Privacy Policy

Last updated: 03/02/2026

Your privacy is important to us. This policy explains how Tabiquo collects, uses and protects your personal data when you use our platform.

1. Data Controller

The data controller for your personal data is:

Company Name: Andreality S.L.
Tax ID: B-10663193
Address: Pasaje Dr. Bartual Moret 8, 46010 - Spain
Email: privacy@tabiquo.com

2. Data We Collect

We collect different types of information to provide our services and improve your experience:

2.1. Identification and Contact Data

  • Account information: full name, email address, phone number, company/studio name
  • Billing information: tax address, tax ID, data required for invoicing
  • Authentication data: encrypted password, session tokens, two-factor authentication information

2.2. Project Content Data

  • Documents: PDF files, DWG, drawings, technical specifications and any uploaded documents
  • Images and photographs: site photos, renders, design images with EXIF metadata (date, location if available)
  • Messages and communications: chats, comments, shared notes within the platform
  • Planning: schedules, tasks, project milestones, team assignments
  • Reports: generated reports, project analysis, statistics

2.3. Usage and Technical Data

  • Browsing information: pages visited, features used, session time, navigation flow
  • Device data: device type, operating system, browser version, screen resolution
  • Network data: IP address, approximate geolocation based on IP, internet provider
  • Server logs: access timestamp, HTTP requests, response codes
  • Performance data: load times, errors, interface interactions

2.4. Cookies and Similar Technologies

  • Essential cookies: necessary for platform operation (authentication, security)
  • Analytics cookies: to understand how you use the service and improve the experience
  • Preference cookies: to remember your settings and customizations
  • Local storage and session storage: to temporarily store data in your browser

3. Legal Basis and Processing Purposes

We process your personal data based on the following legal bases and for the following purposes:

3.1. Contract Performance

  • Provide, manage and maintain access to the Tabiquo platform
  • Process and store your content (documents, photos, schedules)
  • Facilitate collaboration between team members and clients
  • Manage your account, billing and payments
  • Provide technical support and customer service

3.2. Consent

  • Send commercial communications, newsletters and promotional material (you can withdraw consent at any time)
  • Use non-essential cookies (analytics, marketing)
  • Perform behavioral analysis to personalize your experience

3.3. Legitimate Interest

  • Improve and develop new platform features
  • Prevent fraud, abuse and unauthorized use
  • Ensure the security of the platform and users
  • Perform aggregated and anonymous statistical analysis
  • Detect and resolve technical issues

3.4. Legal Obligation

  • Comply with tax and accounting obligations
  • Respond to requests from courts or other competent authorities
  • Retain data according to established legal deadlines

4. Sharing Data with Third Parties

We do not sell, rent or trade your personal data. We only share your data in the following circumstances:

4.1. Essential Service Providers

We share data with trusted providers who help us operate the platform. All providers are subject to confidentiality agreements and GDPR-equivalent data protection obligations:

  • Hetzner Online GmbH (Germany): application and database server hosting. Servers are located in data centers in Germany (EU), complying with ISO 27001 standards and German security certifications
  • Cloudflare, Inc. (USA/EU): file storage (S3), CDN and DDoS protection. Files are stored in Cloudflare European data centers, protected by Standard Contractual Clauses (SCC) approved by the European Commission
  • Payment processors: Stripe or equivalent providers for card payments (we process only the minimum necessary data and never store complete card data)
  • Transactional email services: to send notifications, account confirmations and necessary service communications
  • Analytics tools: to analyze platform usage through aggregated and anonymized data

4.2. With Your Explicit Consent

  • When you share a project with clients or collaborators within the platform
  • When you expressly authorize integration with third-party services (e.g., Google Drive, calendar)
  • When you request technical support and authorize us to access your account to resolve issues

4.3. By Legal Obligation

  • When required by applicable law, regulation, legal process or governmental request
  • To enforce our Terms of Service and policies
  • To protect our rights, property or security, or those of our users
  • To detect, prevent or address fraud, security or technical issues

4.4. Corporate Operations

In the event of a merger, acquisition, asset sale or insolvency proceedings, personal data may be transferred to successors. We will notify you in advance and inform you of your options regarding your data.

5. Data Location and International Transfers

5.1. Primary Data Location

Application and Database Servers (Hetzner):
Location: Falkenstein and Nuremberg, Germany (European Union)
Data stored: account information, project data, messages, metadata
Certifications: ISO 27001, certification according to German data protection standards

File Storage (Cloudflare R2/S3):
Location: Cloudflare data centers in Europe (mainly Germany, France, Netherlands)
Data stored: documents, images, files uploaded by users
Protection: AES-256 encryption at rest, TLS 1.3 in transit

5.2. Transfers Outside the EEA

When it is necessary to transfer personal data outside the European Economic Area (EEA), we ensure adequate protections through:

  • Standard Contractual Clauses (SCC): contracts approved by the European Commission that guarantee GDPR-equivalent protection
  • Adequacy Decisions: transfers only to countries recognized by the EU with adequate levels of protection
  • Impact Assessments: we perform transfer impact assessments (TIA) according to EDPB recommendations
  • Data minimization: we only transfer data strictly necessary for the specific purpose

5.3. Supplementary Technical Measures

To protect international transfers, we implement additional technical measures such as end-to-end encryption for sensitive data, pseudonymization when possible, and strict access controls.

6. Data Security

We implement high-level technical and organizational security measures to protect your personal data against unauthorized access, loss, alteration or disclosure:

6.1. Technical Measures

  • Robust encryption:
    • TLS 1.3 for data in transit (mandatory HTTPS connections)
    • AES-256 for data at rest (database and files)
    • Column-level encryption for particularly sensitive data
  • Authentication and access control:
    • Multi-factor authentication (MFA) available and recommended
    • Passwords hashed with bcrypt (cost factor 12+)
    • Role-based access control (RBAC)
    • Secure session tokens with automatic expiration
    • Protection against brute force attacks (rate limiting)
  • Network security:
    • Web application firewalls (WAF) through Cloudflare
    • DDoS protection at network and application level
    • Virtual private networks (VPN) for administrative access
    • Network segmentation and principle of least privilege
  • Monitoring and response:
    • Continuous 24/7 monitoring of systems and logs
    • Automatic detection of anomalies and suspicious activities
    • Real-time alert system
    • Audit logging of all critical actions

6.2. Organizational Measures

  • Regular backups: daily encrypted backups, stored in multiple geographic locations, with 30-day retention and restoration capability in less than 24 hours
  • Business continuity plan: documented procedures for disaster recovery (RTO: 4 hours, RPO: 1 hour)
  • Staff training: mandatory annual training in data protection and information security for all employees
  • Incident management: established protocol to respond to security breaches in compliance with GDPR Article 33 (notification within 72 hours)
  • Restricted access: only authorized and necessary personnel have access to personal data, with complete audit logs
  • Security assessments: periodic security audits, annual penetration testing and vulnerability reviews

6.3. Vendor Management

All vendors processing personal data are contractually obligated to maintain equivalent security measures, are regularly audited and must immediately notify us of any security incident.

7. Your Rights Under the GDPR

In accordance with the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

7.1. Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we hold about you, including information about what data we process, for what purposes, with whom we share it and for how long we retain it. Response deadline: 1 month.

7.2. Right to Rectification (Art. 16 GDPR)

You can correct inaccurate or incomplete data at any time through your account settings or by contacting us. Response deadline: 1 month.

7.3. Right to Erasure - "Right to be Forgotten" (Art. 17 GDPR)

You can request the deletion of your personal data in the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent and there is no other legal basis for processing
  • You object to the processing and there are no overriding legitimate interests
  • The data has been processed unlawfully
  • The data must be deleted to comply with a legal obligation

Note: This right is not absolute. We may retain certain data if we are legally required to do so (for example, tax data for 10 years under Spanish law) or if it is necessary to establish, exercise or defend legal claims. Deletion deadline: 90 days from request confirmation.

7.4. Right to Restriction of Processing (Art. 18 GDPR)

You can request that we restrict the processing of your data in the following cases:

  • You contest the accuracy of the data (for the time we need to verify it)
  • The processing is unlawful but you oppose deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (while we verify whether our legitimate grounds override yours)

During restriction, we will only store the data without actively processing it, except for legal claims or with your consent.

7.5. Right to Data Portability (Art. 20 GDPR)

You can receive the personal data you provided to us in a structured, commonly used and machine-readable format (JSON, CSV, XML). You can also request that we transmit this data directly to another controller when technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means. Response deadline: 1 month.

7.6. Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your data at any time when:

  • Processing based on legitimate interest: we will stop processing your data unless we demonstrate compelling legitimate grounds that override your interests
  • Direct marketing: absolute right to object without justification. You can unsubscribe at any time from emails or your account settings
  • Profiling: you can object to automated decisions that produce legal effects or significantly affect you

7.7. Right to Withdraw Consent (Art. 7 GDPR)

When processing is based on your consent, you can withdraw it at any time as easily as you gave it. Withdrawal of consent will not affect the lawfulness of prior processing. Withdrawal takes effect immediately upon request.

7.8. Right Not to be Subject to Automated Decisions (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or significantly affect you. Currently, Tabiquo does not perform automated decision-making of this type.

7.9. How to Exercise Your Rights

To exercise any of these rights:

  • Email: privacy@tabiquo.com
  • Web form: Account Settings → Privacy and Data
  • Postal mail: Andreality S.L., Att: DPO, Pasaje Dr. Bartual Moret 8, 46010 - Spain

Requirements: You must adequately identify yourself to protect the security of your data. We may request additional information to verify your identity before responding to your request.

No cost: Exercising your rights is free. We will only charge a reasonable fee if requests are manifestly unfounded, excessive or repetitive.

7.10. Right to Lodge a Complaint with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent data protection authority:

Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Tel: +34 901 100 099 / +34 912 663 517
Website: www.aepd.es
Electronic office for complaints

We recommend contacting us first to resolve any concerns, but you have the absolute right to go directly to the AEPD if you prefer.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, tax or reporting obligations:

8.1. Specific Retention Periods

  • Active account data: For the duration of the contractual relationship plus 90 days after service cancellation
  • Project content (documents, photos, messages): for the duration of the active subscription plus 90 days after cancellation. After this period, it is permanently and irreversibly deleted
  • Billing and transaction data: 10 years from invoice issuance (Spanish tax legal obligation under General Tax Law)
  • Audit and security logs: 2 years from generation for security and fraud detection purposes
  • Support communications: 3 years from the last interaction for service evidence
  • Marketing data (with consent): Until you withdraw consent or 3 years from your last active interaction with commercial communications
  • Anonymized data for statistics: Indefinitely, as it does not allow identification (usage aggregates, performance metrics)

8.2. Account Deletion Process

When you cancel your account or request deletion of your data:

  1. Immediate deactivation: your account is deactivated and you can no longer access it
  2. 30-day grace period: we keep your data in "pending deletion" state in case you change your mind (you can contact us to recover the account)
  3. Progressive deletion (days 31-90): permanent deletion of all personal data and project content from all systems, backups and copies
  4. Legal retention (after day 90): we only retain data strictly necessary for legal obligations (invoices, tax data) in secure archive systems with restricted access

Important: Data deletion is irreversible after the grace period. Make sure to export any information you need before canceling your account.

8.3. Periodic Review

We periodically review stored data and automatically delete data that has exceeded its necessary retention period, unless there is a legal obligation to retain it longer.

9. Minors

Tabiquo is not intended for minors under 18 years of age. We do not knowingly collect personal data from minors without parental or legal guardian consent.

In Spain, according to the GDPR and LOPDGDD, those over 14 years of age can consent to the processing of their data themselves. However, for the use of Tabiquo (professional B2B service), we require users to be at least 18 years old.

If we discover that we have collected data from a minor without proper authorization, we will delete that information immediately. If you are aware that a minor has provided personal data, please contact: privacy@tabiquo.com

10. Changes to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services or legal requirements. When we make changes:

  • Minor changes (clarifications, corrections): we will update the "Last updated" date at the top of this policy
  • Substantial changes (new purposes, recipients): we will notify you at least 30 days in advance by email and with a prominent notice on the platform
  • Changes requiring consent: we will request your explicit consent before applying the changes to your data

We recommend reviewing this policy periodically to stay informed about how we protect your data. Continued use of the service after changes constitutes acceptance of the updated policy, unless the changes require explicit consent.

11. Contact and DPO

For any questions, requests or concerns about this Privacy Policy or the processing of your personal data:

Data Controller

Company Name: Andreality S.L.
Tax ID: B-10663193
Address: Pasaje Dr. Bartual Moret 8, 46010 - Spain
Email: legal@tabiquo.com

Data Protection Officer (DPO)

Email: dpo@tabiquo.com
Address: Andreality S.L., Att: DPO, Pasaje Dr. Bartual Moret 8, 46010 - Spain

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if you believe your rights have not been respected.
