● LEGAL THINGS
Privacy Policy
This Privacy Policy explains how we collect, use, store and protect your personal data when you visit validgraph.com (the “Website”) or use the ValidGraph service (the “Service”). We are committed to processing your personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”), Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) and Law 34/2002 on Information Society Services and Electronic Commerce (“LSSI-CE”).
Last updated: 31 May 2026
1. Data Controller
1. Data Controller
- Owner: Paulo Carvajal (sole trader / autónomo), operator of the ValidGraph service, trading as “Codedication”
- Tax ID (NIF): 30633854Q — EU VAT: ES30633854Q
- Registered address: Alameda San Mamés 23, 48010 Bilbao, Bizkaia, Spain
- Contact / Data protection email: [email protected]
We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so. You may direct any data protection query to the email address above.
2. Scope
The Service is intended exclusively for businesses and professionals (B2B) and for users aged 18 or over. It is not directed at consumers or minors. By using the Service you confirm that you act in a professional or business capacity.
3. Personal Data We Collect
- Account data: name, email address, password (stored encrypted), company details and your assigned plan/role.
- Billing data: billing name, address, VAT number, plan, invoices and payment status. Card details are processed directly by Stripe and are never stored on our servers.
- Service usage data: URLs, structured data (JSON-LD) and websites you submit for validation, validation history, scores, projects, monitored URLs and reports you generate.
- Integration data: if you connect Google Search Console, we process the data made available through your authorised Google account solely to provide the related features.
- Technical data: IP address, browser type, device data, log files and cookie identifiers (see our Cookie Policy).
- Communications: messages, support requests and email-interaction data.
4. Purposes and Legal Bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account and providing the Service | Performance of a contract — Art. 6(1)(b) |
| Processing payments, subscriptions and invoicing | Performance of a contract — Art. 6(1)(b); legal obligation (tax/accounting) — Art. 6(1)(c) |
| Sending service, security and transactional emails | Performance of a contract — Art. 6(1)(b) |
| Analytics and non-essential cookies | Consent — Art. 6(1)(a) |
| Marketing and lifecycle emails to existing customers | Legitimate interest / consent — Art. 6(1)(f) / (a) |
| Security, fraud prevention and service improvement | Legitimate interest — Art. 6(1)(f) |
| Complying with legal obligations and defending legal claims | Legal obligation — Art. 6(1)(c); legitimate interest — Art. 6(1)(f) |
5. Cookies and Analytics
We use cookies and similar technologies, including Google Analytics and Google Tag Manager. Non-essential cookies are only set after you give your consent through our cookie banner. For full details please read our Cookie Policy.
5.1 Consent Management (“Real Cookie Banner”)
To manage the cookies and similar technologies used (tracking pixels, web beacons, etc.) and related consents, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found at https://devowl.io/rcb/data-processing/.
The legal basis for the processing of personal data in this context are Art. 6 (1) (c) GDPR and Art. 6 (1) (f) GDPR. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.
The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we will not be able to manage your consents.
6. Recipients and Processors
We do not sell your personal data. We share it only with the service providers (processors or, where applicable, independent controllers) strictly necessary to operate the Service:
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Contabo GmbH | Hosting and infrastructure | Germany (EEA) | Within the EEA |
| Cloudflare, Inc. | CDN, DNS and security | USA / global | SCCs + EU–U.S. DPF |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing (acts as independent controller for fraud prevention and regulatory compliance) | Ireland (EEA) / USA | SCCs + EU–U.S. DPF |
| DreamHost, LLC | Transactional and lifecycle email delivery | USA | SCCs + EU–U.S. DPF |
| Google Ireland Ltd. / Google LLC | Analytics, Tag Manager and Search Console integration | Ireland (EEA) / USA | SCCs + EU–U.S. DPF |
We may also disclose data to public authorities, courts or law enforcement where required by law.
7. International Data Transfers
Some of our providers are located outside the European Economic Area (notably in the United States). In those cases, transfers are protected by appropriate safeguards under GDPR Chapter V, namely the European Commission’s Standard Contractual Clauses (SCCs) and, where the provider is certified, the EU–U.S. Data Privacy Framework. You may request a copy of the relevant safeguards by contacting us.
8. Data Retention
- Account and usage data: for as long as your account is active, and deleted or anonymised within a reasonable period after closure.
- Billing and tax records: retained for the periods required by Spanish tax and commercial law (generally up to 6 years).
- Logs and technical data: retained for a limited period for security and troubleshooting.
- Consent records and cookies: for the period stated in our Cookie Policy (no longer than 24 months for consent).
9. Your Rights
You have the right to access, rectify, erase, restrict and object to the processing of your personal data, to data portability, and to withdraw your consent at any time without affecting the lawfulness of prior processing. To exercise these rights, email [email protected]; we may ask you to verify your identity.
If you believe your rights have not been respected, you may lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.
10. Security
We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or alteration, including encryption in transit, access controls and regular backups. No method of transmission over the Internet is, however, completely secure.
11. Minors
The Service is restricted to users aged 18 or over acting in a business capacity. We do not knowingly collect data from minors.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date reflects the latest version, and material changes will be notified through the Website or by email.
13. Contact
For any question about this Privacy Policy or the processing of your personal data, contact us at [email protected].