1. Data Controller
In compliance with EU Regulation 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD), and Law 34/2002 on Information Society Services (LSSI-CE), we inform you that the data controller for your personal data is:
- Data Controller: José Oscar Sánchez González
- Tax ID (NIF): 07992912K
- Address: Calle Galera 35, 1º izq, 28042 Madrid, España
- Phone: +34 694 202 019
- Contact email: soporte@cotizapro.es
- Website: https://cotizapro.es
2. Introduction
At Cotiza, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and protect your information when you use our quote generation platform. This policy complies with the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD).
3. Data Processing Principles
The processing of your data is governed by the principles of Article 5 of the GDPR:
- Lawfulness, fairness and transparency: we process your data lawfully, fairly and transparently
- Purpose limitation: we collect data for specified, explicit and legitimate purposes
- Data minimization: we only process data that is adequate, relevant and necessary
- Accuracy: we keep data accurate and up to date
- Storage limitation: we retain data only for as long as necessary
- Integrity and confidentiality: we ensure the security of data
- Accountability: we are responsible for compliance with these principles
4. Data We Collect
We collect the following types of personal data:
- Identifying data: name, surname, email address, and password to create and manage your account
- Professional data: trade name, tax ID (NIF/CIF), fiscal address, logo, and banking details you add to your profile to issue quotes
- Activity data: information about jobs, materials, prices, and your clients' data that you enter to generate quotes
- Browsing data: pages visited, features used, session time, and service performance
- Technical data: device type, operating system, browser, IP address, and strictly necessary cookies
5. Legal Basis for Processing
The processing of your personal data is based on the following legal grounds (Art. 6 GDPR):
- Contract performance: processing is necessary to provide you with the quote generation service you have contracted (Art. 6.1.b GDPR)
- Consent: for sending marketing communications about news and offers, upon your express request (Art. 6.1.a GDPR)
- Legitimate interest: to improve our services, prevent fraud, and ensure platform security (Art. 6.1.f GDPR)
- Legal obligation: to comply with tax, accounting, and anti-money laundering obligations (Art. 6.1.c GDPR)
6. Purposes of Processing
We process your personal data for the following purposes:
- Service provision: create your account, generate AI-powered quotes, process payments, and manage your subscription
- Service communications: send you confirmations, invoices, security alerts, and notices about service changes
- User support: respond to your inquiries, resolve technical issues, and provide assistance
- Service improvement: analyze platform usage to improve calculation accuracy and user experience
- Legal compliance: comply with tax obligations, respond to authority requests, and exercise or defend claims
7. Artificial Intelligence Processing
Cotiza uses artificial intelligence systems to analyze job descriptions and automatically generate quotes. The data you enter (job description, photographs, voice notes) is processed by our AI providers to calculate materials, time, and prices. This processing is covered by contract performance (Art. 6.1.b GDPR). No automated decisions with legal effects are made without human intervention. You can always review and modify generated quotes before sending them to your clients.
8. Data Recipients
Your personal data may be disclosed to the following recipients:
- Supabase Inc. (USA): database storage and authentication service. SOC 2 Type II certified and compliant with the EU-US Data Privacy Framework.
- Anthropic PBC (USA): AI processing for automatic quote generation. Data processed transiently without permanent retention.
- Stripe Inc. (USA): secure card payment processing. PCI DSS Level 1 certified and compliant with the Data Privacy Framework.
- Vercel Inc. (USA): web application hosting and content delivery. Compliant with the Data Privacy Framework.
- Resend Inc. (USA): transactional email delivery (confirmations, invoices, alerts).
We never sell, rent, or share your personal data with third parties for commercial or advertising purposes.
9. International Transfers
Some of our service providers are located in the United States. These transfers are covered by the EU-US Data Privacy Framework approved by the European Commission, or by EU Standard Contractual Clauses when the provider is not certified under the framework. You can request information about applicable safeguards by contacting us.
10. Retention Periods
We retain your data for the following periods:
- While your account is active and you maintain a contractual relationship with us
- After account deletion: 30 days to delete all your personal data
- Tax data and invoices: 5 years (legal obligation under Spanish General Tax Law)
- Data for claim defense: 3 years (civil action limitation period)
- Access and security logs: 2 years (LOPDGDD)
11. Your Rights
The GDPR and LOPDGDD grant you the following rights over your personal data:
- Right of access (Art. 15 GDPR): obtain confirmation of whether we process your data and access them
- Right to rectification (Art. 16 GDPR): correct inaccurate data or complete incomplete data
- Right to erasure (Art. 17 GDPR): request deletion of your data when no longer necessary or you withdraw consent
- Right to restriction (Art. 18 GDPR): request that we suspend processing in certain circumstances
- Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used format (JSON/CSV)
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent (Art. 7.3 GDPR): withdraw your consent at any time for consent-based processing
To exercise these rights, send an email to soporte@cotizapro.es.
We will respond within a maximum of one month, extendable to two months in complex cases.
If you believe we have not properly addressed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
12. Data Security
We implement appropriate technical and organizational measures to ensure the security of your personal data, including: data encryption in transit using TLS 1.3 and at rest using AES-256; secure authentication with JWT tokens and support for two-factor authentication; automatic daily backups with 30-day retention; role-based access control following the least privilege principle; and continuous monitoring and periodic security audits. Our main providers hold SOC 2 Type II and ISO 27001 certifications.
13. Cookies
We exclusively use strictly necessary technical cookies for the service to function: authentication, language preferences, and payment processing. We do not use analytics, advertising, or tracking cookies. You can find detailed information in our Cookie Policy.
14. Children's Data
Cotiza is a service exclusively intended for professionals and businesses. We do not knowingly collect personal data from children under 14 (Art. 7 LOPDGDD). If you become aware that a minor has provided us with their data, please contact us immediately so we can delete it.
15. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or applicable legislation. We will notify you of substantial changes at least 30 days in advance via email or a prominent notice in the application. The 'last updated' date at the top indicates when it was last modified. We recommend reviewing this policy periodically.
16. Contact and Data Protection Officer
For any questions about this privacy policy, to exercise your rights, or to file a complaint, you can contact us at:
Email: soporte@cotizapro.es
As we do not exceed the thresholds established in Art. 37 GDPR, we are not required to appoint a Data Protection Officer. However, you can direct any privacy inquiries to the email address indicated above.