Privacy Policy
1. Data Controller
PPWR Software S.L. (“we”, “us”, “Company”), based in Barcelona, Spain, is the data controller for personal data processed in connection with the PPWR Service.
Contact: privacy@ppwr.io
2. Data We Collect
Account data
When you create an account: name, email address, hashed password, company name, and role within your organisation.
Usage data
Automatically collected when you use the Service: IP address, browser type, pages visited, actions taken (e.g. imports created, reports generated), timestamps. This data is used to operate and improve the Service.
Business data you upload
Product catalogues, bills of materials, sales records, and packaging quantities that you upload or generate through the Service. This data is processed exclusively on your behalf to provide the Service and is not used for any other purpose.
Billing data
Payment method details (card number, expiry) are collected and stored directly by Stripe. We receive only non-sensitive billing metadata (customer ID, subscription status, last 4 digits of card).
3. Legal Basis for Processing
- Performance of a contract (Art. 6(1)(b) GDPR): processing account data and business data to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, fraud prevention, service improvement, and anonymised analytics.
- Legal obligation (Art. 6(1)(c) GDPR): retaining billing records as required by tax law.
- Consent (Art. 6(1)(a) GDPR): sending product update emails (you can withdraw consent at any time).
4. Data Processors
We use the following third-party processors who access data only to provide services on our behalf:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription management | USA (EU SCCs in place) |
| Resend | Transactional email delivery | USA (EU SCCs in place) |
| Amazon Web Services (S3) | File storage for uploaded CSVs and declaration packs | EU (eu-west-1) |
| Database hosting provider | PostgreSQL database hosting | EU |
| Redis / BullMQ hosting | Background job queue | EU |
5. Your Rights
Under GDPR you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your personal data (“right to be forgotten”)
- Portability: receive your data in a machine-readable format
- Restriction: ask us to restrict processing in certain circumstances
- Objection: object to processing based on legitimate interests
- Withdraw consent: at any time where processing is based on consent
To exercise any of these rights, email privacy@ppwr.io. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD) at aepd.es.
6. Retention Periods
- Account data: retained for the duration of your subscription plus 2 years, or until you request deletion.
- Business data (uploads, reports): retained for the duration of your subscription plus 7 years (to meet EU accounting and regulatory retention requirements).
- Billing records: retained for 7 years as required by Spanish tax law.
- Usage logs: retained for 90 days for security purposes, then deleted.
7. Cookies
We use a single session cookie to keep you logged in. We do not use advertising trackers or third-party analytics cookies. A language preference cookie is set when you change the UI language.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a notice in the Service. Continued use after changes are posted constitutes acceptance.
9. Contact
For privacy-related questions or to exercise your rights:
privacy@ppwr.io
For general legal matters, see our Terms of Service.