Last updated: December 21, 2025
1. Data Controller

Controller: [LEGAL NAME]
Tax ID (NIF/CIF): [TAX ID]
Address: [FULL ADDRESS]
Email (privacy): [PRIVACY EMAIL]
DPO (if applicable): [DPO NAME / DPO EMAIL]

2. Personal data we process

Depending on how you use PayKit, we may process:

- Account data: name, email, phone (if provided), authentication tokens/session data.
- Professional/billing data: company name, tax ID, address, subscription/plan info.
- Client/supplier data you upload: names, tax data, contact details, invoice details.
- Files and content: invoices, documents, uploaded assets (e.g., profile logo), support messages.
- Technical data: IP address, device identifiers, logs, security events, and cookie data (where applicable).

3. Purposes and legal bases

We process data for:

- Account creation and authentication. Legal basis: performance of a contract / pre-contractual measures.
- Providing the Platform services (documents, customer management, invoicing workflows, storage). Legal basis: performance of a contract.
- Support and customer service. Legal basis: contract and/or legitimate interest.
- Legal compliance (tax, accounting, fraud prevention, lawful requests). Legal basis: legal obligation.
- Security and abuse prevention. Legal basis: legitimate interest.
- Marketing communications (only if you opt-in). Legal basis: consent (withdraw anytime).

4. Your role vs our role (important for SaaS)

When you upload/manage personal data of your own clients within PayKit, typically:

- You are the Data Controller for that client data.
- PayKit acts as a Data Processor, processing data only to provide the service and under your instructions.
- Where required, a Data Processing Agreement (DPA) will apply.

5. Data sharing / recipients

We may share data only as necessary with:

- Infrastructure providers (hosting, storage, authentication).
- Payment providers (e.g., Stripe) if you use paid plans.
- Email/notification providers if enabled.
- Analytics providers only if you consent to analytics cookies (where applicable).
- Public authorities where legally required.

All providers are subject to appropriate contractual safeguards.

6. International transfers

If data is processed outside the EEA, we apply appropriate safeguards (e.g., Standard Contractual Clauses) as required.

7. Data retention

- Account/service data: while your account remains active and as needed to provide services.
- Legal obligations: for the periods required by tax/accounting and legal responsibility rules.
- Support: as necessary to resolve issues and for related liability periods.
- Marketing: until you withdraw consent.

8. Your rights

You may exercise your rights of access, rectification, erasure, objection, restriction, portability, and withdraw consent at any time.

To exercise rights: email [PRIVACY EMAIL] with subject “Data Protection”.

You may also lodge a complaint with the Spanish Data Protection Authority (AEPD) if you believe your rights were not respected.

9. Security

We implement appropriate technical and organizational measures (access control, encryption in transit, logging, etc.). No system can be guaranteed 100% secure, but we work to reduce risks.