Skip to content
Zynvio

Privacy Policy

Zynvio

Version: 2.0 — Last updated: April 2, 2026

1

Data Controller

In compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), you are hereby informed that the data controller responsible for processing personal data is:

PIXELARIS S.L.

Tax ID (CIF): B21739354
Registered office: Carrer Penyagolosa, Nº 8 - Pl. 5 - Prta. D, 12540 Vila-real (Castellón, Spain)
Data protection email: privacy@zynvio.com
Website: https://www.zynvio.com

Hereinafter referred to as "Zynvio" or the "Controller".

2

Scope of application

PIXELARIS S.L. is committed to protecting the privacy of all individuals with whom it interacts. This policy describes Zynvio's privacy practices and applies to:

  • Users who subscribe to and use the Zynvio platform ("Clients" or "Users").
  • Visitors to the public website www.zynvio.com ("Visitors").
  • Suppliers and business partners of PIXELARIS S.L. ("Suppliers").
  • Employees and internal collaborators of PIXELARIS S.L. ("Employees").

Zynvio fulfills two distinct roles with regard to data protection:

  • Data Controller: with respect to the data of Users, Visitors, Suppliers and Employees of PIXELARIS S.L., as well as technical and security data generated by the platform.
  • Data Processor: with respect to the data that Users enter into the platform about their own clients, suppliers, employees or other third parties as part of their professional activity.
SECTION A of this policy governs processing as Data Controller. SECTION B governs processing as Data Processor.

SECTION A — ZYNVIO AS DATA CONTROLLER

3

Data we process and purposes

Below are the categories of personal data that Zynvio processes as controller, together with their purposes and legal bases.

3.1 Data of Clients and Platform Users

Data processed:

  • First and last name, email address, phone number, country, profile picture
  • Password (stored in hashed format, never in plain text)
  • Authentication data: session tokens, verification codes, Google OAuth data (name and email)
  • User's business data: company name, Tax ID (NIF/CIF), tax address, type of activity
  • Zynvio subscription payment data (tokens provided by Stripe/PayPal)

Purposes:

  • Account registration, authentication and verification management
  • Provision of the contracted services (platform access)
  • Subscription billing and payment management
  • Communications strictly necessary for the service (email verification, system notifications)

Legal basis: Art. 6.1.b GDPR — Performance of a contract. For authentication via Google OAuth: Art. 6.1.a GDPR — Consent.

Retention: Duration of the contractual relationship + 5 years (Art. 1964 Spanish Civil Code). Payment data: duration of the contractual relationship.

3.2 Data of Website Visitors

Data processed:

  • Browsing data collected through Google Analytics (pages visited, session duration, device, approximate location)
  • Contact form data (name, email, message)

Purposes:

  • Statistical analysis of the use of the website www.zynvio.com to improve the user experience
  • Handling inquiries submitted through forms

Legal basis: Art. 6.1.a GDPR — Consent (for analytics). Art. 6.1.b GDPR — Performance of pre-contractual measures (for inquiries).

Retention: According to cookie duration (see Section 10). Contact data: 1 year from the resolution of the inquiry.

3.3 Data of Suppliers of PIXELARIS S.L.

Data processed:

  • Contact person's first and last name, position
  • Professional email address and phone number
  • Company name, Tax ID (NIF/CIF), tax address
  • Banking details for payment management (IBAN, account holder)

Purposes:

  • Management of the business relationship (contracts, orders, payments)
  • Compliance with tax and accounting obligations arising from the commercial relationship

Legal basis: Art. 6.1.b GDPR — Performance of a contract. Art. 6.1.c GDPR — Legal obligation (retention of tax documentation, Art. 30 Spanish Commercial Code).

Retention: Duration of the contractual relationship + 6 years (Art. 30 Spanish Commercial Code).

3.4 Data of Employees of PIXELARIS S.L.

Data processed:

  • Identification data: name, national ID (DNI/NIE), address, email, phone number
  • Contractual data: type of contract, start/end date, professional category
  • Salary data: base salary, supplements, deductions, personal income tax (IRPF), Social Security contributions
  • Working time records (clock-in, clock-out and break entries)

Purposes:

  • Management of the employment relationship (hiring, payroll, Social Security)
  • Compliance with working time recording requirements (Art. 34.9 Spanish Workers' Statute)
  • Compliance with tax (income tax withholdings) and labor obligations

Legal basis: Art. 6.1.b GDPR — Performance of the employment contract. Art. 6.1.c GDPR — Legal obligation (Spanish Workers' Statute, General Social Security Act, Law 35/2006 on Personal Income Tax).

Retention: Duration of the employment relationship + 4 years (Art. 4 Royal Legislative Decree 5/2000 — LISOS). Tax documentation: 6 years.

3.5 Technical and security data

Data processed:

  • Connection IP address
  • User-Agent (browser and operating system)
  • Activity logs (audit logs): action performed, module, entity, date and time

Purposes:

  • Ensuring the security, integrity and availability of the system
  • Fraud prevention, detection of unauthorized access and anomalous behavior
  • Operation traceability and regulatory compliance (Royal Decree 1007/2023 VERI*FACTU)

Legal basis: Art. 6.1.f GDPR — Legitimate interest (security and fraud prevention). Art. 6.1.c GDPR — Legal obligation (VERI*FACTU traceability).

Retention: 3 years, unless a longer legal obligation applies.

Zynvio has conducted a balancing test between its legitimate interests and the rights of data subjects, concluding that the processing is proportionate and does not override the data subject's rights.

4

Mandatory nature of data

Please note that:

  • For User registration: email address, name and password are mandatory. Without them, it is not possible to create an account.
  • For subscription billing: the User's Tax ID (NIF/CIF), company name and tax address are required.
  • Phone number, country and profile picture are optional; not providing them does not prevent the use of the service.
  • Data of Suppliers and Employees of PIXELARIS S.L. is necessary for the management of the respective contractual or employment relationships.
5

Data recipients

Data processed by Zynvio as controller may be disclosed to:

5.1 Public authorities

Spanish Tax Agency (AEAT), General Treasury of Social Security and other bodies, where necessary for the fulfillment of legal obligations of PIXELARIS S.L.

5.2 Service providers (sub-processors)

Zynvio engages the following providers for service delivery, all of which are bound by agreements compliant with Art. 28 of the GDPR:

ProviderServiceLocationData processed
OVHcloudInfrastructure and hostingEU (France)All data stored on the platform
VercelPublic website hostingEU / EEAVisitor browsing data
Google (OAuth)Social authenticationUSA (Data Privacy Framework)User name and email
Stripe / PayPalSubscription payment processingUSA (Data Privacy Framework)Tokenized user payment data
Google AnalyticsPublic website analyticsUSA (Data Privacy Framework)Anonymized visitor browsing data

These providers process data exclusively on behalf of PIXELARIS S.L. and in accordance with its instructions. No data is disclosed to third parties for purposes other than those indicated.

6

International transfers

Data is primarily stored and processed on servers located within the European Economic Area (EEA).

Where certain providers are located outside the EEA (Google, Stripe, PayPal), Zynvio ensures an adequate level of protection through:

  • European Commission adequacy decisions: in particular, the EU-US Data Privacy Framework (Commission Implementing Decision of July 10, 2023).
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914), supplemented with additional safeguards where necessary.
  • Transfer Impact Assessment (TIA) in accordance with CJEU case law (Schrems II judgment, Case C-311/18).

Data subjects may request detailed information by writing to: privacy@zynvio.com

7

Rights of data subjects

In accordance with Articles 15 to 22 of the GDPR, Users, Visitors, Suppliers and Employees of PIXELARIS S.L. may exercise the following rights with respect to the data that Zynvio processes as controller:

Access

Art. 15

Obtain confirmation of whether your data is being processed and access said data

Rectification

Art. 16

Request the correction of inaccurate data or the completion of incomplete data

Erasure

Art. 17

Request the deletion of your data when it is no longer necessary

Restriction

Art. 18

Request the suspension of processing under certain circumstances

Portability

Art. 20

Receive your data in a structured format and transmit it to another controller

Objection

Art. 21

Object to processing on grounds relating to your particular situation

Withdrawal of consent

Art. 7.3

Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

How to exercise your rights

By submitting a request to:

  • Email: privacy@zynvio.com
  • Postal mail: PIXELARIS S.L., Carrer Penyagolosa, Nº 8 - Pl. 5 - Prta. D, 12540 Vila-real (Castellón, Spain)

The request must include your first and last name, a copy of an identification document and a description of the right being exercised.

Timeframes and free of charge

  • Response time: one (1) month, extendable by up to two (2) additional months due to complexity.
  • The exercise is free of charge, except for manifestly unfounded or excessive requests (Art. 12.5 GDPR).

Limitations on the right to erasure

The right to erasure may be limited when processing is necessary for compliance with legal obligations (retention of tax and accounting documentation) or for the establishment, exercise or defense of legal claims.

Complaint to the supervisory authority

Data subjects may file a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD):

Web: https://www.aepd.es

SECTION B — ZYNVIO AS DATA PROCESSOR

8

Data processed on behalf of the User

When Users use the Zynvio platform to manage their professional activity, they enter data about third parties (their own clients, suppliers, employees, etc.). With respect to this data, the User is the data controller and Zynvio acts solely as the data processor, processing the data exclusively in accordance with the User's instructions.

Categories of data that the User may enter into the platform:

  • Data of the User's clients (tax identification, contact details, commercial data)
  • Data of the User's suppliers (tax identification, contact details, payment data)
  • Data of the User's employees (identification, contractual data, salary data, working time records)
  • Invoices issued and received by the User, accounting records, inventory
  • User's digital certificates for electronic signing and tax compliance (VERI*FACTU)
  • Any other data that the User enters as part of their business activity

Services provided by Zynvio as processor:

  • Issued and received invoicing (including VERI*FACTU-compliant systems)
  • Accounting (chart of accounts, journal entries, fixed assets)
  • Client, supplier and project management
  • Inventory and warehousing
  • Human resources (payroll, time tracking, employee management)
  • Data submission to the Spanish Tax Agency (AEAT) under the VERI*FACTU framework on behalf of the User
9

User's responsibility as data controller

The User, as the data controller of the data entered into the platform, undertakes to:

  • Have a sufficient legal basis for the processing of data (Art. 6 GDPR).
  • Inform the data subjects whose data is entered in accordance with Articles 13 and 14 of the GDPR.
  • Apply the principle of data minimization (Art. 5.1.c GDPR).
  • Not enter special categories of data (Art. 9 GDPR) unless a legal exception applies.
  • Comply with the data protection regulations applicable in their jurisdiction.
  • Determine, document and communicate to data subjects the retention periods for their data.
Zynvio shall not be held liable for the misuse of data entered by the User, nor for the User's failure to comply with their obligations as data controller.
10

Retention periods for User data

With respect to the data entered by the User into the platform:

  • Retention periods shall be those defined by the User and communicated to data subjects in accordance with applicable regulations.
  • In the absence of specific instructions from the User, Zynvio will apply the default legal retention periods: 6 years for commercial and tax documentation (Art. 30 Spanish Commercial Code), 4 years for employment data (LISOS).
  • Upon termination of the contractual relationship with the User, and unless otherwise instructed, data shall be returned or deleted in accordance with the Data Processing Agreement (DPA).
11

Data Processing Agreement (DPA)

The relationship between Zynvio as processor and the User as controller is governed by a Data Processing Agreement (DPA) in accordance with Art. 28 of the GDPR, which includes:

  • Subject matter, duration, nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Documented instructions from the controller
  • Confidentiality obligations of Zynvio's staff
  • Security measures applied (Art. 32 GDPR)
  • Conditions for engaging sub-processors
  • Assistance in exercising data subject rights
  • Security breach notification
  • Return or deletion of data upon termination of the contractual relationship
  • Right of audit by the controller

The DPA is available as a separate document and may be requested at: privacy@zynvio.com

12

Rights of data subjects (User data)

When a third party (client, supplier or employee of the User) wishes to exercise their data protection rights over information hosted on Zynvio, they must direct their request to the User, who is the data controller of said data.

Zynvio, as processor, will assist the User in handling such requests in accordance with the provisions of the DPA.

If a third party contacts Zynvio directly, they will be redirected to the corresponding User.

13

Sub-processors

For the provision of services as processor, Zynvio uses the following sub-processors, which also process User data:

ProviderServiceLocationData processed
OVHcloudInfrastructure and storageEU (France)All User data stored on the platform
VercelFile storageEU / EEAUser's PDFs, images, and attached documents
AEATReception of VERI*FACTU recordsSpainInvoice tax data (Tax ID, amounts, dates)

Zynvio will inform the User with reasonable prior notice of any changes in the addition or replacement of sub-processors (Art. 28.2 GDPR).

SECTION C — COMMON PROVISIONS

14

Security measures

Zynvio implements appropriate technical and organizational measures in accordance with Art. 32 of the GDPR, both for the data it processes as controller and as processor:

Technical measures

  • Encryption of data at rest and in transit (TLS/SSL, AES-256)
  • Password storage using salted hash functions
  • Cryptographically generated session tokens
  • SQL injection prevention through parameterized queries
  • Validation and sanitization of uploaded files
  • Role-based access control with granular permissions
  • Logical data isolation between companies (multi-tenant architecture)
  • Periodic backups
  • Protection against automated attacks

Organizational measures

  • Principle of least privilege for data access
  • Audit logging with operation traceability
  • Periodic evaluation of security measures
  • Confidentiality obligations for all staff
  • Security incident management procedures
15

Security breach notification

In compliance with Articles 33 and 34 of the GDPR:

As controller

  • Zynvio will notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours of any security breach that poses a risk to the rights and freedoms of data subjects.
  • Where the breach is likely to result in a high risk, the affected data subjects will be notified directly.

As processor

  • Zynvio will notify the User (controller) without undue delay of any security breach affecting the data processed on their behalf.
  • It is the User's responsibility, as controller, to determine whether notification to the AEPD and the affected data subjects is required. Zynvio will provide all necessary information to facilitate such notification.
16

Cookies and similar technologies

In compliance with Art. 22 of the LSSI-CE (Spanish E-Commerce Law):

Platform technical cookies

Zynvio uses exclusively technical and strictly necessary cookies, exempt from consent (Art. 22.2 LSSI-CE):

CookieTypePurposeDuration
session_tokenAuthenticationMaintain user session30 days
session_user_idAuthenticationUser identification in session30 days
session_user_emailFunctionalUser reference in the interface30 days
session_user_nameFunctionalDisplay of user name30 days
session_user_countryFunctionalRegional settings30 days
session_user_phoneFunctionalContact reference30 days
session_user_dominioFunctionalWorkspace identification30 days
session_user_avatarFunctionalProfile picture30 days
NEXT_LOCALEPreferenceLanguage preference1 year
active_businessFunctionalSelected active companySession
pending_verification_user_idAuthenticationEmail verification process20 minutes

Third-party cookies

Within the Zynvio application, no third-party cookies or advertising tracking technologies are used.

On the public website (www.zynvio.com), Google Analytics is used, subject to visitor consent. Users can manage these cookies through the consent banner or their browser settings.

Meta Pixel and similar tracking tools are not used in any of the environments.

Local storage

The platform uses localStorage exclusively for visual theme preference (light/dark mode), without storing personal data.

17

Minors

Zynvio is intended exclusively for professional users. No data is collected from minors under the age of 14 (Art. 7 LOPDGDD). If data from a minor is detected, it will be immediately deleted.

18

Automated decisions

Zynvio does not make decisions based solely on automated processing of data, including profiling, that produce legal effects on the data subject (Art. 22 GDPR). The platform's automated processes (payroll calculations, invoice generation, depreciation) are support tools that require human oversight.

19

Applicable law and jurisdiction

This policy is governed by:

  • Regulation (EU) 2016/679 (GDPR)
  • Spanish Organic Law 3/2018 (LOPDGDD)
  • Spanish Law 34/2002 (LSSI-CE)
  • Applicable Spanish tax, accounting and labor legislation

For any dispute, the parties submit to the Courts and Tribunals of Castellón de la Plana, unless the data subject is a consumer (courts of their domicile).

Competent supervisory authority: Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD).

20

Policy amendments

Zynvio reserves the right to amend this policy to adapt it to legislative or technical developments.

Substantial changes will be communicated to users by means of a notice on the platform or by email with reasonable prior notice.

The updated version will be published at this same link.

21

Contact

This privacy policy (version 2.0) takes effect on April 2, 2026.

PIXELARIS S.L.

CIF: B21739354

privacy@zynvio.com