1. Data controller
maribell is a personal project that provides free desktop and mobile applications to track prices and availability of products in online stores, as well as the maribell.es website.
The data controller is Miguel Titos Ramis, Palma de Mallorca (Spain), acting as a natural person. Any change in the legal form of the project will be reflected in this policy.
In case of discrepancies between the language versions of this policy (Spanish, Catalan and English), the Spanish version shall prevail.
If you have any question or request regarding your data, please write to: hola@maribell.es
2. Data we collect
2.1. In the desktop application
- Email and password: required to create your account and sync your data across devices.
- Products you track: URLs, names, observed prices and configured alerts.
- App preferences: language, scan frequency, notification settings.
This data is stored locally on your computer (SQLite database) and is synchronised in encrypted form with the cloud so you don't lose it.
2.2. In the mobile application (iOS and Android)
- Email and password (or Google/Apple identifier if you use social sign-in): to access your account and keep it in sync with your desktop application.
- Unique user identifier in Supabase.
- Tracked products, alerts, preferred stores and settings synchronised with the cloud.
- Push notification token (only if you grant notification permission): an identifier that allows us to deliver alerts to your device when the price or availability of a product changes. It is stored linked to your account and deleted when you sign out.
- Language and local app settings.
The mobile application does not collect usage analytics or crash reports. We do not use Sentry, Firebase Analytics or any other tracking SDK in the app.
2.3. On the website (maribell.es)
- Email: if you subscribe to the newsletter.
- Name and email: if you use the contact form (not stored permanently, only used to reply).
3. How prices are fetched from online stores
Prices and availability are queried by the desktop application running on your own computer, connecting directly from your internet connection only to the public pages of the products you have added. There is no central server that crawls the stores in bulk; each user tracks only their own products from their own device.
The mobile application does not perform these queries: it only receives push notifications when the desktop application detects a relevant change in a product you track.
4. How we collect data
- Registration form in the desktop and mobile applications.
- Sign-in with Google or Apple (OAuth) in the mobile application, if the user chooses it.
- Newsletter subscription form on the website.
- Contact form on the website.
- Push notification token registration when you grant permission in the mobile app.
- Technical and session cookies on the website (required for basic functionality).
- Google Analytics cookies on the website (optional, require your consent).
5. Purpose of processing
- User account: manage your access to the apps and synchronise data between desktop and mobile.
- Push notifications: notify you on mobile when a product you track changes price or availability, according to the alerts you have configured.
- Newsletter: send you news, offers and recommendations (only if you subscribe).
- Contact form: reply to your questions or suggestions.
- Analytics (web): understand how the website is used to improve it (anonymised data).
6. Legal basis for processing
- Performance of a contract (GDPR art. 6(1)(b)): to provide the service you have requested when creating your account, including synchronisation between devices.
- Consent (GDPR art. 6(1)(a)): to send you push notifications, for the newsletter subscription and for analytics cookies on the website. You can withdraw consent at any time without affecting your use of the service.
- Legitimate interest (GDPR art. 6(1)(f)): to reply to the messages you send us through the contact form.
7. Sharing data with third parties
We do not share your personal data with third parties for commercial purposes.
To provide the service, the following providers act as data processors / sub-processors:
- Supabase — database, authentication and storage of the push notification token. Region: AWS eu-west-1 (Ireland).
- Google and Apple — OAuth identity providers, only if you choose to sign in with their accounts. They return your email and a unique identifier to us; we do not request additional permissions.
- Expo Push Service, Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) — routing of push notifications to the device. They only receive the device token and the notification content.
- Google Analytics — only on the website and only if you accept analytics cookies. Operates under the EU-US Data Privacy Framework.
8. International data transfers
- Account and app data (Supabase): stored exclusively in the European Union (AWS, eu-west-1 region — Ireland). No international transfer.
- Sign-in with Google or Apple: if you choose this method, Google or Apple may process the login-associated data in the United States under the EU-US Data Privacy Framework.
- Push notification delivery: tokens and notification content are processed through Expo Push Service (servers in the United States), APNs (Apple) and FCM (Google). These services receive only the device token and the notification, and no other personal data of the user.
- Google Analytics (web only): may transfer anonymised data to the United States under the EU-US Data Privacy Framework.
9. Data retention period
- User account and associated data: for as long as your account is active.
- Deletion upon request: if you request deletion of your data, we will erase it within a maximum of 30 days from the request.
- Newsletter: until you unsubscribe.
- Contact form: used only to reply; not stored permanently.
- Google Analytics: 26 months from the last visit.
10. User rights
You can exercise the following rights by writing to hola@maribell.es:
- Access: know what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data.
- Data portability: receive a copy of your data in a readable format.
- Restriction and objection: restrict or object to certain processing activities.
If you consider that the processing of your data does not comply with the regulations, you can file a complaint with the Spanish Data Protection Agency (AEPD) (aepd.es).
11. Security measures
- All communications between the apps (desktop and mobile) and the servers are made over encrypted connections (TLS/SSL).
- The mobile application uses certificate pinning to verify the server identity and prevent interception attacks.
- Passwords are stored encrypted through Supabase Auth mechanisms. maribell has no direct access to user passwords.
- Access to data is restricted by Row Level Security (RLS) in the database: each user can only access their own data.
- The session token is stored in the device's secure storage (Keychain on iOS, Keystore on Android).
- Account activation requires email address verification.
- maribell does not store bank card data or payment information of any kind.
12. Cookies policy (web)
Technical / session cookies: required for the basic functioning of the website (contact form). They do not require consent.
Analytics cookies (Google Analytics): optional. They are activated only if you accept analytics cookies through the banner or the cookies manager.
13. Minimum age
The minimum age to register and use maribell is 14 years, in accordance with article 7 of the Spanish LOPDGDD (Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights). maribell does not include material inappropriate for minors; even so, parental supervision is recommended for minors.
14. Contact
For any question or request regarding this privacy policy, please write to: hola@maribell.es