Privacy Policy

Last updated: March 2026

1. Data controller

Trade name: Ercel Security
Owner: Emilio Molina Román
Email: [email protected]

2. Data we collect

  • Contact email: voluntarily provided when requesting an audit. Used to send the results report and service-related communications.
  • AI System URL: the endpoint the user specifies for the security scan.
  • Scan results: detected vulnerabilities, system responses during tests, and compliance metrics.
  • Payment data: processed entirely by Stripe. Ercel does not store card data.

3. Purpose of processing

  • Perform the requested security audit
  • Send the results report by email
  • Service-related follow-up communications (maximum 2 reminder emails)
  • Manage subscription and billing

4. Legal basis

Processing is based on user consent (Art. 6.1.a GDPR) when requesting the audit, and on contract performance (Art. 6.1.b GDPR) for users with paid subscriptions.

5. Data retention

Audit data is retained for a maximum of 90 days from report generation. After that period, it is automatically deleted. Users can request immediate deletion at any time via [email protected] or through the "Data deletion" link available on the website.

6. Data processors

  • Supabase (Supabase Inc.): database storage
  • Anthropic (Anthropic PBC): language processing for findings enrichment
  • Stripe (Stripe Inc.): payment processing
  • Resend (Resend Inc.): transactional email delivery
  • Hetzner (Hetzner Online GmbH): server hosting (Germany)
  • Cloudflare (Cloudflare Inc.): CDN and DDoS protection

7. Data subject rights

Under the GDPR, users have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure of their data
  • Object to processing
  • Request data portability
  • Restrict processing

To exercise these rights, contact [email protected]. You may also file a complaint with the Spanish Data Protection Agency (aepd.es).

8. International transfers

Some data processors are located outside the European Economic Area (Anthropic, Stripe, Resend, Cloudflare — USA). Transfers are carried out under the EU-US Data Privacy Framework or standard contractual clauses approved by the European Commission.

9. Cookies

Ercel does not use analytics or tracking cookies. We do not use Google Analytics, Meta Pixel, or any third-party tracking service.

The only cookie that may exist is:

  • ercel_session — Session cookie for the admin panel. HttpOnly, Secure, SameSite=Lax. Duration: 7 days with automatic renewal. Only set when logging into the dashboard and does not apply to website visitors or users requesting an audit.

Since we do not use tracking cookies, there is no need to display a cookie consent banner under the ePrivacy Directive.