Privacy Policy

Introduction

ELD Technologies SL ("we," "our," or "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Factumo service.

This policy applies to personal data processed through our website, application, and related services (collectively, the "Service").

1. Data Controller Information

The data controller responsible for your personal data is:

• Company: ELD Technologies SL
• Trading Name: Factumo
• Tax ID (CIF/NIF): B72979180
• Registered Address: Calle los Jazmines 2, 29651, Las Lagunas de Mijas, Málaga, Spain
• Email: privacy@factumo.com
• Phone: +34 604 446 397

You can contact us regarding any questions about this Privacy Policy or to exercise your data protection rights using the contact information above.

2. Personal Data We Collect

2.1 Information You Provide to Us

When you use our Service, we collect:

• Account Information: Name, email address, password (encrypted), company name, tax identification number
• Profile Information: Business address, phone number, website, logo
• Financial Information: Bank account details (for receiving payments from your clients), VAT/tax information
• Business Documents: Invoices, estimates, credit notes, and related financial documents you create
• Client Data: Information about your clients (names, addresses, contact details, tax IDs) that you add to the system
• Communication Data: Messages you send to our support team

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, click patterns
• Device Information: IP address, browser type and version, device type, operating system
• Audit Logs: Actions taken in the system (document creation, modifications, deletions) for compliance with Spanish tax law
• Cookies: See our Cookie Policy for detailed information

2.3 Payment Information

Payment card information is collected and processed directly by our payment processor, Stripe. We do not store complete payment card details on our servers. We receive only limited information (last 4 digits, card brand, expiration date) for display purposes.

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Contract Performance (Article 6(1)(b) GDPR): To provide the Service, process payments, and fulfill our contractual obligations to you
• Legal Obligation (Article 6(1)(c) GDPR): To comply with tax laws, accounting requirements, and Spanish legal obligations (including 7-year retention of financial records as required by Spanish tax law)
• Legitimate Interests (Article 6(1)(f) GDPR): To improve our Service, prevent fraud, ensure security, and conduct business analytics
• Consent (Article 6(1)(a) GDPR): For marketing communications and optional features (you can withdraw consent at any time)

4. How We Use Your Personal Data

We use your personal data for the following purposes:

• Service Provision: To create and manage your account, process invoices and estimates, store business documents
• Payment Processing: To process subscription payments and billing
• Communication: To send service-related notifications, respond to inquiries, provide customer support
• Legal Compliance: To comply with Spanish tax law, maintain audit logs, respond to legal requests
• Security: To protect against fraud, unauthorized access, and security threats
• Service Improvement: To analyze usage patterns, develop new features, improve user experience
• Marketing: To send promotional communications (only with your consent, which you can withdraw at any time)

5. Data Sharing and Third-Party Processors

5.1 Service Providers (Data Processors)

We share your personal data with trusted third-party service providers who assist us in operating our Service. These processors act on our instructions and are bound by Data Processing Agreements (DPAs):

• Supabase (BaaS): Database hosting, user authentication, file storage (EU-based infrastructure, GDPR-compliant)
• Stripe: Payment processing and billing (EU operations, GDPR-compliant)
• Resend: Transactional email delivery (GDPR-compliant with Standard Contractual Clauses for any non-EU processing)
• Cloud Hosting: Application hosting and content delivery (EU-based servers, GDPR-compliant)

Important: Our primary infrastructure, including all database servers and application hosting, operates within the European Union to minimize data transfers outside the EEA.

5.2 Legal Obligations

We may disclose your data when required by law:

• To comply with legal obligations, court orders, or subpoenas
• To Spanish tax authorities (Agencia Tributaria) as required by law
• To protect our rights, property, or safety, or that of our users
• In connection with a business transaction (merger, acquisition, sale of assets)

5.3 Your Client Data

Important: When you add your clients' personal data to Factumo, you act as a data controller for that data. You are responsible for ensuring you have a legal basis to process your clients' data and for complying with GDPR and Spanish data protection law in your relationship with them. We act as a data processor for this client data on your behalf.

6. International Data Transfers

Your data is primarily stored and processed within the European Union. All our core infrastructure, including database servers (Supabase) and application hosting, operates on EU-based servers to ensure your data remains within the EEA.

However, some of our service providers may process limited data outside the EEA (such as for email delivery or payment processing support functions). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to countries without adequacy decisions
• Adequacy Decisions: Transfers to countries deemed by the EU Commission to provide adequate data protection
• Processor Commitments: All processors are GDPR-compliant and have implemented appropriate technical and organizational measures

Data Residency: Your invoices, estimates, client data, and all business documents are stored exclusively on EU servers and are not transferred outside the European Economic Area for storage or primary processing.

You have the right to obtain information about the specific safeguards we use for any international transfers by contacting us at privacy@factumo.com.

7. Data Retention

We retain your personal data for the following periods:

• Account Data: As long as your account is active, plus 30 days after account deletion (to allow for account recovery)
• Financial Documents & Audit Logs: 7 years from the date of creation, as required by Spanish tax law (Real Decreto 1619/2012) and commercial law
• Payment Records: 7 years for tax compliance purposes
• Support Communications: 2 years after the last interaction
• Marketing Data: Until you withdraw consent or request deletion, whichever comes first
• Backups: Retained for up to 90 days for disaster recovery purposes, then permanently deleted

After the retention period expires, we will securely delete or anonymize your personal data, except where we are required to keep it longer by law.

8. Your Rights Under GDPR

Under GDPR and Spanish data protection law (LOPDGDD), you have the following rights:

8.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to access that data and receive information about how it is processed.

8.2 Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data in certain circumstances. However, we may need to retain certain data to comply with legal obligations (such as the 7-year retention requirement for financial records under Spanish tax law).

8.4 Right to Restriction of Processing (Article 18 GDPR)

You can request that we limit the processing of your personal data in certain situations (e.g., while we verify data accuracy or assess whether we have legitimate grounds for processing).

8.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (CSV, JSON) and to transmit it to another controller. You can export your data from your account settings.

8.6 Right to Object (Article 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes at any time.

8.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where we process your data based on consent, you have the right to withdraw that consent at any time (e.g., for marketing communications).

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@factumo.com. We will respond to your request within one month (or inform you if we need an extension up to two additional months for complex requests).

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, secure, and improve our Service. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

Cookie types we use:

• Essential Cookies: Required for the Service to function (authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how users interact with our Service (only with your consent)

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage:

• Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control, multi-factor authentication
• Infrastructure Security: Secure cloud hosting with regular security audits
• Monitoring: Continuous monitoring for security threats and vulnerabilities
• Employee Training: Regular data protection and security training for our staff
• Incident Response: Established procedures for data breach notification within 72 hours as required by GDPR

Despite our security measures, no system is 100% secure. If you suspect unauthorized access to your account, please contact us immediately at support@factumo.com.

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately, and we will delete such information.

12. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics we perform are for aggregate statistical purposes only and do not result in automated decisions about individuals.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Posting the updated Privacy Policy on this page with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying an in-app notification upon your next login

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our data protection practices, please contact us:

• Email: privacy@factumo.com
• Postal Address:
  ELD Technologies SL
  Attn: Data Protection
  Calle los Jazmines 2
  29651 Las Lagunas de Mijas
  Málaga, Spain
• Phone: +34 604 446 397

15. Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Spanish Data Protection Authority:

You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.