Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for your personal data is Delta Fuji Technology S.L. ("Delta Fuji", "we", "us"), registered in Madrid, Spain.

Privacy contact email: hello@deltafuji.com

This policy complies with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and Spain's Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPD-GDD).

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, company name and role, required to create and manage your account.
  • Billing data: processed entirely by Stripe, Inc. as our PCI-DSS Level 1 payment provider. Delta Fuji does not store or have access to full card numbers, CVVs or bank details.
  • Business documents: invoices, delivery notes and supplier agreements you upload to the platform for processing. These documents may contain data such as supplier names, addresses, amounts, tax IDs and product descriptions.
  • Usage data: IP address (anonymised), browser type, pages visited and actions taken within the platform, collected to improve the service and maintain security.
  • Communication data: content of emails or WhatsApp messages sent to our support channels.

3. Purpose of Processing

We process your data for the following purposes:

  • Service delivery: document data extraction, invoice matching against delivery notes and agreements, discrepancy detection and report generation.
  • Account and billing management: account creation, authentication, payment processing and tax compliance.
  • Service communications: notifications about document processing status, discrepancy alerts, service updates and security notices.
  • Service improvement: aggregated, anonymised analysis of platform usage to improve extraction accuracy, user experience and performance.
  • Legal compliance: fulfilment of tax, accounting and regulatory obligations.

4. Legal Basis

  • Contract performance (Art. 6.1.b GDPR): necessary to provide the invoice matching service you have contracted.
  • Consent (Art. 6.1.a GDPR): for marketing communications and newsletters. You may withdraw your consent at any time.
  • Legitimate interest (Art. 6.1.f GDPR): for service improvement based on aggregated analysis, fraud prevention and platform security.
  • Legal obligation (Art. 6.1.c GDPR): for compliance with tax and accounting requirements.

5. Data Retention

  • Account data: retained while your account is active. After account closure, deleted within 30 days except where legal retention obligations apply.
  • Processed documents: retained for 90 days after processing to allow report queries and downloads. After this period, they are securely deleted.
  • Billing data: retained for the legally required period (minimum 5 years under Spanish commercial and tax law).
  • Usage data: retained in anonymised form for 24 months, then deleted.

6. Recipients and Transfers

We may share your data with:

  • Stripe, Inc.: payment processing (PCI-DSS Level 1, based in the US with European Commission-approved Standard Contractual Clauses).
  • Cloud infrastructure providers: data hosted on servers within the European Economic Area (EEA).
  • Public authorities: where required by law, court order or legal process.

We do not sell, rent or share your personal data with third parties for commercial purposes.

7. Your Rights

Under the GDPR and LOPD-GDD, you have the right to:

  • Access: obtain confirmation of whether we process your data and access it.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data when it is no longer necessary.
  • Portability: receive your data in a structured, commonly used format.
  • Restriction: request limitation of processing in certain circumstances.
  • Objection: object to processing based on legitimate interest.

To exercise any of these rights, contact hello@deltafuji.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

8. Security

We implement the following technical and organisational measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Restricted access through role-based controls and secure authentication.
  • Automatic encrypted backups.
  • Continuous monitoring and periodic security audits.
  • Logical data separation between customers.

9. Cookies

We use the following categories of cookies:

  • Essential technical cookies: required for platform functionality (authentication, language preferences). These cannot be disabled.
  • Analytical cookies: collect anonymised information about website usage to improve our services. You may reject these without affecting functionality.

We do not use advertising or third-party tracking cookies.

10. Changes to This Policy

We reserve the right to update this privacy policy. Changes will be published on this page with an updated revision date. For material changes, we will notify you by email.