Privacy Policy

1. Data controller

2. Data we collect

We only collect the data needed to provide our service. Data is obtained directly from the user when registering and using the platform:

2.1. Registration and account data

• Full name
• Email address
• Password (stored with bcrypt hashing, never in plain text)

2.2. Company data

• Company name, tax/VAT number
• Billing address, city, country
• Phone, contact email, website
• Logo (if uploaded voluntarily)

2.3. Business data

• Client and contact information that the user enters into the platform
• Products, prices and generated quotes
• Activity history within the platform

2.4. Payment data

Payment data (credit card, bank details) is handled directly by Stripe, Inc. under the PCI DSS Level 1 standard. DealForge does not store, process or have access to full card data.

2.5. Technical data

• IP address (in server logs, not linked to the user profile)
• Browser type and operating system (standard HTTP headers)

3. Purposes of processing

• Service delivery: Enabling access, product configuration, quote generation and use of the AI assistant (Forge).
• Account management: Authentication, password recovery, profile management.
• Billing and payments: Processing subscriptions and issuing invoices through Stripe.
• Service communications: Transactional notifications (account confirmation, plan changes, quote approvals, security alerts).
• Product improvement: Aggregated, anonymized analysis of platform usage to improve features.
• Legal compliance: Data retention in line with applicable tax and legal obligations.

4. Legal basis for processing

5. Recipients and processors

We do not sell, rent or share your personal data with third parties for commercial purposes. Data is shared only with the following processors, which are necessary to deliver the service:

All processors have signed agreements ensuring GDPR compliance under Article 28.

6. International data transfers

Some of our providers are based in the United States. These transfers are made with the following appropriate safeguards under Article 46 GDPR:

• EU-US Data Privacy Framework (DPF): Stripe and Vercel are certified under the EU-US Data Privacy Framework, recognized as adequate by the European Commission (Adequacy Decision of 10 July 2023).
• Standard Contractual Clauses (SCCs): All US providers have signed the Standard Contractual Clauses approved by the European Commission (Decision 2021/914).
• Supplementary measures: Encryption in transit (TLS 1.2+) and at rest for all transferred data.

7. Retention periods

• Account data: For as long as the contractual relationship lasts. After cancellation, kept blocked for the applicable legal periods.
• Tax and billing data: 5 years under Spanish tax law (Art. 70, General Tax Act 58/2003).
• Business data (quotes, clients): 6 years under Art. 30 of the Spanish Commercial Code.
• Technical logs: Maximum 12 months.
• Consents: For the duration of processing and the limitation periods for possible legal actions.

Once these periods expire, data is securely and irreversibly deleted.

8. Your rights

Under the GDPR, you may exercise the following rights at any time:

• Access (Art. 15): Obtain confirmation of whether we process your data and access a copy.
• Rectification (Art. 16): Request the correction of inaccurate or incomplete data.
• Erasure (Art. 17): Request the deletion of your data when it is no longer necessary, you withdraw consent, or you object to processing.
• Restriction (Art. 18): Request the restriction of processing in certain circumstances.
• Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON/CSV).
• Objection (Art. 21): Object to processing based on legitimate interest or for direct marketing.

9. Cookies

DealForge uses exclusively essential, technical cookies needed for the platform to work:

• Session cookie (JWT): User authentication. Stored as an HttpOnly, Secure, SameSite=Lax cookie. Expires on logout or after 7 days.

On the public marketing site we additionally use analytics cookies (Google Analytics) subject to your consent via the cookie banner. The logged-in application uses only essential cookies.

10. Minors

DealForge is a B2B service aimed at businesses and professionals. It is not intended for anyone under 18. We do not knowingly collect personal data from minors. If we detect that a minor has registered, we will delete their account and personal data immediately. If you are a parent or legal guardian and believe a minor has provided personal data, contact us at info@dealforge.es.

11. Security measures

We implement appropriate technical and organizational measures under Article 32 GDPR:

• Encryption in transit: All communications use HTTPS with TLS 1.2 or higher.
• Encryption at rest: The database uses AES-256 encryption at rest (Supabase/AWS).
• Password hashing: Passwords are stored with salted bcrypt hashing, making them unrecoverable.
• Session tokens: JWTs signed with a secret key, with time-based expiry.
• Security headers: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy.
• Least-privilege principle: Each system component accesses only the data strictly necessary.

12. Changes to this policy

We reserve the right to update this Privacy Policy to reflect changes in our practices or for legal reasons. For substantial changes, we will notify you at least 30 days in advance by email or via an in-app notice. The date of the last update is shown at the top of this document.

13. Supervisory authority

If you believe the processing of your personal data infringes applicable law, you have the right to lodge a complaint with a supervisory authority. As the controller is established in Spain, the competent authority is:

EEA and UK users may also contact their local data protection authority. In any case, we kindly ask that you contact us first at info@dealforge.es so we can try to resolve any issue amicably.