Privacy Policy

Last updated: March 12, 2026

1. Data controller

Netvista Media S.L. CIF: B54981352 Av. Sant Rafel 23, 03580 l'Alfàs del Pi, Alicante, Spain Email: hello@voila.cash Tel: +34 628 662 912

Netvista Media S.L. (“Voila”, “we”, “us”) is responsible for the processing of your personal data through the platform voila.cash (“the Platform”). This Privacy Policy has been drawn up in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Spanish Ley Orgánica 3/2018 (LOPD-GDD) and the Ley 34/2002 (LSSI-CE).

Given the nature and scale of our data processing activities, we have not appointed a Data Protection Officer (DPO). For all privacy-related inquiries, you can contact us directly at hello@voila.cash.

2. What personal data we collect

2.1 Data you provide yourself

Account data: name, email address, username, password, profile photo
Profile information: display name, subtitle, bio, links, contact details (phone, WhatsApp, email)
Payment data: Voila does not store bank account, credit card or payment card data. Payments are processed directly through your linked Stripe account.
Communications: messages you send us via email or the contact form

2.2 Data from social media platforms

When you connect a social media account, we receive data from the respective platform depending on the permissions you have granted:

| Platform | Data | | --- | --- | | Instagram | Profile data, media, bio, follower/following count | | TikTok | Profile data, avatar, display name, videos, follower count | | LinkedIn | Profile data, name, title, employer, profile photo | | YouTube | Channel information, video metadata, subscribers, view statistics | | X | Profile data, posts, follower/following count |

2.3 Automatically collected data

Device data: browser type, operating system, screen resolution
Usage data: pages visited, click behavior, session duration
IP address: for fraud prevention and security

2.4 Mandatory and optional data

To use the Platform, you must provide your account data (name, email, password). All other data (profile information, social media connections, payment data) is optional. If you do not provide the mandatory account data, we cannot create an account for you. Refusing to provide optional data does not affect your ability to use the Platform's basic features.

3. Purposes and legal bases

| Purpose | Legal basis (GDPR Art. 6) | | --- | --- | | Creating and managing your account | Performance of a contract (Art. 6.1.b) | | Processing payments via Stripe | Performance of a contract (Art. 6.1.b) | | Displaying social media content on your profile | Consent (Art. 6.1.a) | | Customer service and communication | Legitimate interest (Art. 6.1.f) | | Invoicing and tax administration | Legal obligation (Art. 6.1.c) | | Fraud prevention and security | Legitimate interest (Art. 6.1.f) | | Marketing communications | Consent (Art. 6.1.a) |

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You can request a copy of these assessments by contacting hello@voila.cash.

Automated decision-making: We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

4. Recipients and third parties

We only share your personal data with third parties to the extent necessary for the Service:

4.1 Stripe (payment processing)

When you provide personal data in connection with Voila's payment features, Stripe receives this personal data and processes it in accordance with the Stripe Privacy Policy.

Data shared with Stripe includes: name, email address, phone number, address, payment method, identity verification documents, tax identification numbers, IP address and transaction history. Bank details are managed exclusively through your own Stripe account.

Stripe acts as an independent data controller for the data it processes. Stripe's use of your personal data is governed solely by their own Privacy Policy.

As part of account verification, Stripe may request information from credit bureaus and identity verification services.

4.2 Social media platforms

When connecting social media accounts, we share data with and receive data from the respective platforms in accordance with their privacy policies:

4.3 Hosting and infrastructure

The Platform is hosted on Vercel Inc. infrastructure within the EU/EEA. Vercel processes data as a processor on our behalf under a data processing agreement (Art. 28 GDPR).

4.4 Other recipients

We share data with the following parties only when legally required or necessary to protect our rights:

Tax authorities (when required by law)
Law enforcement agencies (only in response to valid legal requests)
Legal advisors (to protect our rights in legal proceedings)

We do not sell personal data to third parties.

5. International transfer of data

Some of our processors (including Stripe and Vercel) are located outside the EU/EEA, notably in the United States. In such cases, appropriate safeguards are implemented in accordance with the GDPR:

Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46.2.c GDPR)
Adequacy decisions by the European Commission (Art. 45 GDPR), such as the EU-U.S. Data Privacy Framework, where applicable

These safeguards ensure that your personal data receives a level of protection equivalent to that within the EU/EEA.

6. Retention periods

| Data category | Retention period | | --- | --- | | Account data | Duration of the agreement + 3 years | | Transaction data | At least 5 years (tax obligation) | | Invoices and accounting records | 6 years (Spanish commercial law) | | YouTube data | Maximum 30 days, unless actively renewed by the user | | X/Twitter content | Deleted within 24 hours of a deletion request from X or the account holder | | LinkedIn data | Deleted immediately upon revocation or account closure | | Other social media data | No longer than necessary; deleted upon revocation of the connection | | Consent records | Duration of consent + evidence period | | Fraud prevention data | Up to 5 years (principle of proportionality) |

7. Your rights

Under the GDPR and the LOPD-GDD you have the following rights:

Right of access (Art. 15 GDPR) - you can request a copy of your personal data. The first copy is provided free of charge (Art. 12.5 GDPR).
Right to rectification (Art. 16 GDPR) - you can have incorrect data corrected.
Right to erasure (Art. 17 GDPR) - you can request the deletion of your data, subject to statutory retention periods.
Right to restriction (Art. 18 GDPR) - you can request that processing be restricted.
Right to data portability (Art. 20 GDPR) - you can receive your data in a structured format.
Right to object (Art. 21 GDPR) - you can object to processing based on legitimate interest. You have an absolute right to object to the processing of your data for direct marketing purposes at any time (Art. 21.2 GDPR).
Right against automated decision-making (Art. 22 GDPR) - you have the right not to be subject to decisions based solely on automated processing. We do not use automated decision-making.

You can exercise your rights by sending a request to hello@voila.cash. We will respond to your request within 30 days (extendable to 3 months for complex requests).

Withdrawal of consent

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to the withdrawal.

Revoking social media connections

You can revoke your social media connections at any time through your Voila dashboard or through the respective platform's settings:

YouTube: via Google Security Settings. After revocation, we delete your YouTube data within 30 calendar days.
Instagram: via Meta Apps and Websites settings. After revocation, we delete your Instagram data without delay.
TikTok: via TikTok Security Settings. After revocation, we delete your TikTok data without delay.
LinkedIn: via LinkedIn Permitted Services. After revocation, we delete your LinkedIn data without delay.
X: via X Connected Apps. After revocation, we delete your X data without delay.

Complaint to the supervisory authority

You have the right to file a complaint with the competent supervisory authority:

Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan 6, 28001 Madrid, Spain www.aepd.es

EU citizens can also file a complaint with the supervisory authority in their own member state.

8. Cookies

The Platform only uses essential cookies necessary for the service to function, such as authentication and secure payment processing via Stripe. We do not use tracking, analytics or advertising cookies.

For more information, see our Cookie Policy.

9. Minors

The Platform is not directed at persons under 14 years of age (minimum age for digital consent in Spain under Art. 7 LOPD-GDD). If we discover that we have collected data from a person under 14 without verifiable parental consent, we will delete this data without delay.

The minimum age for using payment features is 18 years.

10. Security

We implement appropriate technical and organizational measures to protect your personal data (Art. 32 GDPR), including:

Encrypted connections (HTTPS/TLS) for all data transfers
Secure password storage (hashing)
Access controls and audit logs
Regular security assessments
Incident response procedures with notification to the AEPD within 72 hours in the event of a data breach

Credit card and payment card data are processed exclusively by Stripe and are never stored on our servers.

11. Changes to this Privacy Policy

We will notify you of any material changes to this Privacy Policy at least 14 days before they take effect, by email or through a notice on the Platform. The “Last updated” date at the top of this document indicates the most recent version.

12. Contact

For questions about this Privacy Policy or to exercise your rights:

Netvista Media S.L. Av. Sant Rafel 23, 03580 l'Alfàs del Pi, Spain Email: hello@voila.cash Tel: +34 628 662 912