What we collect, and why.

CommonWealth Ops is operated by Jacobo López-Cortijo, a self-employed founder registered in Cádiz, Spain. Contact for any data request: jacobolopezcortijo@gmail.com.

When you join the waitlist on this site, we record exactly three things:

• Email address— the address you typed into the form. Used to send the confirmation message and the future launch announcement.
• IP address— captured by our reverse-proxy when you submit the form, stored alongside the row. Used as audit evidence that the consent was given from a particular network at a particular moment, as required for GDPR consent records (Article 7).
• Timestamp of consent— the date and time your row was created, and the moment you clicked the confirmation link.

We do not collect names, billing data, browsing history, device fingerprints, or marketing-tracker cookies at this stage of the product.

Consent under GDPR Article 6(1)(a). You opted in by checking the consent box on the waitlist form. There is no other legal basis — if you withdraw consent, your row stops being processed for any further communication.

Until commercial launch (the moment we send the launch announcement email) + 30 days for audit-trail preservation after you unsubscribe. After that retention window, your row is purged from production storage. Backups age out within 30 days of the production purge.

You have, at any time:

• Right to access— email the address above and we will reply with a copy of your row.
• Right to rectification— email us with the corrected email address; we will update the row.
• Right to erasure— click the unsubscribe link in any of our emails (single click, no auth). You can also email us. After the 30-day audit window your record is permanently removed.
• Right to lodge a complaint— with the Spanish DPA (Agencia Española de Protección de Datos) if you believe we have mishandled your data.

Only Jacobo (the registered controller above) and any system operator explicitly listed in the OWNER_EMAILS allowlist at deploy-time. The infrastructure that holds the data is the CommonWealth Ops Postgres database, hosted on a server we rent from a third-party VPS provider (KobiiClaw in Helsinki). The VPS provider does not have application-level access; they have block-storage access only.

Confirmation and launch-announcement emails are sent via Resend (resend.com), a third-party transactional email provider. Resend processes your email address purely to deliver the message and stores transient delivery logs subject to its own policy. We chose Resend over self-hosted SMTP for reliability; if you object to your address transiting a third-party provider, you can refuse the consent at signup time and you will not receive any email from us.

This site does not embed analytics scripts, marketing pixels, third-party fonts, or any other code that would transmit your visit to an external host as of Sprint 6. If we ever add any, this document will be re-versioned and the waitlist cohort will be re-notified.

Any material change to this policy will be communicated by email to every address on the waitlist before it takes effect. The version number and "Last updated" date at the top of this page change with every revision.