Skip to content
R&Y Rob & The Young
Thesis Work with me About Apply
← Back to site

Privacy Policy

GDPR & Spanish data protection · Last updated: 13 July 2026 · Version 1.0

Contents

  1. 1. Who is responsible
  2. 2. What we collect and why
  3. 3. Session recordings
  4. 4. WhatsApp
  5. 5. Cookies and analytics
  6. 6. Who we share data with
  7. 7. International transfers
  8. 8. How long we keep it
  9. 9. Your rights
  10. 10. How to exercise them
  11. 11. Right to complain
  12. 12. Security
  13. 13. No automated decisions
  14. 14. Children
  15. 15. Changes
  16. 16. Contact

We collect the minimum we need to work with you, we never sell it, and you can have it back or have it deleted whenever you ask. This policy explains the detail, as required by the GDPR.

1. Who is responsible for your data

The data controller is:

ControllerRob & The Young Holdings SL
Tax ID (CIF/NIF)B27652924
Registered officeC/ Jesús del Valle 12, 1º izq., 28004 Madrid, Spain
Privacy contactrobain@robandtheyoung.com

We are a small company and are not required to appoint a Data Protection Officer. Privacy questions go directly to Robain de Jong at the address above.

We process personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on data protection and the guarantee of digital rights (LOPDGDD).

2. What we collect, why, and on what legal basis

DataWhy we have itLegal basis (GDPR Art. 6)
Application details
Name, email, company, stage, what you're building, the decision you face
To assess whether we can genuinely help and whether there is a conflict Legitimate interests (6.1.f) — responding to someone who contacted us; steps prior to a contract (6.1.b)
Client & engagement data
Name, role, email, phone, company details, everything you tell us in sessions and messages
To deliver the Founder Session or Founder Office Performance of a contract (6.1.b)
Billing data
Billing name, address, VAT number, invoice history, last 4 digits and card brand
To take payment, issue invoices and meet Spanish accounting and tax obligations Contract (6.1.b) and legal obligation (6.1.c)
Session recordings
Video and audio of Founder Sessions
So you receive the recording you paid for Consent (6.1.a) — see section 3
Correspondence
Emails, WhatsApp messages, call notes
To run the relationship and keep a record of what was discussed Contract (6.1.b); legitimate interests (6.1.f)
Server logs
IP address, browser, pages requested, timestamp
Security, abuse prevention and keeping the site running — generated automatically by our host Legitimate interests (6.1.f)

We do not sell, rent or trade your personal data. We do not use it for advertising and we do not build profiles of you.

Full card details never reach us. They go directly to Stripe. We can see the card brand and last four digits, and nothing else.

Please do not send us special-category data. Information about health, religion, political opinions, trade union membership, sexual orientation or biometrics is not needed for this work and we do not want to hold it. If you send it anyway, we will delete it.

3. Session recordings

A recording is part of the Founder Session you pay for. But we will only record with your explicit consent, asked for at the start of every session. You can say no. The session goes ahead exactly the same way, minus the recording.

  • You may withdraw consent at any time, including after the session — email us and we will delete the recording.
  • We keep recordings for 12 months and then delete them, unless you ask us to delete them sooner.
  • Recordings are shared with no one outside our company. They are never used as marketing, testimonials, training material or examples.
  • If someone else from your team joins the call, you are responsible for telling them the session is being recorded.

4. WhatsApp — what you should know

The Founder Office runs partly on WhatsApp, because that is what actually works when a founder needs an answer at 22:00. You should understand what that means for your data.

  • Message content is end-to-end encrypted. We can read it; WhatsApp cannot.
  • Metadata is not. WhatsApp Ireland Ltd. (part of Meta) processes your phone number, and the timing and frequency of messages, under its own privacy policy. We have no control over that.
  • Messages are stored on Robain's device and in his device backup.
  • Do not send anything through WhatsApp that would be catastrophic if that device were lost — cap tables, term sheets and board material are better sent by email or a shared drive.

If you would rather not use WhatsApp at all, say so and we will use Signal or email instead. The service does not depend on it.

5. Cookies and analytics

This website sets no cookies and runs no analytics or tracking of any kind. There is no Google Analytics, no advertising pixel, no third-party script, no fingerprinting. That is why you are not being asked to accept a cookie banner.

The only data generated by your visit is the standard server log described in section 2, which our hosting provider produces automatically and which we use only to keep the site secure and online.

If we ever add analytics or any non-essential cookie, we will ask for your consent first through a proper consent banner, as required by Article 22 of Spanish Law 34/2002 (LSSI-CE), and we will update this page before doing so.

6. Who we share data with

We share personal data only with the service providers we need to run the business. Each is bound by a data processing agreement under Article 28 GDPR.

ProviderWhat they handleWhere
Stripe Payments Europe, Ltd. Payment processing, card data, subscriptions, invoices Ireland (EU), with group transfers to the US
Microsoft Ireland Operations Ltd.
Microsoft 365
Email correspondence EU / US
Netlify, Inc. Website hosting, server logs United States / EU edge network
GoDaddy Operating Company, LLC Domain registration and DNS for robandtheyoung.com. Holds our company registrant details, not visitor data United States
Microsoft Teams and Google Meet Live sessions, recordings EU / US
WhatsApp Ireland Ltd. (Meta) Messaging metadata (see section 4) Ireland (EU) / US
Finutive SL Invoices and accounting records Spain

We may also disclose data where we are legally required to — to a court, a regulator, or the Spanish tax authority. We will tell you if that happens, unless we are prohibited from doing so.

Introductions: we will never pass your details to an investor, customer or candidate without asking you first. Every introduction is made with your explicit go-ahead.

7. International transfers

Some of the providers above are US-headquartered and may process data outside the European Economic Area. Where that happens, the transfer is protected by one or both of:

  • The EU–US Data Privacy Framework, where the provider is certified under it; and/or
  • The European Commission's Standard Contractual Clauses (Decision 2021/914), together with supplementary measures where needed.

You can ask us for a copy of the safeguards that apply to any specific transfer.

8. How long we keep your data

DataRetention period
Applications that do not become clients 12 months, then deleted
Invoices, billing and accounting records 6 years — required by the Spanish Commercial Code and tax law. We cannot delete these earlier, even on request
Session recordings 12 months, or sooner if you ask
Client correspondence and notes 3 years after the engagement ends, to handle any dispute or follow-up
WhatsApp messages Deleted from the device within 12 months of the engagement ending
Server logs Typically 30 days, per our hosting provider

9. Your rights

Under the GDPR you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — have inaccurate data corrected.
  • Erasure — have your data deleted ("right to be forgotten"), except where we are legally required to keep it, such as invoices.
  • Restriction — have us pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format, or have it sent to another controller.
  • Object — object to processing based on our legitimate interests.
  • Withdraw consent — at any time, where processing is based on consent (for example, session recordings). This does not affect processing carried out before you withdrew.
  • Not be subject to automated decision-making — see section 13.

Spanish law (LOPDGDD, Arts. 93–94) also gives you digital rights including the right to request deletion of content and search results relating to you.

10. How to exercise your rights

Email robain@robandtheyoung.com with the subject "GDPR request" and tell us what you want. There is no form to fill in.

  • We respond within one month, as required by Article 12 GDPR. In complex cases we may extend this by two months and will tell you if we do.
  • It is free. We only charge for manifestly unfounded or excessive repeat requests.
  • We may ask you to confirm your identity before releasing data, so that we do not hand your information to someone else.

11. Right to complain

Please raise any concern with us first — we would rather fix it than have you go to a regulator. But you have the right to go straight to the supervisory authority at any time:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es · Tel. +34 901 100 099

If you live in another EU member state, you may instead complain to your own national data protection authority.

12. Security

We take appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) across the website and all provider connections;
  • Full-disk encryption and strong authentication on every device used for client work;
  • Multi-factor authentication on email, Stripe and all business systems;
  • Access limited strictly to those who need it — in practice, Robain de Jong;
  • Reputable providers with their own recognised security certifications.

No system is perfectly secure. If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the AEPD within 72 hours and tell you directly without undue delay, as required by Articles 33 and 34 GDPR.

13. No automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects for you. Every decision about an application is made by a human — Robain — reading it.

14. Children

Our services are for founders and executives and are not directed at anyone under 18. We do not knowingly collect data from children. If you believe we have, tell us and we will delete it.

15. Changes to this policy

We may update this policy. The current version and its date are always shown at the top of this page. If we make a material change — a new processor, a new purpose, a new legal basis — we will email active clients before it takes effect.

16. Contact

Rob & The Young Holdings SL
C/ Jesús del Valle 12, 1º izq., 28004 Madrid, Spain
robain@robandtheyoung.com

Any privacy question gets a reply within two working days, and a formal GDPR request within one month.

Rob & The Young

Experience should compound into the next generation of builders.

Terms of Service Refunds & Cancellation Privacy & GDPR Contact

Rob & The Young Holdings SL

CIF B27652924

C/ Jesús del Valle 12, 1º izq., 28004 Madrid, Spain

robain@robandtheyoung.com

© All rights reserved.