1. Data Controller
The data controller is:
Daniel Valcarce Miranda
Fiscal address: Carrer de Floridablanca 68, 08015 Barcelona, Spain
Contact email: support@acopio.dev
2. Data We Collect and Why
We collect the following categories of personal data:
a) Account data — name, email address, authentication identifiers provided through Logto. Legal basis: performance of a contract (GDPR Art. 6.1.b). Retention: for the life of your account plus 30 days after deletion.
b) Billing data — subscription plan, billing cycle, payment status. Payment card details are processed and stored exclusively by Paddle (our Merchant of Record); we never see or store raw card numbers. Legal basis: performance of a contract (Art. 6.1.b) and compliance with legal obligations (Art. 6.1.c). Retention: 5 years from the last transaction, as required by Spanish tax law (Ley 58/2003 General Tributaria).
c) Usage data — tool catalog entries you create (URLs, titles, descriptions, tags), quota usage counters. Legal basis: performance of a contract (Art. 6.1.b). Retention: for the life of your account plus 30 days after deletion.
d) Technical and log data — IP address, browser type, timestamps of requests. Collected automatically by our hosting infrastructure. Legal basis: legitimate interest in operating and securing the Service (Art. 6.1.f). Retention: 90 days in server logs.
3. Recipients of Your Data
We share your data only with the following processors, each bound by a Data Processing Agreement:
Logto (self-hosted) — identity and authentication. We operate our own Logto instance on our infrastructure; authentication data is not shared with a third-party identity provider.
Paddle.com Market Limited — Merchant of Record for billing. Paddle acts as a co-controller for payment data. Registered in Ireland.
Hetzner Online GmbH — cloud hosting. Data located in: Helsinki, Finland (EU).
We do not sell your personal data to third parties.
4. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure an adequate level of protection through Standard Contractual Clauses adopted by the European Commission (Art. 46.2.c GDPR) or by relying on an adequacy decision. Our self-hosted Logto identity service runs on EU-based infrastructure, so authentication data does not leave the EEA.
5. Your Rights
Under GDPR and LOPDGDD you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure ("right to be forgotten") subject to legal retention obligations (Art. 17).
- Restriction of processing in certain circumstances (Art. 18).
- Data portability for data processed by automated means based on consent or contract (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time where processing is based on consent (Art. 7.3).
To exercise any of these rights, contact us at support@acopio.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.
6. Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22).
7. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including TLS encryption in transit and encrypted storage at rest.
8. Children
The Service is not directed at children under 14 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice within the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.