Privacy Policy
Last updated: 5 May 2026 · Version: 1.0
1. Introduction
At Beezion we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have over it.
This policy applies to:
- The website www.beezion.es and associated subdomains
- The Beezion SaaS platform for invoice digitization
- Commercial and support communications we exchange with you
This policy is governed by Regulation (EU) 2016/679 (GDPR) and Spain's Ley Orgánica 3/2018 on the Protection of Personal Data (LOPDGDD).
2. Data Controller
| Field | Details |
|---|---|
| Legal name | Beezion Labs SL |
| Tax ID (CIF) | [PENDING] |
| Registered address | [Postal address] |
| General contact | contacto@beezion.es |
| Privacy contact | privacy@beezion.es |
If you have any questions about this policy or how we process your personal data, contact us at privacy@beezion.es.
3. Data We Collect
The data we collect depends on how you interact with us:
3.1 When you visit our website
- Technical data: anonymized IP address, browser type, operating system, language, pages visited, time on site
- Cookies: see Section 9 (Cookie Policy)
3.2 When you contact us or request information
- Name and surname
- Business email
- Company and role
- Phone number (optional)
- Content of your message or enquiry
3.3 When you register as a customer
- Account data: name, email, password (encrypted), company, role
- Billing data: legal name, tax ID (CIF/NIF), fiscal address
- Platform usage data: access logs, actions performed, configurations
3.4 When you use the platform
When you use Beezion to process invoices, the documents and extracted data are processed under our role as data processor (Article 28 GDPR), pursuant to the Data Processing Agreement (DPA) executed with you. Your company is the data controller of that data.
4. Purposes and Lawful Basis for Processing
| Purpose | Lawful basis |
|---|---|
| Provision of the contracted service | Contract performance (Art. 6.1.b GDPR) |
| Account management and technical support | Contract performance (Art. 6.1.b GDPR) |
| Billing and tax obligations | Legal obligation (Art. 6.1.c GDPR) |
| Commercial communications with customers | Legitimate interest (Art. 6.1.f GDPR) |
| Marketing to non-customer contacts | Consent (Art. 6.1.a GDPR) |
| Security and fraud prevention | Legitimate interest (Art. 6.1.f GDPR) |
| Service improvement and aggregated analytics | Legitimate interest (Art. 6.1.f GDPR) |
We do not use your data to train artificial intelligence models. The invoices you process through Beezion are never used to train, fine-tune, or modify any AI model — neither ours nor those of our providers.
5. Retention Periods
| Data type | Retention period |
|---|---|
| Account data | For the duration of the contract |
| Tax / billing data | 6 years (Spanish Commercial Code) |
| Documents and data extracted by the platform | Configurable by the customer; default 12 months |
| Access and security logs | 12 months |
| Encrypted backups | 30 days with rotation |
| Prospect and marketing data | Until unsubscribe is requested |
| Cookies | See Section 9 |
After contract termination, customer data is deleted within a maximum of 30 days, unless a legal retention obligation applies.
6. Recipients of the Data
To deliver the service, we share data with the following data processors (subprocessors):
6.1 Subprocessors
| Subprocessor | Service | Location | Safeguard |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud infrastructure (compute, storage, database) | EU — Frankfurt, Germany (eu-central-1) | Intra-EEA processing. AWS GDPR DPA executed |
| Anthropic, PBC | AI model inference (extraction of invoice data) | United States | Anthropic DPA with Standard Contractual Clauses (Module 3, Processor-to-Processor). Zero-retention configuration where applicable |
6.2 Other recipients
- Public authorities: when a legal obligation applies (Tax Agency, Social Security, courts)
- External advisors: tax, labour, and legal advisors, under confidentiality obligations
- Service providers: email, support, monitoring — all bound by a signed DPA
7. International Data Transfers
Beezion processes data primarily within the European Economic Area (EEA). There is one international transfer that you should be aware of:
7.1 EU–US transfer for AI inference
When an invoice is processed by the AI model, the document content is transmitted to Anthropic's API for inference. Anthropic processes this data in the United States.
Applicable safeguards:
- Anthropic's DPA incorporating Standard Contractual Clauses (SCCs) Module 3 (Processor-to-Processor), approved by the European Commission
- Contractual prohibition on the use of customer data to train Anthropic's models
- Encryption in transit (TLS 1.2+)
- Zero-retention configuration where applicable
- Documented Transfer Impact Assessment (TIA) available upon request
7.2 EU residency roadmap
We are evaluating migration to AWS Bedrock in eu-central-1, which would keep all customer data — including AI inference — within the EEA. Customers with strict EU residency requirements can contact us to discuss specific timelines and contractual commitments.
8. Your Rights
As a data subject, you have the following rights:
- Access: know what data we hold about you
- Rectification: correct inaccurate data
- Erasure: request deletion of your data ("right to be forgotten")
- Restriction: limit processing in certain cases
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdrawal of consent: withdraw given consent at any time
- Automated decisions: not to be subject to automated decisions that produce legal effects on you
How to exercise your rights
Send your request to privacy@beezion.es including:
- The right you wish to exercise
- A copy of your ID document or equivalent to verify your identity
We will respond within a maximum of 30 days from receipt of the request, extendable up to 2 months in complex cases (we will notify you in that case).
Complaints to the Spanish DPA
If you believe processing does not comply with the law, you may file a complaint with the Spanish Data Protection Agency (AEPD):
- C/ Jorge Juan, 6, 28001 Madrid
- www.aepd.es
9. Cookie Policy
Our website uses cookies to improve your browsing experience. We use the following types:
| Type | Purpose | Duration | Lawful basis |
|---|---|---|---|
| Technical | Necessary for site operation (session, preferences) | Session / persistent | Legitimate interest |
| Analytics | Usage statistics (Google Analytics or equivalent, anonymized IP) | Up to 2 years | Consent |
| Marketing | Ad personalization | Up to 1 year | Consent |
You can manage your cookie preferences via the banner shown on first access or through your browser settings.
10. Data Security
We implement appropriate technical and organizational measures pursuant to Article 32 GDPR to protect your data:
- Encryption: TLS 1.2+ in transit and AES-256 at rest (AWS KMS)
- Authentication: mandatory two-factor (2FA) for administrative accounts
- Access control: granular roles with least-privilege principle
- Isolation: multi-tenant segregation at application and storage layers
- Monitoring: access logs, 24/7 alerting, periodic penetration testing
- Backups: encrypted, automated, with documented disaster recovery plan
- Training: mandatory annual data protection training for the entire team
- Breach notification: documented procedure with notification to the AEPD within 72 hours per Article 33 GDPR
11. Artificial Intelligence
Beezion uses artificial intelligence to extract structured data from invoices. You should know:
- AI system: large language model (Claude, by Anthropic), accessed via API
- EU AI Act classification (Regulation (EU) 2024/1689): limited/minimal-risk system. Not a high-risk system under Annex III
- Your data does not train the model: the invoices you process are not used to train or fine-tune the AI model
- Human oversight: all extracted data is available for human review before final export
- Transparency: the user interface clearly indicates when data has been extracted by AI
- AI Governance Policy: we maintain an AI Governance Policy regulating the lifecycle of AI features, available upon request
12. Minors
Beezion is a service intended exclusively for businesses and professionals of legal age. We do not knowingly collect personal data from minors under 14. If we detect that we have received data from a minor without proper consent, we will delete it without delay.
13. Changes to This Policy
We may update this Privacy Policy occasionally to reflect legal, technical, or service changes. The date of the latest update appears at the top of the document.
When changes are material (for example, new processing purposes or new subprocessors), we will notify you by email and/or through a prominent notice on the platform with sufficient advance notice.
14. Contact
For any enquiry related to this Privacy Policy or the processing of your data:
- Privacy email: privacy@beezion.es
- General email: contacto@beezion.es
- Postal address: [Beezion Labs SL address]