CANDELA

Last updated: March 22, 2026

Privacy Policy

1. Who We Are

CANDELA is operated by Candela, based in Barcelona, Spain. We provide professional equipment list building tools for lighting directors and production professionals. For privacy inquiries, contact us at privacy@candelaeq.com.

2. Data We Collect

Account data: name, email address, and password (hashed) when you create an account.

Project data: equipment lists, project details (client name, photographer, location, dates, notes), version history, and templates you create.

Waitlist data: name, email, and role when you request beta access.

Usage data: pages visited, features used, and performance metrics collected by Vercel Speed Insights. No personally identifiable information is included in usage analytics.

Technical data: IP address (for rate limiting only, not stored), browser type, and device information transmitted in standard HTTP headers.

3. Legal Basis for Processing (GDPR)

Contract performance: processing your account and project data is necessary to provide the Service you signed up for.

Legitimate interest: usage analytics to improve the Service, rate limiting to prevent abuse, and security monitoring.

Consent: marketing communications, if any, are sent only with your explicit consent. You may withdraw consent at any time.

4. How We Use Your Data

We use your data to: provide and maintain the Service; authenticate your identity and secure your account; store and display your equipment lists and project data; process AI-assisted list reviews when you explicitly request them; send transactional emails (account verification, password reset); improve the Service through aggregated, anonymized usage analytics; and comply with legal obligations.

5. Data Storage and Location

Your data is stored on servers located in the European Union:

  • Database: Supabase (PostgreSQL), hosted in eu-central-1 (Frankfurt, Germany).
  • Application: Vercel, pinned to fra1 (Frankfurt, Germany).

Data does not leave the EU for storage. Where third-party processors outside the EU are involved (see section 6), appropriate safeguards are in place including Standard Contractual Clauses.

6. Third-Party Processors

We share your data with the following processors, only to the extent necessary to provide the Service:

  • Supabase (database, authentication, file storage) — EU hosted. Processes account data and project data.
  • Vercel (application hosting, edge network) — EU hosted. Processes HTTP requests and serves the application.
  • Stripe (payment processing) — processes billing data when paid plans are active. Your payment details are handled directly by Stripe and never stored on our servers.
  • Anthropic (AI list review) — receives equipment list data only when you explicitly request an AI review. Data is not used for AI training and is not persisted by Anthropic.
  • Resend or Postmark (transactional email) — processes your email address for account-related notifications only.

We do not sell, rent, or share your personal data with any other third parties.

7. Data Retention

Active accounts: your data is retained for as long as your account is active.

Closed accounts: upon account deletion, your personal data and project data are permanently deleted within 30 days. Anonymized, aggregated data may be retained for analytics purposes.

Waitlist data: retained until you are granted access or request removal, whichever comes first.

Server logs: IP addresses in rate-limiting caches are held in memory only and are never persisted to disk.

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access: request a copy of all personal data we hold about you.
  • Rectification: correct inaccurate or incomplete personal data.
  • Erasure: request deletion of your personal data ("right to be forgotten").
  • Restriction: request that we limit how we process your data.
  • Portability: receive your data in a structured, machine-readable format.
  • Object: object to processing based on legitimate interest.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@candelaeq.com. We will respond within 30 days as required by law. You also have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

9. Cookies

We use essential cookies only. These are strictly necessary for the Service to function:

  • Authentication cookies: to keep you logged in.
  • Preference cookies: to remember your cookie consent choice.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. For more details, see our Cookie Notice.

10. Security

We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS/HTTPS) and at rest; row-level security in the database ensuring complete tenant isolation; hashed passwords (never stored in plain text); rate limiting on sensitive endpoints; and regular security audits of our infrastructure.

While we take reasonable precautions, no method of transmission or storage is 100% secure.

11. Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For privacy-related questions or to exercise your rights, contact us at privacy@candelaeq.com.
