Last updated: April 22, 2026
1. Data controller
In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), we inform you that the data controller is:
- Controller: Genki Cáceres Guzman
- Tax ID (NIF): 13312886A
- Address: Av. Jacinto Benavente 25, 46005, Valencia, Spain
- Email: main.genki@gmail.com
2. Data we collect
We collect the following categories of personal data:
2.1. Account data
When registering through Clerk (our authentication provider), we collect:
- First and last name
- Email address
- Profile picture (if registering via Google OAuth)
- Unique user identifier (Clerk ID)
Purpose: Service provision, account management and communication with the user.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.2. Service usage data
- Credits consumed and available balance
- Tools used and dates of use
- Number of files and pages processed per job
- Output formats selected
Purpose: Service provision, billing, internal audit and service improvement.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).
2.3. Technical data
- IP address
- Browser type and operating system
- HTTP request data (method, URL, response code)
Purpose: Service security, abuse detection and rate limiting.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
2.4. Contact data
When using the contact form, we collect: name, email and message content.
Purpose: Responding to the user's inquiry.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or consent (Art. 6(1)(a) GDPR).
2.5. Billing data (future)
When paid plans are implemented, billing data (name, address, tax ID) will be collected through Stripe. Credit/debit card data is managed entirely by Stripe and is never stored on our servers.
Purpose: Billing and compliance with tax obligations.
Legal basis: Legal obligation (Art. 6(1)(c) GDPR) and performance of a contract (Art. 6(1)(b) GDPR).
3. User-uploaded documents
This section is particularly important. idpura is a document processing tool. PDF and DOCX files uploaded by users may contain personal data of third parties (e.g., invoices with names, tax IDs, addresses).
3.1. Processing roles
Regarding uploaded documents:
- The user is the data controller of personal data contained in their documents. It is the user's obligation to ensure they have a legal basis for processing such data and that they comply with applicable data protection regulations.
- idpura acts as a data processor (Art. 28 GDPR), processing documents solely to provide the extraction service requested by the user.
3.2. Document processing
- Original documents are processed in memory and deleted immediately after extraction is complete. No copies are stored on disk.
- Extraction results are temporarily stored on the server with automatic deletion after 24 hours.
- We do not access the content of user documents except to perform the requested extraction.
3.3. No use for AI training
idpura does not use user documents or extracted data to train, improve or fine-tune any artificial intelligence or machine learning models. Documents are processed exclusively to provide the requested extraction service.
When tools using third-party AI (such as Google Gemini) are implemented, documents will be temporarily sent to the corresponding API for processing and will not be stored or used by the AI provider for training, in accordance with the provider's Data Processing Addendum.
4. Recipients and sub-processors
Personal data may be shared with the following third parties, exclusively for the purposes indicated:
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Clerk Inc. | Authentication and user management | Name, email, profile picture, session | United States |
| Hetzner Online GmbH | Server hosting (VPS) | All data processed by the platform | Germany (EU) |
| n8n (self-hosted) | Contact form processing | Name, email, contact message | Germany (EU) — same VPS |
| Google LLC (future) | Gemini API — AI document processing | Document content (temporarily) | United States |
| Stripe Inc. (future) | Payment gateway | Billing and payment data | United States |
We do not sell, rent or share personal data with third parties for marketing or advertising purposes.
5. International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA), particularly in the United States. These transfers are made with the following safeguards under Articles 44 to 49 of the GDPR:
- Clerk Inc. (US): Standard Contractual Clauses (SCCs) of the European Commission, included in Clerk's Data Processing Agreement (DPA).
- Google LLC (US, future): Standard Contractual Clauses (SCCs) and Google Cloud Data Processing Addendum.
- Stripe Inc. (US, future): Standard Contractual Clauses (SCCs) and PCI DSS Level 1 certification for payment data.
idpura's main server is located in Germany (Hetzner Online GmbH), within the EEA, so the main data processing does not involve international transfer.
6. Data retention periods
| Data type | Retention period |
|---|---|
| Original uploaded documents | Immediate deletion after processing |
| Extraction results | 24 hours — automatic deletion from the server |
| Account data (Clerk) | While the account is active. Deleted upon user request. |
| Transaction history | Duration of contractual relationship + legal tax retention period (4 years, Art. 66 Spanish General Tax Law) |
| Billing data | Legal obligation: 4 years (General Tax Law) / 6 years (Commercial Code Art. 30) |
| Contact data (form) | Until the inquiry is resolved, maximum 12 months |
| Technical data (logs) | Maximum 90 days |
7. User rights
In accordance with Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:
- Access (Art. 15 GDPR): Know what personal data we process and obtain a copy.
- Rectification (Art. 16 GDPR): Correct inaccurate data or complete incomplete data.
- Erasure (Art. 17 GDPR): Request the deletion of your personal data ("right to be forgotten").
- Restriction of processing (Art. 18 GDPR): Request the restriction of processing in certain circumstances.
- Data portability (Art. 20 GDPR): Receive your data in a structured, commonly used and machine-readable format.
- Objection (Art. 21 GDPR): Object to the processing of your data on grounds relating to your particular situation.
- Not to be subject to automated decisions (Art. 22 GDPR): Not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
To exercise these rights, send an email to main.genki@gmail.com indicating which right you wish to exercise and attaching a copy of your identification document.
Response time: 30 days from receipt of the request. This period may be extended by up to 60 additional days if the complexity or number of requests justifies it, with prior notice to the data subject (Art. 12(3) GDPR).
If you believe that the processing of your data does not comply with applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es, C/ Jorge Juan 6, 28001 Madrid, Spain.
8. Data security
We implement appropriate technical and organizational measures to ensure the security of personal data, in accordance with Article 32 of the GDPR:
- Encrypted communication via HTTPS/TLS on all connections.
- Secure authentication using asymmetric key-signed JWTs (Clerk).
- Dedicated server in Germany (Hetzner), not sharing infrastructure with third parties.
- Password-protected databases with restricted access.
- Automatic deletion of original documents after processing.
- Automatic deletion after 24 hours for temporary results.
- Distributed locks for critical operations (credits).
- Rate limiting to prevent abuse (60 requests/minute).
9. Minors
The service is intended for users aged 18 and over. idpura does not knowingly collect personal data from individuals under 18 years of age.
If you become aware that a person under 18 has used the service, please contact us at main.genki@gmail.com so we can delete their data.
10. Use of artificial intelligence
Currently, idpura uses deterministic processing (no AI) for native document data extraction.
In the future, tools using third-party AI (Google Gemini API) will be implemented for processing scanned documents and structured field extraction. When this happens:
- Documents will be temporarily sent to the Google API for processing.
- Google will not store the documents or use them to train its models, in accordance with Google Cloud's Data Processing Addendum.
- Results will be temporarily stored on our servers (24 hours) and then automatically deleted.
- Users will be informed before using AI tools and of the associated credit cost.
idpura does not make automated decisions with legal effects on users within the meaning of Article 22 of the GDPR. Data extraction is a tool that users use under their own responsibility and judgment.
11. Changes to this policy
We reserve the right to modify this Privacy Policy to adapt it to legislative, jurisprudential or business practice developments. Any changes will be published on this page with the corresponding update date.
For substantial changes affecting the processing of personal data, we will notify registered users by email with a minimum of 30 days' notice.