DATA PROTECTION · GDPR + LOPDGDD

Privacy policy

Last updated: 13 May 2026

1. Data controller

Zero to One Studio SL is the controller of your personal data under European and Spanish regulation.

  • Identity: Zero to One Studio SL
  • NIF: B22683072
  • Address: Calle Salvador Espriu 89, planta 7, puerta 1, 08005 Barcelona, Spain
  • DPO: dpo@clausula.io
  • AEPD registry: Registered under the relevant legal protocol.

2. Data we process

We collect and process only the data strictly required to operate the service:

Identifying

Name, surname, ID number for legal validation.

Contact

Email, phone and postal address.

Usage & technical

IP address, access logs and platform telemetry.

Contractual & payment

Billing data, generated contracts and payment methods.

3. Purposes of processing

Your data is used exclusively for:

  • check_circleService delivery: running the legal management software.
  • check_circleAdministration: billing, accounting and collections.
  • check_circleCommunications: notices about service changes or support.
  • check_circleCommercial: sending offers if prior consent exists.
  • check_circleLegal obligation: compliance with tax and security regulations.
  • check_circleImprovement: aggregated analysis to optimise user experience.

4. Legal basis

Contract performance

Required to use the platform and contracted services.

Consent

For sending optional newsletters and commercial communications.

Legal obligation

Required by AEAT regulations and anti-money-laundering rules.

Legitimate interest

Ensuring network security and internal product improvement.

5. Retention period

CATEGORYPERIOD
Tax documentation6 years
Contractual files5 years after end
Usage logs12 months
Commercial communicationsUntil consent is withdrawn

6. Recipients and international transfers

We do not share your data with third parties except with Public Administrations by legal mandate and with our strictly necessary processors (hosting and payment gateway).

Transfers outside the EEA

We prioritise storing data within the European Union. The use of specific infrastructures (such as Bedrock) takes place exclusively in certified European regions to ensure GDPR compliance. See the full list on the security page.

7. Your rights

You can exercise your rights at any time by emailing dpo@clausula.io or by postal mail.

keyAccess & rectification
deleteErasure & right to be forgotten
blockObjection & restriction
sync_altData portability

If you believe we have not properly addressed your rights, you can file a complaint with the Spanish Data Protection Agency (AEPD).

8. Security

We implement state-of-the-art technical measures to protect your information:

  • Data at rest encrypted with AES-256.
  • Communications protected under TLS 1.3.
  • Role-based access control (RBAC).
  • Regular security and penetration audits.

9. Changes to this policy

We reserve the right to amend this policy to adapt to regulatory changes. We will notify any substantial change at least 30 days in advance of its entry into force.