Privacy Policy
Last updated: Mar 27, 2026
At Onion Podcasts (hereinafter, "the Platform"), accessible at onionpodcasts.com, we are committed to protecting the privacy of our users. This Privacy Policy describes what personal data we collect, for what purpose, for how long, and what your rights are in relation to such processing.
This policy is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR"), Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD"), and Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce ("LSSI-CE").
1. Data controller
- Identity: Mateu Llull
- NIF (Tax ID): 41517924A
- Address: Mallorca, Mallorca, Illes Balears, Spain
- Email: contact@onionpodcasts.com
As a natural person acting as data controller within the meaning of Article 4(7) of the GDPR, any communication regarding the protection of your personal data may be addressed to the email address indicated above.
2. Personal data we collect and its purpose
2.1. Data provided directly by the user
| Data category | Specific data | Purpose |
|---|---|---|
| Registration data | Email address, password (stored with secure hashing) | User account creation and management; authentication |
| Third-party authentication | Identifier and email address provided by Google OAuth or GitHub OAuth | Sign-in via external providers |
| Profile data (optional) | Name, avatar, profile background image | Customisation of the user's public profile |
| User-generated content | Comments, poll votes, podcast metadata, audio files, episode extras (PDFs, audio, images) | Provision of the podcast hosting and distribution service; community participation |
2.2. Data collected automatically
| Data category | Specific data | Purpose |
|---|---|---|
| Playback data | Listening progress, playback position | Playback synchronisation across devices; service continuity |
| Subscription data | Subscription status, access level, start and end dates | Premium content access management; billing |
| Session data | Authentication session cookie (essential technical cookie) | Maintenance of the authenticated user session |
2.3. Data we do NOT collect
Onion Podcasts does not collect:
- Credit card details, bank account information, or any other payment data. All financial information is managed exclusively by Stripe and is never stored on our servers.
- Precise geolocation data.
- Biometric data.
- Health data.
3. Legal basis for processing
The processing of your personal data is based on the following legal grounds, pursuant to Article 6 of the GDPR:
| Processing activity | Legal basis | Reference |
|---|---|---|
| Account creation and management | Performance of a contract | Art. 6(1)(b) GDPR |
| Subscription and payment management | Performance of a contract | Art. 6(1)(b) GDPR |
| Content hosting and distribution | Performance of a contract | Art. 6(1)(b) GDPR |
| Playback synchronisation | Performance of a contract | Art. 6(1)(b) GDPR |
| Transactional emails | Performance of a contract | Art. 6(1)(b) GDPR |
| Anonymous usage analytics (Umami, only after consent) | Consent; analytics are loaded only after you accept in the cookie banner | Art. 6(1)(a) GDPR |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) GDPR |
| Legal and tax obligations | Legal obligation | Art. 6(1)(c) GDPR |
4. Duration of processing and retention periods
- Account data: for as long as the account remains active. Upon request for deletion, data shall be erased within a maximum of 30 days, except for data that must be retained due to legal obligations.
- User-generated content: for as long as the account remains active or until the user deletes it.
- Subscription and billing data: a minimum of 5 years pursuant to Article 30 of the Código de Comercio (Spanish Commercial Code).
- Playback data: for as long as the account remains active. Deleted when the account is deleted.
- Session data: for the duration of the user's active session.
5. Data recipients
| Recipient | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment and subscription processing | Email address, subscription data | EU/US |
| Resend, Inc. | Transactional emails | Email address | US |
| Hetzner Online GmbH | Infrastructure hosting | All stored data (encrypted at rest) | Germany (EU) |
| Cloudflare, Inc. | DNS and infrastructure protection | IP addresses in transit | US / Global |
We do not sell, rent, or disclose your personal data to third parties for commercial or advertising purposes.
6. International data transfers
The majority of your personal data is stored and processed within the European Union (Hetzner servers in Germany). Some providers are based in the United States, with the following safeguards pursuant to Chapter V of the GDPR:
- Stripe, Inc.: Participates in the EU-US Data Privacy Framework and applies Standard Contractual Clauses (Art. 46(2)(c) GDPR).
- Resend, Inc.: Standard Contractual Clauses (SCCs). Only processes email addresses.
- Cloudflare, Inc.: EU-US Data Privacy Framework and Standard Contractual Clauses. Processing limited to IP addresses in transit.
7. User rights
In accordance with the GDPR (Articles 15 to 22) and the LOPDGDD, you have the following rights:
- Right of access (Art. 15 GDPR): to obtain confirmation of whether your data is being processed and to access it.
- Right to rectification (Art. 16 GDPR): to request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): to request the deletion of your personal data.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): to object to processing based on legitimate interest.
- Right to withdraw consent at any time.
7.1. How to exercise your rights
Send an email to contact@onionpodcasts.com with the subject line "Exercise of GDPR rights". Additionally, from your account settings you can:
- Export your personal data.
- Delete your account and associated data.
- Rectify your profile data at any time.
We shall respond within a maximum of 30 days (Art. 12(3) GDPR).
7.2. Right to lodge a complaint
You may lodge a complaint with the Agencia Española de Protección de Datos (AEPD — Spanish Data Protection Agency): www.aepd.es — C/ Jorge Juan, 6, 28001 Madrid.
8. Cookies and similar technologies
8.1. Cookies used
Onion Podcasts uses only essential technical cookies (authentication session cookie). This cookie is strictly necessary and does not require consent pursuant to Article 22(2) of the LSSI-CE.
8.2. Cookies we do NOT use
- Tracking cookies
- Advertising or third-party cookies
- Social media cookies
- Google Analytics, Facebook Pixel, or any cookie-based analytics system
We display a consent banner on first visit so you can accept or decline analytics before any tracking occurs.
8.3. Web analytics: Umami
With your consent, we use Umami, a web analytics tool with the following characteristics:
- Self-hosted on our infrastructure at Hetzner (Germany, EU). Data never leaves our servers.
- No cookies: it does not install, read, or use cookies of any kind.
- No personal data: it does not collect IP addresses, browser fingerprints, or data that could identify an individual user.
- No cross-site tracking.
- Anonymous and aggregated data: page views, referrers, browser/OS, screen size, and country.
Umami is only activated after you explicitly accept analytics in the cookie consent banner. You can withdraw consent at any time via the "Cookie settings" link in the footer.
9. Minors
The Platform is intended for persons aged 16 years or older. We do not knowingly collect data from minors under 16 years of age. If you become aware that a minor has provided data without the consent of their legal guardian, please contact us at contact@onionpodcasts.com.
10. Security measures
- Encryption of sensitive data at rest.
- Passwords stored using secure hashing functions.
- Communications encrypted via HTTPS/TLS.
- Role-based access control.
- Hosting in certified data centres within the EU (Hetzner, Germany).
- Payment data managed by Stripe (PCI-DSS Level 1).
- Regular database backups.
11. Changes to this policy
We reserve the right to update this Privacy Policy. In the event of material changes, we will notify you by email or by notice on the Platform prior to the changes taking effect.
12. Contact and complaints
- Email: contact@onionpodcasts.com
- Postal address: Mallorca, Mallorca, Illes Balears, Spain
You may lodge a complaint with the AEPD if you believe your rights have not been adequately addressed.