Privacy Policy

Effective date: 29 September 2025
Last updated: 29 September 2025

This Privacy Policy explains how PastWipe S.L. (“PastWipe”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you visit pastwipe.com (and subdomains), use our products and services (the “Services”), interact with us, or otherwise provide personal data. It also describes your rights and choices. If you are a customer of PastWipe, the processing of end-user data we perform on your instructions is governed by our Data Processing Addendum (DPA); this Policy primarily covers where PastWipe acts as a data controller (e.g., marketing sites, account administration, billing, support).

This document includes operational detail suitable for compliance review. It should be read together with our Terms of Service, Cookie Notice, and DPA (where applicable).


1) Who we are & how to contact us

Controller
PastWipe S.L.
Address: Marbella, 29602, Málaga, Spain
Domain: pastwipe.com
Email (privacy): [email protected]
Email (security incidents): [email protected]
Email (support): [email protected]

Data Protection Officer (DPO)
Heather Sageman
Email: [email protected]

EU/EEA establishment: Spain.
Lead supervisory authority: Agencia Española de Protección de Datos (AEPD), Madrid — aepd.es. You may lodge a complaint with your local authority or the AEPD.

EU/UK representatives (Art. 27): Not required at this time because PastWipe is established in the EU. We will appoint representatives if our processing activities require it.


2) Scope & roles

  • When PastWipe is Controller: website visitors, sales/marketing contacts, event/webinar registrants, account owners/admins, billing contacts, and job applicants.

  • When PastWipe is Processor: we process Customer Data only under a written DPA and on the customer’s documented instructions (e.g., configuration, logs generated by your use, policy enforcement telemetry). For data-subject requests relating to Customer Data, contact the relevant customer (the “controller”) directly; we will assist as required.


3) Key definitions

  • Personal Data / Personal Information: information that identifies or is reasonably linkable to an individual or household.

  • Special Categories of Data: e.g., health, biometric identifiers, precise geolocation, political opinions, religious beliefs, union membership, sexual orientation, genetic data.

  • Process / Processing: any operation performed on personal data (collection, storage, analysis, disclosure, deletion).

  • Sell / Share (US state laws): as defined under the California Consumer Privacy Act (as amended by CPRA).


4) What we collect

We collect personal data in three ways: (A) you provide it, (B) we collect it automatically, (C) we receive it from third parties.

A) Data you provide directly

  • Contact & account data: name, email, phone, role, organization, country/region, login credentials, preferences.

  • Commercial & transaction data: subscription tier, invoices, payment status, billing address, tax IDs. (Card data is handled by our PCI-DSS compliant payment processor; we receive tokens and limited metadata.)

  • Support/communications: messages, attachments, call notes, troubleshooting logs.

  • Forms & surveys: demo requests, “Contact Sales,” beta sign-ups, webinars, feedback.

  • Job applications: CV/resume, cover letter, employment history, education, references, eligibility.

B) Data collected automatically

  • Device & usage data: IP address, device identifiers, browser/OS, language, referrers, pages viewed, timestamps, session duration, clicks, feature use, error events, performance metrics.

  • Cookies & similar tech: HTTP cookies, local storage, pixels, tags, and SDKs. See Section 11 (Cookies).

  • Service telemetry: authentication events, API calls, policy evaluations, and security/audit logs generated by your use of our Services.

C) Data from third parties

  • Service providers: payments (status, fraud checks), analytics, security, hosting/CDN, email delivery.

  • Partners & resellers: lead referrals and eligibility checks.

  • Public/professional sources: business contact data from professional networks, industry directories, event organizers, or public websites, consistent with applicable law.

We do not knowingly collect Special Categories of Data via our marketing websites. Customers must not submit Special Categories to our Services unless agreed in writing and appropriately safeguarded.


5) Purposes & legal bases (GDPR/UK GDPR)

Purpose Examples Legal basis
Provide Services account setup, authentication, user management, configurations, uptime Contract (Art. 6(1)(b)); Legitimate interests (service integrity)
Billing & payments invoicing, tax, fraud prevention Contract; Legal obligation (tax)
Security & abuse prevention access controls, logging, incident detection/response, anti-fraud Legitimate interests; Legal obligation where applicable
Product improvement diagnostics, analytics, QA, feature telemetry Legitimate interests (improve and secure Services)
Communications service notices, administrative emails Contract / Legitimate interests
Marketing newsletters, webinars, events, B2B outreach Consent where required; otherwise Legitimate interests (B2B)
Compliance & governance audits, regulatory requests, litigation defense Legal obligation / Legitimate interests
Recruitment evaluate candidates, schedule interviews Legitimate interests / Consent where required

We perform balancing tests when relying on legitimate interests and provide opt-outs where required. Where we rely on consent (e.g., non-essential cookies, some marketing), you may withdraw it at any time (see Section 12).


6) How we use personal data

  • To operate, secure, and maintain our websites and Services.

  • To create and manage accounts, including authentication and authorization.

  • To deliver, measure, and improve features, reliability, and performance.

  • To send service messages (e.g., maintenance notices, changes to terms, security alerts).

  • To provide support and resolve issues.

  • For billing, payments, collections, and tax.

  • For research and development, including de-identified or aggregated analysis.

  • For B2B marketing to business contacts, with appropriate permissions.

  • To comply with laws, enforce our agreements, and protect rights, safety, and property.

AI & model usage. We may use automated systems to detect abuse, optimize performance, or suggest configurations. We do not use your customer content to train our foundation models unless you (or your organization) give explicit, informed consent or enable such a setting in a signed agreement.


7) Disclosures & recipients

We disclose personal data to:

  • Service providers / subprocessors: cloud hosting, CDN, DDoS protection, email delivery, analytics, CRM, billing/payments, customer support tools, security providers (engaged under data-protection agreements and used only for specified purposes).

  • Partners & resellers: to fulfill transactions, support, or co-marketing you engage in.

  • Corporate transactions: a merger, acquisition, financing, reorganization, or asset sale (subject to appropriate safeguards).

  • Legal & safety: to comply with law, enforce agreements, respond to lawful requests, or protect rights, property, users, and the public.

  • With your direction: if you ask us to share data or integrate with a third-party product.

A current list of subprocessors is maintained in our Trust Center (or available upon request). We will provide notice of material changes as required.


8) International data transfers

We operate globally. Where personal data is transferred outside the EEA/UK/Switzerland, we use lawful transfer mechanisms, such as:

  • EU Standard Contractual Clauses (SCCs) (and UK Addendum/IDTA),

  • Adequacy decisions (where applicable), and

  • Supplementary measures (e.g., encryption, access controls, pseudonymization).

We perform transfer impact assessments and implement technical and organizational measures consistent with regulatory guidance.


9) Data retention

We retain personal data only for as long as necessary to fulfill the purposes described above or as required by law.

Data category Example retention
Account & profile Account lifetime; 12–24 months after closure (records & backups)
Billing & tax 6–10 years (legal/tax obligations)
Support tickets 24 months after resolution (audit & quality)
Marketing leads 24 months from last meaningful interaction or until you opt out
Logs & telemetry 30–365 days depending on log type and security needs
Job applications 6–24 months unless hired or local law requires longer

Backups and archives may persist for limited additional time, after which they are overwritten or deleted in the ordinary course of business.


10) Security

We apply administrative, technical, and physical safeguards aligned with industry practices, including (as appropriate):

  • Encryption in transit (TLS) and at rest; key management (KMS/HSM).

  • Network segmentation, firewalls, WAF/CDN, DDoS protection.

  • Access controls (least privilege, MFA, SSO), audit logging.

  • Secure SDLC, code reviews, dependency scanning, vulnerability management.

  • Incident response & breach notification procedures.

  • Employee confidentiality and security training.

  • Vendor risk management and DPAs with subprocessors.

No system is 100% secure; if we become aware of a breach affecting your personal data, we will notify you and regulators in accordance with applicable law and our contractual commitments.


11) Cookies & similar technologies

We use essential and non-essential cookies:

  • Strictly necessary: required for core site functions, authentication, security.

  • Functional/Preference: remember choices (e.g., language).

  • Performance/Analytics: measure usage to improve the site.

  • Advertising/Targeting (if used): only where we run campaigns and you consent.

Where required, we obtain consent via a cookie banner and Consent Management Platform (CMP). You can manage preferences at any time via the banner link in the footer or your browser settings. Blocking cookies may impact site functionality.

We honor browser-based Global Privacy Control (GPC) signals where legally required.


12) Your rights

Depending on your location, you may have rights to:

  • Access your personal data and obtain a copy;

  • Rectify inaccurate or incomplete data;

  • Erase (right to be forgotten);

  • Restrict processing;

  • Object to processing (including direct marketing);

  • Data portability;

  • Withdraw consent at any time (without affecting prior lawful processing);

  • Lodge a complaint with a supervisory authority.

How to exercise: email [email protected] or [email protected] with your request. We may ask for information to verify your identity (and authority, if acting as an agent). We will respond within the timeframes required by law.

Customer/Processor context: if your data was submitted to our Services by a PastWipe customer, contact that customer (controller). We will assist them in fulfilling your request.


13) Marketing choices

  • Email marketing: use unsubscribe links or contact us at [email protected].

  • B2B marketing: we may contact professional addresses on a legitimate-interests basis; you can opt out at any time.

  • Preference center (where available): manage communication types.

  • Cookies/ads: see Section 11 for cookie choices and GPC.


14) US state privacy disclosures (California & others)

California (CPRA/CCPA). For California residents:

  • Categories collected: identifiers (e.g., name, email, IP), commercial information (transactions), internet/electronic activity (usage, logs), professional information (role, employer), inferences (product interest segments), and coarse geolocation (derived from IP).

  • Sources: you, your devices, our providers, partners, and public sources.

  • Business/commercial purposes: as listed in Sections 5–6.

  • Retention: see Section 9.

  • Sensitive Personal Information: we do not use or disclose SPI to infer characteristics; we only process limited SPI if strictly necessary (e.g., MFA tokens), and we do not use SPI for purposes requiring a “Limit the Use” link.

“Sell”/“Share” of Personal Information:

  • We do not “sell” personal information (for money or otherwise) as defined by the CPRA.

  • We do not “share” personal information for cross-context behavioral advertising.
    If this changes, we will update this Policy and provide “Do Not Sell or Share” mechanisms.

California rights: know (access), correct, delete, portability, opt-out of sales/sharing (currently not applicable), limit use/disclosure of sensitive data (not applicable), non-discrimination. Submit a verifiable request to [email protected]. Authorized agents may submit on your behalf with proof of authorization and verification.

Other states (e.g., VA, CO, CT, UT): we honor applicable rights (access, correction, deletion, portability, targeted advertising opt-out where relevant). Appeals: If we deny your request, you may appeal by replying to our decision email or writing to [email protected] with “Appeal” in the subject line.


15) Children’s privacy

Our websites and Services are not directed to children (typically under 16; under 13 in the US). We do not knowingly collect children’s personal data. If you believe a child has provided data, contact us and we will take appropriate steps to delete it.


16) Third-party websites & services

Our websites may contain links to third-party sites or integrations. Their privacy practices are governed by their own policies. We are not responsible for their content or practices.


17) Automated decision-making & profiling

We do not engage in automated decision-making that produces legal or similarly significant effects without human involvement. We may use limited profiling for security (e.g., anomaly detection) and B2B marketing segmentation; you may object where applicable (see Section 12).


18) DPIAs, RoPA & accountability

Where required, we conduct Data Protection Impact Assessments (DPIAs) and maintain Records of Processing Activities (RoPA) under Art. 30 GDPR. Customers may request security and compliance information under our DPA.


19) International users

By accessing our sites or using our Services from outside Spain, you acknowledge that your data may be processed in Spain and other countries with different data-protection standards. We implement safeguards described in Section 8.


20) Changes to this Policy

We may update this Policy to reflect legal, technical, or business developments. We will post the updated version with a new “Last updated” date and, where required, provide advance notice (e.g., email or in-product). Your continued use after the effective date constitutes acceptance.


21) How to contact us


Appendices

Appendix A — Detailed data categories & purposes

Category Examples Purpose(s) Source
Identifiers name, email, phone, IP, device ID account, comms, security, support, B2B marketing you; device; providers
Commercial subscription, invoices, payment status billing, tax, fraud prevention you; payment processor
Usage/Telemetry page views, API calls, error codes, latency security, diagnostics, improvement device; services
Professional data employer, role, department B2B sales & success you; partners; public sources
Support content tickets, call logs, attachments troubleshooting, quality you
Inferences engagement tier, interest clusters product improvement, B2B outreach derived

We do not intentionally collect Special Categories via our marketing sites. Customers should not submit Special Categories to the Services unless contractually permitted.


Appendix B — Subprocessors (overview)

We engage carefully vetted providers under data-processing terms and appropriate transfer safeguards. Categories typically include:

Subprocessor category Purpose Typical locations Transfer mechanism
Cloud hosting & databases Compute, storage, backup EU/US SCCs + supplementary measures
CDN/WAF & DDoS Security, performance Global SCCs / adequacy
Email delivery Transactional email, notifications EU/US SCCs
Analytics (privacy-respecting) Site/product analytics EU (preferred) N/A (in-EEA) or SCCs
Payment processor Billing & payments (PCI DSS) EU/US SCCs
CRM & marketing ops B2B sales pipeline EU/US SCCs
Support desk Ticketing, live chat EU/US SCCs
Error/Logging & APM Monitoring & diagnostics EU/US SCCs
Integration platform Workflow automation (e.g., CRM↔support) EU/US SCCs

A current, named list of subprocessors (with purposes and regions) is available upon request at [email protected] and will be published in our Trust Center when live.


Appendix C — Retention schedule (reference)

Data Default retention Rationale
Customer account records Life of contract + 24 months audit, disputes, potential reactivation
Billing & tax 10 years statutory obligations
Security logs (auth events) 180 days incident investigation
App telemetry & errors 90 days reliability analysis
Marketing leads (B2B) 24 months from last activity relevance window
Support tickets 24 months after closure quality/audit
Job applicant data 12 months (or per local law) recruitment pipeline

Appendix D — Jurisdiction-specific disclosures

EEA/UK/Switzerland: GDPR rights and legal bases (see Sections 5 & 12). Transfers outside the EEA/UK/CH rely on SCCs/IDTA/Addendum and supplementary measures.

California: CPRA rights (see Section 14). No “selling” or “sharing” as defined by CPRA; no use of Sensitive PI to infer characteristics.

Virginia/Colorado/Connecticut/Utah, etc.: access, correction, deletion, portability, and opt-out of targeted advertising or profiling where applicable. Appeal: [email protected].

Canada (PIPEDA): we rely on consent or other lawful bases; you may access and correct personal data and challenge compliance.

Australia (APPs): we comply with the Australian Privacy Principles where applicable.


Appendix E — Processor commitments (summary)

When acting as a Processor for customers, PastWipe will:

  1. Process personal data only on documented instructions and for agreed purposes.

  2. Ensure staff confidentiality and appropriate training.

  3. Implement security measures described in Section 10 and the DPA.

  4. Assist controllers with data-subject requests, security incidents, DPIAs, and consultations.

  5. Use subprocessors only with notice and contractual protections; remain responsible for their performance.

  6. Notify controllers of personal-data breaches without undue delay.

  7. Delete or return personal data at contract end, subject to legal retention obligations.

  8. Make available information necessary to demonstrate compliance (including audit rights per the DPA).


Versioning

  • Version: 1.0

  • Effective date: 29 September 2025


Implementation checklist (internal)

  • Publish this Policy at pastwipe.com/privacy and add footer links (Privacy, Cookies, DPA, Terms).

  • Configure cookie banner/CMP and link to this Policy + preferences page.

  • Stand up a simple rights-request workflow (ticketing, verification, deadlines).

  • Keep subprocessor register updated and accessible on request.

  • Verify incident response and breach notice playbooks reflect this Policy.

  • Maintain RoPA, DPIAs, and TIAs; review annually or on material change.

If you want, I can also output this as an Elementor-ready HTML block (with anchor links and collapsible sections) and a PDF for downloads.