Privacy Policy

Last updated: 2026-04-23

This privacy policy explains how Zyntem ("we", "us") processes personal data when you use the Zyntem API, developer dashboard, and associated websites. We act as a data processor for transaction data submitted by customers to European tax authorities, and as a data controller for account and billing data.

1. Data we collect

  • Account data. Name, business email, company name, country of establishment, and hashed credentials when you register for a dashboard account.
  • API keys. We store only a one-way hash of each API key; the plaintext value is shown once at creation and cannot be recovered afterwards.
  • Transaction data. Fiscal documents (invoices, receipts, and the fields required for signing and submission) that you send to our API. These may contain your end-customers' tax identifiers and purchase details when local law requires them.
  • Operational telemetry. IP address, User-Agent, request timing, and error traces used for abuse prevention, debugging, and capacity planning.
  • Billing data. Subscription tier, location count, invoice history, and VAT number when applicable. Payments are processed by a third-party PCI-DSS provider; we never store full card numbers.

2. Legal basis (GDPR Art. 6)

We rely on the following lawful bases, depending on the processing activity:

  • Contract (Art. 6(1)(b)). Delivering the API, maintaining your account, and issuing invoices.
  • Legal obligation (Art. 6(1)(c)). Retaining fiscal-submission evidence for the periods required by each supported tax authority (e.g. 4 years ES, 10 years IT, 6 years FR, 10 years PT).
  • Legitimate interest (Art. 6(1)(f)). Abuse prevention, security monitoring, and aggregated product analytics.

3. Data retention

  • Transaction submissions: retained for the longest period required by the applicable tax authority, then purged or archived as specified in the Data Processing Addendum.
  • Account data: retained for the lifetime of the account, plus 24 months for statutory accounting.
  • Operational logs: 90 days by default, longer only when required for an active security investigation.

4. Recipients and sub-processors

Personal data is disclosed only to the recipients and sub-processors required to deliver the service:

  • European tax authorities. Fiscal documents are submitted to the competent authority in each supported country (AEAT in Spain, Agenzia delle Entrate / SdI in Italy, DGFiP in France, AT in Portugal) as required by law.
  • Stripe Payments Europe, Ltd. (Ireland) — billing and payment processing. Stripe acts as an independent controller for card data under its own privacy policy.
  • Anthropic, PBC (United States, optional) — used only when a customer opts in to AI-assisted error translation. No fiscal submission content is sent to Anthropic without explicit opt-in.
  • Cloud hosting and operational tooling. EU-based providers for hosting (GCP europe-west1), email delivery, and error reporting. The current list is maintained in the Data Processing Addendum.

We notify customers at least 30 days before adding or replacing a sub-processor, and offer a right to object for material changes. A full list of sub-processors, transfer safeguards, and Art. 28 obligations is in the Data Processing Addendum.

5. International transfers

Primary infrastructure is hosted in the EU (europe-west1). The only routine transfer outside the EEA is to Anthropic in the United States, and only where a customer has opted in to AI-assisted error translation. That transfer is governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Modules 2 and 3 as applicable), together with the supplementary measures described in our transfer-impact assessment, which is available on request. Where data is transferred outside the EEA for support or redundancy purposes, the same SCC framework applies.

6. Your rights

Under the GDPR you may request access, rectification, erasure, restriction, portability, and objection, and withdraw any consent previously given (without affecting the lawfulness of processing before withdrawal). For transaction data we act as a processor; please raise rights requests with the controller (the merchant) first. For account data you can email us directly.

You also have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the alleged infringement (GDPR Art. 77). The list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en.

7. Contact

Data protection queries: privacy@zyntem.dev. Company and supervisory-authority details are listed in the imprint.