Privacy Policy

This Privacy Policy explains how Shadpay SL (“Shadpay”, “we”, “us”, or “our”) collects, uses, stores, shares and protects personal data when you visit our website, sign up for early access to our payment failover platform, or otherwise interact with us. We act as the data controller for the personal data described below.

1. Who we are

Shadpay SL is a private limited company incorporated in Spain, operating a payment orchestration and failover service for online merchants. You can reach our privacy team at privacy@shadpay.io.

2. Data we collect

We only collect what we need to evaluate demand for the product, communicate with you, and prepare your account when the platform launches.

2.1 Information you give us

• Account data: work email address and password (hashed, never stored in plaintext).
• Lead qualification data: company name and approximate monthly payment volume, if you choose to provide them.
• Communications: the content of any email, support message or form submission you send us.

2.2 Information we collect automatically

• Technical data: IP address, browser type, device type, language preference, timestamps and referring URL.
• Usage data: pages visited, links clicked, time on page and session duration, collected with privacy‑respecting analytics.
• Authentication metadata: session tokens issued by our authentication provider (Supabase) when you sign in.

We do not knowingly collect personal data from anyone under 16 years of age. If you believe a minor has provided us personal data, contact us and we will delete it.

3. How we use your data

• To create and manage your Shadpay account.
• To contact you about the private beta, your activation invitation, onboarding and product updates.
• To measure demand for the product, including aggregated ad‑campaign performance.
• To prevent fraud, abuse and security incidents, and to enforce our Terms of Service.
• To comply with legal obligations applicable to us.

4. Legal bases (GDPR Art. 6)

• Performance of a contract when you create an account or request access to the beta.
• Legitimate interests in measuring demand, securing our systems, and developing the product. We always balance these against your rights and freedoms.
• Consent for non‑essential analytics cookies and for marketing emails (where required). You can withdraw consent at any time.
• Legal obligation when we must retain or disclose data to comply with applicable law.

5. Sharing your data

We do not sell your personal data. We share it only with the sub‑processors strictly needed to operate the service:

• Supabase — authentication and database hosting (EU region).
• Vercel — website hosting and edge delivery.
• Email provider — transactional and onboarding emails.
• Regulators, law enforcement or other third parties where required by law or to protect our rights.

Each sub‑processor is bound by a data processing agreement that restricts how they may use your data and requires appropriate security measures.

6. International transfers

Where possible we keep data within the European Economic Area. When a sub‑processor processes data outside the EEA, we rely on the European Commission's Standard Contractual Clauses and supplementary measures to ensure your data benefits from an equivalent level of protection.

7. How long we keep your data

• Account data: for as long as your account is active, plus up to 24 months after deletion for accounting and dispute purposes.
• Lead data (if you do not become a customer): up to 18 months, after which we delete or fully anonymize it.
• Server logs and analytics: typically up to 12 months.

8. Your rights

Under GDPR you may exercise the following rights at any time, free of charge:

• Access a copy of the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data (“right to be forgotten”), subject to legal retention obligations.
• Restrict or object to certain processing.
• Request data portability in a machine‑readable format.
• Withdraw consent at any time, without affecting prior processing.

Send any of these requests to privacy@shadpay.io. We aim to respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — www.aepd.es).

9. Security

We use encryption in transit (TLS 1.2+), encryption at rest, hashed passwords, row‑level security on our database, principle‑of‑least privilege access for our staff, and continuous monitoring. No system is 100% secure; if we ever experience a personal data breach that is likely to affect you, we will notify you and the competent authority as required by law.

10. Cookies

We use a minimal set of cookies and local storage entries:

• Essential: authentication session and language preference. These cannot be turned off without breaking the site.
• Analytics (optional): aggregated, anonymized usage metrics. Only set with your consent where required.

11. Automated decision‑making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or via a prominent notice on the site before the changes take effect.

13. Contact

For any privacy question, contact us at privacy@shadpay.io.