Privacy policy

What data we process, on which legal basis, for how long, and how to exercise your rights.

Last updated: 15 May 2026

At Vibrako we process your personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Data Protection and the Guarantee of Digital Rights (LOPDGDD). This policy explains what data we collect, why, with whom we share it, and how you can control it.

1. Data controller

  • Company: ElephantPink Creative SL
  • CIF: B93314664
  • Registered office: Marbella, Spain
  • Privacy contact email: privacy@elephantpink.com

2. What data we collect

We process only the minimum data needed for the portal and community to work:

  • Spotify identity: Spotify user ID, display name and avatar URL when you sign in.
  • Email: the email associated with your Spotify account, used for identification and service notices.
  • Country: the country declared in your Spotify account, used to personalize content.
  • Year of birth: to verify minimum age (14 years) and personalize content.
  • Bio: optional free text that you choose to write.
  • Interactions: bookmarks, reactions and comments you post.
  • Technical data: hash of your IP address, hash of your browser user agent and session cookies. Hashes are not reversible.

3. Purposes of processing

  • Authenticate you via Spotify OAuth and keep your session.
  • Show editorial content personalized by country and language.
  • Let you take part in the community: bookmarks, reactions, comments and bio.
  • Prevent abuse, spam and fraud through technical hashes.
  • Send you service notices when you sign in or change data.

4. Legal basis

We process your data under the following legal bases of GDPR article 6:

  • Consent (art. 6.1.a): by signing in with Spotify and accepting this policy, you authorize the described processing. You can withdraw it at any time from your account.
  • Contract performance (art. 6.1.b): to deliver the service once you create an account.
  • Legitimate interest (art. 6.1.f): abuse, fraud and spam prevention through irreversible hashes. We have run a prior balancing test.

5. Retention periods

  • Sessions: 30 days.
  • Account and published content: until you request account deletion.
  • Anti-abuse technical hashes: 90 days rotating.
  • Accounting and tax data: 6 years by legal duty (Spanish Commercial Code art. 30) when applicable.

6. Data recipients

We share data only with the processors needed to deliver the service:

  • Spotify Ireland Ltd (Dublin, Ireland, EU), for OAuth and your account's public data.
  • Resend Germany GmbH (Berlin, Germany, EU), for transactional email delivery.
  • OVHcloud (Roubaix, France, EU), for application hosting.

We do not sell your data and we do not share it with third parties for advertising. We do not run behavioral advertising.

7. International transfers

None of our providers processes your data outside the European Economic Area. Spotify Ireland, Resend (EU servers) and OVHcloud operate within the EU/EEA, with adequate safeguards under GDPR.

8. Your rights

As a data subject you have the right to:

  • Access your data.
  • Rectify inaccurate data.
  • Delete your data (right to be forgotten).
  • Object to a specific processing.
  • Request restriction of processing.
  • Receive your data in a readable format (portability).
  • Withdraw consent at any time.
  • Lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

9. How to exercise your rights

Write to privacy@elephantpink.com stating which right you want to exercise. We will reply within one month at most. You can delete your account and all related data from /mi-cuenta.

10. Cookies

More detail in our cookie policy.

11. Changes to this policy

If we change this policy we will inform you through the site banner for 30 days and, if changes are substantial, by email.