Privacy Policy and Data Protection

Last updated: 03/03/2026

This Privacy Policy describes how CERP TECHNOLOGY S.L. (hereinafter, "CERP") collects, uses and protects the personal data of users and clients (hereinafter, "the Client") who access our website and contract our software as a service (SaaS).

This policy strictly complies with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).

1. Identity of the Data Controller

  • Owner: CERP TECHNOLOGY S.L.
  • NIF: B24926800
  • Registered Office: Madrid, Spain.
  • Email for privacy matters: admin@cerp.es

2. Data We Collect

As a B2B SaaS platform, we strictly collect only the data necessary for service provision and billing:

  • Contact and account data: Name, surname, corporate email address and position of the legal representative or account administrator.
  • Billing data: Company name, tax ID (NIF/NIT/RUT), fiscal address and payment details. (Security note: Complete credit card data is processed directly by our payment gateway Stripe, Inc., and is not stored on CERP servers).
  • Technical usage data: IP addresses, access logs and system usage metrics to ensure the proper functioning and security of the service.

3. Purpose and Legal Basis for Processing

We process the Client's data for the following purposes and legal bases:

  • Performance of the contract (Art. 6.1.b GDPR): For account creation, provision of SaaS licenses, delivery of consulting services and management of technical support.
  • Compliance with legal obligations (Art. 6.1.c GDPR): Invoice issuance, accounting management and tax declarations (AEAT).
  • Legitimate interest (Art. 6.1.f GDPR): For sending operational communications (system updates, outages, maintenance) and fraud prevention.

4. Data Retention

Billing and contract data will be retained for a minimum period of six (6) years from the termination of the service to comply with Spanish commercial and tax obligations. Usage and access data will be deleted or anonymised once the Client requests definitive cancellation of the SaaS, unless they must be retained for the exercise or defence of claims.

5. Recipients and International Transfers

To provide the service, CERP shares data exclusively with top-tier technology providers acting as Data Processors:

  • Hosting and Servers: SaaS data is hosted on servers located in Belgium (within the European Economic Area), ensuring the highest GDPR security standards.
  • Payment Gateway: Stripe, Inc. (Used for subscription and billing).

When selling in LATAM, international data transfers outside the EEA are carried out under the Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring maximum security.

6. Role of CERP as "Data Processor" (SaaS)

In relation to the information, databases, know-how and personal data of third parties that the Client enters, uploads or manages within CERP's SaaS software, the Client acts as Data Controller and CERP acts exclusively as Data Processor. CERP is limited to providing the technical infrastructure and will not use such data for its own purposes nor transfer it to third parties. The detailed relationship on this matter is governed by our Data Processing Agreement (DPA), available upon request.

7. User Rights (ARCO+ Rights)

The Client may exercise at any time their rights of:

  • Access, Rectification and Erasure of their data.
  • Restriction of and Objection to processing.
  • Data portability.

To exercise these rights, the Client must send an email to admin@cerp.es attaching a copy of an identity document and indicating the right they wish to exercise. We also inform you of your right to file a complaint with the Spanish Data Protection Agency (AEPD) if you consider that your rights have been violated.