Privacy Policy

Last updated: March 11, 2026

Custodita ("we", "us", or "our") operates the custodita.com website and the Custodita platform (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.

1. Data Controller

The data controller responsible for your personal data is Custodita. For any questions about this Privacy Policy, you may contact us at [email protected].

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data (Creditors)

  • Email address, password (hashed)
  • Business name, tax ID, SEPA creditor identifier
  • IBAN and postal address

2.2 Mandate Data (Debtors)

  • Full name, IBAN, BIC, email address, postal address
  • Signature image (drawn on screen)
  • IP address and user agent at the time of signing

2.3 Audit and Technical Data

  • IP addresses and user agents for all mandate-related actions
  • Timestamps of creation, signing, downloads, and modifications
  • SHA-256 document hashes for integrity verification

3. Legal Basis for Processing

We process personal data on the following legal bases under GDPR:

  • Contract performance (Art. 6(1)(b)): To provide the Service to registered creditors and process mandate signatures from debtors.
  • Legal obligation (Art. 6(1)(c)): To comply with SEPA Direct Debit scheme rules, which require creditors to retain mandates and audit trails.
  • Legitimate interest (Art. 6(1)(f)): To maintain platform security, prevent fraud, and improve the Service.

4. How We Use Your Data

  • To create and manage SEPA Direct Debit mandates
  • To generate signed PDF documents with legal evidence
  • To maintain immutable audit trails as required by SEPA regulations
  • To send signing invitations and confirmation emails
  • To detect and prevent fraud or unauthorized access
  • To provide customer support

5. Data Retention

We retain data for the following periods:

  • Active mandates: For as long as the mandate is active, plus 14 months after revocation or expiration (to cover the 13-month SEPA chargeback period).
  • Audit logs: For the lifetime of the associated mandate plus the retention period above.
  • Account data: For as long as the account is active. After account deletion, data is retained for 30 days before permanent removal.

6. Data Sharing

We do not sell personal data. We share data only in the following circumstances:

  • Between creditor and debtor: Mandate data is shared between the creditor (who creates the mandate) and the debtor (who signs it), as necessary for the SEPA Direct Debit process.
  • Infrastructure providers: We use third-party services for hosting and file storage. These providers process data on our behalf under appropriate data processing agreements.
  • Legal requirements: We may disclose data if required by law, regulation, or legal process.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS)
  • Hashed passwords (bcrypt)
  • SHA-256 document integrity verification
  • Account-scoped data isolation (multi-tenant separation)
  • Immutable audit logs (no modification or deletion)
  • Time-limited signing tokens (7-day expiry)

8. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data, subject to legal retention requirements.
  • Restriction: Request that we limit processing of your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected].

Please note that audit logs and signed mandate documents may be exempt from erasure requests under Art. 17(3)(b) GDPR (legal obligation) as they constitute legally required evidence under the SEPA scheme rules.

9. Cookies

We use only essential session cookies required for the Service to function (authentication, locale preferences). We do not use tracking cookies, analytics cookies, or advertising cookies.

10. International Transfers

Your data is processed within the European Economic Area (EEA). If any data transfer outside the EEA becomes necessary, we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: [email protected]

You also have the right to lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.