Privacy policy
SACO (Safe Contract) is a digital platform for signing and archiving private agreements. This policy explains what personal data we process, why, with whom we share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Spain's LOPDGDD (Organic Law 3/2018).
1. Who is the data controller
The data controller for personal data processed through SACO is the entity below. You can contact us or our Data Protection Officer (DPO) at the addresses provided.
The company entity is in the final stages of incorporation, and our final registration details have not yet been published. The privacy and DPO mailboxes above are live and monitored.
2. Scope of this policy
This policy applies to:
- Visitors to our marketing site (saco.app and localised subpaths);
- Registered users who create, send, pay for, or receive contracts on SACO;
- Counterparties who are invited to review and sign a contract by a SACO customer, even when they do not hold a SACO account;
- People who contact us through forms, email, or request a product demo.
Some pages or flows are operated by third parties on our behalf — notably Tecalis (the electronic identification and signing provider) and Stripe (payments). Where that is the case, those providers may also process your personal data as independent controllers or joint controllers; we call this out in section 5.
3. What personal data we process
We only collect data that is necessary to provide a trustworthy signing service and to comply with our legal obligations. The main categories are:
- Account data — email address, encrypted password, language preference, authentication tokens, and (optionally) name and profile details.
- Contract data — the content of the contracts you upload or compose, party names and email addresses, any fields you fill in, timestamps, the pre-sign and post-sign cryptographic hashes (SHA-256), and the final signed PDF.
- Identity verification data (KYC, when purchased) — ID document images, selfie capture, liveness-check results, and verification outcome. The data is captured directly by Tecalis; SACO receives only the verification outcome and a reference ID, never the raw biometric material.
- Signing ceremony data — one-time-password dispatch and verification timestamps, IP address and user agent of the signer, and the Tecalis audit report.
- Payment data — billing address, VAT number (if provided), Stripe customer and subscription IDs, amount paid, invoice number, and transaction status. The card number / PAN is entered directly on a Stripe-hosted element and never reaches SACO servers.
- Usage and technical data — log entries, IP address, user agent, page timings, consent records, and security-related events (failed logins, rate-limit triggers).
- Communications — messages you send us through forms or email, and our replies.
We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with data, please contact us and we will delete it.
4. Purposes and lawful bases
We process each category of data only for the purposes listed below, each on a specific GDPR lawful basis (Article 6 GDPR; Article 9 for special categories).
| Purpose | Lawful basis | Notes |
|---|---|---|
| Providing the SACO service: account creation, contract dispatch, signing, storage, download. | Article 6(1)(b) — performance of the contract with you. | Without this data we cannot execute and archive your agreement. |
| Identity verification (KYC) when you purchase the add-on. | Article 6(1)(b), and explicit consent under Article 9(2)(a) for the biometric data captured by Tecalis. | You may sign without KYC if your plan allows it; the add-on is always optional. |
| Taking payment, issuing invoices, VAT reporting. | Article 6(1)(b) and Article 6(1)(c) — legal obligation (Spanish tax law). | Invoice data is retained for the statutory period even after account deletion. |
| Sending transactional emails about your contracts (sent, accepted, paid, signed, archived). | Article 6(1)(b). | These are service messages, not marketing. You cannot opt out while the contract is active. |
| Marketing emails, product newsletters. | Article 6(1)(a) — consent, freely given and withdrawable at any time. | Only sent if you opt in. Every message includes an unsubscribe link. |
| Platform audit log (app.contract_audit_events). | Article 6(1)(c) and Article 6(1)(f) — legitimate interest in evidential integrity. | Source of truth for dispute resolution. Append-only, hash-chained. |
| Security, fraud prevention, abuse detection, rate limiting. | Article 6(1)(f) — legitimate interest in keeping the service safe. | We do not use this data to profile users or take automated decisions with legal effect. |
| Blockchain anchoring of signed-document hashes on Arweave (add-on). | Article 6(1)(a) — explicit, separate consent acknowledging permanence. | Only a SHA-256 hash is anchored. It is not reversible to the document content, but it cannot be removed. |
| Legal defence, responding to authorities, exercising our rights. | Article 6(1)(c) and Article 6(1)(f). | Only what is strictly necessary, and only when legally required. |
5. Who we share data with
We do not sell personal data. We share data only with the processors and providers below, each under a written data-processing agreement that meets the requirements of Article 28 GDPR. Some providers act as independent controllers for parts of the journey; where that is the case we note it in the table.
| Provider | Role | Purpose | Location |
|---|---|---|---|
| Tecalis | Processor (signing) and independent controller (for KYC identity data it captures directly) | Identity verification, OTP dispatch and verification, signing ceremony, audit report generation. | European Union (Spain) |
| Amazon Web Services (S3) | Processor | Encrypted storage of drafts, signed PDFs, and audit reports for the retention window. | European Union (Ireland / Frankfurt) |
| Supabase | Processor | Managed PostgreSQL database, authentication, and file metadata storage. | European Union |
| Stripe | Independent controller for payment card data; processor for billing metadata. | Payment processing, card tokenisation, tax calculation, invoicing, SCA / 3-D Secure. | European Union / United States under the EU–US Data Privacy Framework and SCCs. |
| Arweave / ArDrive (blockchain add-on only) | Independent public ledger | Permanent anchoring of the SHA-256 hash of the signed PDF. We anchor no personal data. | Distributed, global. Anchored entries are immutable by design. |
| Mailgun (or equivalent transactional provider) | Processor | Dispatch of transactional email (sent, accepted, paid, signed, audit report). | European Union region |
| ClamAV (self-hosted) or equivalent | Processor | Scanning uploaded files for malware before they are written to storage. | Within our EU infrastructure |
| Google reCAPTCHA | Independent controller | Bot-protection on public forms (contact, login). Activated only on form submission. | United States under SCCs. Data minimised to risk score and required metadata. |
6. International transfers
Our primary infrastructure is hosted in the European Union. Where a limited subset of data is transferred outside the EU/EEA (for example to Stripe or Google reCAPTCHA in the United States), we rely on one of the transfer mechanisms recognised under Chapter V of the GDPR:
- The European Commission's adequacy decision and the EU–US Data Privacy Framework, where the recipient is a certified participant; and
- Standard Contractual Clauses (SCCs) approved by the European Commission, with supplementary technical and organisational measures where required by the Schrems II ruling.
You may request a copy of the safeguards in place for any specific transfer by emailing dpo@saco.app.
7. How long we keep data
We apply strict retention limits. Documents and personal data are deleted when they are no longer necessary for the purpose for which they were collected, unless a legal obligation requires us to keep them longer.
| Data category | Retention period |
|---|---|
| Signed contracts, draft PDFs, audit reports (in Amazon S3) | Five (5) years from the signing date. An automated job hard-deletes the files at retention_expires_at. |
| Platform audit events (app.contract_audit_events) | Retained as metadata (hashes, timestamps, event type) beyond document deletion for evidential integrity. No document content is stored here. |
| Account data for users with no active subscription or open contract | Deleted 24 months after the last activity, or on request. |
| Invoices and tax records | Retained for the period required by Spanish commercial and tax law (generally 4 to 6 years). |
| Security and access logs | Up to 12 months, then aggregated or deleted. |
| Marketing consent and unsubscribe records | For the duration of the consent plus proof-of-consent retention (typically 3 years). |
| Blockchain-anchored SHA-256 hashes (Arweave) | Permanent and immutable by design of the Arweave protocol — this is why the add-on requires explicit, separate consent. |
8. Your rights under the GDPR
As a data subject you have the following rights. You can exercise any of them by emailing privacy@saco.app. We will respond within one month. If the request is complex we may extend by two further months and will tell you why.
- Access — obtain confirmation of whether we process your data and a copy of that data.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your data when one of the GDPR grounds applies. Important limits: once a contract is signed we may be required by its evidential purpose and by law to retain certain records until the retention window expires; Arweave-anchored hashes cannot be revoked (see below).
- Restriction — ask us to limit processing while a complaint is being resolved.
- Portability — receive the data you have provided in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interest or to direct marketing at any time.
- Withdraw consent — where processing relies on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Not be subject to solely automated decisions with legal or similarly significant effects. We do not take such decisions.
- Complain to a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD). You can also contact the authority in your EU country of residence.
Arweave limitation: if you purchased the blockchain-anchoring add-on, the SHA-256 hash of your signed document was stored on a public, immutable ledger with your explicit prior consent. This hash is not personal data by itself (it is a one-way cryptographic digest) and, by design of the underlying network, it cannot be deleted on request. We explain this in plain language at the moment of purchase and record your consent as an audit event before anchoring.
10. Security
We apply technical and organisational measures proportionate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for stored documents and backups;
- Row-level security on every database table, scoped by authenticated user;
- Password hashing with industry-standard KDFs and multi-factor authentication on admin access;
- Virus scanning of every uploaded file before storage;
- Rate limiting and bot-protection on public endpoints;
- Append-only, hash-chained audit log for every contract state transition;
- Least-privilege access control for personnel with documented review cadence.
In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the AEPD within 72 hours and, where legally required, notify the affected users without undue delay.
11. Counterparties invited to sign
When a SACO customer invites you as a counterparty to review and sign a contract, we process the minimum data necessary to deliver the signing flow: your email address, the content of the contract you are asked to sign, the timestamps of your review and signature, your IP address and user agent at the moment of signing, and (if the initiator purchased the KYC add-on) the identity-verification outcome captured by Tecalis.
You may exercise any GDPR right against us directly (see section 8). For questions about the content of the contract or the reason you were invited, please contact the SACO customer who sent it — they are the controller of that content.
12. Changes to this policy
We may update this policy to reflect changes in our service, our processors, or the law. Material changes are communicated by email to registered users at least 15 days before they take effect. The "Last updated" date at the top always reflects the most recent revision.
13. Contact
For any privacy-related question or request, please contact:
- General privacy mailbox: privacy@saco.app
- Data Protection Officer: dpo@saco.app
- Spanish supervisory authority: Agencia Española de Protección de Datos
- European Data Protection Board: edpb.europa.eu