Privacy Policy

1. Who We Are

Clozo is operated by Andrei Diachenko, sole proprietor (autónomo), trading as 'Clozo' (the 'Controller' within the meaning of Article 4(7) GDPR). Registered address: Calle Covera 19, 5A, 33012 Oviedo, Asturias, Spain. Spanish tax identifier (NIF/NIE): Z1579875X. EU VAT identifier: ESZ1579875X. We are a proposal and invoicing platform for independent freelancers and small businesses based in the European Union. This Privacy Policy explains how we collect, use, share, and protect your personal data in accordance with Regulation (EU) 2016/679 (GDPR), the ePrivacy Directive 2002/58/EC, the Spanish Ley Orgánica 3/2018 (LOPDGDD), and the Spanish Ley 34/2002 (LSSI-CE). We are not required to appoint a Data Protection Officer under Article 37(1) GDPR; for any privacy matter, contact privacy@useclozo.com. Previous versions of this Privacy Policy are available on request.

2. Personal Data We Collect

We collect the following categories of personal data, grouped by purpose:

• Account data: name, email address, hashed password, company name, VAT number, country of residence.
• Client data: names, email addresses, postal addresses, and VAT numbers of clients you enter into Clozo to invoice. You are the controller of this data; we process it as your data processor under Article 28 GDPR.
• Business data: proposals, invoices, line items, payment records, e-signature audit trails, and uploaded files (e.g., logos).
• Usage data: pages visited, actions taken (clicks, form submissions), browser type and version, operating system, device type, screen size, IP address. We process the full IP address only transiently — for rate limiting, fraud prevention, and TLS termination by Cloudflare. For analytics purposes, the country is derived from the IP at Cloudflare's edge (CF-IPCountry header) and the IP itself is not stored alongside the analytics event. Full IP addresses appear only in application security logs and are deleted after 14 days.
• Payment data: subscription billing handled by Stripe — we do not store credit-card numbers, CVV, or full PAN. We retain only the Stripe customer identifier and the invoice/subscription metadata.
• Marketing attribution data: UTM campaign parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term) are read from the URL of the page you arrived on as first-party data; advertising click identifiers (gclid for Google Ads, fbclid for Meta, msclkid for Microsoft Ads, ttclid for TikTok, li_fat_id for LinkedIn), referring URL and host, landing page URL, pseudonymous session identifier (PostHog distinct_id), and Google Analytics 4 client identifier (when set by the GA4 cookie) are collected and stored only after you give consent for the corresponding category via the cookie banner. For users who complete a payment we also compute a SHA-256 hash of your email address (and, if provided, your phone number in E.164 format) for advertising-platform identity matching; the hash is one-way and cannot be reversed to recover the original value.

3. Legal Basis for Processing (GDPR Article 6)

We rely on the following legal bases, depending on the purpose:

• Performance of a contract — Article 6(1)(b): to provide the Clozo service you signed up for, including account creation, authentication, generating proposals/invoices, processing your subscription payment, and delivering transactional emails (welcome, payment confirmation, e-signature notifications).
• Consent — Article 6(1)(a) GDPR + Article 5(3) ePrivacy Directive: for any reading or writing of identifiers in your terminal equipment beyond what is strictly necessary to provide the service. This covers all product analytics (PostHog) and all advertising attribution (clozo_first_gclid cookie, GA4 client_id, Google Ads conversion uploads). You give consent via our cookie banner on first visit and may withdraw it at any time without affecting the lawfulness of prior processing.
• Legitimate interest — Article 6(1)(f): for security (fraud prevention, rate limiting, login anomaly detection), service improvement (aggregate usage statistics that do not require terminal-equipment access under Article 5(3) ePrivacy Directive), and direct-marketing measurement (Recital 47 GDPR) of advertising campaigns we operate ourselves. We have conducted a documented Legitimate Interests Balancing Test (LIBT, available on request to privacy@useclozo.com) which concluded that (i) measuring the effectiveness of our own marketing is a real and necessary interest, (ii) we limit data to attribution identifiers and conversion events with no behavioural profiling, no cross-site tracking, and no audience-building beyond our own user base, (iii) you may object at any time without losing access to the service (see Section 8). Any direct-marketing measurement that requires reading or writing identifiers on your device — for example the clozo_first_gclid cookie or any GA4 cookie — is not based on legitimate interest but on your prior consent under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR.
• Legal obligation — Article 6(1)(c): for tax and accounting record retention. EU VAT Directive 2006/112/EC Article 247(1) requires invoice retention for the period set by each member state, typically 6 to 10 years. Spain (art. 30 Código de Comercio + art. 165 LIVA) requires 6 years for accounting and 4 years for VAT, but we apply the longest applicable retention across the EU.

4. How We Use Your Data

We process your data for the following purposes:

• Deliver, maintain, and improve the Clozo platform.
• Generate, sign, and deliver proposals and invoices on your behalf, including electronic invoice formats (Peppol BIS, Factur-X, FatturaPA, etc.) where you opt in.
• Process subscription payments via Stripe, manage upgrades and downgrades, issue refunds.
• Send transactional emails — welcome, password reset, payment confirmation, e-signature notification, automatic reminders if you have enabled them.
• Comply with legal and regulatory obligations (VAT validation via VIES, tax reporting, retention).
• Measure the effectiveness of advertising campaigns we operate (Google Ads, Google Analytics 4) by sharing conversion events — registration, first payment, plan change, refund — together with attribution identifiers (gclid, hashed email). We do not share your client data, business data, or the content of your proposals or invoices with advertising platforms. From your account data, only a one-way SHA-256 hash of your email (and, where you provided it, your phone number in E.164 format) is uploaded for identity matching, together with the conversion event metadata listed below. Conversion sharing only occurs after you have given consent for advertising cookies via the cookie banner.
• Detect and prevent fraud, account abuse, and security incidents (rate limiting, login anomaly detection via django-axes).

5. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, with the following category-specific periods:

• Account data: for the lifetime of your account. After account deletion we anonymise it within 30 days, except where retention is required by law (Section 5 item 3).
• Client and business data: for the lifetime of your account. You may delete individual clients and proposals at any time from within the platform.
• Invoices and payment records: in compliance with Article 247(1) of EU VAT Directive 2006/112/EC and national obligations: Spain (art. 165 LIVA) 4 years, France (art. L102B LPF) 6 years, Netherlands (art. 52 AWR) 7 years, Germany (§147 AO) 10 years, Poland (art. 86 §1 OP) 5 years. We apply the longest applicable retention period: 10 years from the end of the calendar year in which the invoice was issued.
• Marketing attribution and conversion data: anonymous touchpoints with no associated user are retained for up to 90 days (matching Google Ads' standard click attribution window); conversion records linked to your account are retained for the lifetime of the account, then anonymised.
• Backups: encrypted database backups are retained for 30 days for disaster-recovery purposes, then automatically deleted.
• Application security logs: full IP addresses and request metadata used for fraud and abuse detection are retained for 14 days, then deleted.

6. Recipients and Third-Party Processors

We share your personal data only with the following processors, each contractually bound by a Data Processing Agreement (Article 28 GDPR) and, where applicable, Standard Contractual Clauses for transfers outside the European Economic Area. We do not transfer personal data to third parties for their own marketing purposes.

• Stripe Payments Europe Ltd (Ireland) and Stripe Inc (USA): subscription payment processing. Data shared: your name, email, billing country, subscription status, payment events. Stripe's own privacy policy applies to credit-card data. Transfer mechanism: EU-US Data Privacy Framework adequacy decision (Stripe is DPF-certified — verifiable at dataprivacyframework.gov) + Standard Contractual Clauses. Privacy policy: stripe.com/privacy.
• Railway Corp (USA): cloud infrastructure hosting. Our database is provisioned in the europe-west4 region (Netherlands); Railway's control plane is in the United States. Transfer mechanism: Standard Contractual Clauses with supplementary technical measures (TLS 1.2+ in transit, AES-256-GCM at rest, scoped IAM roles). Production database physically resides in the Netherlands.
• Cloudflare Inc (USA): content delivery, DDoS protection, TLS termination, traffic routing, privacy-first web analytics (Cloudflare Web Analytics — no cookies, no tracking IDs). Cloudflare processes your full IP address transiently in transit. We use the CF-IPCountry header to derive your approximate country for analytics and rate limiting, after which the full IP is not retained alongside the analytics event. Transfer mechanism: Standard Contractual Clauses + EU-located edge nodes for European traffic. Cloudflare is DPF-certified.
• PostHog Inc (United Kingdom, EU instance hosted in Frankfurt, Germany): product analytics — pseudonymous session events, page navigation, button clicks, captured UTM parameters. Data is processed exclusively on the EU instance (eu.i.posthog.com). Loaded only after you have given consent for product-analytics cookies via the cookie banner. Transfer mechanism: UK adequacy decision (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021) + Standard Contractual Clauses to PostHog's UK headquarters.
• Google Ireland Limited and Google LLC (USA) — Google Ads: conversion measurement and Smart Bidding optimisation, only after you have given consent for advertising cookies. Data uploaded server-side: your Google click identifier (gclid) captured when you arrived from a Google ad, conversion type (registration, first payment, plan upgrade, refund), conversion value in EUR, currency code, anonymised order identifier. When the customer-data-terms feature is enabled, we additionally upload a SHA-256 hash of your email address for identity matching (the hash cannot be reversed). Transfer mechanism: EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023; Google LLC is DPF-certified — verifiable at dataprivacyframework.gov) + Standard Contractual Clauses.
• Google Ireland Limited and Google LLC (USA) — Google Analytics 4: cross-channel conversion measurement. Sent server-side via the GA4 Measurement Protocol only after you have given consent for advertising cookies. Data uploaded: pseudonymous session identifier (GA4 client_id from the _ga cookie when present, otherwise a PostHog distinct_id), conversion event type, value, currency, and your numeric Clozo user identifier (not your email). Transfer mechanism: EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) + Standard Contractual Clauses. Google LLC's DPF status is verifiable at dataprivacyframework.gov. We do not load the GA4 web tracker on our pages.
• Resend Inc (USA): transactional email delivery (welcome, password reset, e-signature, payment confirmation, automatic invoice reminders). Data shared: your email address, name, transactional content. Transfer mechanism: EU-US Data Privacy Framework adequacy decision (Resend Inc is DPF-certified — verifiable at dataprivacyframework.gov) + Standard Contractual Clauses.
• Gotenberg (self-hosted in europe-west4): PDF rendering for proposals and invoices. Runs on our own infrastructure within the EEA — no data transfer to external parties.
• Cloudflare R2 (object storage, EEA region): encrypted storage of generated PDF files and uploaded logos. Data location: EEA. Transfer mechanism: not applicable (no transfer outside EEA).

You can request a copy of any Data Processing Agreement, set of Standard Contractual Clauses, or our Transfer Impact Assessment summary by contacting us at privacy@useclozo.com. We notify customers in writing at least 30 days before adding or replacing a sub-processor; the current list above is updated in line with that commitment.

7. International Data Transfers

Your personal data is primarily stored within the European Economic Area, specifically in the Netherlands (Railway europe-west4) and Germany (PostHog Frankfurt). Some recipients listed in Section 6 are located outside the EEA, principally in the United States. For each such transfer we ensure appropriate safeguards under Articles 44–49 GDPR: the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) where the recipient is DPF-certified, supplemented by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) and supplementary technical measures (TLS 1.2+ in transit, AES-256-GCM at rest for sensitive fields, pseudonymisation of identifiers where feasible, access controls, audit logging) consistent with EDPB Recommendations 01/2020 following CJEU judgment C-311/18 (Schrems II). The validity of the EU-US Data Privacy Framework is currently subject to legal challenge before the General Court of the European Union (Case T-553/23 La Quadrature du Net & Others v Commission and follow-on referrals). Should the decision be invalidated we will rely solely on Standard Contractual Clauses with supplementary measures and may need to terminate certain transfers; we will update this Privacy Policy and notify users where appropriate. You may obtain a copy of the SCCs and our Transfer Impact Assessment summary by contacting privacy@useclozo.com.

8. Your Rights (GDPR Articles 15–22)

As a data subject located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

• Right of access (Art. 15): obtain confirmation of whether we process your data and a copy of it.
• Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17): have your data deleted ('right to be forgotten'), subject to retention obligations under Section 5.
• Right to restriction of processing (Art. 18): limit processing in specific circumstances (e.g., while we verify the accuracy of contested data).
• Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): object at any time to processing based on legitimate interest (Article 6(1)(f)) — including direct-marketing measurement. Where you object, we will cease that processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Art. 7(3)): withdraw consent for cookies and tracking at any time without affecting the lawfulness of prior processing. Click 'Manage cookie preferences' on this page or in the page footer to re-open the cookie banner.
• Right not to be subject to automated decision-making (Art. 22): we do not use solely-automated decision-making producing legal effects concerning you within the meaning of Article 22 GDPR. Two automated systems may temporarily affect access: (i) Stripe Radar, which scores transactions for fraud — declines can be appealed by emailing privacy@useclozo.com for human review; (ii) django-axes, which temporarily locks an account after repeated failed login attempts — locks expire automatically and may be lifted on request. In both cases you can request human intervention.

To exercise any right, email privacy@useclozo.com. We respond without undue delay and in any event within one month of receiving your request. Where a request is complex or where we receive a large number of requests, we may extend the response period by two further months. In that case we will inform you of the extension and the reasons for the delay within one month of receipt of the request (Article 12(3) GDPR). We do not charge a fee unless your request is manifestly unfounded or excessive (Article 12(5) GDPR), in which case we will explain the basis of the fee.

9. Cookies and Similar Technologies

We use cookies and similar technologies on app.useclozo.com and api.useclozo.com. Under Article 5(3) of the ePrivacy Directive (transposed in Spain by Article 22.2 of Ley 34/2002 LSSI-CE), only strictly necessary cookies may be set without your consent. All other categories are set only after you give granular consent via the cookie banner shown on your first visit. The 'Reject all', 'Customize', and 'Accept all' buttons are presented with equal visual prominence in line with EDPB Guidelines 03/2022 and AEPD Guía sobre el uso de las cookies (July 2023).

• Strictly necessary (no consent required): refresh_token (authentication, HttpOnly, Secure, SameSite=None, scoped to /api/v1/auth/), CSRF token; clozo_lang (interface language preference, 1 year); clozo_locale_set (marker that you made an explicit language choice, 1 year). These cannot be disabled.
• Product analytics — set only after consent (PostHog): ph_* cookies and localStorage entries set by PostHog for pseudonymous session tracking and product event capture. Loaded only after you click 'Accept all' or enable the analytics category in the cookie banner. We use them to understand which features deliver value. Data is processed exclusively on PostHog's EU instance (eu.i.posthog.com). Cookie lifetime: up to 1 year.
• Advertising attribution — set only after consent: clozo_first_gclid (90 days, HttpOnly, Secure, SameSite=Lax) — stores the Google click identifier from your first paid visit so we can attribute subsequent conversions back to the original ad campaign. The cookie is read only server-side and replayed only when you complete a conversion event (registration, payment) and only to Google Ads via the Enhanced Conversions API. The 90-day lifetime matches Google's default click-attribution window. No retargeting; no audience-building; no cross-site tracking. Purpose: marketing-attribution measurement under Recital 47 GDPR. Recipient on activation: Google Ireland Ltd / Google LLC. Lawful basis: consent (Article 6(1)(a) GDPR + Article 5(3) ePrivacy Directive).

You can manage your cookie preferences at any time by clicking 'Manage cookie preferences' below or in the footer of any Clozo page. Withdrawing consent for analytics or advertising cookies does not prevent you from using Clozo — only the corresponding processing stops.

10. Data Security

We implement technical and organisational measures appropriate to the risk in line with Article 32 GDPR: TLS 1.2+ for data in transit, AES-256-GCM for sensitive data at rest (IBAN, OAuth refresh tokens), bcrypt password hashing with per-user salts, JWT short-lived access tokens with HttpOnly refresh cookies, content-security policy, rate limiting per real client IP, automatic logout after inactivity, encrypted off-site backups, and access controls limiting who can view production data. We log all access to personal data and review logs regularly. In the event of a personal data breach we will notify the competent supervisory authority within 72 hours where required by Article 33 GDPR, and notify affected users without undue delay where required by Article 34 GDPR.

11. Contact and Right to Lodge a Complaint

For privacy questions, exercising your rights, or any concern about how we handle your data, contact us at privacy@useclozo.com. For billing or refund requests, contact support@useclozo.com (refund policy and cancellation timing are set out in our Terms of Service section 8). You also have the right to lodge a complaint with the data protection authority of your EU member state of residence, work, or where the alleged infringement occurred. Our lead supervisory authority under the one-stop-shop mechanism (Article 56 GDPR) is the Spanish Data Protection Agency: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid, Spain — www.aepd.es. A list of all national authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

12. Children's Data

Clozo is a business tool intended for users aged 18 or over, in line with Article 8 GDPR (default age of consent for information-society services is 16 in most EU member states; in Spain it is 14 under Article 7 of LOPDGDD 3/2018). We do not knowingly collect personal data from children below the applicable age threshold. If you become aware that a child has provided personal data to us, please contact privacy@useclozo.com and we will delete it without undue delay.