
Privacy Policy

Last updated: March 20, 2026

1. Who We Are

GoGufi, S.L. (CIF: B24836421) ("Gufi", "we", "us") operates the Gufi platform at gufi.dev. Gufi is an AI-powered platform that helps you build business software. This Policy explains how we handle your data, in compliance with the GDPR, Spanish Organic Law 3/2018 (LOPDGDD), and Law 34/2002 on Information Society Services (LSSI-CE).

Contact: hello@gufi.es · GoGufi, S.L., CIF: B24836421, Madrid, Spain.

2. What We Collect

Account info: Name, email, and password when you register.

Business data: Everything you create in your workspace — modules, tables, records, views, dashboards, automations, and websites. Each company's data is fully isolated; no other company can access it.

AI conversations: Your prompts and chat history with Gufi AI, used to provide the service and maintain context.

Payment info: Processed by Stripe. We never store card details.

Technical data: IP address, browser, device type, and usage metrics collected automatically.

Google User Data

When you connect your Google account (e.g. Gmail) to Gufi, our platform requests access to specific Google services through the OAuth 2.0 protocol. We follow the Google API Services User Data Policy, including the Limited Use requirements.

What we access

  • Gmail (scope gmail.send): only the ability to send emails on your behalf, used exclusively to deliver transactional messages (order confirmations, password recovery, account notifications). We do NOT read, modify, list, or delete any emails in your inbox.
  • Basic profile: email address and Google account ID, used only to identify your connected account inside your Gufi workspace.

How we use it

  • The send permission is used only by automation scripts that you (or templates you install) explicitly invoke from your Gufi workspace.
  • Each email sent is logged in your workspace __automation_executions__ table so you can audit what was sent and when.
  • We never use your Google data for advertising, analytics, profiling, training AI models, or any purpose outside the explicit feature you connected it for.

How we store it

  • The OAuth refresh token is stored encrypted in your dedicated Postgres branch (one branch per customer — strict tenant isolation).
  • Access tokens are short-lived (1 hour) and refreshed on demand; we never persist them.
  • Only the merchant who connected the account (and Gufi support staff with explicit authorization) can read these tokens.

Sharing

  • We do NOT sell, share, or transfer your Google user data to any third party.
  • We do NOT use it for any purpose other than the email-sending features described above.
  • We comply with the Limited Use requirements of the Google API Services User Data Policy.

How to revoke access

You can revoke Gufi's access to your Google account at any time:

  1. Visit myaccount.google.com/permissions
  2. Find "Gufi" in the list of connected apps
  3. Click "Remove Access"

Alternatively, inside Gufi: go to your workspace → Automatizaciones → Integrations → click "Disconnect" next to Gmail.

Data retention

If you disconnect your Google account, the refresh token is deleted from our database within 24 hours. Emails already sent before disconnection remain in the recipient's inbox (we cannot recall them).

Contact

For questions about how we handle Google user data: juan@gufi.es

3. How We Use It

  • Provide and operate the platform
  • Process your AI requests to build software
  • Process payments
  • Improve the service
  • Prevent fraud and ensure security
  • Comply with legal obligations

We do not use your data for advertising. We do not use your business data or prompts to train AI models that benefit other customers.

4. Legal Basis (GDPR)

  • Contract: To provide the services you requested
  • Legitimate interest: Security, analytics, and service improvement
  • Consent: Marketing emails (you can opt out anytime)
  • Legal obligation: Tax, accounting, and regulatory requirements

5. Who We Share With

We do not sell your data. We share data only with:

  • Anthropic — AI processing (they do not train on your data)
  • Stripe — payment processing
  • Infrastructure providers — hosting within the EU
  • Authorities — only when required by law

All providers are bound by data processing agreements.

Lead Generation — B2B Data

The "Search leads with AI" feature produces B2B lists from professional data published on corporate websites, industry directories, and associations. The data processed is professional B2B (company name, contact email such as info@, switchboard phone, public LinkedIn profile).

Roles

When a Gufi subscriber uses this feature, the subscriber is the Data Controller. Gufi is the Data Processor for the tool.

Legal basis

Legitimate interest (Art. 6(1)(f) GDPR) for initial B2B outreach. The recipient may object at any time via gufi.es/baja-datos; suppression requests are processed in a global suppression list and applied automatically to future queries.

Audit & retention

Every query is logged (company, user, scope, date, result count) in core.lead_gen_search_log for 24 months to meet GDPR accountability requirements.

Contact

Opt-out requests, data subject rights, or questions: privacy@gufi.es or the public form at /baja-datos.

6. Data Location & Transfers

Your data is stored in the European Union. When data is processed outside the EU (e.g., AI processing), we use EU Standard Contractual Clauses to ensure adequate protection.

7. Security

We use encryption in transit and at rest, strict access controls, and isolated storage per company. We will notify affected users within 72 hours of any confirmed data breach.

8. Your Rights

You can access, correct, delete, restrict, port, or object to the processing of your data. Contact hello@gufi.es and we'll respond within 30 days. You can also complain to the Spanish Data Protection Agency (AEPD).

9. Retention

We keep your data while your account is active. After deletion: personal and business data are removed within 30 days, backups within 90 days, and billing records as required by law.

10. Cookies

In accordance with Art. 22.2 of the LSSI-CE, we use strictly necessary cookies for authentication and session management, which do not require consent. We do not use advertising, analytics, or third-party tracking cookies. If we introduce non-essential cookies in the future, we will request your informed consent before activating them.

11. Commercial Communications

In accordance with Art. 21 of the LSSI-CE, we will not send you commercial emails unless you have given your prior consent or there is a pre-existing contractual relationship. In either case, every email includes an easy and free unsubscribe mechanism. You can revoke your consent at any time by contacting hello@gufi.es or using the unsubscribe link.

12. Children

Gufi is not intended for anyone under 16. If we learn we have collected data from a minor, we will delete it promptly.

13. Changes

We may update this Policy. We will give notice of material changes 30 days in advance by email or in-app. The current version is always available at gufi.dev/privacy.