Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller responsible for your personal data is:

Hekima Labs SL
Registered in Spain
Email: privacy@hekimalabs.com

2. What Data We Collect

When you use The Finch Club, we may collect the following personal data:

  • Identity data: full name, country of origin.
  • Contact data: email address, WhatsApp phone number.
  • Travel data: cities you plan to visit in Spain, travel dates.
  • Payment data: payment information processed securely by Stripe. We do not store your credit card details on our servers.
  • Usage data: interactions with the WhatsApp bot, AI feature usage (menu translations, scam checks, price verifications, safe walk requests).
  • Device data: browser type, operating system, IP address, and cookies (see Section 8).

3. Purpose and Legal Basis

We process your data for the following purposes:

  • Service delivery (contractual necessity): creating your digital membership card, generating your personalized city guide, sending real-time alerts and daily tips.
  • AI-powered features (contractual necessity): processing your queries through our AI assistant for menu translation, scam detection, price checking, and safe walk routing.
  • WhatsApp support (contractual necessity): providing 24/7 customer assistance via WhatsApp.
  • Payment processing (contractual necessity): processing your membership purchase through Stripe.
  • Digital wallet passes (contractual necessity): creating and updating your Apple Wallet or Google Wallet pass.
  • Transactional emails (contractual necessity): sending confirmation emails, card delivery, and important service updates.
  • Analytics (legitimate interest): understanding how our service is used so we can improve it. You can opt out via our cookie banner.

4. Third-Party Data Processors

We share your data with the following third-party processors, all of which maintain appropriate data protection measures:

  • Stripe (San Francisco, USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework.
  • Supabase (San Francisco, USA) — database hosting for member accounts and travel data. Data is stored in EU-region servers.
  • Anthropic / Claude AI (San Francisco, USA) — AI-powered features (menu translation, scam detection, price checking, safe walk, city guide generation). Queries are processed in real time and not retained by Anthropic for training purposes.
  • Twilio (San Francisco, USA) — WhatsApp Business API for 24/7 messaging support.
  • Resend (San Francisco, USA) — transactional email delivery.
  • Google (Mountain View, USA) — Google Wallet pass creation and delivery. Also Google Analytics for website usage analytics (with your consent).
  • Vercel (San Francisco, USA) — website hosting and serverless functions.

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions.

5. Data Retention

We retain your personal data as follows:

  • Account and membership data: for the duration of your membership plus 12 months after your last trip, unless you request earlier deletion.
  • Payment records: as required by Spanish tax law (minimum 5 years).
  • WhatsApp conversations: 90 days after your trip ends.
  • AI feature queries: processed in real time and not stored beyond the session.
  • Analytics data: anonymized after 14 months.

6. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: you can request a copy of all personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate data.
  • Right to erasure: you can request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: you can request your data in a structured, machine-readable format.
  • Right to restrict processing: you can ask us to limit how we use your data.
  • Right to object: you can object to processing based on legitimate interest, including analytics.
  • Right to withdraw consent: where processing is based on consent (e.g., analytics cookies), you can withdraw at any time.

To exercise any of these rights, contact us at privacy@hekimalabs.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest.
  • Access controls and authentication for all systems.
  • Regular security reviews of our infrastructure.
  • Payment data is handled exclusively by Stripe (PCI DSS Level 1 compliant).

8. Cookies

Our website uses the following cookies:

  • Essential cookies: required for the website to function (e.g., session management, cookie consent preference). These do not require consent.
  • Analytics cookies (Google Analytics 4): used to understand how visitors interact with our website. These are only loaded with your explicit consent via our cookie banner.

You can manage your cookie preferences at any time by clearing your browser's local storage for our domain, which will cause the cookie banner to reappear.

9. Children's Privacy

The Finch Club is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically.

11. Contact Us

For any questions or concerns about this privacy policy or your personal data, contact us at:

Hekima Labs SL
Email: privacy@hekimalabs.com