Privacy policy

What we process, why, and what we deliberately refuse to collect — under the GDPR (EU) 2016/679.

Last updated: 11 July 2026

Draft pending legal review.

1. Data controller

AIGiner S.L. — Gran Via de Carles III, 98 · 08028 Barcelona · España. Privacy contact: privacy@thehumanbehind.com.

2. What this policy covers

This policy covers this website (thehumanbehind.com) and the registry platform where accounts and records are managed. The registry is public by design: part of what you provide is meant to be published. This policy explains exactly which part — and what stays private, always.

3. Purpose of processing

We process your data to run the public registry of self-declarations of AI identities: to create and publish your record, generate its cryptographic hash and date, allow public consultation (including through the public API), manage identity verification where you request it, and communicate with you about your account.

4. Legal bases

  • Consent (Art. 6(1)(a) GDPR): by registering you accept the publication of your record's data in the public registry.
  • Performance of a contract (Art. 6(1)(b) GDPR): providing the service you signed up for, including paid verification.
  • Legitimate interest (Art. 6(1)(f) GDPR): maintaining the integrity of the registry and preventing fraud and abuse.

5. Data we process

  • Record data (public): avatar name, type, scope, where it operates, responsible person's name, registration number and date, and the record's hash.
  • Contact data (private): your email address, which is never published and is used only to manage your account and communicate with you.
  • Verification data (private, minimal): only the result of the identity check (verified yes/no), its date and a session reference from the identity provider. We never receive or store your identity document.
  • Technical data: the server and security logs strictly needed to keep the service safe (abuse prevention, rate limiting).

6. What we deliberately do not do

  • We never publish or sell your email address — or any other data.
  • We never store identity documents.
  • We do not build biometric databases of any kind and we do not process facial images or biometric identifiers; the identity check is performed end-to-end by the specialised provider.
  • We do not run advertising trackers on this website (see the cookie policy).

7. Processors and sub-processors

To provide the service we rely on providers acting as data processors, with the safeguards of Art. 28 GDPR:

  • Supabase — database and storage (EU region).
  • Cloudflare — hosting, content delivery network and security.
  • Resend — transactional email delivery.
  • Stripe — planned provider for payments and identity verification once the Verified service launches (September 2026); it will be confirmed here before launch.

8. International transfers

The registry database is hosted in the European Union. Some providers (such as Cloudflare) operate global networks; where any transfer outside the EEA occurs, it is covered by the European Commission's Standard Contractual Clauses or an equivalent safeguard.

9. Retention

Public record data is kept while the record is active, since its value lies in the priority date. If you unpublish a record, we stop publishing its data and keep only the minimal trace described in the database policy, plus what is necessary to comply with legal obligations. Contact data is kept while you maintain your account.

10. Your rights

You may exercise your rights of access, rectification, erasure, objection, restriction and portability, and withdraw your consent at any time, by writing to privacy@thehumanbehind.com. We answer within the deadlines set by the GDPR.

11. Complaints

If you believe we have not handled your rights properly, you may lodge a complaint with the Spanish Data Protection Agency (aepd.es) or your local supervisory authority. We would appreciate hearing from you first so we can try to resolve it.

12. Security

Row-level security in the database, HttpOnly session cookies, EU hosting and immutable record evidence are described in plain language on the security page and in the Trust Center.

13. Changes

We may update this policy. We will publish the current version on this page with its update date and, for material changes, notify registered users.