SPC Circles Privacy Policy

SPC Circles Privacy Policy

 

Last updated: 05/12/2026

This Privacy Policy describes how SMART PRODUCTS CONNECTION (SPC) collects, uses, and shares information in relation to the SPC Circles application. 

1. Data controller

Smart Products Connection, S.A., hereinafter SPC, is the entity responsible for processing the personal data handled through the SPC Circles application.

  • Company name: Smart Products Connection, S.A.
  • Registered office: Euskadi Technology Park, Leonardo da Vinci 14,
    01510 Vitoria-Gasteiz (Álava), Spain
  • Contact email: privacy@onspc.com

SPC is committed to protecting the privacy and personal data of its users and applies the necessary measures to ensure lawful, fair, and transparent processing.

2. Scope of application

This Privacy Policy describes how SPC handles the personal data of users who use SPC Circles (“SPC Circles,” “the App”), an application that allows messaging communication between registered and validated users, as well as parental management and supervision of minor accounts by an administrator user (father, mother, or legal guardian).

The application offers chat and account management features, with encrypted communication, and is designed to be used by adult users and by minors under supervision and authorization of the administrator.

Note on encryption: SPC Circles does not implement end-to-end encryption (E2E). Communication is encrypted in transit (e.g., TLS) and data may be encrypted at rest, but SPC or its providers could access the content under the described circumstances (e.g., support, legal compliance, security/abuse), always under controls and minimization.

This policy applies exclusively to SPC Circles. Other SPC products, applications, or services will be governed by their own privacy policies when expressly indicated.

3. User roles

3.1. Administrator (Admin)

The Administrator is the main user of the circle, usually the father, mother, or legal guardian.

The Administrator can:

  • Create, link, or delete supervised user accounts
  • Configure and manage parental control settings
  • Check the location of supervised users
  • Manage circle members
  • Manage permissions and restrictions available in the application
  • Access the information necessary for the supervision and management of the accounts under their responsibility

The Administrator declares that they have the necessary legal authority to manage the accounts of supervised users and that they have informed them, appropriately for their age, about the use of SPC Circles.

 

3.2. Member

The Member is a user who is part of a circle created by an Administrator and can use the communication features of the application.

The Member can:

  • Participate in individual conversations outside a circle with their contacts
  • Participate in group conversations within the circle they have been given access to
  • Send and receive messages and files
  • View basic information of other circle members (for example, name or nickname and profile picture, if any)

The Member does not have parental control administration permissions but can view, when shared by an administrator, the location of a supervised user.

3.3. Observer

The Observer is a user added to the circle with limited access, whose main function is to view information and communications, without active intervention capability.

The Observer can:

  • Participate in individual conversations outside a circle with their contacts
  • Participate in group conversations within the circle they have been given access to
  • Send and receive messages and files

Observer access is always subject to the configuration defined by the Administrator, who is responsible for determining the scope of access granted.

3.4 Supervised User (Managed)

The supervised User uses the App under the supervision of the Administrator. Some actions/settings may be limited by parental control.

4. Personal data we process (categories)

Below, we describe what data we process and why. SPC applies the principle of minimization: we only process the data necessary to operate the App and its functions.

4.1 Account and profile data

  • Email account and/or account identifier
  • Name/nickname
  • Profile picture (optional)
  • Language, country/region

Purpose: create/manage the account, identify participants in chats and circles.

4.2. Communication data (content)

SPC Circles processes the following communication data:

  • Sent and received messages (text)
  • Shared files (images, audio, video or other content available in the App)
  • Voice notes

Content storage:
Messages and files are stored on SPC servers indefinitely while the user account remains active, in order to ensure the proper provision of the messaging service, synchronization between devices, and recovery of conversation history.

Access to content:
SPC Circles does not use message content for advertising purposes.
Since communication is not end-to-end encrypted (E2E), the content may be accessible by SPC or authorized technology providers only when necessary, for example, to:

  • Ensure the delivery and storage of messages
  • Provide technical support to the user
  • Prevent, detect or investigate misuse, fraud or abuse
  • Comply with legal obligations or requirements from competent authorities
  • Manage reports of inappropriate content, if the feature exists

4.3 Communication metadata

  • Date/time of sending/delivery
  • Message status (sent, delivered, read) if applicable
  • Technical conversation/chat identifiers
  • Participants and groups (e.g., who belongs to which circle)

Purpose: basic chat operation, synchronization, reliability, abuse prevention.

4.4 Device and technical data

  • Model, manufacturer, operating system version
  • Device identifiers (e.g., installation ID; not for advertising)
  • IP address, system logs
  • Diagnostics, crashes (crash logs), performance
  • Push notification tokens

Purpose: security, fraud prevention, compatibility, notifications, diagnosis, and improvement.

4.5 Parental control data (Administrator)

Depending on active features, the App may process:

  • Permission settings, limits, schedules
  • Management of minor's contacts/circles
  • Minor's requests to the Administrator (e.g., "ask for permission," "request to add contact")
  • Activity indicators within the App (e.g., last connection, if any)

Purpose: enable parental control and management of the minor's environment.

4.6 Payment data (in-app purchase)

  • Subscription status (active/inactive), plan type
  • Transaction identifiers (managed by Google/Apple)

Purpose: subscription and billing management.
SPC does not receive full card data; it is processed by the store (Google/Apple).

5. Purposes of processing (in detail)

We process data for:

  1. Providing the service (accounts, chat, message/file delivery, groups)
  2. Parental control (configuration and management of the supervised user)
  3. Security (fraud, abuse, spam, impersonation, incident prevention)
  4. Support (handling incidents and requests)
  5. Improvement (diagnosis, performance, stability, non-advertising analytics)
  6. Legal compliance (legal requirements, mandatory retention, etc.)

6.  Legal bases (GDPR)

Depending on the case:

  • Contract execution (art. 6.1.b): providing the App and its functions
  • Consent (art. 6.1.a): device permissions (contacts, microphone, etc.) and, when applicable, processing of minor's data according to regulations
  • Legitimate interest (art. 6.1.f): security, abuse prevention, technical improvement, service integrity
  • Legal obligation (art. 6.1.c): compliance with applicable laws
  • Vital interests (art. 6.1.d) exceptionally (e.g., minor safety in serious risk, according to law)

7.       Minors and parental consent (LOPDGDD / GDPR)

  • SPC Circles is designed for the Supervised User to use the App under Administration.
  • The Administrator declares to have the necessary parental authority/legal representation.
  • SPC applies measures to avoid unnecessary collection of data from minors and limits its use to what is strictly necessary for the service and security.

Age: in Spain, consent for information society services is commonly set at 14 years (LOPDGDD). In any case, the App is offered in supervised mode: the main basis is administration/guardianship and use according to family settings.

8.      Information security and encryption

SPC applies appropriate technical and organizational measures to protect personal data, including:

  • Encryption of communications in transit using secure protocols (e.g., TLS/HTTPS)
  • Security measures for content storage on servers
  • Internal access controls and the principle of least privilege
  • Activity logs and security monitoring
  • Incident management procedures

Important:
SPC Circles does not implement end-to-end encryption (E2E).
This means that, although communications are encrypted during transmission, the content is processed and stored on servers, under the security measures described in this Policy.

9.     Data sharing (third parties)

SPC does not sell personal data.

We may share data with:

  1. Data processors (providers): hosting, databases, notification sending, technical analytics, support. They act under contract and GDPR measures.
  2. Authorities: when there is a legal obligation, court order, or need to protect rights/health/security, according to the law.
  3. Corporate operations: in mergers/acquisitions, with confidentiality guarantees.

Advertising/Tracking: SPC Circles does not share data with third parties for behavioral advertising or cross-app/site tracking.

 

10.   International transfers

If any provider processes data outside the EEA, SPC will apply legal mechanisms (e.g., Standard Contractual Clauses, transfer assessments, and additional measures when appropriate).

11.   Data retention

Personal data is retained according to the following criteria:

11.1. Account data

They are kept while the user's account is active.

11.2. Messages and files

  • The content of communications (messages and files) is stored indefinitely on SPC servers while the account exists.
  • The user can delete conversations or content from the App, which may imply their logical deletion from the service, without prejudice to temporary technical backups.

11.3. Backups

  • Backups may exist for technical and security reasons.
  • These copies are kept for a limited period and are periodically deleted according to SPC’s internal procedures.

11.4. Legal obligations

Certain data may be retained for additional periods when there is a legal obligation or it is necessary for the formulation, exercise, or defense of claims.

 

12.   Account deletion

The user or Administrator can request account deletion at any time:

  • When deleting the account, SPC will proceed to delete or anonymize the associated personal data, including stored messages and files, except those that must be retained by legal obligation.
  • The deletion process may not be immediate in backup systems, but data will no longer be accessible and will be deleted according to security deletion cycles.

 

13.    User and Administrator controls

The app offers:

  • Profile access and editing
  • Deletion of conversations and content
  • Account deletion
  • Administrator tools to manage the supervised user

 

14. Notifications, permissions, and decisions

14.1 Push notifications

We use notification tokens for alerts (messages, notifications). You can disable them from the system.

14.2 Device permissions

  • Microphone: for recording voice notes
  • Camera/files: to send content
  • Other permissions necessary for operation

The app requests “just-in-time” permissions and you can revoke them.

 

15. Cookies and similar technologies

In mobile apps, we do not use traditional web “cookies,” but we may use technical identifiers and SDKs to:

Analytics

The services included in this section allow SPC Circles to analyze app usage and user behavior in order to improve its operation, stability, and user experience.

Google Analytics for Firebase (Google LLC)

Google Analytics for Firebase (also called Firebase Analytics) is an analytics service provided by Google LLC.

This service allows collecting information about app usage, such as events, interactions, and technical data, with the goal of understanding how SPC Circles is used and improving its features.

Firebase Analytics may share certain data with other Firebase services used by SPC Circles, such as Crashlytics, Authentication, Remote Config, or Notifications, always for technical, security, or service improvement purposes.

SPC Circles uses mobile device identifiers and similar technologies for the operation of Firebase Analytics.

Personal data processed:

  • Unique device identifiers
  • App usage data
  • Technical identifiers, such as installed app package names
  • Tracking technologies equivalent to cookies in mobile environments

Data controller:
Google LLC (United States)

Legal basis for processing:
Legitimate interest of the controller in improving and securing the service and, when applicable, the user's consent according to current regulations.

International transfers:
Data may be processed outside the European Economic Area. In such cases, SPC guarantees that adequate legal mechanisms are applied, such as the Standard Contractual Clauses approved by the European Commission, in accordance with the GDPR.

 

Infrastructure monitoring

This type of service allows SPC Circles to monitor the use, performance, and technical behavior of the app, in order to improve its stability, maintenance, and issue resolution.

The type of data processed depends on the features and configuration of each monitoring service.

 

Crashlytics (Google LLC)

Crashlytics is an error monitoring service provided by Google LLC, which allows detecting failures, crashes, and technical problems in the app.

Personal data processed:

  • Approximate location information (at city level)
  • Unique device identifiers
  • Technical data related to app errors and failures

Data controller:
Google LLC (United States)

Purpose:
Error diagnosis, stability improvement, and resolution of technical issues.

 

Firebase Performance Monitoring (Google LLC)

Firebase Performance Monitoring is a performance monitoring service provided by Google LLC, which allows analyzing the technical behavior of the app, such as response times and network performance.

Personal data processed:
Technical and performance data, according to Google's privacy policy.

Data controller:
Google LLC (United States)

International transfers:
Processing may involve international data transfers, carried out with adequate legal guarantees in accordance with the GDPR.

 

16.  User rights

Users can exercise their rights of access, rectification, deletion, opposition, restriction of processing, and portability by sending a request to privacy@onspc.com.

They may also file a complaint with the Spanish Data Protection Agency (www.aepd.es).

17. Parental responsibility

SPC Kite is a tool to support parental control. The legal guardian is responsible for:

  • Properly configure the monitoring functions.
  • Inform the minor about the use of the app, according to their age and level of maturity.

18. Changes to the privacy policy

SPC may update this Privacy Policy to adapt it to legal or functional changes. Updates will be communicated through the app or by other reasonable means.

19. Applicable law

This Privacy Policy is governed by Spanish and European data protection legislation.