Privacy Policy

This Privacy Policy explains how Apsia collects, uses, stores, and protects your personal data when you visit our website, use the Apsia copilot, or contact us. We are committed to handling your data lawfully, transparently, and in line with the EU General Data Protection Regulation (GDPR).

1. Who we are (Data Controller)

The data controller responsible for your personal data is Apsia, an early-stage project based in Spain.

For any privacy-related question, or to exercise your rights, contact us through our contact page.

2. What data we collect and why

We only collect data that is necessary for the purposes described below. We do not sell your data, and we do not build advertising or marketing profiles.

Identity and contact data

Email address and name — submitted voluntarily by you in the Apsia copilot or the contact form. We use this data to respond to your enquiry and to deliver the analysis or information you requested.

Legal basis: your consent.

Orbital element data you upload

Orbital data (e.g. TLE, OMM, or other orbital parameters) — when you submit this data to run a mission analysis, it is processed transiently for the sole purpose of producing your result. This data is used only to generate the output you requested. It is never sold, and it is not shared with third parties for their own purposes.

Legal basis: your consent and the performance of the service you requested.

Technical data

IP address and basic request metadata — collected automatically when you interact with our services. We use this data to protect our service: abuse prevention, rate-limiting, and security.

Legal basis: our legitimate interest in keeping the service secure and available.

Bot protection

Our forms use Cloudflare Turnstile, a privacy-friendly alternative to traditional CAPTCHAs, to distinguish humans from automated abuse. To provide this protection, Cloudflare acts as a processor and may receive technical signals from your browser. We do not use Turnstile to track you across sites.

3. Service providers (processors)

We rely on a small number of trusted, industry-standard providers to operate our service. Where possible, your data is processed within the European Union.

• Google Cloud Platform — hosting and compute, in an EU region (europe-west1).
• Firebase / Firestore (Google) — storage of contact and enquiry data.
• Cloudflare — content delivery and bot protection (Turnstile).

Each provider acts under a data processing agreement and may only process your data on our instructions.

4. How long we keep your data

Contact and enquiry data is kept only for as long as needed to respond to you and to maintain the resulting business relationship. When it is no longer needed, it is deleted or anonymised.

Uploaded orbital data is processed transiently to produce your result and is not retained long-term.

Technical and security logs are kept only for the limited period needed for abuse prevention and security.

5. International transfers

We aim to process your data within the EU. Where a provider may process data outside the European Economic Area, that transfer is protected by appropriate safeguards recognised under the GDPR, such as the European Commission's Standard Contractual Clauses.

6. Your rights under the GDPR

You have the following rights over your personal data:

• Access — obtain a copy of the data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your data ("right to be forgotten").
• Restriction — limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on our legitimate interest.
• Withdraw consent — at any time, without affecting prior lawful processing.

To exercise any of these rights, contact us through our contact page. You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.

7. Cookies and local storage

We do not use tracking or advertising cookies. The site stores only a single preference — your chosen language (EN/ES) — in your browser's local storage, so the site remembers it on your next visit. This preference stays on your device and is not used to identify or track you.

Our providers may set strictly necessary technical cookies required to deliver the service and to protect it from abuse.

8. Automated decision-making

We do not carry out automated decision-making that produces legal effects on you, or that similarly significantly affects you. Our analysis tools are decision-support: the conclusions and actions remain yours.

9. Children

Our services are intended for professional and organisational use and are not directed at minors. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be published on this page with an updated "last updated" date.