Privacy Policy
This Privacy Policy ("Policy") explains how pibiCo Compañía de Inteligencia de Negocio y Control SL ("pibiCo", "we" or "our") collects, uses, discloses and protects personal data when you use the application Scriptorium ("the Platform"), a SaaS solution by pibiCo enhanced with AI and IoT capabilities.
pibiCo is a Spanish company incorporated under the laws of Spain and the European Union (EU), with VAT number ES B52567831 and registered office at Avenida de La Costa, 35-6T, 33201 Gijón, Asturias, Spain.
1. Scope of this Policy
1.1 Applicability
This Policy applies to personal data we collect from authorised Users and employees of contracting companies who access the Platform. There is no guest mode: all Users must register to obtain an account. Visitors of the public website may view general information without logging in; no personal data is collected from such visitors unless they voluntarily provide it through contact or subscription forms.
1.2 Data Protection Officer (DPO)
We have appointed our CTO as Data Protection Officer. For privacy-related inquiries, contact: soporte@pibico.es.
2. Personal data we collect
2.1 Types of personal data
While using Scriptorium we may collect the following categories of data:
- name
- org
2.2 No special categories
We do not collect health, biometric or sensitive financial data beyond what is strictly necessary for the subscription payment methods.
3. How we collect your data
3.1 Direct collection
Personal data is mainly collected when authorised Users or employees enter their information into Platform forms or complete the organisation onboarding.
3.2 System logs and local storage
We use local storage and logs to track User activity, ensure security, debug issues and keep accurate billing records.
3.3 No automated external collection
We do not collect personal data through external APIs or automated third-party integrations without prior agreement. Any additional integration is explicitly agreed with the contracting company.
4. Purposes of processing
4.1 Service delivery
We process personal data to provide and maintain Scriptorium's features, including analytics, reporting, calendar or IoT synchronisation where applicable, and integration with other pibiCo services under the same SSO.
4.2 Support and billing
Personal data may be used to provide customer support, issue Verifactu invoices, manage subscriptions and payments, and handle incidents.
4.3 Communications
With your explicit consent, we may send newsletters or notifications about service updates. Service communications (incidents, changes, legal notices) are always sent on a legitimate-interest basis, even without marketing consent.
4.4 No profiling or automated decisions
We do not use personal data to build profiles or make automated decisions with legal or similarly significant effects.
5. Legal bases for processing
| Legal basis (Art. 6 GDPR) | Application |
|---|---|
| Contract performance (Art. 6.1.b) | Service delivery, account management, authentication, subscription billing. |
| Legal obligation (Art. 6.1.c) | Invoicing, accounting retention and Spanish tax law (incl. RD 1007/2023 Verifactu). |
| Legitimate interest (Art. 6.1.f) | Security, anti-abuse, fraud prevention, service communications. |
| Consent (Art. 6.1.a) | Marketing communications, analytics and marketing cookies. |
6. Disclosure and data sharing
6.1 External processors
We do not share personal data with third parties except where necessary to process payments or comply with a legal request (courts or authorities).
6.2 AI processing
AI data processing in Scriptorium: cloud.
Some content may be processed by cloud AI providers (Anthropic, OpenAI). Data is not used for model training and is governed by a DPA contract with each provider.
6.3 No external transfers without agreement
We do not transfer personal data to external APIs, third-party software or services that are not explicitly agreed in your organisation's subscription contract.
7. Data retention
7.1 Retention periods
- Active subscription: indefinitely, for the duration of the subscription.
- Account after trial without upgrade: 30 days in read-only mode, then permanent deletion.
- Billing data: 6 years (Spanish commercial and tax obligation).
- Security logs: 12 months.
7.2 Post-subscription retention
After subscription termination we may retain personal data for up to 5 years to comply with accounting, legal and regulatory requirements, unless the law requires a different period. After that, data is deleted or anonymised.
8. Data security
8.1 Technical and organisational measures
We use role-based access control (RBAC), permission management, encryption in transit (TLS 1.2+) and at rest where applicable, passwordless authentication (passkey + email-OTP), and complete activity logging. Only authorised personnel have access to personal data.
8.2 Data breaches
In case of a suspected breach we will investigate immediately, identify the scope, and where applicable notify affected data subjects and the AEPD within the 72-hour period set by Art. 33 GDPR.
9. International transfers
Where a processor is located outside the European Economic Area, transfers are made on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, or under an Adequacy Decision. By default, Scriptorium data is stored on European infrastructure.
10. Data subject rights
10.1 Your rights (GDPR and LOPDGDD)
- Access: obtain confirmation of which data we process and a copy of it.
- Rectification: correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data.
- Objection: object to processing based on legitimate interest.
- Restriction: request temporary restriction of processing.
- Portability: receive your data in a structured, exportable format.
- Withdraw consent: at any time without affecting the lawfulness of prior processing.
10.2 Exercising your rights
To exercise any right, write to soporte@pibico.es or to the DPO at soporte@pibico.es, indicating the affected app and providing identification. We will respond within one month.
10.3 Complaint to the AEPD
If you believe your rights have not been properly addressed, you may file a complaint with the Spanish Data Protection Agency at www.aepd.es.
11. Children's data
Scriptorium is not directed at children under 16. We do not knowingly collect data from minors without proper authorisation from the contracting company or parents. If you detect that a minor has provided data without authorisation, contact soporte@pibico.es for immediate deletion.
12. Cookies
The use of cookies is governed by the Cookies Policy.
13. Updates to this Policy
Material changes (data collected, purposes, third parties, retention) will require fresh explicit consent and will be notified to subscribed Users by email before they take effect. Minor changes (corrections, formatting) are published with a new version and effective date without affecting prior consent.
14. Contact information
pibiCo Compañía de Inteligencia de Negocio y Control SL
Avenida de La Costa, 35-6T
33201 Gijón, Asturias, Spain
Email: soporte@pibico.es
DPO: soporte@pibico.es
Last updated: 2026-05-10 · Version 1.0.0