1. Who we are

Presupuestero is operated by [LEGAL-NEEDED — registered company name and NIF], [LEGAL-NEEDED — registered address]. Contact: hola@presupuestero.com.

2. What we collect

When you use Presupuestero we process the following categories of data:

• Account data — your email address, name (optional), and authentication tokens, used to log you in.
• Workspace data — your business name, NIF, fiscal address, contact email, phone, logo, brand color, default VAT rate.
• Quote content — clients you create, line items, attached photos and voice memos. This data is yours; we store it on your behalf.
• Usage events — when quotes are created, sent, viewed, accepted or rejected. Used for plan-limit enforcement and internal billing audit.
• Technical data — IP address, browser, and basic request metadata, captured by our hosting and error-tracking providers.

3. Why we process it

We process your data to:

• provide the Service (storage, retrieval, PDF rendering);
• transcribe voice memos and extract structured items from photos (with Google Vertex AI as a sub-processor — see §6);
• send transactional emails (sign-in, quote-accepted, quote-rejected) via Resend;
• bill you, enforce plan limits, and prevent abuse (Stripe);
• monitor errors and security incidents (Sentry).

4. Legal basis

We rely on the contract you enter into with us when signing up (GDPR art. 6(1)(b)) for service-essential processing, and our legitimate interest (art. 6(1)(f)) for fraud prevention and security monitoring. [LEGAL-NEEDED — confirm against AEPD guidance.]

5. Storage and retention

• Account and workspace data: kept while your account exists, plus 6 years post-cancellation for accounting compliance (Código de Comercio art. 30). [LEGAL-NEEDED — confirm period.]
• Voice memos: auto-deleted 90 days after upload. Photos: kept until you delete the parent quote.
• Audit logs: kept for the lifetime of the workspace.

6. Sub-processors

We share data with:

• Supabase (Frankfurt, eu-west-1) — Postgres database and object storage.
• Google Cloud / Vertex AI— voice transcription, photo extraction, and visual-similarity search using the Gemini model family. Voice and photo extraction run on Google'sglobal Vertex AI endpoint, which means individual requests may be processed in any Google Cloud region worldwide and Google does not guarantee in-EU processing for that endpoint. Categorisation, PII detection, rate-card extraction, and visual-similarity search run inside the EU oneurope-west1. (If a preview Gemini embedding model is enabled in the future, visual-search inference may run onus-central1 instead — that route is currently disabled.) The audio, image, and document content sent for inference is not retained by Google for training. All stored data (database, file storage, application hosting) stays inside the EU. [LEGAL-NEEDED — confirm whether this constitutes a Chapter V transfer requiring SCC reference and whether explicit consent is required at sign-up.]
• Resend — transactional email delivery.
• Stripe — payment processing.
• Vercel — application hosting and CDN.
• Sentry — error tracking.

Each sub-processor has signed a Data Processing Agreement (DPA) with us. [LEGAL-NEEDED — link DPAs once signed.]

7. Your rights

Under GDPR you have the right to access, rectify, erase, restrict, and port your data, as well as the right to object to certain processing. To exercise any of these, write to hola@presupuestero.com. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

8. Changes

We'll update this policy as the service evolves. Material changes will be notified by email and on this page. The “last reviewed” date below tracks revisions.

Last reviewed: 27 April 2026