Privacy Policy

Learn how Fiscora collects, processes, and protects personal data for businesses and professionals in Spain.

1. Data controller

Devura Digital SL (NIF: B24830317)
av. Ferrocarril, 83, 12560 Benicassim, Castelló, ES
Email: [email protected]

2. Data we collect

  • Account and organization data: email address, encrypted or hashed password, company or legal name, tax ID, address, language, timezone, and configuration settings.
  • Commercial and invoicing data: customers, suppliers, products, quotes, invoices, payments, amounts, line items, tax addresses, and related documents.
  • Employment and payroll data when those modules are enabled: employees, tax IDs, addresses, contract details, IBAN, social security data, payroll runs, certificates, and attachments.
  • Banking and payment data when financial integrations are enabled: accounts, IBAN, bank transactions, mandates, direct debit collections, payouts, and reconciliation metadata.
  • Support, contact, and lead data: forms, emails, support requests, consent records, and communications with you or your gestoria.
  • Usage and security data: IP address, browser agent, activity logs, audit events, session identifiers, and technical preferences.

The exact categories depend on the modules and services you use in Fiscora. If you upload documents, certificates, or supporting files, we also process their contents to provide the service and comply with legal obligations.

3. Legal basis for processing

  • Performance of a contract: Processing is necessary to provide the invoicing service you contracted (Art. 6.1.b GDPR).
  • Consent: We process certain optional preferences, communications, and actions that you actively enable on the basis of your consent (Art. 6.1.a GDPR).
  • Legal obligation: Retention of invoices, tax records, payroll records, statutory books, and communications with authorities where required by applicable law (Art. 6.1.c GDPR).
  • Legitimate interest: Platform security, fraud prevention, traceability, defense of legal claims, and service improvement (Art. 6.1.f GDPR).

4. Data retention periods

We apply different retention periods depending on the data category. Account data is kept while the account remains active; invoicing and audit data subject to tax retention is kept for at least 4 years; consents, exports, email records, sensitive-data access logs, and employment attachments follow their own retention and deletion schedules. After account closure, we delete or anonymize data where appropriate unless we must retain it by law.

5. Data recipients

We may disclose or make data available to providers and recipients that are necessary to deliver the service, comply with the law, or run optional modules that you enable.

  • Infrastructure and database providers: application hosting, queues, backups, and managed database services (for example EU hosting and MongoDB Atlas).
  • File and export storage: Cloudflare R2 or equivalent providers for PDFs, supporting files, attachments, and export packages.
  • Transactional email and support providers: services such as Postmark or SMTP providers for verification, notifications, invitations, and document delivery.
  • Subscription billing and platform payment providers: Stripe and collection or direct debit providers where applicable.
  • Bank connectivity and reconciliation providers: services such as Afterbanks or GoCardless Bank Data when you enable PSD2 connections or direct debit workflows.
  • Document processing assistance: OCR or AI services, such as OpenAI, only when you enable automated document extraction features.
  • Public authorities and regulators: the Spanish Tax Agency (AEAT) or other recipients required by tax, accounting, or employment law.

The exact list of providers and recipients depends on the modules you contract or enable. Where a provider processes data on our behalf, we require appropriate contractual data protection safeguards.

6. Your rights

Under the GDPR, you have the following rights:

  • Right to access your personal data.
  • Right to rectify inaccurate data.
  • Right to erasure (right to be forgotten).
  • Right to request restriction of processing where legally applicable.
  • Right to data portability.
  • Right to object to processing.
  • Right to withdraw your consent at any time for processing based on consent.

To exercise your rights, contact us at: [email protected]

You may also file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

7. International transfers

We aim to prioritize providers and hosting within the European Economic Area. However, some optional features or providers may involve access from or processing in countries outside the EEA. In those cases we rely on an appropriate legal transfer mechanism under Chapter V GDPR, such as an adequacy decision or the Standard Contractual Clauses, together with supplementary measures where required.

8. Security measures

We apply technical and organizational measures that are proportionate to the risk in order to protect the personal data processed in Fiscora.

  • Encryption in transit, encryption or equivalent protection at rest, and controls over sensitive keys and secrets.
  • Organization-level isolation, role-based access controls, activity logging, and review of sensitive events.
  • Strong password hashing, session controls, rate limiting, traceability, and anti-fraud protections.
  • Backups, incident management, sub-processor review, and additional restrictions for banking data, certificates, and employment documents.

Last updated: 2026-04-23