GDPR: what Clozo stores about you, why, and for how long

Clozo is the data controller for your account (you, the freelancer). For data about your clients — names, email addresses, billing details on the invoices you issue — you are the controller and Clozo is the processor. That distinction matters because client-data subject requests (export, erasure) come to you first and you decide how to respond; Clozo gives you the tooling to fulfil them but doesn't own the relationship. See article 11.7 for the practical workflow.

From 2026-05-19 (production launch trigger), Clozo also implements the legal retention foundation per [A-021..A-027]: a multi-step Celery saga for GDPR cascade erasure (DB-only steps first, then external Stripe / R2 side-effects), Stripe Connect deactivation (not deletion) at erasure time so AEAT requerimientos in years 6–10 can still be answered via stripe_account_id, pseudonymisation that retains vat_number and company_name (EU VAT Directive Art. 226(10) + Art. 244 require these on retained invoices), HMAC-SHA-256 lookup User.email_hmac so a former user can be matched to their row years after anonymisation, and a public /recover-invoice endpoint with strong anti-enumeration for third-party clients to retrieve their own legally-retained invoices in 2031+.

The 13 active processing activities, grouped by lawful basis under Art. 6(1):

Art. 6(1)(b) Contract — the data we must process to deliver the service: 1. User account creation — email, name, country, locale, password hash. Retained until account deletion + 30-day grace. 2. Invoice generation — your business identity + your client's billing data + line items. Retained 10 years under EU VAT Directive 2006/112/EC Art. 244. 3. Subscription billing — Stripe customer ID, plan, billing email, billing address. Retained 10 years under Spanish LGT 58/2003 + EU VAT Directive (we are Spain-controlled). 4. Payment processing (Stripe Connect) — payer name, billing address, payment method token, transaction amount. Clozo holds only the PaymentIntent ID and status; Stripe holds card data per their PCI-DSS scope (~7 years per their policy). 5. Transactional email (Resend) — recipient email + name + message body. Delivery logs 1 year; email bodies not retained beyond the send queue.

Art. 6(1)(c) Legal Obligation — the data the law requires us to keep: 6. VAT validation (VIES) — VAT number + country code, validated against the European Commission's VIES SOAP service. Cached 24 hours. 7. GDPR self-service endpoints — identification + contact + billing + operational data needed to fulfil Art. 15 / 17 / 20 requests. Tokens cleared on first use or after 14 days. 8. R2 file ledger — every PDF or e-invoice XML object the system stores. Required by GoBD §147 AO (Germany, 10 years), eIDAS Art. 34 (10-year signature audit), and EU VAT Directive Art. 244. Ledger row outlives the blob. 9. Admin audit log — every state-mutating admin action on user data. Required by Art. 5(2) accountability. Retained for the lifetime of the affected data subject's account.

Art. 6(1)(a) Consent — strictly opt-in, can be revoked any time: 10. Marketing attribution (Google Ads + GA4) — click IDs, SHA-256-hashed email/phone for Enhanced Conversions, GA4 client_id, transaction value. Retained 13 months on GA4 (project setting). High-risk processing — we maintain a DPIA at _scratch/DPIA_marketing_attribution.md (pending counsel review). 11. Product analytics (PostHog) — pseudonymous distinct_id, page views, feature events, country (city resolution disabled). Retained 13 months. Ingest is on EU servers (eu.i.posthog.com).

Art. 6(1)(f) Legitimate Interest — balanced against your rights: 12. Security logs — source IP, user-agent, request path, response code, auth outcome. Retained 14 days (Railway log retention). 13. Customer support chat (Crisp) — email, name, chat content. Retained 2 years from last message; deleted on customer request. Crisp is hosted in France (EU jurisdiction).