Privacy Policy
Last updated: April 2025 · Language: English · Legal basis: GDPR (EU) 2016/679
This Privacy Policy describes how Euricio S.L. collects, uses, and protects your personal data in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) when you use the Euricio CRM or visit our website.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Euricio S.L.
Represented by: Eric Zetzsche
Calle Mequinez 2
38400 Puerto de la Cruz
Islas Canarias, Spain
CIF: B09638917
Email: ez@euricio.es
Website: euricio.es
2. Data We Collect
2.1 Account and Contract Data
- First and last name
- Email address
- Company name and business details
- Billing address
2.2 Payment Data
Payment details (e.g. credit card numbers, bank account details) are processed exclusively by our payment service providers Stripe and PayPal. We do not store full payment credentials ourselves. We only receive transaction confirmations and, where applicable, anonymised payment instrument identifiers (e.g. the last four digits of a card).
2.3 Usage Data
- Actions within Euricio CRM (e.g. leads created, properties added, tasks completed)
- Account settings and configuration
- Support requests and correspondence history
2.4 Log Files
When you access our services, technical log data is collected automatically:
- IP address (anonymised after 7 days)
- Date and time of access
- URL requested
- Browser type and operating system
- HTTP status code
3. Purposes and Legal Basis of Processing
| Purpose | Legal Basis |
|---|---|
| Provision and performance of the SaaS subscription contract (Euricio CRM) | Art. 6(1)(b) GDPR — performance of a contract |
| Payment processing via Stripe and PayPal | Art. 6(1)(b) GDPR — performance of a contract |
| Customer support and handling of enquiries | Art. 6(1)(b) GDPR — contract / Art. 6(1)(f) GDPR — legitimate interests |
| Ensuring technical security, error diagnosis, and abuse prevention | Art. 6(1)(f) GDPR — legitimate interest (IT security) |
| Aggregated, non-personal product analytics for service improvement | Art. 6(1)(f) GDPR — legitimate interest (product development) |
| Setting technically necessary cookies | Art. 6(1)(b) GDPR — contract performance (no consent required for strictly necessary cookies) |
| Processing based on your explicit consent (e.g. optional analytics cookies, if introduced in future) | Art. 6(1)(a) GDPR — consent |
| Compliance with statutory retention obligations | Art. 6(1)(c) GDPR — legal obligation |
4. Data Processors and Third Parties
We engage the following processors, with whom we have entered or will enter into Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR:
| Provider | Purpose | Location / Data Region | Privacy Information |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, data storage | EU region (Frankfurt, AWS eu-central-1) | supabase.com/privacy |
| Vercel, Inc. | Application and website hosting | USA (Standard Contractual Clauses per Art. 46 GDPR) | vercel.com/legal/privacy-policy |
| Stripe, Inc. | Payment processing (credit/debit cards, SEPA) | USA / Ireland (Standard Contractual Clauses per Art. 46 GDPR) | stripe.com/privacy |
| PayPal (Europe) S.à.r.l. et Cie, S.C.A. | Payment processing (PayPal) | Luxembourg (EU) | paypal.com/privacy |
Where data is transferred to third countries (e.g. the USA), we ensure an adequate level of protection through appropriate safeguards — in particular EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
5. Cookies
Our website and the Euricio CRM currently use only technically necessary cookies. These cookies are strictly required for the operation of the service and cannot be refused without impairing functionality.
| Cookie Type | Purpose | Retention |
|---|---|---|
| Authentication session | Keeping you signed in; session management (Supabase Auth) | Session / until sign-out |
| CSRF protection token | Protection against cross-site request forgery attacks | Session |
| Language preference | Remembering your chosen language | 1 year |
We currently use no tracking, advertising, or analytics cookies. If this changes in the future, we will obtain your prior consent.
6. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Contract data (account details, subscription) | Duration of the contractual relationship + 10 years (statutory retention under Spanish commercial and tax law) |
| Invoices and payment records | 10 years from invoice date (Art. 30 Código de Comercio) |
| Communications (email, support) | 3 years after last contact |
| Log files | 30 days (IP anonymised after 7 days) |
| CRM content (leads, properties, notes) | Until account deletion; 30 days grace period for recovery after cancellation, then permanently deleted |
7. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, obtain a copy of it.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data or completion of incomplete data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data under the conditions set out in the GDPR ("right to be forgotten").
- Right to restriction of processing (Art. 18 GDPR): You may request that processing of your data be restricted in certain circumstances.
- Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise your rights, please contact us by email: ez@euricio.es
We will respond to your request within 30 days. In complex or high-volume cases, this period may be extended by a further two months; we will notify you of any such extension.
8. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that processing of your personal data infringes the GDPR.
Lead Supervisory Authority (Spain):
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 912 663 517
Your Local Supervisory Authority:
You also have the right to contact the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. A list of EU data protection authorities is available at the European Data Protection Board (EDPB).
9. Data Security
We implement appropriate technical and organisational measures (TOMs) to protect your data against unauthorised access, loss, or misuse:
- Encrypted data transmission via TLS/HTTPS
- Encryption at rest (Supabase / AES-256)
- Access control and role management (Row-Level Security in Supabase)
- Regular automated backups
- Access restricted to authorised personnel only
10. Automated Decision-Making and Profiling
We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal or similarly significant effects on you.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements or our services. The current version is always available at euricio.es/legal/privacy-policy.html. We will notify registered users of material changes by email.
12. Contact for Data Protection Enquiries
For any questions, concerns, or requests regarding this Privacy Policy or the exercise of your rights, please contact:
Euricio S.L. — Data Protection
Eric Zetzsche
Email: ez@euricio.es
Calle Mequinez 2, 38400 Puerto de la Cruz, Islas Canarias, Spain