Privacy Policy

Last updated: February 2026

1. Data Controller

Consent Hub, operated by OBERON AI TECH S.A. ("we", "us", or "our"), is the data controller responsible for your personal data. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation.

Registered address: Consent Hub c/o OBERON AI TECH S.A., C/ Hermosilla 48, 1º Dcha., 28001 Madrid, España.

Data Protection Officer: dpo@oberon.center

2. Types of Data Collected

2.1 Account Data

When you create a Consent Hub account we collect your name, email address, company name, and hashed password. If you sign up via a magic link we collect only your email address.

2.2 Usage Data

We automatically collect technical information about your use of the platform, including IP address, browser type, operating system, pages visited, timestamps, and API call metadata (method, endpoint, status code, latency).

2.3 Consent Records

When you use Consent Hub to manage end-user consents on behalf of your organization, we store consent records that include end-user identifiers, consent template references, granted scopes, timestamps, and audit events. These records are processed on your behalf as a data processor.

2.4 Billing Data

If you subscribe to a paid plan, our payment processor (Stripe) collects billing details such as credit card number and billing address. We do not store full payment card numbers on our servers.

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) -- to provide and maintain the Consent Hub service as described in our Terms of Service.
  • Legitimate interest (Art. 6(1)(f) GDPR) -- to improve the platform, prevent fraud, and ensure security.
  • Legal obligation (Art. 6(1)(c) GDPR) -- to comply with applicable laws, such as tax and accounting requirements.
  • Consent (Art. 6(1)(a) GDPR) -- where you have explicitly consented, for example to receive marketing communications.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will erase your personal data within 30 days, except where retention is required by law (e.g., invoices retained for 7 years under Spanish tax law).

Consent records processed on behalf of your organization are retained in accordance with the retention policies you configure in your consent templates, and in any case for a minimum of 5 years to support regulatory audits.

Usage logs and analytics data are retained for 24 months in identifiable form, after which they are anonymized and aggregated.

5. Data Subject Rights

Under the GDPR and CCPA, you have the following rights regarding your personal data:

  • Right of access -- request a copy of the personal data we hold about you.
  • Right to rectification -- request correction of inaccurate or incomplete data.
  • Right to erasure -- request deletion of your personal data ("right to be forgotten").
  • Right to restriction -- request that we limit processing of your data in certain circumstances.
  • Right to data portability -- receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object -- object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent -- where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@oberon.center or use the My Data Portal. We will respond within 30 days as required by law.

6. Cookie Policy

Consent Hub uses cookies and similar technologies for the following purposes:

  • Essential cookies -- required for authentication, session management, and security. These cannot be disabled.
  • Preference cookies -- store your language preference and UI settings (e.g., the locale cookie for EN/ES language selection).
  • Analytics cookies -- help us understand how the platform is used so we can improve the experience. These are only set with your consent.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent the platform from functioning correctly.

7. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe -- payment processing (PCI DSS Level 1 certified).
  • Supabase -- database hosting (data stored in EU region).
  • Vercel -- frontend hosting and edge functions.
  • DigitalOcean -- backend infrastructure (Kubernetes cluster in EU region).

All sub-processors are contractually bound to process data only on our instructions and to maintain appropriate security measures. A complete list of sub-processors is available upon request.

8. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Security Measures

We implement industry-standard security measures to protect your data, including encryption at rest and in transit (TLS 1.3), API key authentication, rate limiting, role-based access control, regular security audits, and automated vulnerability scanning.

10. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

You also have the right to lodge a complaint with your local data protection supervisory authority. In Spain, the relevant authority is the Agencia Española de Protección de Datos (AEPD).