Privacy Policy — FacturaOk.es

1. Data controller

Personal data collected through FacturaOk is processed by:

Controller: Nicolás Cieri (NIE: Z2248368P)
Trade name: FacturaOk
Tax address: Avenida Espana 230, local derecha, 29680 Estepona, Malaga, Spain
Contact email: privacidad@facturaok.es
Data Protection Officer (DPO): dpo@facturaok.es

2. Data we process

Category	Data	Purpose
Sign-up	Name, email, password (hash)	Create and manage your account
Invoicing	Tax ID, legal name, tax address, invoice data	Issuing invoices and tax compliance
Technical	IP, user-agent, access logs	Security, fraud prevention, performance
Payment	Billing email (Stripe handles card data)	Subscription management

We never collect biometric, genetic, health, sexual orientation or political/union affiliation data.

3. Legal basis for processing (GDPR Art. 6)

Contract performance: data necessary to provide the contracted service.
Legal obligation: tax data required by Spanish tax law (LGT, RD 1619/2012, Order HAC/1177/2024).
Legitimate interest: system security, fraud prevention, service improvement.
Consent: commercial communications (always optional and revocable).

4. Data retention

Account data: while the account is active + 30 days after deletion request.
Tax data and invoices: minimum 4 years (Art. 66 LGT) or up to 10 years if commercial obligations remain in force.
VeriFactu records: for the periods set by the AEAT (Art. 9 Order HAC/1177/2024).
Technical logs: maximum 12 months.
After account deletion: non-tax data is deleted within 30 calendar days. Encrypted backups are purged within an additional 90 days. Data subject to legal retention is blocked until the period expires and securely destroyed immediately afterwards.

5. Recipients and processors

Provider	Purpose	Location	Safeguards
Amazon Web Services EMEA SARL (AWS)	Cloud infrastructure, storage (S3), database (RDS), KMS	EU (eu-west-1, Ireland)	AWS DPA, ISO 27001/27017/27018, SOC 2, standard contractual clauses
Amazon SES (AWS)	Transactional email delivery	EU (eu-west-1, Ireland)	AWS DPA
Stripe Payments Europe Ltd.	Payment and subscription processing	EU (Ireland) with processing by Stripe Inc. in the USA	PCI-DSS Level 1, Stripe DPA, EU-US Data Privacy Framework
Anthropic, PBC	OCR of received invoices (Claude Vision): the user may upload a PDF/image and the bytes are sent to Anthropic for data extraction	USA	Anthropic Commercial Terms and DPA, EU-US Data Privacy Framework. Anthropic does not train models on data submitted via API.
AEAT (Spanish Tax Agency)	Reporting of VeriFactu invoicing records (when the user enables live mode)	Spain	Legal obligation (RD 1007/2023, Order HAC/1177/2024)
FACe / public B2B platform	Submission of invoices to the Spanish Public Administration when requested by the user	Spain	Legal obligation (Law 25/2013, Law 18/2022)

We do not sell or share personal data with third parties for advertising purposes. The OCR feature with Anthropic is opt-in: if you do not upload invoices to the expenses module, no data is transferred to Anthropic.

6. International transfers

Primary processing and storage take place on AWS servers in the European Union (Ireland, eu-west-1). International transfers to the United States occur in the following cases:

Stripe Inc. (USA): processing of payment data. Safeguard: EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) and standard contractual clauses as additional safeguard.
Anthropic, PBC (USA): only if the user uses the OCR feature. Safeguard: EU-US Data Privacy Framework. Anthropic contractually undertakes not to use API-submitted data to train models.

You may exercise your rights regarding these transfers or request a copy of the safeguards by writing to dpo@facturaok.es.

7. User rights (GDPR Arts. 15–22)

You may exercise the following rights at any time:

Access: know what data we hold about you.
Rectification: correct inaccurate data.
Erasure: request the deletion of your data (except for legal tax retention obligations).
Restriction: restrict processing in certain circumstances.
Portability: receive your data in a structured format (JSON/CSV).
Objection: object to processing based on legitimate interest.

To exercise any of these rights, write to privacidad@facturaok.es. We will respond within 30 days.

You may also lodge a complaint with the Spanish Data Protection Agency (AEPD).

8. Security measures

Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS)
Passwords stored with BCrypt (never in plain text)
JWT authentication with expiry
API keys hashed with SHA-256 (raw key never stored)
Rate limiting to prevent abuse
Encrypted backups with 5-year retention
Audit logs for full traceability

9. Cookies

FacturaOk uses only essential technical cookies. See our Cookie Policy for details.

10. Contact

Privacy: privacidad@facturaok.es
DPO: dpo@facturaok.es