Privacy Policy

How PayShield collects, uses, shares, and protects your personal data — under the EU General Data Protection Regulation (GDPR) and Spain's LOPDGDD.

Last updated:

This Privacy Policy explains how Damian Diaz, with address at Carabelos 28 ("we", "us", or "PayShield"), processes personal data in connection with the website payshield.app and the PayShield service (the "Service").

We comply with Regulation (EU) 2016/679 ("GDPR") and Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD").

1. Data controller and contact

For data you provide to us as a PayShield user (your account, your billing, your interactions with our marketing pages and free tools), the data controller is:

We have not appointed a Data Protection Officer, as we are not legally required to do so under Article 37 GDPR.

2. Controller vs. processor

When you use the Service to manage your end clients (e.g., portals, contracts, invoices, demand letters), you are the controller of the personal data of those end clients, and PayShield acts as a processor on your behalf. The processing terms in Sections 4–11 of this Policy form the data-processing agreement that governs that relationship.

3. Categories of personal data we collect

A. Data you provide directly

  • Account data: name, email, password (stored hashed), profile slug, language preference.
  • Profile data (optional): bio, location, specialty tags, hourly rate, links to external profiles, case studies, portfolio items.
  • Billing data: billing name, address, country, VAT/NIF number, last four digits of card and card brand (received from Stripe; full card data is stored by Stripe, not by us).
  • Free-tool inputs: the information you type into the demand-letter generator, the late-fee calculator, or any other public tool — including, where applicable, the names and contact details of your end clients.
  • Waitlist signups: email address and the source page that referred you.
  • Communications: any message you send us by email or through the Service.

B. End-client data, processed on your behalf

When you use the Service to operate your business, you may upload or generate personal data about third parties (your clients, contacts, project collaborators). This may include name, email, postal address, NIF, payment details, and the content of contracts, invoices, proposals, and demand letters. We process this data as a processor, on your documented instructions, for the purposes set out in our agreement with you.

C. Data we collect automatically

  • Technical data: IP address, user agent, device type, time zone, language, referrer URL.
  • Usage data: pages visited, features used, events and timestamps. If you have given consent, this is processed through PostHog (see Section 11 and the Cookie Policy).
  • Cookies and similar technologies: essential cookies for authentication and security, plus analytics cookies subject to consent. See the Cookie Policy.

D. Data we receive from third parties

  • From Stripe: payment confirmations, billing-country information, dispute and refund signals.
  • From email providers (e.g., Resend): delivery, bounce, and spam-complaint events for the emails we send to you.

| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and operating your account; providing the Service | Performance of a contract — Art. 6(1)(b) |
| Processing payments and complying with tax/accounting law | Performance of a contract; legal obligation — Art. 6(1)(b), 6(1)(c) |
| Sending operational emails (account, billing, security, service updates) | Performance of a contract — Art. 6(1)(b) |
| Sending product news, marketing emails, and waitlist updates | Consent — Art. 6(1)(a); withdrawable at any time |
| Free-tool processing (running the demand-letter or calculator on your inputs) | Performance of a contract requested by you — Art. 6(1)(b) |
| Preventing fraud, abuse, and security incidents | Legitimate interests — Art. 6(1)(f) |
| Product analytics, error monitoring, and service improvement | Consent (PostHog) — Art. 6(1)(a); legitimate interests for server-side error logs — Art. 6(1)(f) |
| Complying with legal obligations and responding to lawful requests | Legal obligation — Art. 6(1)(c) |
| Defending or pursuing legal claims | Legitimate interests — Art. 6(1)(f) |

5. AI processing

When you use AI-assisted features (e.g., the demand-letter generator), the inputs you provide and the prompts we construct are sent to our AI inference provider (currently OpenRouter, routing to stepfun/step-3.5-flash) for the sole purpose of generating the response.

We instruct providers contractually not to retain inputs for model training. Do not paste data you cannot share with a third-party processor (e.g., highly sensitive personal data, secrets) into AI features.

6. Recipients and sub-processors

We do not sell your personal data. We share it only with the following categories of recipients, each acting as a processor or independent third party:

| Recipient | Purpose | Region |
|---|---|---|
| Vercel Inc. | Hosting and edge delivery of the Service | USA / EU |
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) |
| Stripe Payments Europe Ltd. | Payment processing, fraud prevention | Ireland / USA |
| Resend, Inc. | Transactional email delivery | USA / EU |
| PostHog Inc. | Product analytics (subject to your cookie consent) | EU |
| OpenRouter / upstream model provider | AI inference for AI-assisted features | USA |
| Tax advisors and accountants | Mandatory accounting and tax filings | Spain |
| Public authorities (AEPD, AEAT, courts) | Where legally required | Spain / EU |

We have signed a Data Processing Agreement with each processor, where required by Article 28 GDPR.

7. International transfers

Some of our processors are established outside the European Economic Area, primarily in the United States. Where transfers occur:

  • we rely on the EU-US Data Privacy Framework for transfers to certified US providers;
  • otherwise, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented where necessary by additional technical measures (encryption in transit and at rest, restricted access);
  • you may request a copy of the safeguards applicable to a specific transfer by writing to contact@payshield.app.

8. Retention

We keep personal data only for as long as necessary to fulfil the purposes described above:

| Category | Retention |
|---|---|
| Account data | While the account is active; deleted within 90 days after account closure, except where retention is legally required |
| Billing records, invoices, and tax records | 6 years (Spanish Commercial Code; AEAT requirements) |
| Free-tool inputs | Processed in real time; not persisted server-side beyond the immediate request unless you opted to save the document to your account |
| Waitlist email | Until launch + 12 months, or earlier on unsubscribe |
| Server logs | 30 days (rolling) |
| Product analytics events (PostHog) | 12 months |
| Marketing-consent records | For the duration of the consent + 3 years after withdrawal, as evidence of consent |

After the retention period, data is deleted or irreversibly anonymised.

9. Your rights

Under the GDPR and the LOPDGDD, you have the right to:

  • access your personal data and request a copy;
  • request rectification of inaccurate data;
  • request erasure of your data ("right to be forgotten"), subject to legal exceptions;
  • restrict or object to certain processing;
  • data portability for data we process by automated means under contract or consent;
  • withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal);
  • not be subject to a decision based solely on automated processing that produces legal effects on you — we do not currently make such decisions;
  • lodge a complaint with the Spanish Data Protection Agency (AEPD) at https://www.aepd.es if you believe your rights have been infringed.

To exercise any of these rights, write to contact@payshield.app. We may need to verify your identity before responding. We will reply within one (1) month, extendable by two (2) further months for complex requests as permitted by Article 12(3) GDPR.

10. Security

We apply reasonable technical and organisational measures to protect personal data, including:

  • TLS encryption in transit;
  • encryption at rest for databases and backups, where supported by the underlying provider;
  • least-privilege access controls and audit logs;
  • routine dependency and vulnerability monitoring;
  • segregation of production and development environments.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours as required by Article 33 GDPR, and notify you without undue delay where Article 34 applies.

11. Cookies and analytics

PayShield uses essential cookies for authentication and security, and — only with your consent — analytics cookies (PostHog) to understand how the Service is used. See the Cookie Policy for details and to change your preferences.

12. Children

The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact contact@payshield.app so we can delete it.

13. Changes to this Policy

We may update this Policy to reflect changes in the Service, our processors, or applicable law. Material changes will be announced by email (for registered users) and on /legal/privacy at least fifteen (15) days in advance. The "last updated" date at the top of this page indicates the most recent revision.

14. Contact

For any privacy question or to exercise your rights, write to: