Data Controller and Contact Information
The Data Controller responsible for the processing of Personal Data collected in connection with account registration, billing, and general platform operations is the Spanish Autónomo (Hundred Docs, Legal Name/Business Name, Address, and hello@hundredocs.com).
For the purpose of exercising Data Subject Rights (DSRs) under GDPR (e.g., access, rectification, erasure, or portability), users must contact the Data Protection Contact at hello@hundredocs.com.
Categories of Personal Data and Legal Basis
Data Collected as Controller (Account, Billing, Usage)
| Data Category | Purpose of Processing | Legal Basis (GDPR) |
|---|---|---|
| Account PII (Name, Email, Username, Contact) | Account creation, service access, customer support. | Contractual Necessity |
| Transactional Data (Billing contact, Subscription status) | Invoicing and fee collection via Stripe. | Contractual Necessity |
| Infrastructure Usage Logs (IP address, Vercel/Supabase logs) | Security, debugging, performance monitoring. | Legitimate Interest (System integrity and security) |
| Behavioral Analytics (Clarity Tracking, Session Details) | Website improvement, user experience analysis. | Explicit Consent (Mandatory, see Section III.13) |
Data collected automatically includes Usage Information (clicks, pages viewed, request speeds) and Device Information (browser type, OS, screen resolution), which are often collected by the hosting provider, Vercel.
Special Disclosure: API Payload Data (Processing as Processor)
The content submitted by the Customer through the API for document generation and template design (referred to as Customer Data) is processed solely by Hundred Docs acting as a Data Processor.
The purpose of this processing is strictly limited to executing the function requested by the Customer (Controller). Hundred Docs does not determine the purpose or means of processing this data, nor does it access the content except as necessary to provide the contracted service, debug issues, or comply with explicit legal obligations. This relationship is entirely governed by the Data Processing Addendum (DPA) agreed upon with the Customer.
Data Retention Policy and Security Measures
Crucial Clause: API Payload Retention and Deletion
Adherence to the GDPR principle of storage limitation (Art. 5(1)(e)) is critical for B2B SaaS, where large volumes of potentially sensitive customer content are processed.
A. Processor Retention Schedule
The maximum default retention period for Customer Data (API Payloads, generated documents, and template content) is limited to thirty (30) days after the processing request is executed or the document is generated. This aggressive retention schedule minimizes liability exposure. Data is retained only long enough to allow for transactional validation, short-term debugging, and access during the active session. Upon termination of the subscription or explicit deletion instruction from the Customer, this data is securely and permanently deleted.
B. Controller Retention Schedule
Account PII necessary for service provision is retained for the duration of the active subscription plus a grace period of sixty (60) days following account closure, allowing for account recovery. Financial records (invoices, transaction history) are subject to Spanish statutory retention requirements, typically seven (7) years for tax and audit purposes.
Security Measures and Reliance on Infrastructure
Hundred Docs implements appropriate technical and organizational measures (TOMs) designed to ensure a level of security appropriate to the risk. These measures include encryption of data in transit and at rest, access controls, and regular vulnerability testing.
The core infrastructure security is managed by our key Subprocessors. For instance, Customer Data and Account PII are stored on secure servers managed by Supabase, which maintains robust security protocols, including SOC2 Type 2 certification.
Third-Party Disclosures and Subprocessors
In line with GDPR Article 28, Hundred Docs discloses its essential Subprocessors and their specific functions, accepting full liability for their compliance.
Subprocessor Mapping and International Transfers
Personal data may be transferred to and processed in countries outside of the European Economic Area (EEA), primarily the United States, where core infrastructure providers are headquartered. These transfers are subject to appropriate safeguards, such as the implementation of Standard Contractual Clauses (SCCs) and adherence to Data Privacy Frameworks, ensuring compliance with GDPR.
| Subprocessor | Primary Function | Hundred Docs' Role | Data Type Handled | GDPR Safeguard/Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Database Persistence, User Authentication | Processor (for Customer Data); Controller (for Account Data) | Customer Data (API Payloads), Account PII (Email, Auth) | DPA with SCCs (due to potential US transfer) |
| Vercel | Frontend Hosting, Application Deployment | Processor | Usage Logs, IP Addresses, Deployment Metadata | DPA with SCCs (due to US operation) |
| Stripe | Payment Gateway, Billing Automation | Controller (Billing PII) | Hashed Payment Card Data, Billing Contact Information | Stripe SSA and Privacy Policy disclosure |
| Microsoft Clarity | Behavioral Analytics, Session Recording | Controller (Visitor PII) | Mouse movements, Device details, Anonymized Geo-location | Requires explicit, opt-in consent (ePrivacy/GDPR) |
| Discord | Community & Non-Critical Support | Controller (PII in support messages) | Name, Discord ID, Content of Support/Community Messages | Disclosure of risk and advice against sharing sensitive PII |
Specific Use Case Disclosure: Discord
Discord is utilized for community engagement and optional customer support. Discord Inc. (or Discord Netherlands BV for EEA/UK users) acts as a Data Controller for the data submitted through its platform. While Discord has taken steps to address GDPR compliance, it has faced public regulatory actions (such as the CNIL fine in France) related to data retention and deletion policies.
Users should be aware that data submitted to Discord, including support tickets, is subject to Discord's independent processing terms. Due to the historical challenges regarding deletion workflows, Hundred Docs strongly advises customers not to share sensitive personal data or critical Customer Data via Discord channels.
Behavioral Tracking and Consent Management
Microsoft Clarity Disclosure and Consent Requirement
Hundred Docs utilizes Microsoft Clarity to analyze user behavior, including mouse movements, scrolling behavior, click paths, device data, and session details. Although Clarity attempts to mask sensitive data, this processing still involves collecting technical and behavioral data considered personal data under GDPR.
Since the use of Microsoft Clarity is not strictly essential for the core functionality of the PDF generation API service, the legal basis for this processing must be the data subject’s explicit, freely given, specific, informed, and unambiguous consent. Furthermore, because Clarity involves accessing the user's terminal device (browser/hard drive), prior consent is also required under the EU ePrivacy Directive. Legitimate interest cannot substitute for consent in this context.
Evolving Consent Requirements (ePrivacy Beyond Cookies)
The requirement for explicit consent extends beyond traditional HTTP cookies. Browser storage mechanisms, such as Local Storage and Session Storage, function similarly to persistent cookies by storing data on the user’s device. If Hundred Docs utilizes these mechanisms for non-essential functions (e.g., storing UI themes, non-critical user preferences linked to identity), these storage mechanisms must also be managed by the Consent Management Platform (CMP) and blocked until the user provides opt-in consent. This rigorous application of the ePrivacy rules ensures complete compliance for all tracking technologies used on the Service frontend.