Plate & PunchBack to login

Privacy Policy

Last updated: 6 July 2026

1. Data Controller

PCL (sole trader), Tax ID 46688225L, 08911-Badalona (Barcelona), Spain. Contact for data protection matters: legal@plateandpunch.rest / dpo@plateandpunch.rest.

2. Personal data we process (as controller)

  • Identification and contact data: name and email address.
  • Account data: password (stored hashed with Argon2), subscription and plan.
  • Billing data, where applicable.
  • Security and audit logs: user identifier, actions within the application, timestamps and IP address.

3. Purposes and legal bases

  • Providing and managing the service and your account — performance of a contract (Art. 6(1)(b) GDPR).
  • Invoicing and legal/tax obligations — compliance with a legal obligation (Art. 6(1)(c) GDPR).
  • Security, audit logging and fraud prevention — legitimate interest (Art. 6(1)(f) GDPR).

4. Data processed on behalf of our customers (as processor)

Business customers upload operational data to the application (staff and supplier data). For that data the customer is the controller and Plate & Punch acts as a processor under a Data Processing Agreement (Art. 28 GDPR). We process such data only on the customer's documented instructions.

5. Retention

We keep personal data for the duration of the contractual relationship. Billing data is retained for the minimum periods required by tax and commercial law. Security logs are kept for 12 months. Account deletion is available with a 30-day grace period, retaining only the legally required minimum.

6. Recipients and processors

  • Hetzner Online GmbH — hosting (Germany, EU).
  • Google Ireland Ltd. (Workspace) — encrypted backups (EU/EEA).
  • Resend (Plus Five Five, Inc.) — transactional email (USA; EU SCCs + EU-U.S. Data Privacy Framework).
  • OpenAI Ireland Ltd. — AI features, where enabled (EU SCCs).
  • Stripe — payment processing, once enabled (EU SCCs).

7. International transfers

The bulk of processing takes place within the EU/EEA. Where a processor is located outside the EEA (e.g. in the USA), transfers are covered by the Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, additional safeguards.

8. Your rights

You have the right of access, rectification, erasure, restriction of processing, data portability and objection. You can exercise them by contacting legal@plateandpunch.rest. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es).

9. Security

We apply appropriate technical and organisational measures (Art. 32 GDPR): encryption in transit (TLS), passwords hashed with Argon2, role-based access control, multi-tenant isolation and daily encrypted backups.

10. Changes

We may update this Privacy Policy. Material changes will be communicated through the service.