Privacy Policy and Data Protection
Last updated: 08/06/2026
This Privacy Policy describes how CERP TECHNOLOGY S.L. (hereinafter, "CERP") collects, uses and protects the personal data of users and clients (hereinafter, "the Client") who access our website and contract our software as a service (SaaS).
This policy strictly complies with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
1. Identity of the Data Controller
- Owner: CERP TECHNOLOGY S.L.
- NIF: B24926800
- Registered Office: Madrid, Spain.
- Email for privacy matters: admin@cerp.es
2. Data We Collect
As a B2B SaaS platform, we strictly collect only the data necessary for service provision and billing:
- Contact and account data: Name, surname, corporate email address and position of the legal representative or account administrator.
- Billing data: Company name, tax ID (NIF/NIT/RUT), fiscal address and payment details. (Security note: Complete credit card data is processed directly by our payment gateway Stripe, Inc., and is not stored on CERP servers).
- Technical usage data: IP addresses, access logs and system usage metrics to ensure the proper functioning and security of the service.
- Social sign-in profile data: If you sign in with Google or Apple, we receive your name, email address and, where available, your profile picture from the identity provider (see section 8).
3. Purpose and Legal Basis for Processing
We process the Client's data for the following purposes and on the following legal bases:
- Performance of the contract (Art. 6.1.b GDPR): For account creation, provision of SaaS licenses, delivery of consulting services and management of technical support.
- Compliance with legal obligations (Art. 6.1.c GDPR): Invoice issuance, accounting management and tax declarations (AEAT).
- Legitimate interest (Art. 6.1.f GDPR): For sending operational communications (system updates, outages, maintenance) and fraud prevention.
- Performance of the contract (Art. 6.1.b GDPR): Authentication (including social sign-in) and the artificial-intelligence features that form part of the service.
- Consent / legitimate interest (Art. 6.1.a / 6.1.f GDPR): Usage analytics and non-essential cookies, which require your consent, and product-improvement metrics.
4. Data Retention
Billing and contract data will be retained for a minimum period of six (6) years from the termination of the service to comply with Spanish commercial and tax obligations. Usage and access data will be deleted or anonymised once the Client requests definitive cancellation of the SaaS, unless they must be retained for the exercise or defence of claims.
5. Recipients and International Transfers
To provide the service, CERP relies on technology providers that act as Data Processors or Sub-processors on its behalf. The main ones are:
- Authentication and identity: Auth0 / Okta, Inc. (USA), including social login with Google and Apple.
- Artificial intelligence: Anthropic, PBC (USA) — analysis of documents, budgets and tender files, and assistants.
- Payment gateway: Stripe, Inc. (USA / EU) — subscription and billing.
- Backend hosting: Google Cloud (Google LLC), in the Madrid and Belgium regions (EU).
- Frontend hosting and usage analytics: Vercel, Inc. (USA).
- Database: MongoDB Atlas (MongoDB, Inc.).
- Integrations (opt-in by the user): Composio — connection with Gmail, Outlook, Calendar, Drive, OneDrive, Teams, Slack, Notion and WhatsApp.
- Messaging: WhatsApp Business API — Meta Platforms, Inc. (USA / Ireland).
Some of these providers are located in the United States. For those international transfers we rely, depending on the provider, on: (a) the EU-US Data Privacy Framework adequacy decision when the importer is certified under it; or (b) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by a transfer impact assessment and additional technical and organisational measures (encryption in transit and at rest, access controls), in accordance with the Schrems II ruling. The SaaS database is hosted within the European Economic Area.
6. Role of CERP as "Data Processor" (SaaS)
In relation to the information, databases, know-how and third-party personal data that the Client enters, uploads or manages within CERP's SaaS software, the Client acts as Data Controller and CERP acts as Data Processor, processing such data solely on the Client's documented instructions and for the exclusive purpose of providing the service. CERP does not use that data for its own purposes.
This processing is governed by a Data Processing Agreement (DPA) that complies with Article 28 GDPR and forms part of the Terms accepted on sign-up. It regulates, among other matters: confidentiality, security measures, the authorisation of the sub-processors listed in section 5 of this policy (with the Client's right to object to changes), assistance with data subject rights, notification of personal data breaches without undue delay, and the return or deletion of the data upon termination of the service.
7. Use of Artificial Intelligence
CERP includes artificial-intelligence features that help analyse documents, budgets and tender files and provide assistants and chat. To deliver these features, the relevant content and project data are processed by Anthropic, PBC (USA), acting as our sub-processor, with the international transfer safeguards described in section 5.
Anthropic does not use the data sent through its API to train its models. The AI features are assistive: their outputs support the user's decisions and do not produce legal or similarly significant effects on individuals on a solely automated basis. Confidential tender documents processed through the desktop application are kept locally on the user's device.
8. Sign-in with Google and Apple
If you choose to sign in with Google or Apple, we receive from the identity provider the data needed to create and identify your account: your name, your email address and, where available, your profile picture. We obtain this data from Google (Google LLC) or Apple Inc. as the source, and we process it to authenticate you and provide the service (Art. 6.1.b GDPR). We do not receive your password from these providers.
9. Cookies
A cookie is a small text file that a website stores on your device when you visit it. Cookies allow the site to remember your preferences, keep your session active and collect anonymous usage information to improve the service. Below we detail the cookies used on cerp.es and app.cerp.es.
Types of cookies we use
| Name | Owner | Purpose | Type | Duration |
|---|---|---|---|---|
| cerp_session | CERP (first-party) | Maintains the active session (access token) | Technical / necessary | Session |
| cerp_refresh | CERP (first-party) | Securely renews the user session | Technical / necessary | Session |
| cerp_oauth_state | CERP (first-party) | Security for Google/Apple sign-in (CSRF protection) | Technical / necessary | ~10 minutes |
| _ga, _ga_* | Google LLC (USA) | Website usage analytics | Analytics (third-party) | Up to 24 months |
| _fbp | Meta Platforms (USA) | Advertising measurement (Meta Pixel) | Advertising (third-party) | 3 months |
Technical / necessary cookies (cerp_session, cerp_refresh, cerp_oauth_state) are exempt from consent under Art. 22.2 of the Spanish LSSI-CE, as they are strictly essential for the service to function. Analytics and advertising cookies are only installed after you give explicit consent via the cookie banner. We also use Vercel Web Analytics, a cookieless, aggregated telemetry service that does not place cookies on your device.
Managing your consent
On your first visit you will see a cookie banner where you can accept all cookies or reject the non-essential ones. You may withdraw or change your consent at any time, with the same ease as it was given, by reopening the cookie preferences panel. We do not rely on "consent by browsing" or scrolling: consent is only considered given when you actively click "Accept".
How to disable cookies in your browser
In addition to our preferences panel, you can block or delete cookies from your browser settings (Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Edge all offer this under their privacy / cookies settings). Please note that disabling the technical / necessary cookies may prevent you from signing in to the application.
10. Security Measures
CERP applies appropriate technical and organisational measures to protect personal data, including encryption in transit (HTTPS) and at rest, role-based access controls, httpOnly/Secure session cookies, multi-tenant data isolation, activity logging and regular backups. In the event of a personal data breach, CERP will act in accordance with Articles 33 and 34 GDPR and, where it acts as processor, will notify the affected Client without undue delay.
11. User Rights (ARCO+ Rights)
The Client may, at any time, exercise the following rights:
- Access, Rectification and Erasure of their data.
- Restriction of and Objection to processing.
- Data portability.
To exercise these rights, send an email to admin@cerp.es from the email address associated with your account, indicating the right you wish to exercise. As a general rule a copy of an identity document is not required; we will only ask for additional, proportionate information to confirm your identity if we have reasonable doubts about it. We also inform you of your right to file a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) if you consider that your rights have been violated.