Privacy Policy
Last updated: April 4, 2026
1. Data Controller
Gilito AI SL ("Gilito AI", "Gilito", "we", "us", or "our") is the data controller responsible for your personal data.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at gilito.ai and its subdomains (collectively, the "Service"), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on Data Protection and Digital Rights ("LOPD-GDD"), and Law 34/2002 on Information Society Services ("LSSI").
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our Service.
2. Personal Data We Collect
2.1 Data You Provide Directly
- Account information: Name, email address, and password when you create an account
- Payment information: Billing details and payment card information, processed securely by our payment processor Stripe (we do not store your full card number)
- Portfolio and watchlist data: Assets you track, portfolio holdings, and alert configurations you create within the Service
- Communications: Messages you send us via email, contact forms, or in-app support
- Preferences: Notification settings, display preferences, and language selection
2.2 Data Collected Automatically
- Usage data: Pages visited, features used, session duration, actions taken within the Service
- Device and technical data: IP address (anonymized for analytics), browser type and version, operating system, device type, screen resolution
- Referral data: How you arrived at our Service (referring URL, search terms, campaign parameters)
- Cookies and similar technologies: As described in Section 7 of this policy
2.3 Data from Third Parties
- Social login providers: If you sign in via Google or other OAuth providers, we receive your name and email address as authorized by you
- Payment processor: Stripe provides us with transaction confirmation, subscription status, and billing country (but not your full card details)
3. Purposes and Legal Bases for Processing
Under the GDPR (Article 6), we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service (signals, backtesting, alerts) | Contractual necessity (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Contractual necessity (Art. 6(1)(b)) |
| Sending transactional emails (welcome, alerts, receipts) | Contractual necessity (Art. 6(1)(b)) |
| Sending marketing communications and newsletters | Consent (Art. 6(1)(a)) |
| Analyzing usage patterns to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Detecting fraud, abuse, and security threats | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (tax, regulatory) | Legal obligation (Art. 6(1)(c)) |
| Responding to your inquiries and support requests | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us.
4. Data Recipients and Sub-Processors
We do not sell, rent, or trade your personal data. We share your data only with the following categories of recipients, bound by data processing agreements where required:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe | Payment processing | US/EU | EU-US Data Privacy Framework |
| DigitalOcean | Cloud hosting, databases | EU (Amsterdam/Frankfurt) | Data within EEA |
| Hetzner | Backtester compute | EU (Germany/Finland) | Data within EEA |
| SendGrid (Twilio) | Email delivery | US | EU-US DPF + SCCs |
| Google Analytics (GA4) | Website analytics | US | EU-US DPF, IP anonymization |
| Cloudflare | CDN, DDoS protection | Global | SCCs + DPA |
We may also disclose personal data where required by law, court order, or governmental authority, or in connection with a merger, acquisition, or sale of assets (with prior notice to you).
5. International Data Transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure adequate safeguards are in place, including:
- EU-US Data Privacy Framework: For US-based processors certified under the framework (Stripe, Google, Twilio/SendGrid)
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual protections for transfers to countries without adequacy decisions
You may request copies of the relevant safeguards by contacting us at [email protected].
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law:
- Account data: Duration of your account plus 30 days after deletion
- Payment records: 7 years (Spanish tax law obligation)
- Portfolio/watchlist data: Duration of your account plus 30 days after deletion
- Analytics data: 14 months (anonymized)
- Support communications: 2 years from last interaction
- Marketing consent records: Duration of consent plus 3 years (for accountability)
- API usage logs: Duration of API subscription plus 90 days
After the retention period, data is securely deleted or irreversibly anonymized.
7. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Service. In compliance with Article 22.2 of the LSSI and the ePrivacy Directive:
Strictly Necessary Cookies (No Consent Required)
- Session and authentication cookies
- CSRF protection tokens
- Load balancing and security cookies
- Cookie consent preference storage
Analytics Cookies (Consent Required)
- Google Analytics (GA4): Used to understand how visitors interact with our website. We use IP anonymization. Data retained for 14 months. You can opt out at tools.google.com/dlpage/gaoptout
We do not use marketing, advertising, or third-party tracking cookies. You can manage your cookie preferences at any time through our cookie consent banner or your browser settings.
8. Your Rights Under GDPR
Under Articles 15-22 of the GDPR and the LOPD-GDD, you have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18): Request that we limit the processing of your data
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time for consent-based processing (e.g., marketing emails). Withdrawal does not affect the lawfulness of processing before withdrawal
- Right regarding automated decision-making (Art. 22): Our AI-generated signals are generic research tools available equally to all users — they do not constitute automated individual decision-making under Article 22. You may request information about the logic involved in our AI systems
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If we need more time, we will inform you within the initial 30-day period.
You also have the right to lodge a complaint with the Spanish Data Protection Authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan 6, 28001 Madrid, Spain
Website: www.aepd.es
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Secure password hashing (bcrypt/argon2)
- Role-based access controls for internal systems
- Regular security monitoring and vulnerability assessments
- Data processing within EU-based infrastructure (DigitalOcean Amsterdam/Frankfurt, Hetzner Germany/Finland)
No method of electronic transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the AEPD within 72 hours and inform you without undue delay, as required by Articles 33-34 of the GDPR.
10. AI-Generated Content and Transparency
In compliance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we inform you that:
- Trading signals, strategy rankings, and backtesting results are generated by automated AI and quantitative models
- These outputs are labeled as "AI-generated" within the Service
- Our AI systems process historical market data to generate generic, non-personalized research outputs
- These outputs are provided for informational and educational purposes only and do not constitute personalized investment advice
11. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with your personal data.
12. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete such data promptly. If you believe a minor has provided us with personal data, please contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an email notification for significant changes (if you have an account)
- Displaying a notice within the Service
Continued use of our Service after changes constitutes acceptance of the revised policy. We encourage you to review this page periodically.
14. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us: