Privacy Policy
Last updated: March 15, 2026
1. Data controller
The controller of the personal data collected through sayso.es is:
- Name: Sayso
- Contact email: contact@sayso.es
- Address: Spain
Hereinafter, "Sayso", "we", or "the controller".
2. Data we collect
We collect the following data depending on how you use the service:
2.1 Account data
- Email address
- Hashed password (managed by Supabase Auth)
- Account creation date
2.2 Service usage data
- Projects created (name, slug, visual configuration)
- Testimonials received: author name, role, rating, text, and optional photo
- Testimonial requests sent: recipient name and email
- Account activity logs (internal)
2.3 Billing data
- Subscription information (plan, status, renewal date)
- Card data is handled directly by Stripe; Sayso does not store or access full payment data
2.4 Technical data
- IP address, browser type, and operating system (server logs)
- Session cookies necessary for the service to function
3. Purpose and legal basis for processing
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Manage your account and authentication | Performance of a contract (art. 6.1.b) |
| Provide the testimonial collection and publication service | Performance of a contract (art. 6.1.b) |
| Process payments and manage subscriptions | Performance of a contract (art. 6.1.b) |
| Send transactional communications (receipts, account alerts) | Performance of a contract (art. 6.1.b) |
| Comply with legal obligations (invoicing, record keeping) | Legal obligation (art. 6.1.c) |
| Improve and maintain the service (aggregated internal usage analysis) | Legitimate interest (art. 6.1.f) |
4. Retention periods
We keep your data for as long as necessary for the purposes described:
- Account data: while the account is active. After deletion, data is removed within a maximum of 30 days, unless a legal retention obligation applies.
- Billing and transaction data: 5 years from the date of the transaction, in accordance with Spanish tax regulations.
- Testimonials received: linked to the user's project; deleted when the project or account is deleted.
- Technical logs: maximum 90 days.
5. Recipients and international transfers
We share data only with the following third parties, acting as data processors:
- Supabase (database and authentication infrastructure) — EU hosting
- Stripe (payment gateway) — PCI DSS certified; payment data processed on EU/EEA servers
- Resend (transactional email delivery) — EU servers
- Vercel (application hosting) — EU infrastructure
All providers have signed EU standard contractual clauses or have equivalent GDPR-compliant transfer mechanisms in place.
We do not sell or transfer personal data to third parties for commercial or advertising purposes.
6. Your rights
As a data subject, you may exercise the following rights at any time by contacting the data controller:
- Access: obtain confirmation of whether we process your data and receive a copy of it.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data when, among other reasons, it is no longer necessary for the purpose for which it was collected.
- Restriction of processing: request that we suspend processing in certain circumstances.
- Portability: receive your data in a structured, commonly used format.
- Objection: object to processing based on legitimate interest.
- Withdrawal of consent: when processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, write to us at contact@sayso.es with the subject "GDPR rights request". We will respond within a maximum of one month.
If you believe that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the Spanish Data Protection Agency (aepd.es).
7. Cookies
We use only the technical cookies that are strictly necessary for the service to function:
- Session cookie: keeps you authenticated during your visit. Deleted when you close the browser or sign out.
- Preferences cookie: stores language or interface settings chosen by the user.
We do not use advertising, tracking, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies, in accordance with Spanish Law 34/2002 (LSSI-CE) and AEPD guidelines.
8. Security
We apply appropriate technical and organizational measures to protect your data against unauthorized access, accidental loss, or destruction:
- Password hashing using bcrypt
- Encrypted communications via TLS/HTTPS
- Row Level Security (RLS) policies in the database
- Restricted access to data by personnel
9. Minors' data
The service is aimed at professionals and businesses. We do not knowingly collect data from minors under 16. If you are a parent or guardian and believe a minor has provided personal data, contact us at contact@sayso.es so we can proceed with deletion.
10. Changes
We may update this policy to reflect changes in the service or applicable regulations. We will notify you of relevant changes by email or through a visible notice on the platform at least 15 days in advance. The most recent version will always be available at sayso.es/privacy.
11. Contact
For any questions about this policy or the processing of your data, you can contact us at:
- Email: contact@sayso.es