GDPR Compliance
Last updated: 9 March 2026
This is an English translation provided for convenience. In the event of any discrepancy, the Spanish version prevails.
DealForge is firmly committed to compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD). This page details the technical, organizational and legal measures we implement to protect the personal data of our users and their clients.
1. Data processing principles
All personal data processing carried out by DealForge is governed by the principles set out in Article 5 GDPR:
Lawfulness, fairness and transparency
We process data lawfully, fairly and transparently. Users always know what data we collect and why.
Purpose limitation
Data is collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data minimisation
We collect only the data strictly necessary for each purpose. We do not request unnecessary information.
Accuracy
We keep data up to date and give users tools to correct it at any time.
Storage limitation
Data is kept only for as long as strictly necessary and in line with the legal periods established.
Integrity and confidentiality
We apply technical and organizational measures to ensure data security against unauthorized processing, loss or destruction.
Accountability
We document and demonstrate compliance with all of these principles on an ongoing basis.
2. Legal bases by processing type
| Processing activity | Data processed | Legal basis | Retention |
|---|---|---|---|
| User registration | Name, email, password (hash) | Contract (6(1)(b)) | Contract duration + legal periods |
| CPQ service delivery | Company, products, clients, quotes | Contract (6(1)(b)) | Contract duration + 30 days |
| Payment processing | Email, plan, Stripe ID | Contract (6(1)(b)) | 5 years (tax obligation) |
| AI assistant (Forge) | Queries in page context | Contract (6(1)(b)) | Conversations not stored |
| Transactional notifications | Email, name | Contract (6(1)(b)) | Contract duration |
| Tax data | Tax ID, billing address, invoices | Legal obligation (6(1)(c)) | 5 years (tax law) |
| Service improvement | Aggregated, anonymized data | Legitimate interest (6(1)(f)) | Indefinite (anonymous data) |
3. Technical security measures
Under Article 32 GDPR, we implement the following technical security measures:
3.1. Encryption
- In transit: All communications use HTTPS with TLS 1.2 or higher. HSTS (HTTP Strict Transport Security) is applied with the preload directive.
- At rest: The PostgreSQL database (Supabase/AWS) uses AES-256 encryption at rest for all data volumes.
3.2. Authentication and access control
- Password hashing: bcrypt with a random per-user salt. Passwords are never stored in plain text and cannot be recovered.
- Session tokens: JWTs (JSON Web Tokens) signed with a 256-bit secret key, with configurable time-based expiry.
- Secure cookies: HttpOnly, Secure, SameSite=Lax — inaccessible from client-side JavaScript.
3.3. HTTP security headers
- X-Frame-Options: DENY — Clickjacking protection.
- X-Content-Type-Options: nosniff — MIME sniffing prevention.
- Referrer-Policy: strict-origin-when-cross-origin — Referrer information control.
- Permissions-Policy — Restriction of access to camera, microphone and geolocation.
- Strict-Transport-Security — HSTS with a 2-year max-age, includeSubDomains and preload.
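As an added example (not DealForge's own code), the check below audits a set of response headers against the policy stated in this subsection, reporting each header that is missing or carries a weaker value than documented, so that a deployment can be verified against this page rather than trusted. The two sample responses at the end are constructed for the example, not captured from dealforge.es; the function names and the assumed Permissions-Policy value `camera=(), microphone=(), geolocation=()` are assumptions of the example.

```javascript
// Added example (not DealForge code): audit response headers against the policy
// in section 3.3. Header names are matched case-insensitively, as HTTP requires.
const REQUIRED = {
  'x-frame-options': (v) => v.trim().toUpperCase() === 'DENY',
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'referrer-policy': (v) => v.trim().toLowerCase() === 'strict-origin-when-cross-origin',
  // Each feature must be denied to every origin, i.e. feature=() (assumed policy).
  'permissions-policy': (v) =>
    ['camera', 'microphone', 'geolocation'].every((f) => new RegExp(`(^|,)\\s*${f}=\\(\\)`).test(v)),
  'strict-transport-security': checkHsts,
};

// HSTS must carry max-age of at least 2 years (63072000 s), includeSubDomains and preload.
function checkHsts(v) {
  const d = Object.fromEntries(
    v.split(';').map((p) => { const [k, val] = p.trim().split('='); return [k.toLowerCase(), val]; })
  );
  return Number(d['max-age']) >= 63072000 && 'includesubdomains' in d && 'preload' in d;
}

// Returns a list of findings; an empty list means the response meets the policy.
function auditHeaders(headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    if (!(name in lower)) findings.push(`${name}: missing`);
    else if (!ok(lower[name])) findings.push(`${name}: weak value "${lower[name]}"`);
  }
  return findings;
}

// Constructed sample responses (not captured from a live site).
const weakHeaders = { 'X-Frame-Options': 'SAMEORIGIN', 'Strict-Transport-Security': 'max-age=300' };
const goodHeaders = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
};

// Usage: auditHeaders(weakHeaders) lists five findings; auditHeaders(goodHeaders) is empty.
```

Against a live deployment the same function can be fed `Object.fromEntries(res.headers)` from a `fetch` of the site; a non-empty result means the served headers have drifted from the policy documented here.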
3.4. Infrastructure
- Database hosted in the EU region (eu-west-1, Ireland) of AWS via Supabase.
- Automatic daily database backups.
- Deployment on Vercel with a global edge network and function isolation.
- Environment variables encrypted on the server — never exposed to the client.
4. Organizational security measures
- Least-privilege principle: Each system component and team member accesses only the data strictly necessary for their function.
- Environment separation: Development, testing and production environments are isolated. Production data is never used in development.
- Code review: All code that accesses personal data is reviewed before deployment to production.
- Vulnerability management: Continuous monitoring of dependencies and security updates.
- Infrastructure access control: Access to databases and servers restricted with multi-factor authentication.
5. Sub-processors
Under Article 28(2) GDPR, we disclose the authorized sub-processors with which we share personal data:
| Sub-processor | Service | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Supabase, Inc. (on AWS) | PostgreSQL database | All application data | EU (Ireland, eu-west-1) | Data in the EU, AES-256 at rest, signed DPA |
| Vercel, Inc. | Web hosting and serverless execution | HTTP requests, access logs | US and EU (Edge) | EU-US DPF, SCCs (Decision 2021/914), DPA |
| Stripe, Inc. | Payment processing | Email, name, card data (handled by Stripe) | US and EU | PCI DSS Level 1, EU-US DPF, SCCs, DPA |
| Anthropic, PBC | AI model for the Forge assistant | User queries in page context | US | SCCs, data not used for training, zero-retention API |
All sub-processors have signed Data Processing Agreements (DPAs) compliant with Article 28 GDPR. Users will be notified in advance of any change to the list of sub-processors.
6. Data subject rights
Under Articles 15 to 22 GDPR, data subjects may exercise the following rights:
Right of access (Art. 15)
Obtain confirmation of whether personal data is being processed and, where so, access a copy along with the information in Article 15(1).
Right to rectification (Art. 16)
Request the correction of inaccurate personal data or completion of incomplete data.
Right to erasure — 'right to be forgotten' (Art. 17)
Request deletion of personal data when it is no longer necessary, consent is withdrawn, you object to processing, it has been unlawfully processed, or a legal obligation must be met.
Right to restriction of processing (Art. 18)
Request restriction where the accuracy of the data is contested, the processing is unlawful, the data is no longer needed but you require it for legal claims, or you have exercised the right to object.
Right to data portability (Art. 20)
Receive your personal data in a structured, commonly used and machine-readable format (JSON or CSV) and transmit it to another controller.
Right to object (Art. 21)
Object to data processing based on legitimate interest or for direct marketing.
Right not to be subject to automated decisions (Art. 22)
Not be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. The AI assistant's suggestions are purely indicative and do not constitute automated decisions.
How to exercise your rights
Email info@dealforge.es stating:
- Your full name and the email associated with your account.
- The right you wish to exercise.
- A copy of an identity document so we can verify your identity.
Response time: Within one month of receipt of the request, extendable by a further two months for complex or numerous requests, informing the data subject of the extension within the first month (Art. 12(3) GDPR).
Cost: Free, except for manifestly unfounded or excessive requests (Art. 12(5) GDPR).
7. Record of processing activities (ROPA)
Under Article 30 GDPR, DealForge maintains an up-to-date Record of Processing Activities. A summary follows:
| Activity | Categories of data subjects | Categories of data | Erasure period |
|---|---|---|---|
| User management | Registered users | Identifying, contact | Cancellation + legal periods |
| Sales management (CPQ) | User's clients | Identifying, commercial | Cancellation + 6 years (Commercial Code) |
| Billing | Users on a paid plan | Identifying, financial | 5 years (tax law) |
| AI assistant | Active users | Queries (not stored) | Not retained |
8. Data breach notification
DealForge has a security breach management protocol under Articles 33 and 34 GDPR:
- Detection: Continuous infrastructure monitoring for the early detection of security incidents.
- Notification to the authority: In the event of a breach that may pose a risk to data subjects' rights and freedoms, we will notify the competent supervisory authority no later than 72 hours after becoming aware of it (Art. 33 GDPR).
- Notification to those affected: If the breach may entail a high risk to rights and freedoms, we will inform affected data subjects without undue delay (Art. 34 GDPR).
- Documentation: Every breach is documented in detail, including: the nature of the breach, the categories and number of data subjects affected, likely consequences and measures taken.
- Remediation: Immediate implementation of corrective measures to contain the breach and prevent recurrence.
9. Data Protection Impact Assessment (DPIA)
Under Article 35 GDPR, DealForge has carried out an Impact Assessment in relation to:
- Use of Artificial Intelligence (Forge): The AI assistant processes user queries within the platform context. The impact has been assessed and the following mitigations implemented:
  - Queries are not stored or used to train AI models.
  - No personal data of the user's clients is sent to the AI model — only the current page context.
  - Responses are purely indicative and do not generate automated decisions with legal effects.
- Processing of business data: The processing of client and quote data takes place in the EU with the security measures described in sections 3 and 4.
10. International data transfers
When personal data is transferred outside the European Economic Area (EEA), the following safeguards apply under Chapter V GDPR:
- Adequacy decision: Transfers to the US rely on the EU-US Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023) for certified providers (Stripe, Vercel).
- Standard Contractual Clauses (SCCs): As an additional safeguard, all US providers have signed the SCCs approved by the European Commission (Implementing Decision 2021/914).
- Supplementary measures: Encryption of data in transit and at rest, pseudonymisation where possible, and a case-by-case assessment of the destination country's legal framework.
The main database is hosted in the EU (Ireland). Only the hosting (Vercel), payment (Stripe) and AI (Anthropic) services may involve transfers to the US, always with the safeguards described.
12. DealForge as a processor
When our users enter their own clients' data into the platform, DealForge acts as a processor (Art. 28 GDPR) and the user as controller. In this case:
- DealForge processes the data solely to provide the contracted service, in accordance with the user's instructions.
- We do not use the user's clients' data for our own purposes or share it with unauthorized third parties.
- We guarantee the same technical and organizational security measures described in this document.
- We assist the user in meeting their obligations as controller, including handling data subject rights requests.
- On termination of the service, we delete or return the data according to the user's choice.
Users who process their clients' personal data through DealForge must ensure they have an appropriate legal basis and inform their data subjects in accordance with the GDPR.
13. Data Protection contact
For any question relating to the processing of personal data or the exercise of your rights, you can contact our data protection point of contact:
Data Protection — DealForge
Email: info@dealforge.es
If you believe we have not handled your request appropriately, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es — C/ Jorge Juan, 6 — 28001 Madrid, Spain. EEA and UK users may also contact their local data protection authority.