Privacy policy
What personal data we process, why, on which legal basis, and what rights you have. Written to be read, not to tick a box.
1. Who the controller is
The controller of the personal data collected through this website and the platform isDeCA Platform ("we", "us"). For any privacy matter you can write tohola@deca.example.
2. Controller or processor: an important distinction
We provide a service for issuing and safekeeping electronic transport documents. That means we act in two different roles depending on the data:
- As controller: for the data of your account and the users who administer it (registration, billing, support, communications). This policy applies to that processing.
- As processor (GDPR Art. 28): for the personal data contained in the documents you issue (for example driver names and phone numbers, vehicle plates, your customers' contact details). For that data you are the controller, and our processing is governed by the data processing agreement (DPA).
3. What data we process as controller
- Registration and account data: name, email, phone (optional), company, company tax ID and access credentials.
- Billing data: legal name, tax ID, registered address and purchase transaction data. Card data is handled exclusively by our payment provider (Stripe): it never reaches our servers.
- Usage and support data: technical access logs (IP address, date and time, user agent), relevant panel actions and any communications you have with us.
- Browsing this website: this website uses no tracking or third-party cookies. We only store your language preference in your browser, and we load no resources from external domains.
4. Purposes and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account, providing the service and support | Performance of a contract (Art. 6(1)(b)) |
| Billing, accounting and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Service security, fraud and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Service communications (operational alerts, changes to terms, credit balance) | Performance of a contract (Art. 6(1)(b)) |
| Commercial communications about our own similar products | Legitimate interest (Spanish LSSI Art. 21.2), one-click opt-out in every email |
We do not build profiles or make automated decisions with legal effects about you.
5. How long we keep data
- Account data: while the account is active and, after closure, blocked for the limitation periods of applicable legal liabilities.
- Billing data: the periods required by tax and commercial law (as a general rule, 4 and 6 years respectively in Spain).
- Issued transport documents: at least 1 year from issuance — the custody period required by Spanish transport law — even if the account is closed, so the parties can keep meeting their own retention obligation.
- Technical logs: only as long as needed for security purposes, as a general rule no more than 24 months.
6. Who we share data with
We do not sell personal data or disclose it to third parties for their own purposes. We use a small number of infrastructure providers (subprocessors) that process data under our instructions: the full list, with services, locations and safeguards, is published on thetrust & due diligence page and in the annex of theDPA. We may also disclose data to public authorities where the law requires it.
7. International transfers
The database and primary document storage reside in the European Union. Where a provider is headquartered outside the EU, processing relies on the European Commission's Standard Contractual Clauses and, where applicable, on its EU-U.S. Data Privacy Framework certification.
8. Your rights
You can exercise your rights of access, rectification, erasure, objection, restriction of processing and portability at any time by writing tohola@deca.example from the email address linked to your account (or by otherwise proving your identity). We reply within one month at the latest.
If you believe we have not handled your data correctly, you may lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (aepd.es). We would appreciate you writing to us first: almost everything gets resolved faster by talking.
9. Security
We apply technical and organisational measures proportionate to the risk: encryption in transit and at rest, per-account isolation enforced in the database itself, an operation log with a verifiable hash chain, and daily backups. They are described in detail — without fog — on the security page. To report a vulnerability: security@deca.example.
10. Changes to this policy
If we change this policy, we will publish the new version on this page with its date and, for material changes, notify account administrators by email with reasonable notice. Current version: 1.0, dated 6 July 2026.