Provanza
Get started
Legal documentsLegal

Privacy policy

Information about personal data processed by Provanza.

Last updated: 2026-05-11EN

Quick summary

Controller
Alberto Cuervo Arias
Contact
[email protected]
GDPR rights contact
[email protected]
Purposes
Accounts, workspaces, POD requests, billing, transactional communications, security, support, and operational improvement.
Legal bases
Contract or pre-contract steps, legal obligations, legitimate interests, and consent where required.
Supervisory authority
Spanish Data Protection Agency (AEPD).

Data categories

  • Account data: name, email, password-auth or OAuth identifiers, verification state, and timestamps.
  • Session and security data: session identifiers, IP address, user agent, and timestamps.
  • Workspace data: organizations, memberships, invitations, roles, and operational preferences.
  • POD workflow data: carrier, tracking number, optional postal code, batch metadata, status, artifacts, failure reasons, and usage events.
  • Billing data: selected plan, Stripe customer/subscription identifiers, checkout, portal, invoices, and webhooks. Full card details are handled by Stripe.
  • Communications: email verification, password reset, invitations, welcome emails, and support messages.
  • Public-site technical data: language/theme preferences, analytics consent, page views, and aggregate funnel events when analytics is accepted.

Providers, processors, and necessary third parties

The final production setup may include hosting, database, object-storage, transactional email, payment, OAuth/authentication, support, and monitoring providers. Regions, data-processing agreements, and safeguards will be reviewed against the final configuration for each provider.

When a user requests delivery evidence, Provanza may send the minimum necessary data to carrier systems or equivalent technical request flows to retrieve the requested evidence.

  • Stripe for payments, checkout, subscriptions, customer portal, invoices, and webhooks.
  • Resend for transactional email when configured.
  • Better Auth for session/authentication handling; Google OAuth when configured and selected by the user.
  • Cloudflare R2 or S3-compatible storage for POD artifacts when enabled in production.
  • Google Analytics for aggregate page and conversion-event measurement when the user accepts analytics.
  • Microsoft Clarity for behavior analytics and masked session insights when the user accepts analytics.
  • DHL, FedEx, UPS, GLS, and other supported carriers when needed to obtain evidence.

International transfers

Some providers may process data outside the European Economic Area. Where relevant, Provanza will rely on the provider terms, DPA, standard contractual clauses, or other mechanisms offered by each provider and confirmed for the production setup.

Retention

  • POD artifacts: visible in the workspace according to the active plan's POD history window; older PODs are not auto-removed solely because they age out of that window and may be retained while needed for the service, billing, audit, disputes, or legal claims.
  • Logs: for a limited period appropriate to security, operations, troubleshooting, and abuse prevention.
  • Usage/events: as needed for billing, audit, support, and abuse-prevention needs.
  • Account and billing records: for contractual, tax/accounting, and legal-obligation periods.

Your rights

You can exercise access, rectification, erasure, objection, restriction, portability, and consent-withdrawal rights where applicable by contacting [email protected]. You may also complain to the AEPD if you believe processing does not comply with data-protection law.