Privacy Policy
This Policy describes how PAYMETER IBÉRICA, S.L. ("Paymeter") processes personal data of Users of the Paymeter application and website in Spain, in accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD).
Quick summary
- We process only the data we need: account, vehicle, location while parking, payments. Privacy by design (Art. 25 GDPR).
- We never sell your data to third parties.
- You can access, rectify, delete, export, or restrict your data. We respond within 1 month.
- Servers in the EU (AWS Madrid/Frankfurt). Payments by Stripe (SCCs + adequacy).
- Supervisory authority: Spanish Data Protection Agency (AEPD) — aepd.es.
Summary of your rights
- 14 days to withdraw from a distance contract.
- Refund of unused parking time.
- Free complaint before AEPD and Consumer Arbitration Board.
- Personal data protected by GDPR/LOPDGDD.
1. Data controller
Controller: PAYMETER IBÉRICA, S.L.
Tax ID (NIF): B56722028
Address: Calle de Manuel Tovar, 42, 2ª planta, 28034 Madrid, España
Email: sat@paymeter.io
DPO: dpo@paymeter.io
2. Data Protection Officer
We have appointed a Data Protection Officer. Contact the DPO at any time: dpo@paymeter.io.
3. What data we process and why
| Category | Data | Purpose |
|---|---|---|
| Identity | Name, surname, email, phone, hashed password | Create and maintain your account |
| Vehicle | License plate, type, make/model (optional) | Run parking sessions |
| Payment | Card token (PCI-DSS, we don't store PAN), transaction history | Charge and refund |
| Location | Coordinates at session start and end | Identify zone and validate fare |
| Usage | Technical logs, IP, device, language | Security, fraud prevention, service improvement |
| Communications | Support tickets, emails | Customer service |
4. Legal bases (GDPR Art. 6)
- Performance of the contract (Art. 6.1.b GDPR): account, parking sessions, payments.
- Compliance with legal obligation (Art. 6.1.c): invoicing, fraud prevention, requests by authorities.
- Legitimate interest (Art. 6.1.f): security, fraud prevention, service improvement — always subject to your interests and rights.
- Consent (Art. 6.1.a): marketing, analytics/marketing cookies, off-session location — freely given, specific, informed, unambiguous; revocable at any time.
5. Who we share data with
We share only strictly necessary data with processors / subprocessors with whom we have signed a Data Processing Agreement (DPA):
| Provider | Service | Server location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting / storage | EU (Madrid / Frankfurt) | DPA |
| Stripe | Payment processor | EU + US | SCC + adequacy |
| Twilio | SMS OTP / verification | EU / US | SCC |
| Sentry | Logs and technical errors | EU | DPA |
5.1 Data shared with parking operators and public administrations
When you start a parking session, we share with the parking operator and/or the relevant municipality: vehicle type, license plate, start and end time, zone and amount paid. In case of unlawful activity, we may communicate data to authorities where legally required.
6. International transfers
Some subprocessors may process data outside the EEA. We apply Standard Contractual Clauses (SCCs) from Commission Implementing Decision (EU) 2021/914, or other valid mechanisms (adequacy decisions, Art. 45 GDPR). Post-Schrems II transfers are documented with Transfer Impact Assessments (TIAs).
7. Retention periods
| Category | Period |
|---|---|
| Active account | While active |
| After closure: account data | 6 years (Spain) / 5 years (Andorra) |
| Transaction logs | 10 years |
| Tokenized cards | Until cancellation + 6 months |
| Location | 13 months max (AEPD guidance) |
| Marketing (consent) | Until consent withdrawn |
| Fines / sanctions | Statute of limitations + 1 year |
8. Your rights
We respond within 1 month (3 months for complex requests). Email dpo@paymeter.io with a copy of an ID document. Available rights:
- Access (Art. 15) — know which data we process.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your data where applicable.
- Restriction (Art. 18) — limit processing.
- Objection (Art. 21) — object to processing based on legitimate interest or direct marketing.
- Portability (Art. 20) — receive your data in JSON/CSV within 1 month.
- Human review (Art. 22) — contest exclusively automated decisions.
- Complaint before Spanish Data Protection Agency (AEPD) — aepd.es.
9. Cookies
We use strictly necessary cookies and, with your prior consent (ePrivacy Directive 2002/58/EC), analytics and marketing cookies. No cookie walls or dark patterns. You can withdraw consent at any time from the cookie banner.
| Cookie | Category | Purpose | Third party | Duration |
|---|---|---|---|---|
| paymeter_session | Strictly necessary | Maintain user session | — | Session |
| paymeter_lang | Strictly necessary | Selected language | — | 12 months |
| paymeter_consent | Strictly necessary | Remember cookie consent | — | 6 months |
| _ga, _ga_* | Analytics (opt-in) | Google Analytics — aggregate usage | Google | 24 months |
| _fbp | Marketing (opt-in) | Meta Pixel — attribution | Meta | 90 days |
10. Security and privacy by design
We apply appropriate technical and organizational measures (GDPR Art. 32): TLS 1.3 encryption in transit, AES-256 at rest, role-based access control (RBAC), log pseudonymization, regular audits, staff training, and a breach-response plan (supervisory authority notification within 72 hours where required).
11. Minors
The Service is aimed at persons over 18. Minors aged 14-17 may only use Paymeter with the express written consent of their parents or legal guardians. We reserve the right to verify age and block unauthorized minor accounts.
12. Changes to this policy
We will notify you of any material changes by email at least 15 days in advance and publish the current version on this site.
Last updated: April 2026
v2.1 · PAYMETER IBÉRICA, S.L. · Tax ID (NIF): B56722028
