Privacy Policy
How Runtruffle (operated by ZDS Zander Digital Services S.L.) collects, uses and protects your personal data under the EU GDPR.
1. Data controller
The data controller under Art. 4(7) GDPR is ZDS Zander Digital Services S.L., Mallorca, Spain. Contact: info@zds.es.
2. Categories of personal data processed
- Account data: email, full name, password hash, language preference, time zone.
- Billing data: Stripe customer ID, plan tier, invoice history (full card data lives at Stripe, never on our servers).
- Usage data: project IDs, prompt history, AI-model selections, run timestamps, IP address (truncated, 30-day retention), user-agent.
- Communications: email replies, in-app feedback, support tickets.
3. Purposes & legal basis
- Service delivery (Art. 6(1)(b) GDPR — contract).
- Billing & fraud prevention (Art. 6(1)(b) and 6(1)(f)).
- Service improvement & aggregated analytics (Art. 6(1)(f) — legitimate interest; opt-out via consent banner).
- Marketing emails (Art. 6(1)(a) — consent; one-click unsubscribe).
4. Sub-processors
To deliver the service we share data with the following sub-processors, all bound by GDPR-compliant Data Processing Agreements:
- Stripe Payments Europe Ltd. (Ireland / US) — billing & checkout.
- Brevo (Sendinblue SAS) (France) — transactional and marketing email.
- OpenAI Ireland Ltd., Anthropic PBC (US), Google LLC (US), OpenRouter Inc. (US), Perplexity AI Inc. (US) — AI-model providers that run tracked prompts on our behalf. Personal data is not used to train their models (per their enterprise / API terms).
- Hetzner Online GmbH (Germany) — infrastructure hosting (EU region).
- Cloudflare Inc. (US / EU edge) — CDN, DDoS protection, web analytics.
5. International transfers
Where sub-processors operate outside the EU/EEA, transfers are based on the EU Standard Contractual Clauses (SCC 2021) and, where applicable, the EU-US Data Privacy Framework.
6. Retention
- Account data: until you delete your account.
- Billing data: 10 years (Spanish commercial law).
- Usage logs: 90 days (server-side), aggregates indefinitely.
- Marketing list: until you unsubscribe.
7. Your rights (Art. 15–22 GDPR)
You have the right to access, rectify, erase, restrict, port and object to processing. To exercise any right, email info@zds.es; we respond within 30 days. You may also lodge a complaint with the Spanish AEPD or your local supervisory authority.
8. Cookies
We use a strictly necessary authentication cookie (HttpOnly, Secure, SameSite) and an optional analytics consent layer (Cloudflare / GA4). Details are in the cookie policy (where applicable).
9. Security
Data in transit is protected with TLS 1.2 or later; data at rest is encrypted at the hosting-provider level. Passwords are hashed with bcrypt. Personal data is processed under strict access controls.