Last updated: 2026-03-25 12:00:00 UTC
This document was originally drafted in Spanish, which is the legally binding version. Versions in other languages that may be available in the Application are courtesy translations provided for informational purposes only. In the event of any discrepancy between the Spanish version and any translation, the Spanish version shall always prevail.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data (hereinafter, "GDPR"), and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter, "LOPDGDD"), the User is hereby informed that the controller of their personal data is:
Controller: Miguel Angel Pacheco Villanego (hereinafter, "MPApps")
Address: Calle Drago 7, 11130 Chiclana de la Frontera (Cádiz), Spain
Email: contact@mpapps.club
Phone: +1 585-282-6739
This Privacy Policy applies to the processing of personal data carried out through the résumé creation mobile application (hereinafter, the "Application" or "App"), available on Google Play Store and Apple App Store, and operated by MPApps.
This Policy does not apply to information collected by third parties through other websites, applications, or services linked from the Application, even if they are accessible through it. We recommend that the User review the privacy policies of such third parties before providing them with personal information.
MPApps collects the following categories of personal data depending on the User's interaction with the Application:
For the proper functioning of the Application, device legitimacy verification, and service provision, the following technical data is automatically collected when registering the device on our servers. Without this information, the Application cannot function:
a) Unique device identifier (UUID): a UUID v4 identifier automatically generated by the Application exclusively for internal use. It does not correspond to the IMEI, serial number, or any other hardware identifier of the device.
b) Platform: the device's operating system (Android or iOS).
c) Language (locale): the regional settings and language of the User's device, necessary to serve content in the correct language.
d) Integrity Token: a token generated by Google Play Integrity API (Android) that verifies the Application is running on a legitimate and unmodified device. It is used exclusively during the initial device registration.
e) Push Token: a Firebase Cloud Messaging (FCM) identifier required for sending push notifications, if the User has enabled them. It is registered during the device registration process but is only actively used if the User authorises notifications.
f) Device Identifier (Fingerprint): on Android devices, the Application collects the Android ID (SSAID), a 16-character alphanumeric identifier assigned by the operating system. It does not correspond to the IMEI or any permanent hardware identifier and resets upon factory reset. It is used exclusively for fraud prevention as described in section 4.8.
When the User voluntarily activates the analytics feature through the toggle available in the Application, the following data is collected via Firebase Analytics:
a) Usage data: information about the User's interaction with the Application (screens visited, frequency of use, interaction events) in order to improve the service.
b) Technical error data (Firebase Crashlytics): technical information about Application errors and crashes (error logs, device state at the time of the crash) to identify and fix technical issues.
If the User does not activate this option, Firebase Analytics operates in a restricted mode that only sends anonymous and aggregated signals, without personal identifiers, in accordance with Google's Consent Mode v2.
The Application displays advertisements through Google AdMob. Before showing personalised ads, User consent is requested through Google's UMP (User Messaging Platform) consent management platform, in accordance with Google's EU User Consent Policy.
If the User grants consent, advertising identifiers from the device are collected for the personalisation and measurement of advertisements shown in the Application. If the User declines consent or grants it only partially, non-personalised ads will be shown. The User may modify their consent preferences at any time from the Application settings.
When the User installs the Application through a Google Ads advertisement, Google generates a click identifier called GCLID (Google Click Identifier) that is associated with the installation. Once the User has accepted this Privacy Policy, this identifier is sent to MPApps servers with the sole purpose of reporting to Google Ads that a conversion has occurred (installation of the Application and, where applicable, in-app purchases).
This data is used exclusively to measure the effectiveness of MPApps advertising campaigns and is not used to identify, profile, or track the User. The GCLID is not collected before the User has accepted this Privacy Policy.
When the User voluntarily chooses to use the Google Drive backup feature, authentication via Google Sign-In is required. It is important for the User to know that:
a) MPApps does not store any data from Google Sign-In on its servers. Neither the access credentials, nor the name, email address, nor the authorisation token of the User are sent to or stored on MPApps servers at any time.
b) Authentication and the Google Drive access token are managed entirely locally on the User's device, through Google's own services.
c) The Application uses this local token exclusively to read and write backup files in the designated folder within the User's own Google Drive. Once authenticated, the backup process may run automatically as long as the User remains signed in.
The User may revoke the Application's access to their Google account at any time by signing out of the Application or from the security settings of their Google account (https://myaccount.google.com/permissions).
As a general rule, the content of résumés created by the User is stored exclusively on the User's device and, if the User so chooses, in their own Google Drive account. MPApps does not access such content except in the cases described in section 3.7, where the User voluntarily uses the Artificial Intelligence features.
When the User uses the Artificial Intelligence features available in the Application, certain data is transmitted to MPApps servers for processing. Depending on the feature used, the data processed is as follows:
a) Automatic résumé creation: The User may provide a description of their professional background via written text or audio recording. This content is sent to MPApps servers, where it is transmitted to the AI service provider for processing. The generated result is returned to the User's device.
b) Résumé review: The complete content of the User's résumé is sent to MPApps servers, where it is transmitted to the AI service provider for analysis and generation of improvement suggestions. The result is returned to the User's device.
In relation to the processing of this data, the User should be aware that:
(i) The data sent to MPApps servers (text, audio, or résumé content) is stored in a transitory, encrypted manner and exclusively for the time technically necessary to complete the processing of the AI request. Once the result is obtained and returned to the User's device, the data is automatically and permanently deleted from MPApps servers.
(ii) MPApps does not retain, index, or use the content sent by the User for any purpose other than providing the requested AI service.
(iii) In the case of the audio creation feature, the voice recording is sent directly to the AI service provider for processing. The recording is used exclusively as a means of information input and is not used to identify the User through their voice or for any other biometric purpose.
(iv) The AI service provider receives the content for processing in accordance with its own terms of service and privacy policy, as detailed in sections 6 and 11 of this Policy. In accordance with those terms, the provider does not use the data sent to train or improve its artificial intelligence models, and processes it as a data processor pursuant to its Data Processing Addendum. However, the provider may retain the data for a limited period solely for the purpose of detecting misuse of its services and complying with its legal or regulatory obligations.
(v) Exceptionally, in the event of a technical error during the processing of an AI request, MPApps may retain the data associated with that request for the time strictly necessary to diagnose and resolve the technical issue. Once the issue is resolved, the data will be deleted immediately. During this period, the data will remain encrypted and access will be limited exclusively to authorised technical personnel responsible for resolving the error.
(vi) The User is advised to avoid including special categories of personal data (such as health data, ethnic origin, sexual orientation, trade union membership, or religious beliefs) in the texts or audio recordings submitted to the AI features, as such data will be transmitted to the external provider for processing.
The purposes for which MPApps processes the User's personal data, together with the legal basis legitimising each processing activity under Article 6 of the GDPR, are set out below:
Legal basis: Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).
The processing of technical device data (UUID, platform, language, Integrity Token, and Push Token) is strictly necessary to register the device on our servers, verify that it is a legitimate device, manage subscriptions and AI credits, serve content in the appropriate language, and generally provide the contracted service. Without this data, the Application cannot function.
Legal basis: User consent (Art. 6(1)(a) GDPR).
Data collected through Firebase Analytics and Firebase Crashlytics is used to analyse the use of the Application, detect and fix technical errors, and improve the User experience. This processing is only activated when the User expressly authorises it through the toggle available in the Application. The User may enable or disable this option at any time from the Application settings.
While the User does not activate this option, Firebase operates in restricted mode in accordance with Google's Consent Mode v2, sending only anonymous and aggregated signals without personal identifiers. This restricted mode is based on the legitimate interest of MPApps (Art. 6(1)(f) GDPR), as no identifiable personal data is processed.
Legal basis: User consent (Art. 6(1)(a) GDPR).
The personalisation of advertisements through Google AdMob requires the User's prior consent, which is requested through Google's UMP (User Messaging Platform) consent management platform, in accordance with Google's EU User Consent Policy and Consent Mode v2.
The User may grant or deny consent on a granular basis (choosing which advertising purposes to accept) and may modify their preferences at any time from the Application settings. If the User does not grant consent for ad personalisation, non-personalised ads will be shown.
Legal basis: Legitimate interest of the controller (Art. 6(1)(f) GDPR).
MPApps has a legitimate interest in measuring the effectiveness of its advertising campaigns on Google Ads to ensure the economic sustainability of the service. The GCLID is used exclusively to report to Google Ads that a conversion has occurred (installation or purchase), without this data being used to identify, profile, or individually track the User.
MPApps has carried out the appropriate balancing test between its legitimate interest and the User's rights and freedoms, concluding that this processing does not represent a disproportionate impact, given that: (i) the GCLID is collected only after the User has accepted this Privacy Policy; (ii) the data is not used to profile or identify the User; and (iii) its sole purpose is the aggregated measurement of advertising results.
The User may exercise their right to object to this processing at any time, in accordance with section 8 of this Policy.
Legal basis: Explicit User consent (Art. 6(1)(a) GDPR).
Only when the User voluntarily decides to activate the backup feature and signs in with Google Sign-In does the Application access their Google Drive account to store and retrieve backups. All authentication data (credentials, access token) is managed locally on the User's device and is never sent to MPApps servers. This processing requires an affirmative action by the User and may be revoked at any time by signing out of the Application or revoking permissions from the security settings of their Google account.
Legal basis: User consent (Art. 6(1)(a) GDPR).
If the User agrees to receive push notifications through the operating system's permission dialogue, the Push Token registered during setup is used to send relevant information about the service, updates, and, where applicable, commercial communications. The User may disable notifications at any time from their device settings.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
When the User voluntarily uses the AI features of the Application (automatic résumé creation or résumé review), the sending of the provided data (text, audio, or résumé content) to MPApps servers and its subsequent transmission to the AI service provider is strictly necessary for the provision of the contracted service. The data is stored on MPApps servers on a transitory and encrypted basis and is automatically deleted after processing is completed.
Legal basis: Legitimate interest of the controller (Art. 6(1)(f) GDPR).
MPApps processes the device identifier (Fingerprint) to detect and prevent fraudulent usage patterns of Artificial Intelligence credits. This data is retained following the same retention period applicable to other technical device data (section 5).
Personal data will be retained for the time necessary to fulfil the purpose for which it was collected and to address any liabilities arising from the processing and use of the service. The retention periods are as follows:
Technical device data (UUID, platform, language, Integrity Token, Push Token): retained for as long as the User maintains an active subscription or uses the Application. If there is no active subscription or any interaction with the Application for a continuous period of five (5) years, the data may be deleted. This period is justified by the need to address potential legal claims, given that the general limitation period for personal actions in Spain is five years pursuant to Article 1964 of the Spanish Civil Code.
Analytics data (Firebase Analytics): retained in accordance with the data retention policy configured in Firebase Analytics (maximum 14 months from the User's last interaction). MPApps does not directly manage the deletion of this data, as it is administered by Google in accordance with its own retention policy.
Conversion tracking data (GCLID): retained for a maximum period of ninety (90) days from collection, the period necessary to complete the conversion attribution process in Google Ads. After this period, the GCLID will be permanently deleted from MPApps servers.
Google Sign-In authentication data: this data is not stored on MPApps servers. It is managed locally on the User's device through Google's services. The User has full control over this data and may delete it by signing out of the Application or revoking permissions from their Google account.
Data processed through AI features (text, audio, and résumé content): this data is stored on MPApps servers in an encrypted form and exclusively for the time strictly necessary to complete processing. Once the User retrieves the result, or after a brief period without retrieval, the data is automatically and permanently deleted from MPApps servers. In no case does retention exceed a few minutes. Exceptionally, in the event of a technical error during processing, the data may be retained for the time strictly necessary to diagnose and resolve the issue, after which it will be immediately deleted. Data retention by the AI service provider is governed by its own retention policies, as detailed in section 6.4.
Once the stated retention periods have ended, the data will be deleted or irreversibly anonymised. If the User exercises their right to erasure, the data will be deleted as soon as possible, unless a legal obligation requires its retention.
MPApps does not sell, transfer, or share the User's personal data with third parties for their own purposes. However, for the provision of the service, MPApps relies on the following providers who act as data processors or independent controllers, as applicable:
Services: Firebase Analytics, Firebase Crashlytics, Google Ads/AdMob, Google Sign-In, Google Drive API, Google Play Integrity API.
Role: Data processor (for Firebase Analytics, Crashlytics, and Play Integrity) and independent controller (for Google Ads/AdMob).
Google Privacy Policy: https://policies.google.com/privacy
Tax ID (CIF): B85049435
Address: Avenida de la Vega, 1, Edificio Veganova, Floor 3, Door 5C, 28108 Alcobendas (Madrid), Spain.
Role: Data processor — Web hosting and infrastructure services provider where MPApps servers are hosted.
Privacy Policy: https://www.ionos.es/terms-gtc/terms-privacy/
In relation to the management of payments, subscriptions, and downloads made through the App Store (Apple) or Google Play Store (Google), these platforms act as independent controllers of the User's payment data, in accordance with their own privacy policies.
Service: Google Artificial Intelligence API (natural language and audio processing for the AI features of the Application).
Role: Data processor — Artificial Intelligence service provider that processes texts and audio files sent by the User when using the AI features. Data is processed in accordance with the Data Processing Addendum for products where Google acts as a data processor.
Data processed: Exclusively the text, audio, or résumé content that the User submits to the AI features.
Provider retention: In accordance with the provider's terms of service, the data sent (prompts and responses) may be retained by the provider for a limited period solely for the purpose of detecting misuse of its services and complying with legal or regulatory obligations. During this period, the data is not used to train or improve artificial intelligence models.
Terms of service: https://ai.google.dev/gemini-api/terms
In the event that MPApps adds or replaces the AI service provider with a different one, this Privacy Policy will be updated in accordance with the procedure set out in section 13.
Some of the providers mentioned in the previous section, in particular Google LLC (including Google's Artificial Intelligence services), are headquartered in the United States and may process personal data on servers located outside the European Economic Area (EEA).
Such transfers are carried out under the appropriate safeguards provided for in the GDPR, including:
a) The EU-US Data Privacy Framework, to which Google LLC is certified.
b) Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914).
The User may obtain further information about these safeguards by contacting MPApps at the email address provided.
In accordance with the GDPR and the LOPDGDD, the User may exercise the following rights at any time in relation to their personal data:
a) Right of access: To obtain confirmation as to whether MPApps is processing personal data concerning them and, if so, to access such data.
b) Right to rectification: To request the correction of inaccurate or incomplete personal data.
c) Right to erasure ("right to be forgotten"): To request the deletion of personal data when, among other reasons, it is no longer necessary for the purposes for which it was collected.
d) Right to restriction of processing: To request that the processing of their data be restricted in certain circumstances.
e) Right to data portability: To receive personal data concerning them in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
f) Right to object: To object to the processing of their personal data, including profiling. In particular, the User has the right to object to processing based on legitimate interest (such as conversion tracking via GCLID), in which case MPApps will cease processing such data unless it demonstrates compelling legitimate grounds.
g) Right not to be subject to automated decisions: Not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects them.
h) Right to withdraw consent: To withdraw at any time consent given for processing based on this legal basis (analytics, personalised advertising, backups, push notifications), without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, the User may contact MPApps by sending an email to contact@mpapps.club, indicating "Data Protection" in the subject line and attaching a copy of their identity document.
MPApps will respond to the request within a maximum period of one month, which may be extended by two additional months in the case of particularly complex requests, in accordance with Article 12 of the GDPR.
Furthermore, if the User considers that the processing of their personal data infringes current regulations, they have the right to file a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, website www.aepd.es.
In accordance with Article 7 of the LOPDGDD, the Application is intended for users aged 14 and over. Users under the age of 14 may not use the Application without the prior and verifiable consent of their parents, guardians, or legal representatives.
However, the Artificial Intelligence features of the Application are available exclusively to users aged 18 and over, in accordance with the terms of service of the AI provider. By accepting this Privacy Policy and the Terms and Conditions of Use, the User declares and warrants that they meet the age requirement applicable to the features they use. Users under the age of 18 may use the basic features of the Application that do not involve the use of Artificial Intelligence.
MPApps does not intentionally collect personal data from children under the age of 14. If MPApps becomes aware that data has been collected from a child under 14 without appropriate consent, it will proceed to delete such data as soon as possible.
For users in other countries, the minimum age for digital consent established by the applicable national legislation will apply (for example, 16 years in Germany or the Netherlands, 13 years in the United States under COPPA).
MPApps has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, in accordance with Article 32 of the GDPR. These measures include, among others:
a) Encryption of communications using secure protocols (HTTPS/TLS).
b) Device integrity verification through Google Play Integrity API to prevent fraudulent or tampered access.
c) Restricted access control to personal data.
d) Local storage of résumé data on the User's device, without transmission to MPApps servers, except in the cases of AI feature usage described in section 3.7.
e) Use of pseudonymised identifiers (auto-generated UUID v4) instead of personal device identifiers.
f) Regular review and updating of security measures.
g) Encryption at rest of data processed through the Artificial Intelligence features during their transitory storage on MPApps servers. Data is only decrypted at the time of transmission to the AI service provider and at the time of delivery to the User's device. Once the result is delivered to the User, or after a brief period without the User retrieving it, the data is automatically and permanently deleted.
h) Restricted access exclusively by authorised technical personnel to data exceptionally retained for the resolution of technical incidents in the Artificial Intelligence service, with encryption of such data maintained at all times.
The Application uses the following third-party services, each of which operates under its own privacy policies:
Google Play Services: Core Android platform services.
https://policies.google.com/privacy
Google Play Integrity API: Device integrity verification.
https://developer.android.com/google/play/integrity
Firebase Analytics (Google): Application usage analytics (requires User consent).
https://firebase.google.com/support/privacy
Firebase Crashlytics (Google): Technical error detection and reporting.
https://firebase.google.com/support/privacy
Google Ads / AdMob (Google): Advertising and conversion measurement (requires User consent via UMP).
https://policies.google.com/technologies/ads
Google UMP (User Messaging Platform): Advertising consent management platform.
https://developers.google.com/admob/ump
Google Sign-In and Google Drive API: Authentication and backups (optional, requires User action).
https://policies.google.com/privacy
Google Artificial Intelligence API: Natural language and audio processing for the Artificial Intelligence features of the Application (available exclusively to users aged 18 and over).
https://ai.google.dev/gemini-api/terms
Apple Services (for iOS): iOS platform services and subscription management.
https://www.apple.com/legal/privacy/
The Application may contain links to third-party websites or services that are not operated by MPApps. MPApps is not responsible for the privacy practices or content of such sites. The User is advised to review the privacy policies of any third-party website or service they access.
MPApps reserves the right to modify this Privacy Policy at any time to adapt it to legislative or case-law developments or to changes in its data processing practices.
Any substantial modification will be notified to the User through a mandatory notice within the Application, which will require reading and acceptance of the new Privacy Policy before the User can continue using the service. If the User does not accept the new Privacy Policy, they must stop using the Application.
This Privacy Policy is governed by Spanish and European data protection legislation, in particular:
a) Regulation (EU) 2016/679 (GDPR).
b) Organic Law 3/2018, of 5 December (LOPDGDD).
c) Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE).
For any enquiry related to this Privacy Policy or the processing of personal data, the User may contact MPApps at the following email address: contact@mpapps.club.