Privacy Policy

How we handle and protect your personal data

This Privacy Policy explains how DEVIL CLUB LLC (hereinafter, "we" or "Devil Club") handles personal data on the website https://devil.club/ (the "Website"). We follow a data minimization and transparency approach.

I

Controller Identity

Data controller: DEVIL CLUB LLC

Address: 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA

General contact: [email protected]

GDPR rights requests: [email protected] (monitored channel)

Operational provider/processor: certain technical and administrative services tied to structures (LLC/FIP) may be provided by DEVIL CLUB LLC.

II

Data We Process

  • Browsing data ("Device information"): IP address, time zone, cookie identifiers, browser type/version, pages visited, referrers and basic interaction events. Used for aggregated statistics and Website security. Technically, cookie identifiers are pseudonymous (not anonymous in the strict GDPR sense), so processing them for analytics requires the user's prior consent.
  • Data you provide voluntarily: first name, last name, email, phone, billing data and, where applicable, postal address, when you complete forms, subscribe to communications or contract services.
  • Financial and banking data (Manager Plan clients): for clients who contract the Manager ecosystem, and subject to express authorization in the Operating Agreement, we obtain read-only access to data from bank accounts voluntarily connected by the client (Mercury Bank, Wise or other entities designated by the client). This data includes: account movements and balances, amounts, dates, counterparty descriptions and transaction categories. Access is performed via secure APIs and the data is stored encrypted with AES-256. Under no circumstances is it used to initiate payments, transfers or any active operations.
  • Derived data generated by automated systems (Manager Plan): from the client's financial and operational data, our systems generate analyses, entity health scores, projections and operational recommendations using artificial intelligence tools. This derived data is internal, associated with the client's entity, and used exclusively to provide the contracted services.
  • Cryptographic fingerprints of signed documents: documents processed through the cryptographic signature system generate a SHA-256 hash that is anchored to an RFC 3161 timestamping authority and to the Bitcoin network via OpenTimestamps. The hash itself does not contain identifiable personal data, but the process involves transmitting data to those external services.

Important: We do not deliberately request special categories of data (health, ideology, etc.). The financial data described above is processed solely in the context of providing contracted services and under explicit contractual authorization.

III

Purposes and Legal Bases

  • Operate and secure the Website (bases: legitimate interest / pre-contractual measures).
  • Handle inquiries and communications (bases: pre-contractual measures / legitimate interest).
  • Administrative management of contracted services (basis: contract performance).
  • Basic analytics and aggregated metrics using pseudonymous identifiers managed by external providers (basis: user consent given through the cookie banner, revocable at any time).
  • Provision of bookkeeping and financial monitoring services (Manager Plan): access to and processing of the client's banking data for transaction categorization, report generation and tax return preparation (basis: contract performance and explicit consent given in the Operating Agreement).
  • Automated entity intelligence and analysis (Manager Plan): processing of financial and operational data with AI systems to generate entity health analyses, recommendations and proactive reports. These outputs are informational and do not constitute automated decisions producing legal effects (basis: contract performance / legitimate interest in service improvement).
  • Informational communications if you subscribe (basis: consent; you can unsubscribe at any time).

IV

Retention

We retain data only for as long as strictly necessary for each purpose and to comply with legal obligations. The specific timeframes are:

  • Reservations and bookings: two timeframes applied by the gdpr_retention_sweep procedure (run manually and on demand by the DEVIL CLUB LLC team, with no automatic schedule programmed in production at the time of publication of this Policy): (a) bookings deleted at the data subject's request or by the administrator (soft-delete) — direct identifiers (name, email, phone, notes) are purged 30 days after the deletion; during those 30 days, email and name are retained as an audit window for follow-up inquiries. (b) bookings that are confirmed, completed, cancelled or no-show and have not been explicitly deleted — direct identifiers are purged 1 year after the event end date (field event_end). In both cases, non-identifying metadata (id, event dates, service, status) is retained for accounting and capacity planning.
  • Active clients and contractual data: while the contractual relationship is in force and for 6 additional years after closure, in line with applicable commercial statute-of-limitations periods.
  • Access and authentication logs: 12 months from generation, after which they are deleted or irreversibly aggregated.
  • Financial and banking data: for the duration of the contracted service and, afterwards, for the time required to comply with tax and legal obligations (typically 5-7 years under applicable rules). Read-only access to bank APIs is disabled the moment the client revokes the authorization or terminates the contract.
  • AI-derived data (analyses and reports): for the duration of the service. Reports generated remain available to the client through their panel during the contractual relationship.
  • Document fingerprints signed with OpenTimestamps: permanent retention due to their cryptographic nature. Once stamped, the hash is anchored on the Bitcoin network and is technically impossible to remove from the anchor. When the relationship with the client ends, we delete the local copies on our systems, but the anchored hash remains as an independent temporal proof (it contains no personal data, only a cryptographic digest).
  • Analytics data: retained by the provider per their configuration (see provider section) and aggregated internally after that period.

V

Communications and Providers

We share data with the following processors (GDPR art. 28). All of them process the data on behalf of DEVIL CLUB LLC, under contract and with appropriate security measures:

  • Infrastructure and hosting: primary server and databases on a dedicated VPS located in the United States (US-East region). Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Cloudflare (CDN + Web Analytics): content delivery network and cookieless performance metrics. Data processed: anonymous browsing metrics (pages visited, country aggregates, performance metrics). Infrastructure: global network with edge nodes in the EU for EU users. Basis: legitimate interest (Website security and availability).
  • OpenRouter (AI gateway): we route Lucy assistant messages through OpenRouter, which forwards them to the anthropic/claude-sonnet model from Anthropic. Defensive sanitization: before transmitting to OpenRouter, our backend applies regex-based automatic substitution for common PII patterns (emails → [EMAIL], EINs → [EIN], ITINs/SSN → [TAX_ID], cards → [CARD]). This sanitization is not exhaustive — proper names, full addresses, pasted documents or financial data in prose may not be detected. We strongly recommend not including sensitive data in chat anyway; for inquiries that require sharing private information, use the direct channel at [email protected]. Infrastructure: United States. Basis: contract performance and legitimate interest in providing the AI service.
  • Anthropic (AI model provider): provider of the Claude Sonnet model running Lucy's analyses. Anthropic is accessed exclusively through OpenRouter (no direct integration). Infrastructure: United States. Adheres to the EU-US Data Privacy Framework.
  • Groq (AI inference for summaries and narratives): generation of booking summaries (booking/summarize), tax narratives for dossiers, and Lucy-generated insights summaries. Data processed: client name and meeting transcript (for booking summaries), as well as entity, transaction, and tax-narrative summaries. Infrastructure: United States. Basis: contract performance and legitimate interest in automated summaries.
  • Google Calendar: management of client appointments (bookings and scheduled meetings). Data processed: email, name and reservation date/time. Infrastructure: Google Cloud (EU/US). Google adheres to the EU-US Data Privacy Framework.
  • Google Drive: off-site storage exclusively for database backups (PostgreSQL dumps generated by pg_dump in compressed custom format). Client documents (signed PDFs, contracts, deliverables) are NOT stored on Google Drive: they reside on the local filesystem of the VPS (see "Infrastructure and hosting"). Dumps are deposited in a private folder ("DevilClub DB Backups") accessible only via a service account authenticated with OAuth. At-rest protection relies on the disk-level encryption Google applies by default to all content in Drive and on the service account's access controls; we do not apply an additional file-level encryption layer on top of the dump. Data processed: database backups (which may contain personal data of clients in encrypted/compressed form). Infrastructure: Google data centers; we do not force a specific region, so storage is subject to Google's default location policy. Adheres to the EU-US Data Privacy Framework.
  • Telegram (private operations channels): private Devil Club team channels for operational alerts and for the human-in-the-loop review step prior to sending certain deliverables to the client. Messages may include references to client events (new booking, GDPR request received, incidents) and, in the review flow, automatically generated PDF documents — in particular tax return drafts and annual LLC summaries — which the administrator approves before they are sent to the client or the tax authority. These channels are private and restricted to authorized DEVIL CLUB LLC personnel; passwords, banking credentials and documents are never sent to public channels. Basis: legitimate interest (operations, quality control and compliance) and contract performance.
  • Corporate Tools (Registered Agent): renewal of the registered agent for each LLC before the State of New Mexico and others. Data processed: LLC legal name, EIN and registered address. Infrastructure: United States. Basis: contract performance and the client's legal obligation (maintaining an active RA).
  • Support and communication: transactional email tools and direct messaging with the Devil Club team for operational follow-up.
  • Bank APIs (Manager Plan): Mercury Bank and Wise, as data sources under client authorization. DEVIL CLUB LLC accesses their APIs only with the read credentials authorized by the client. These platforms have their own privacy policies.
  • Support and communication: ticketing tools and transactional email (sending notifications and documents to the client from [email protected]).
  • RFC 3161 timestamping authority: receives the SHA-256 hash of signed documents to issue the cryptographic timestamp. It does not receive the document content or personal data.
  • Bitcoin network / OpenTimestamps: anchors the hash of signed documents to the Bitcoin blockchain for permanent verification. No personal data is transmitted.
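The regex substitution step described for the Lucy assistant, together with its stated limitation, as an added example (not Devil Club's backend code): the placeholder names come from the policy, while the patterns, the Luhn filter on candidate card numbers and the sample message are assumptions constructed here.

```python
"""Added illustration of pre-transmission PII redaction; patterns are assumptions."""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")             # EIN layout 12-3456789
TAX_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # SSN/ITIN layout 900-70-0000
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")    # 13-19 digits, spaces/dashes


def luhn_ok(digits: str) -> bool:
    """Mod-10 check so long invoice or reference numbers are not taken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _card_sub(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return "[CARD]" if luhn_ok(digits) else m.group(0)


def sanitize(text: str) -> str:
    """Replace the four pattern classes with placeholders; returns the new text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = TAX_ID_RE.sub("[TAX_ID]", text)
    text = EIN_RE.sub("[EIN]", text)
    return CARD_RE.sub(_card_sub, text)


def still_present(text: str, terms) -> list:
    """Which of the given terms survive sanitization: names and addresses will."""
    out = sanitize(text)
    return [t for t in terms if t in out]


# Constructed sample message; every identifier in it is fictitious.
SAMPLE = (
    "Hi Lucy, I am Maria Lopez from 45 Calle Mayor, Madrid. My EIN is "
    "12-3456789, SSN 900-70-0000, card 4111 1111 1111 1111, email "
    "maria@example.com. Invoice 2024000000012345 is unpaid."
)
```
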

Analytics and advertising tools not currently active: Google Analytics, Microsoft Clarity, TikTok Analytics and Google Ads appear pre-approved in our cookie banner and content security policy (CSP), but are not loading on the Website at the time of publication of this Policy. If they are activated in the future, we will update this Policy before they begin operating, and user consent will be required where applicable.

We do not sell personal data.

VI

International Transfers and Infrastructure Location

Physical infrastructure location:

  • Primary server and databases: dedicated VPS in the United States (US-East region).
  • Backups: database dumps replicated to Google Drive in a private folder accessible only by service account, protected by the at-rest encryption Google applies by default in Drive. We do not force a specific region: the physical location of these backups is determined by Google's default policy for the service account.
  • Cache and CDN: Cloudflare (global network with EU edge nodes for users in the EU, so static content is served from European infrastructure).

For users in the European Union, where the GDPR applies, we use the appropriate safeguards provided in Chapter V of the Regulation: Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.

Additionally, since July 2023, transfers to the US made through providers certified under the EU-US Data Privacy Framework (DPF) rely on that adequacy mechanism, approved by a European Commission decision. Google, Microsoft, Anthropic and Cloudflare, among other providers we use, adhere to the DPF.

VII

Cookies

We use technical cookies and, where appropriate, third-party cookies for functionality and aggregated analytics. You can manage or disable cookies from your browser.

More detail in our Cookie Policy.

VIII

Automated Processing and Artificial Intelligence

For Manager Plan clients, DEVIL CLUB LLC operates AI-assisted automated analysis systems (the "Intelligence System") that process the client's entity financial and operational data to generate:

  • Entity financial-health and compliance assessments.
  • Transaction-pattern analyses and automatic categorizations.
  • Operational recommendations and proactive alerts.
  • Unified monthly reports.

No automated decision-making with legal effects: None of the outputs generated by the Intelligence System constitute automated decisions with legal or significant effects on the client within the meaning of GDPR art. 22. All analyses are decision-support informational tools; the final decision always rests with the client or with the Manager acting as fiduciary administrator.

The client has the right to request information on how the Intelligence System works and to opt out of automated analyses without affecting compliance services, basic bookkeeping or tax filing. To exercise this right, contact [email protected].

IX

Security

We apply reasonable technical and organizational measures to protect data (access controls, AES-256 at-rest encryption, TLS in-transit encryption, audit logs). Banking data is stored with an additional encryption layer, and bank API access tokens are managed securely. No system is 100% invulnerable, but we work to minimize risks.

X

Exercising GDPR Rights (EU/EEA Users)

If you are located in the EU/EEA, you may exercise the following rights recognized in GDPR articles 15 to 22 at any time:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

You also have the right not to be subject to automated decisions with legal effects (GDPR art. 22) and to lodge a complaint with the Spanish Data Protection Agency (aepd.es) or with your national supervisory authority.

How to exercise your rights

  1. Send an email to [email protected] with subject GDPR — [right you want to exercise] (e.g., "GDPR — erasure").
  2. Include full name, email used to operate with Devil Club, and a brief description of your request. If you consider it necessary, attach a copy of an ID document (DNI/NIE/passport) to verify your identity.
  3. We respond within a maximum of 30 calendar days from receipt of your request, extendable by another 60 days in complex cases (we would notify you before the initial deadline expires). Exercising the right is free except for manifestly unfounded or excessive requests.
  4. If you are not satisfied with the response, you may file a complaint with the AEPD (aepd.es) without need for a prior claim.

Erasure request

Limited self-service erasure (authenticated members only): there is an authenticated endpoint (POST /api/member/gdpr-erase) that allows a logged-in member to mark as deleted (soft-delete) all bookings associated with their email address. The scope of this endpoint is limited to the user's reservations/bookings; the definitive purge of those bookings' direct identifiers takes place afterwards within the timeframes described in section IV (30-day audit window).

Full erasure (account, contracts, billing, documents): the rest of the erasure — beyond bookings — is processed manually by the DEVIL CLUB LLC team; there is no single button that automatically deletes all client data. From your panel at /miembros/ you can open a request: the form generates a pre-filled email to [email protected] with your confirmation email, and the team reviews and executes the erasure manually. If you prefer, you can write directly to that address without going through the panel.

We process the request within a maximum of 30 calendar days in accordance with GDPR art. 17, respecting limits arising from legal retention obligations (e.g., tax and accounting obligations, or contractual documentation we must preserve while the relationship with the client's LLC remains open vis-à-vis third parties such as the IRS or the registration state).

Official channel for GDPR rights

Write to [email protected] with subject "GDPR — [your right]". This is the channel monitored by the Data Controller for access, rectification, erasure, objection, portability and restriction requests.

XI

Additional Basis for EU Users

We process data to:

  • (i) Perform contracts or address requests.
  • (ii) Pursue legitimate interests (operations, security, Website improvement).
  • (iii) Obtain your consent where required (e.g., non-essential commercial communications).

You may withdraw consent at any time without retroactive effect.

XII

Third-Party Links

The Website may link to external sites not controlled by us. We recommend reviewing their privacy policies. We are not responsible for their practices.

XIII

European Union Representative (GDPR art. 27)

DEVIL CLUB LLC is an entity incorporated in the United States (New Mexico) that offers services to residents of the European Union. In accordance with article 27 of Regulation (EU) 2016/679 (GDPR), we are in the process of formally designating an EU representative who will act as a point of contact for supervisory authorities and data subjects.

While that designation is being formalized, all GDPR rights may be exercised directly by writing to [email protected], with the same response timeframe (30 calendar days, extendable by another 60 in complex cases) and the same guarantees described in section X of this Policy. The transitional absence of the representative does not in any way limit the data subject's rights or DEVIL CLUB LLC's obligation to address them.

This Policy will be updated with the representative's contact details once the designation is formalized.

XIV

Changes to This Policy

We may update this Policy to reflect legal or technical changes. We will publish the current version on this page and indicate the last update date.

XV

Contact

For questions about this Policy or about your personal information:

Questions?

We're here to help with any privacy inquiry.

[email protected]
[Updated April 23, 2026]