Privacy Policy
Last updated: April 13, 2026
This Privacy Policy explains how egrelos.dev ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our cloud-based invoicing platform (the "Service"). This policy is designed to comply with the Swiss Federal Act on Data Protection (nDSG), the EU General Data Protection Regulation (GDPR), and the Spanish Organic Law on Data Protection and Digital Rights Guarantee (LOPD-GDD).
1. Data Controller
- Company name: [COMPANY_NAME]
- Legal form: Einzelfirma (sole proprietorship) under Swiss law
- Address: [STREET_ADDRESS], [POSTAL_CODE] [CITY], Switzerland
- Privacy contact email: [PRIVACY_EMAIL]
EU Representative (Article 27 GDPR)
- Name: [EU_REPRESENTATIVE_NAME]
- Address: [EU_REPRESENTATIVE_ADDRESS]
- Email: [EU_REPRESENTATIVE_EMAIL]
[PENDING: An EU representative must be appointed before the service is made available to users in the European Union.]
Data Protection Officer
We have not appointed a Data Protection Officer (DPO) as our core activities do not consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale, nor do they involve large-scale processing of special categories of data (Article 37 GDPR). Should this assessment change, we will appoint a DPO and update this policy accordingly.
2. Personal Data We Collect
2.1 Account Data
When you register and use the Service, we collect:
- Identity data: your full name
- Contact data: your email address
- Authentication data: your password (stored only as a cryptographic hash), two-factor authentication secrets and recovery codes (stored encrypted)
- Preference data: your preferred language and country
2.2 Organization Data
When you create or manage an organization, we collect:
- Business identity: organization name, tax identification number (VAT/CIF/NIF), tax ID type
- Address: street address, city, postal code, province/state, country
- Contact details: phone number, email address, website
- Financial data: IBAN (bank account number), currency preference
- Branding: organization logo (uploaded file)
- Tax compliance: digital certificates and certificate passwords (stored encrypted) for VERI*FACTU submissions to the Spanish Tax Agency (AEAT)
- Document settings: invoice/quote notes, terms, and signature preferences
2.3 Customer Data
When you add customers to the Service, you may enter:
- Customer name, tax ID, contact person, email, phone number, and full address
- Notes and business/individual classification
Important: For the customer data you enter, you act as the data controller and egrelos.dev acts as a data processor. You are responsible for ensuring that you have a lawful basis to process your customers' personal data and that you inform them accordingly. A Data Processing Agreement (DPA) is available upon request.
2.4 Financial and Document Data
The Service processes and stores:
- Invoices, quotes, and associated line items (products, quantities, prices, discounts, tax rates)
- Payment records and payment method names
- Prepayment/deposit records
- Tax submission records (encrypted request and response payloads for VERI*FACTU compliance)
2.5 Audit and Security Data
To maintain the security and integrity of the Service, we automatically collect:
- Audit logs: records of user actions within the Service (e.g., login events, document creation, settings changes), including the user who performed the action, a description of the event, and associated metadata
- Session data: your IP address, browser user agent, and last activity timestamp
2.6 Module-Specific Data
If you enable optional modules:
- Repairs module: device information (type, brand, model, serial number), repair descriptions, diagnosis, technician assignments, and repair status history
- Time tracking module: clock-in/clock-out timestamps, work dates, durations, and notes
3. Purposes and Legal Bases
| Purpose | Data Categories | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Service | Account, Organization, Financial, Module data | Performance of contract (Art. 6(1)(b)) |
| Authenticate users and manage sessions | Account, Session data | Performance of contract (Art. 6(1)(b)) |
| Send transactional communications (email verification, password resets, team invitations) | Account (email, name) | Performance of contract (Art. 6(1)(b)) |
| Process subscription payments | Organization (name, email) | Performance of contract (Art. 6(1)(b)) |
| Comply with tax obligations (VERI*FACTU submissions to AEAT) | Organization, Financial, Tax compliance data | Legal obligation (Art. 6(1)(c)) |
| Retain financial records as required by law | Financial, Document data | Legal obligation (Art. 6(1)(c)) |
| Maintain security, detect fraud, and ensure service integrity | Audit logs, Session data (IP, user agent) | Legitimate interest (Art. 6(1)(f)) |
4. Data Recipients and Third-Party Processors
We share personal data only with the following categories of recipients, acting as data processors under appropriate contractual safeguards:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Hosting provider | Infrastructure and data storage | All data stored in the Service | European Union |
| Payment processor | Subscription billing and payment management | Organization name, email, subscription data | United Kingdom |
| Email service provider | Transactional email delivery | Email addresses, message content | United States |
| Bunny Fonts (BunnyWay d.o.o.) | Web font delivery | No personal data (GDPR-compliant CDN) | European Union |
Additionally, for organizations using VERI*FACTU tax compliance, invoice data is submitted to the Spanish Tax Agency (Agencia Estatal de Administración Tributaria, AEAT) as required by Spanish tax law. This is a legal obligation, not a voluntary data sharing arrangement.
We do not sell, rent, or trade your personal data to any third party.
5. International Data Transfers
Your data is primarily stored on servers located within the European Union.
Where data is transferred outside the EU/EEA:
- United Kingdom: Our payment processor is based in the UK. The European Commission has adopted an adequacy decision for the UK (Decision 2021/1772), recognizing an adequate level of data protection.
- United States: Our email service provider is based in the US. Transfers are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), supplemented by appropriate technical and organizational measures.
Switzerland is recognized by the European Commission as providing an adequate level of data protection (Decision 2000/518/EC).
6. Data Retention
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Retained while your account is active; deleted upon account deletion | Contract performance |
| Organization and customer data | Retained while the organization exists; subject to account deletion | Contract performance |
| Financial data (invoices, tax submissions) | Minimum 4 years (VERI*FACTU), up to 6 years (Spanish commercial law), or as required by the applicable law of your jurisdiction | Legal obligation |
| Audit logs | 4 years (1,460 days), then automatically deleted | Legitimate interest (security, fraud prevention, compliance verification) |
| Session data | 120 minutes of inactivity (configurable) | Contract performance |
| Password reset tokens | 60 minutes after creation | Contract performance |
7. Your Rights
Under the GDPR, the Swiss nDSG, and the Spanish LOPD-GDD, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR / Art. 25 nDSG): You may request confirmation of whether we process your personal data and, if so, obtain a copy.
- Right to rectification (Art. 16 GDPR / Art. 32 nDSG): You may request correction of inaccurate personal data. You can also update most of your data directly through the Service settings.
- Right to erasure (Art. 17 GDPR / Art. 32 nDSG): You may request deletion of your personal data. Please note that financial records (invoices, tax submissions) may be retained where required by law, even after account deletion.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right not to be subject to automated decision-making (Art. 22 GDPR): We do not make any automated decisions that produce legal effects concerning you or similarly significantly affect you.
How to Exercise Your Rights
To exercise any of these rights, please contact us at: [PRIVACY_EMAIL]
We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If your request is complex, or if we receive a large number of requests, we may extend this period by an additional 60 days, and we will inform you of any such extension.
You also have the right to delete your account directly through the Service settings, which will trigger the deletion of your personal data (subject to mandatory legal retention periods).
Right to Lodge a Complaint
If you believe that we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
- Other EU/EEA countries: The supervisory authority of your country of habitual residence
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and sensitive data at rest (AES-256)
- Cryptographic password hashing (bcrypt)
- Two-factor authentication (TOTP) support
- Encrypted storage of digital certificates and sensitive credentials
- Immutable, append-only audit trail for all critical operations
- Role-based access control with granular permissions
- Session management with automatic expiry and HTTP-only cookies
- CSRF protection on all forms
9. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data as soon as possible.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
11. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: [PRIVACY_EMAIL]
- Postal address: [COMPANY_NAME], [STREET_ADDRESS], [POSTAL_CODE] [CITY], Switzerland