Melchor

Privacy

Last updated June 10, 2026.

Melchor is built privacy-first. This page tells you what we do, and what we don't do, with your data. It's short because there's little to tell.

Who we are

Melchor is run by Rubén Sospedra, self-employed in Spain (NIF 47951262B), Carretera de Rubí 130, 08223 Terrassa, Spain — the data controller, in GDPR words. Anything about your data: privacy@melchor.app.

What we collect on this website

Nothing for analytics. We don't use analytics, third-party trackers, or behavioral profiling. We have no ad network. We don't show a cookie banner because we don't set tracking cookies. Even invite links work without tracking — see "Invite links" below.

What your browser stores

Your browser keeps two preferences locally: your language and your theme (light, dark, or system). They never leave your device and they aren't cookies.

What the app collects

Less than you'd think. Anonymous account: your lists, wishes, photos and reservations. Real account: also your email or your Apple/Google ID, plus whatever profile you fill in — name, avatar, birthday. Notifications on: a push token, your platform, the app version, and on Android a device identifier, so the notification finds the right phone. That's the complete list.

Why we collect it

To run your lists and your account — the contract between us. Crash reports serve our legitimate interest in an app that doesn't crash; you can object with one toggle in the app. Notifications go out only if you allow them on your device. And if the law requires something of us, we comply. No other purposes hiding here.

Crash & error reports

The app sends crash and error reports to Sentry, hosted in the European Union (Frankfurt). They keep the app stable, so they're on by default — turn them off any time under Settings → Privacy in the app. Each report is tied to a random account ID, never your name, email, IP address or wishlist content, and it's deleted after 90 days. We run no advertising, profiling, product analytics or tracking across other apps or sites.

Who receives your data

Only who's needed to run the thing. Sentry (EU, Frankfurt) gets crash reports. Resend (EU, Ireland) sends our sign-in emails. Push notifications are delivered through Expo's push service in the US, certified under the EU–US Data Privacy Framework. Your lists live with our hosting provider in the EU (Ireland). Stores see that a click came from Melchor, never who you are. Nobody gets your data for advertising. Nobody buys it.

How long we keep it

While you want us to. Your data stays as long as your account exists and goes when you delete it. Push tokens are removed when they stop working. Crash reports expire after 90 days. Anonymous accounts with nothing in them are deleted after 30 days of inactivity; anonymous accounts with lists, after 24 months without a sign-in. The notification queue clears itself after a day.

Your rights

All of GDPR's: ask for a copy of your data (in JSON, portable), correct it, delete it, restrict or object to how we use it, and withdraw consent any time. Deleting is self-service — Settings → Delete account in the app — and it's a real delete: lists, photos, reservations, gone. For everything else, write to privacy@melchor.app; we answer within a month.

Complaints

If something feels wrong, tell us first and we'll fix it. You can also complain to the Spanish supervisory authority (AEPD, aepd.es) or to the one where you live.

Children

Melchor isn't directed at children under 14. If you believe a child is using it, write to privacy@melchor.app and we'll delete the account.

Affiliate links

Some product links (on your wishes, and sometimes on the blog) are affiliate links. If someone buys through one, the store leaves us a small commission. The store sees the click came from Melchor; it doesn't see who you are or what's on your list. You pay the same.

Invite links

Open an invite link without the app installed and the invite code stays on your device. Tapping the download button copies it to your clipboard, and on Android, Google Play hands it to the app at install. The app reads your clipboard only when you tap the paste button. No fingerprinting, no IP logging, nothing stored on our servers — we first see the code when you actually join.

AI training

We don't use your lists, your reservations, or anything you create to train AI models. Public blog content is open to LLM crawlers (GPTBot, ClaudeBot, PerplexityBot) so we can show up in their answers. That's the only AI surface.

Our promise

We'll never sell your data. There's no ad business here — the money comes from affiliate links. Full stop.

Changes to this policy

If we change this policy in a way that matters, we'll say so in the app instead of burying it. The date at the top always tells you which version you're reading.

Contact

Privacy questions: privacy@melchor.app. Deleting your account doesn't even need an email — Settings → Delete account in the app does it on the spot.