted within 30 days of you closing the account.

Billing records

Six years from the date of the invoice — the period required by Spanish tax law.

Server logs

Rotated on a short cycle, typically 30 days, then permanently discarded.

Support emails

Up to 24 months after the last reply, then archived or deleted depending on the topic. Tax-relevant threads follow the billing rule.

6 · International transfers

EU first.

The servers, the database and the backups live inside the European Union. Two of our processors — PayPal and the transactional email provider — may process data outside the EEA. When that happens, we rely on the safeguards listed in Articles 44–49 GDPR: adequacy decisions where they exist, otherwise the European Commission’s Standard Contractual Clauses plus the additional measures Schrems II requires.

7 · Your rights

Eight rights, one inbox.

Articles 13 to 22 of the GDPR give you the rights below. Exercise any of them by writing to hello@facecast.online from the email on your account. We answer within one month — usually much sooner.

Access

Get a copy of the personal data we hold on you and information about how we process it.

Rectification

Correct anything inaccurate or incomplete in your profile, account or inspections.

Erasure

Delete your account and the personal data attached to it, except records we must keep by law (e.g. invoices).

Restriction

Ask us to pause processing while a dispute about your data is sorted out.

Portability

Receive your inspections and account data in a machine-readable format you can take elsewhere.

Objection

Object to processing based on legitimate interest. We stop unless we can show overriding grounds.

Withdraw consent

For anything we do based on consent — including a public coach profile — you can withdraw it at any time.

Complain to the AEPD

File a complaint with the Spanish Data Protection Agency at aepd.es. We’d rather you wrote to us first — but the right is yours.

8 · Cookies

Functional only.

Facecast uses a minimal set of WordPress cookies — none of them for advertising, none of them for cross-site tracking. No Google Analytics, no Facebook Pixel, no third-party tag manager.

wordpress_logged_in_*

Keeps you logged in between page loads. Strictly necessary, no consent needed.

wp-settings-*

Stores preferences for the WordPress dashboard (only set if you log in to wp-admin).

wordpress_test_cookie

Used once at login to check your browser accepts cookies. Discarded right after.

Session token

Identifies your session while you draw inspections. Expires when you log out.

9 · Children

14 and up.

Facecast is not aimed at children. Under Spanish law (LOPDGDD Art. 7) the minimum age to consent to information-society services is 14. Riders below that age can use Facecast only with their parent or legal guardian’s consent. If you believe a younger child has registered, write to us and we will delete the account.

10 · Security

Reasonable, layered, audited.

Encryption in transit (HTTPS everywhere), hashed passwords, role-based access, off-site encrypted backups, regular software updates, and least-privilege access to the admin panel. No system is perfectly secure — but if a breach affects your data, we will notify you and the AEPD within 72 hours, as Articles 33–34 GDPR require.

11 · Changes to this policy

We tell you when it changes.

If we update this page in a way that materially affects you, we’ll post the new version with a fresh effective date and email registered users before the change takes effect. Minor wording fixes go in silently — but the effective date at the top of the page always tells you when the current text was published.

12 · Contact

One inbox for everything.

Questions about this policy, data requests, security reports, anything privacy-related — write to hello@facecast.online from the email on your account and we’ll take it from there.
