Privacy Policy
Last updated: 27 April 2026 — GDPR (EU) 2016/679 compliant.
1. Data Controller
The data controller for this website and the Automatia ABS product is Automatia BCN. Contact: Barcelona, Spain; privacy@automatiabcn.com.
2. Data We Collect
- Email address — at purchase and waitlist signup.
- Payment data — card details are processed by Stripe and never reach Automatia BCN servers. We store the Stripe customer_id and invoice reference only.
- License activation metadata — JTI, install date, seat count.
- Server access logs — IP, user-agent, request path; retained 30 days for security purposes.
Because ABS runs on your own server, your AI prompts and code are processed only on your infrastructure; Automatia BCN cannot access them.
3. Processing Purpose and Legal Basis
We process data to issue licenses, prepare invoices, provide support, and ensure security. Legal basis: GDPR Art. 6(1)(b) — contract performance, and Art. 6(1)(f) — legitimate interest (security, fraud prevention).
4. Third-Party Processors
- Stripe Payments Europe Ltd. (Ireland) — payments, refunds, subscriptions. PCI-DSS Level 1.
- Anthropic (Claude API) — invoked only by your server; Automatia BCN is not a relay.
- Hetzner Online GmbH (Germany) — server hosting, GDPR-compliant DPA.
5. Data Retention Period
License and billing data are retained for the active license period plus 12 months (legal accounting obligation). Access logs are anonymised or deleted after 30 days. Following a refund, all personal data is deleted within an additional 30 days at the customer's request.
6. Your User Rights (GDPR Art. 15-22)
- Right of access, rectification, erasure, restriction of processing.
- Data portability — JSON-format export.
- Right to object; you may object to processing for marketing purposes at any time.
- Right to lodge a complaint with the supervisory authority — Spain: AEPD (aepd.es).
6a. How to Exercise Your Rights (Self-Service)
With your license Bearer token you can call the following endpoints:
- Data export (Art. 15): POST /v1/me/data-export — returns an encrypted ZIP (24h download link).
- Account deletion (Art. 17): POST /v1/me/account/delete-request → POST /v1/me/account/delete-confirm. Automatic purge after 30-day grace period.
- Consent management (Art. 7): GET/POST/DELETE /v1/me/consents.
- Audit log: GET /v1/me/audit-log (last 90 days).
6b. Sub-processors and Data Processing Agreement
The current sub-processor list is in docs/legal/subprocessors.md; the DPA template for B2B customers is in docs/legal/dpa-template.md.
7. Contact
For rights requests, contact privacy@automatiabcn.com. Requests are answered within 30 days after identity verification (free of charge).