Legal

Privacy Policy

The short version: your files are end-to-end encrypted before they leave your device, we cannot read them, and we collect the minimum account metadata needed to run the service. The long version follows.

1. Who we are

SP3 is an end-to-end encrypted storage service operated from Alicante, Spain, in the European Union. SP3 is the data controller for account and billing metadata and the data processor for the file content you upload.

2. What we collect

2.1 Account metadata (controller)

• Email address you register with.
• Display name, if you choose to set one.
• Public key material generated during enrolment.
• Billing identifier provided by our payments processor — never the card number itself.

2.2 File content (processor)

Stored only as AES-256-GCM ciphertext sealed with keys we never possess. We see file sizes and per-account totals — nothing about names, formats, or contents.

2.3 Operational logs

• Timestamped connection events (region, coarse IP prefix) for abuse detection and incident response.
• Error traces, with any customer identifier stripped before they reach long-term storage.

We do not collect: analytics cookies, ad-network identifiers, device fingerprints, location beyond EU-region granularity, or social-login tokens. We have no tracking pixels.

3. Legal bases

• Contract (GDPR Art. 6(1)(b)): the data needed to operate the account you signed up for.
• Legitimate interests (Art. 6(1)(f)): coarse operational logs used for security.
• Legal obligation (Art. 6(1)(c)): retention required by Spanish tax and accounting law.

4. Retention

• Account metadata: life of the account + 30 days to let you change your mind.
• Ciphertext: until you delete it, or 30 days after account closure.
• Operational logs: 30 days unless retained longer for an active incident.
• Billing records: the period mandated by Spanish law (currently six years).

5. Sub-processors

Our sub-processor categories and safeguards are described on Data Processing; the current named list is shared in the signed DPA. Every sub-processor is contractually bound to the same confidentiality terms and is located in the EU or operates under approved transfer safeguards.

6. Your rights

You may request access, rectification, erasure, portability, or restriction at any time by writing to legal@sp3.es. We reply within 30 days. You may also complain to the Spanish Agencia Española de Protección de Datos (AEPD).

7. Children

SP3 is not directed at children under 16. We do not knowingly onboard minors.

8. Changes

Material changes are communicated by email to every account holder at least 30 days before taking effect.

Version 2025-04-22. Prior versions available on request.