Privacy Policy
We collect the minimum we need to work with you, we never sell it, and you can have it back or have it deleted whenever you ask. This policy explains the detail, as required by the GDPR.
1. Who is responsible for your data
The data controller is:
| Controller | Rob & The Young Holdings SL |
|---|---|
| Tax ID (CIF/NIF) | B27652924 |
| Registered office | C/ Jesús del Valle 12, 1º izq., 28004 Madrid, Spain |
| Privacy contact | robain@robandtheyoung.com |
We are a small company and are not required to appoint a Data Protection Officer. Privacy questions go directly to Robain de Jong at the address above.
We process personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on data protection and the guarantee of digital rights (LOPDGDD).
2. What we collect, why, and on what legal basis
| Data | Why we have it | Legal basis (GDPR Art. 6) |
|---|---|---|
| Application details Name, email, company, stage, what you're building, the decision you face |
To assess whether we can genuinely help and whether there is a conflict | Legitimate interests (6.1.f) — responding to someone who contacted us; steps prior to a contract (6.1.b) |
| Client & engagement data Name, role, email, phone, company details, everything you tell us in sessions and messages |
To deliver the Founder Session or Founder Office | Performance of a contract (6.1.b) |
| Billing data Billing name, address, VAT number, invoice history, last 4 digits and card brand |
To take payment, issue invoices and meet Spanish accounting and tax obligations | Contract (6.1.b) and legal obligation (6.1.c) |
| Session recordings Video and audio of Founder Sessions |
So you receive the recording you paid for | Consent (6.1.a) — see section 3 |
| Correspondence Emails, WhatsApp messages, call notes |
To run the relationship and keep a record of what was discussed | Contract (6.1.b); legitimate interests (6.1.f) |
| Server logs IP address, browser, pages requested, timestamp |
Security, abuse prevention and keeping the site running — generated automatically by our host | Legitimate interests (6.1.f) |
We do not sell, rent or trade your personal data. We do not use it for advertising and we do not build profiles of you.
Full card details never reach us. They go directly to Stripe. We can see the card brand and last four digits, and nothing else.
Please do not send us special-category data. Information about health, religion, political opinions, trade union membership, sexual orientation or biometrics is not needed for this work and we do not want to hold it. If you send it anyway, we will delete it.
3. Session recordings
A recording is part of the Founder Session you pay for. But we will only record with your explicit consent, asked for at the start of every session. You can say no. The session goes ahead exactly the same way, minus the recording.
- You may withdraw consent at any time, including after the session — email us and we will delete the recording.
- We keep recordings for 12 months and then delete them, unless you ask us to delete them sooner.
- Recordings are shared with no one outside our company. They are never used as marketing, testimonials, training material or examples.
- If someone else from your team joins the call, you are responsible for telling them the session is being recorded.
4. WhatsApp — what you should know
The Founder Office runs partly on WhatsApp, because that is what actually works when a founder needs an answer at 22:00. You should understand what that means for your data.
- Message content is end-to-end encrypted. We can read it; WhatsApp cannot.
- Metadata is not. WhatsApp Ireland Ltd. (part of Meta) processes your phone number, and the timing and frequency of messages, under its own privacy policy. We have no control over that.
- Messages are stored on Robain's device and in his device backup.
- Do not send anything through WhatsApp that would be catastrophic if that device were lost — cap tables, term sheets and board material are better sent by email or a shared drive.
If you would rather not use WhatsApp at all, say so and we will use Signal or email instead. The service does not depend on it.
5. Cookies and analytics
This website sets no cookies and runs no analytics or tracking of any kind. There is no Google Analytics, no advertising pixel, no third-party script, no fingerprinting. That is why you are not being asked to accept a cookie banner.
The only data generated by your visit is the standard server log described in section 2, which our hosting provider produces automatically and which we use only to keep the site secure and online.
If we ever add analytics or any non-essential cookie, we will ask for your consent first through a proper consent banner, as required by Article 22 of Spanish Law 34/2002 (LSSI-CE), and we will update this page before doing so.
6. Who we share data with
We share personal data only with the service providers we need to run the business. Each is bound by a data processing agreement under Article 28 GDPR.
| Provider | What they handle | Where |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing, card data, subscriptions, invoices | Ireland (EU), with group transfers to the US |
| Microsoft Ireland Operations Ltd. Microsoft 365 |
Email correspondence | EU / US |
| Netlify, Inc. | Website hosting, server logs | United States / EU edge network |
| GoDaddy Operating Company, LLC | Domain registration and DNS for robandtheyoung.com. Holds our company registrant details, not visitor data | United States |
| Microsoft Teams and Google Meet | Live sessions, recordings | EU / US |
| WhatsApp Ireland Ltd. (Meta) | Messaging metadata (see section 4) | Ireland (EU) / US |
| Finutive SL | Invoices and accounting records | Spain |
We may also disclose data where we are legally required to — to a court, a regulator, or the Spanish tax authority. We will tell you if that happens, unless we are prohibited from doing so.
Introductions: we will never pass your details to an investor, customer or candidate without asking you first. Every introduction is made with your explicit go-ahead.
7. International transfers
Some of the providers above are US-headquartered and may process data outside the European Economic Area. Where that happens, the transfer is protected by one or both of:
- The EU–US Data Privacy Framework, where the provider is certified under it; and/or
- The European Commission's Standard Contractual Clauses (Decision 2021/914), together with supplementary measures where needed.
You can ask us for a copy of the safeguards that apply to any specific transfer.
8. How long we keep your data
| Data | Retention period |
|---|---|
| Applications that do not become clients | 12 months, then deleted |
| Invoices, billing and accounting records | 6 years — required by the Spanish Commercial Code and tax law. We cannot delete these earlier, even on request |
| Session recordings | 12 months, or sooner if you ask |
| Client correspondence and notes | 3 years after the engagement ends, to handle any dispute or follow-up |
| WhatsApp messages | Deleted from the device within 12 months of the engagement ending |
| Server logs | Typically 30 days, per our hosting provider |
9. Your rights
Under the GDPR you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — have inaccurate data corrected.
- Erasure — have your data deleted ("right to be forgotten"), except where we are legally required to keep it, such as invoices.
- Restriction — have us pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format, or have it sent to another controller.
- Object — object to processing based on our legitimate interests.
- Withdraw consent — at any time, where processing is based on consent (for example, session recordings). This does not affect processing carried out before you withdrew.
- Not be subject to automated decision-making — see section 13.
Spanish law (LOPDGDD, Arts. 93–94) also gives you digital rights including the right to request deletion of content and search results relating to you.
10. How to exercise your rights
Email robain@robandtheyoung.com with the subject "GDPR request" and tell us what you want. There is no form to fill in.
- We respond within one month, as required by Article 12 GDPR. In complex cases we may extend this by two months and will tell you if we do.
- It is free. We only charge for manifestly unfounded or excessive repeat requests.
- We may ask you to confirm your identity before releasing data, so that we do not hand your information to someone else.
11. Right to complain
Please raise any concern with us first — we would rather fix it than have you go to a regulator. But you have the right to go straight to the supervisory authority at any time:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es · Tel. +34 901 100 099
If you live in another EU member state, you may instead complain to your own national data protection authority.
12. Security
We take appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS) across the website and all provider connections;
- Full-disk encryption and strong authentication on every device used for client work;
- Multi-factor authentication on email, Stripe and all business systems;
- Access limited strictly to those who need it — in practice, Robain de Jong;
- Reputable providers with their own recognised security certifications.
No system is perfectly secure. If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the AEPD within 72 hours and tell you directly without undue delay, as required by Articles 33 and 34 GDPR.
13. No automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects for you. Every decision about an application is made by a human — Robain — reading it.
14. Children
Our services are for founders and executives and are not directed at anyone under 18. We do not knowingly collect data from children. If you believe we have, tell us and we will delete it.
15. Changes to this policy
We may update this policy. The current version and its date are always shown at the top of this page. If we make a material change — a new processor, a new purpose, a new legal basis — we will email active clients before it takes effect.
16. Contact
Rob & The Young Holdings SL
C/ Jesús del Valle 12, 1º izq., 28004 Madrid, Spain
robain@robandtheyoung.com
Any privacy question gets a reply within two working days, and a formal GDPR request within one month.