Privacy Policy

Effective date:

This Privacy Policy explains how SISTEMAS DIGITALES Y DE DATOS SL ("we", "us", "our") collects, uses, discloses, and protects personal data when you visit our websites, use our software-as-a-service products, or otherwise interact with us. This Policy is intended to comply with the EU/EEA GDPR, Spain's LOPDGDD, and, where relevant, the UK GDPR.

1. Who we are (Controller)

  • Legal entity: SISTEMAS DIGITALES Y DE DATOS SL (Sociedad Limitada)
  • Registered address: Calle Madreselva, 144, 24400 Ponferrada (León), Spain
  • Tax ID (NIF): B22771505
  • Email: [email protected]
  • Phone: +34 678 00 48 86

For the activities described in Section 5.1, we act as Data Controller. For the activities in Section 5.2, we act as Data Processor on behalf of our Customers (business users of our Service).

2. Scope

This Policy applies to:

  • Our websites and dashboards (the "Sites");
  • Our cloud applications and APIs (the "Services"); and
  • Communications with us via email, support channels, and social media.

It does not apply to third-party websites, services, or integrations you connect to the Services (e.g., Shopify, Mirakl, Amazon Marketplace). Those are governed by their own privacy terms.

3. Personal data we collect

3.1 Data you provide directly

  • Account & profile: name, surname, job title, company name, company ID (VAT/VIES), email address, phone number, password (hashed), preferences.
  • Billing & tax: billing address, payment method tokens (via our payment provider), transaction details, invoice identifiers, tax/VAT numbers.
  • Support: content of requests, attachments, call/chat recordings if you consent.
  • Marketing: newsletter opt-ins, event registrations, survey responses.

3.2 Data we process via integrations (on your instructions)

If you connect shops/marketplaces (e.g., Shopify, Mirakl, Amazon, eBay), we may process:

  • Catalog & product data: SKUs, titles, descriptions, images, pricing, stock levels.
  • Orders & fulfillment: order IDs, items, quantities, timestamps, shipping method, tracking details, store notes.
  • End-customer data (your buyers): names, shipping/billing addresses, emails, phone number, order messages necessary to fulfill orders.

For these data, we act as Processor to you (the Customer/Controller). See Section 5.2 and our DPA.

3.3 Data collected automatically

  • Technical & usage: IP address, device identifiers, browser type/version, operating system, language, referring/exit pages, feature usage, timestamps, error logs.
  • Cookies and similar technologies: session identifiers, authentication tokens, analytics. See our Cookie Policy.

3.4 Data from third parties

  • Identity/business information from public or commercial sources (e.g., VIES VAT validation, sanctions/PEP checks when legally required).
  • Leads or referrals from partners, with appropriate notices.

We do not intentionally collect special category data or data about children. See Section 12.

4. Purposes and legal bases (GDPR Art. 6)

| Purpose | Examples | Legal basis |
|---|---|---|
| Provide, maintain, and secure the Services | account creation, authentication, access control, uptime, incident response | Contract (Art. 6(1)(b)); Legitimate interests (security, fraud prevention) |
| Process orders, synchronize data across integrations | product sync, order import/export, stock updates, invoice delivery | Contract (Art. 6(1)(b)); Legitimate interests (service efficiency) |
| Billing, payments, and tax compliance | invoicing, VAT calculations, refunds, accounting records | Contract; Legal obligation (tax, accounting) |
| Customer support and communications | troubleshooting, product updates, notices of changes | Contract; Legitimate interests |
| Service improvement and analytics | performance metrics, feature usage, A/B tests (non-essential with consent) | Legitimate interests; Consent where required |
| Marketing (B2B) | newsletters, webinars, product announcements | Consent or Legitimate interests (soft opt-in) with opt-out |
| Compliance & enforcement | KYC/AML if applicable, sanction screening, legal claims | Legal obligation; Legitimate interests |

5. Our roles

5.1 Controller activities

We act as Controller for personal data you provide to register, pay for, and use the Services (Sections 3.1 & 3.3) and for our marketing and website operations.

5.2 Processor activities (Data Processing Agreement)

When you connect the Services to your e-commerce systems and marketplaces and we process your end-customer and order data (Section 3.2), we act as your Processor. These processing terms are governed by our Data Processing Agreement (DPA), which incorporates the EU Standard Contractual Clauses where applicable.

  • Request to [email protected]
  • You are responsible for providing adequate privacy notices to your buyers and obtaining any consents required by law.

6. Retention

  • Account data: for the life of the account, then deleted or anonymized within 90 days.
  • Logs: 30–365 days, depending on security and operational needs.
  • Invoices & accounting records: retained for at least 6 years under the Spanish Commercial Code and applicable tax laws.
  • Support records: 2 years after resolution unless a longer period is necessary for legal claims.

7. International transfers

We primarily process data in the EU/EEA. Where personal data are transferred outside the EEA/UK, we rely on adequacy decisions, the EU Standard Contractual Clauses (2021/914, Modules 2 and/or 3) and, where applicable, the UK IDTA/Addendum, together with supplementary measures informed by transfer impact assessments (e.g., encryption, access controls, vendor due diligence).

8. Security

  • Encryption in transit and at rest
  • Role-based access control and MFA for privileged accounts
  • Network segmentation and least-privilege principles
  • Secure development lifecycle and vulnerability management
  • Continuous monitoring, logging, and backup strategies
  • Vendor due diligence and confidentiality obligations

If we act as Controller and become aware of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify the AEPD within 72 hours where required and affected individuals when legally required. When we act as Processor, we will notify the Customer without undue delay after becoming aware of a personal data breach and assist the Customer with its obligations.

9. Your rights (EU/EEA & UK)

  • Access your personal data and obtain a copy
  • Rectify inaccurate or incomplete data
  • Erase data (right to be forgotten)
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests or direct marketing
  • Data portability (receive data in a structured, commonly used format)
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with a supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD).

We respond to requests within one month of receipt (extendable by two months for complex requests). We may request information to verify identity. Requests are free of charge, except where manifestly unfounded or excessive. To exercise your rights, contact us at [email protected].

10. Sharing and disclosures

We share personal data only as necessary:

  • Service providers / Sub-processors: cloud hosting, databases, payments, email, analytics, customer support, and security tools under data processing terms.
  • Third-party integrations (at your instruction): e.g., Shopify, Mirakl, Amazon, eBay. We transmit data you request to or from those platforms.
  • Corporate transactions: in a merger, acquisition, or asset sale, subject to safeguards.
  • Legal: where required by law or to protect rights, property, or safety.

10.1 Sub-processors

| Vendor | Purpose | Entity & Region | Transfer mechanism |
|---|---|---|---|
| Google Cloud | Hosting, storage, logging | Google Cloud EMEA Ltd., EU regions | Intra-EU processing; SCCs if cross-border |
| Supabase | Postgres DB, Auth | Supabase B.V., EU/US regions per config | EU hosting preferred; SCCs if cross-border |
| Stripe | Payments & invoicing | Stripe Payments Europe, Ltd. (IE), Stripe, Inc. (US) | Intra-EEA + SCCs |
| Google Workspace | Email & docs | Google Ireland Ltd., EU | Intra-EU processing; SCCs if cross-border |
| OpenAI (if AI features enabled) | AI-assisted features | OpenAI, L.L.C. (US) and affiliates | SCCs + supplementary measures |

We maintain an up-to-date list of sub-processors at /legal/subprocessors. We will provide at least 15 days' notice before adding or replacing a sub-processor. Customers may object on reasonable data-protection grounds; if unresolved, you may terminate the affected Services and receive a pro-rata refund for the unused term.

11. Cookies and tracking

We use essential cookies for authentication and operation of the Service. Non-essential cookies (e.g., analytics, marketing) are used only with your prior consent in accordance with the ePrivacy rules and AEPD guidance. You can manage preferences at any time via our cookie banner or settings.

12. Children’s privacy

Our Services are intended for business users and are not directed to minors. We do not knowingly process personal data of children under the age applicable in their country (for Spain, 14). If you believe a minor has provided personal data, contact us and we will delete it.

13. Automated decision-making

We do not engage in automated decision-making producing legal or similarly significant effects without human involvement. Where we use AI features, they assist users based on inputs and configurations you control. We configure our AI providers not to use Customer Data to train generalized models. You can disable AI features at any time.

14. Third-party links and integrations

The Services may contain links to or allow connections with third parties. We are not responsible for their privacy practices. Review their policies before sharing data.

15. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. We will post the updated version with a revised “Effective date” and, where appropriate, notify you by email or in-product notice. Material changes will be highlighted.

16. Contact us

17. Regional addenda

17.1 United Kingdom

References to GDPR include the UK GDPR and the Data Protection Act 2018. You can lodge complaints with the ICO. SCCs are replaced or supplemented by the UK IDTA/Addendum as applicable.

17.2 California (CPRA)

We do not "sell" or "share" personal information as defined by CPRA. California residents may request access, deletion, correction, and limit the use of sensitive personal information (if collected). Submit requests to [email protected].