Privacy Policy
Effective date: 22 April 2026
1. Data Controller
The data controller responsible for your personal data is:
- Name: Javier Vidal Peña
- NIF: 75724471F
- Address: Calle Argentinita 28, Bloque 1 7D, 04007 Almería, Spain
- Contact email: info@estela.co
2. Data We Collect
Organisation administrator accounts
When you register as an organisation administrator, we collect:
- Full name and organisation name.
- Email address.
- Phone number (optional).
- Payment information (processed securely by Stripe; we do not store card numbers).
Sailor and tracking data
When tracking is activated during a regatta, we collect:
- Boat name or identifier.
- Real-time GPS location data (latitude, longitude, heading, speed).
- Device information (battery level, device type) for technical and diagnostic purposes.
GPS and device data collected during tracking sessions is associated with a boat, not with an identified individual. eStela does not know which specific person carries each tracker. This data is treated as anonymous or pseudonymous within the meaning of the GDPR.
3. Purposes of Data Processing
We process your data for the following purposes:
- Providing real-time GPS tracking and live broadcasting of regattas.
- Generating performance statistics, race results, and analytics.
- Managing subscriptions, billing, and payment processing.
- Providing technical support and customer service.
- Improving the platform through anonymised and aggregated usage analysis.
- Complying with legal obligations.
We do not use your personal data for marketing purposes, and we do not send commercial communications.
4. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR (Regulation (EU) 2016/679):
- Performance of a contract (Art. 6.1.b): Processing necessary for the provision of the Service to organisation administrators who have subscribed to eStela.
- Consent (Art. 6.1.a): GPS location data is collected only with the explicit consent of the user, given through activation of the tracking feature in the mobile application. Users can withdraw consent at any time by deactivating tracking.
- Legitimate interest (Art. 6.1.f): For platform improvement through anonymised analytics and error monitoring to ensure service stability.
- Legal obligation (Art. 6.1.c): Where required for compliance with tax, accounting, or other regulatory requirements.
5. Third-Party Service Providers
To provide the Service, we share data with the following third-party processors. Each provider processes data solely for the purposes described and under appropriate contractual safeguards:
| Provider | Purpose | Data shared | Server location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment method, billing details | USA |
| Google Analytics (Google LLC) | Web analytics | Anonymised IP, browsing behaviour, cookies | USA |
| Sentry (Functional Software, Inc.) | Error monitoring and debugging | Error logs, stack traces | USA |
| Pusher Ltd. | Real-time data delivery (WebSockets) | Race tracking events | USA / EU |
| Twilio, Inc. | SMS messaging (access codes) | Phone number, message content | USA |
| Google Maps (Google LLC) | Map visualisation | GPS coordinates, map interactions | USA |
| Google OAuth (Google LLC) | Social login (optional) | Email, name (from Google account) | USA |
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | All service data (encrypted) | EU (Ireland / Germany) |
| Anthropic (Claude AI) | Document analysis (sailing instructions) | Sailing instruction documents (no personal data) | USA |
| OpenWeather (OpenWeather Ltd.) | Weather and wind data | GPS coordinates (no personal data) | United Kingdom |
6. International Data Transfers
Some of our third-party providers are located outside the European Economic Area (EEA), primarily in the United States and the United Kingdom.
These transfers are carried out under appropriate safeguards as required by the GDPR, including:
- European Commission adequacy decisions (United Kingdom).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU-U.S. Data Privacy Framework (DPF) for certified US providers.
Core platform data (databases, file storage) is hosted within the European Union (AWS eu-west-1 and eu-central-1 regions).
7. Data Retention
We retain your personal data only as long as necessary for the purposes described:
- GPS tracking data: Retained until the organisation administrator deletes the tracking session.
- User accounts: Active for the duration of the contractual relationship. Accounts inactive for five (5) years are permanently deleted.
- Billing and payment records: Retained for the period required by Spanish tax and accounting regulations (minimum 5 years).
- Organisation data after subscription cancellation: Retained in a read-only state. Permanently deleted after five (5) years of inactivity.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of your personal data held by eStela.
- Right to rectification: You can request correction of inaccurate or incomplete data.
- Right to erasure: You can request deletion of your personal data. Organisation administrators can delete tracking sessions through the administration portal.
- Right to restriction of processing: You can request that we limit the processing of your data in certain circumstances.
- Right to data portability: Organisation administrators can export their data in CSV format through the tracking portal.
- Right to object: You can object to data processing based on legitimate interest.
- Right to withdraw consent: You can withdraw your consent for GPS tracking at any time by deactivating the tracking feature in the mobile application.
To exercise any of these rights, contact us at info@estela.co. We will respond within one month, as required by the GDPR.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD) at www.aepd.es.
9. Cookies
eStela uses cookies and similar technologies on its website. A cookie is a small text file stored on your device when you visit a website.
Essential cookies (strictly necessary)
These cookies are required for the website to function properly and cannot be disabled:
- Session cookie: Maintains your authenticated session while you browse the platform.
- CSRF token: Protects against cross-site request forgery attacks.
Analytics cookies (require consent)
These cookies help us understand how visitors use the website. They are only placed with your consent:
- Google Analytics: Collects anonymised usage statistics (pages visited, session duration, traffic sources). IP anonymisation is enabled.
Functional cookies
- Sentry: Used for error monitoring and improving service stability. Activated only when a technical error occurs.
You can manage your cookie preferences at any time through the cookie consent banner or through your browser settings. Disabling analytics cookies will not affect the functionality of the Service.
10. Mobile Applications
Our mobile applications for iOS and Android collect GPS location data only when the tracking feature is explicitly activated by the user and location permissions have been granted to the app.
The app may use background location access to continue tracking even when the app is not in the foreground. This only occurs when a tracking session is active and the user has granted background location permission.
The mobile app does not collect personal information, does not access contacts, photos, or camera, and does not use advertising identifiers.
11. Security Measures
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (HTTPS/TLS) and at rest (disk encryption).
- Restricted access to personal data on a need-to-know basis.
- Secure cloud infrastructure hosted within the European Union.
- PCI-DSS compliant payment processing through Stripe.
12. Minors
The eStela administration portal is intended for adults who manage nautical organisations. We do not knowingly collect personal data from minors.
GPS tracking data collected during regattas is anonymous and not linked to any identified individual. In cases where a tracking device may be carried by a minor, the data cannot be attributed to that person.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Changes will be published on this page with an updated effective date.
For material changes that affect how we process your personal data, we will make reasonable efforts to notify you through the platform.
14. Contact
For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact us:
- Email: info@estela.co
- Address: Calle Argentinita 28, Bloque 1 7D, 04007 Almería, Spain