This Privacy Policy governs the processing of personal data carried out by SumaKey through the platform www.sumakey.com and its associated services, in accordance with Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPD-GDD).

1. Identification of the Data Controller

Controller	PADA Marketing S.L.
Tax ID	B26872754
Registered office	Calle Cánovas del Castillo, 36, 28807, Alcalá de Henares, Madrid, Spain
Email address	privacidad@sumakey.com
Website	www.sumakey.com

2. Purpose and Scope

SumaKey is a SaaS customer loyalty platform that allows businesses to create and manage points programs with digital wallet integration (Apple Wallet and Google Wallet). In carrying out its activity, SumaKey acts in a dual role:

Data controller with respect to the data of businesses (registered users) that contract our services.
Data processor with respect to the data of end customers that businesses manage through our platform, acting on behalf of and under the instructions of the business (controller).

This policy applies to all personal data collected through the website, the application, the APIs, and the integrated services of SumaKey.

3. Personal Data Collected

Below are the categories of personal data we process, organized by type:

3.1. Business registration data

Business name
Email address
Password (stored exclusively as an irreversible cryptographic hash using bcrypt)
Google OAuth authentication data (in case of registration via Google)

3.2. End customer data

Full name
Email address
Phone number (optional)
Date of birth (optional)
Loyalty program data: accumulated points, activity history, redeemed rewards

3.3. Device and digital wallet data

Apple push notification tokens (APNs push token)
Device identifiers registered in Apple Wallet (device library identifier)
Technical data necessary for generating and updating passes in Google Wallet and Apple Wallet

3.4. Payment and subscription data

Stripe customer identifier (we do not store bank card data; these are managed entirely by Stripe in accordance with PCI DSS)
Contracted subscription plan and its status
Stripe subscription identifier

3.5. Business location data (optional)

GPS coordinates (latitude and longitude) of the establishment, voluntarily provided to enable geolocation features in digital wallets

3.6. Browsing data and cookies

Essential cookies for service operation (authentication and session)
Analytics cookies via Google Analytics (with anonymized IP address)
Authentication token stored in the browser's localStorage
Marketing cookies from Meta Pixel (_fbp, _fbc), subject to prior consent

3.7. Device camera access

The platform's QR scanner functionality requires access to the device camera to read QR codes from customer loyalty cards. This access is requested through the browser's native permission and is only activated when the user voluntarily accesses the scanner function.
We do not record, store, or transmit images or video captured by the camera. The video stream is processed locally on the device in real time, solely to decode the QR code content. Once the code is read, the camera stream is immediately discarded.
The user can revoke camera permission at any time from their browser or device settings.

3.8. Security and access data

IP address and browser user agent, used exclusively for login notification emails. This data is included in the notification email but is not stored in our databases.

4. Legal Basis for Processing

In accordance with Article 6(1) of the GDPR, data processing is based on the following legal grounds:

Purpose	Legal basis
Provision of the loyalty SaaS service	Art. 6(1)(b) Performance of a contract
User account management and authentication	Art. 6(1)(b) Performance of a contract
Payment processing and subscription management	Art. 6(1)(b) Performance of a contract
Generation of passes in Google Wallet and Apple Wallet	Art. 6(1)(b) Performance of a contract
Sending push notifications to digital wallets	Art. 6(1)(b) Performance of a contract
Sending transactional emails (confirmations, points updates)	Art. 6(1)(b) Performance of a contract
Login security notifications	Art. 6(1)(f) Legitimate interest (account security)
Newsletter and commercial communications	Art. 6(1)(a) Consent of the data subject
Usage analysis and service improvement (Google Analytics)	Art. 6(1)(a) Consent of the data subject
Compliance with tax and legal obligations	Art. 6(1)(c) Legal obligation
Advertising conversion measurement and remarketing (Meta Pixel and Conversions API)	Art. 6(1)(a) Consent of the data subject

5. Purposes of Processing

The personal data collected is processed for the following purposes:

Create and manage the business account on the platform.
Provide the loyalty service: management of points programs, loyalty cards, and rewards.
Generate and update digital passes in Apple Wallet and Google Wallet, including sending push notifications when points or card details change.
Process payments and manage the business subscription through Stripe.
Send transactional communications related to the service (confirmations, updates, security alerts).
Send commercial communications and newsletters, with prior express consent.
Analyze platform usage to improve the user experience (via Google Analytics with anonymized IP).
Ensure platform security and prevent unauthorized access.
Comply with applicable legal and tax obligations.
Measure the effectiveness of advertising campaigns and perform remarketing via Meta Pixel and Conversions API, with prior consent.

6. Recipients and International Data Transfers

We do not sell, rent, or share your personal data or your customers' data with third parties. We only share data with service providers strictly necessary for the provision of our service:

Provider	Purpose	Location	Safeguard
Stripe	Payment processing and subscription management	USA	Standard Contractual Clauses (SCCs) of the European Commission
Google	Google Wallet (digital passes) and Google Analytics (web analytics)	USA	EU-U.S. Data Privacy Framework
Apple	Apple Wallet (PassKit passes) and Apple Push Notification service (APNs)	USA	EU-U.S. Data Privacy Framework
AWS (Amazon Web Services)	Infrastructure hosting and file storage (S3)	EU (eu-west-1) / USA	Standard Contractual Clauses (SCCs) / EU-U.S. Data Privacy Framework
Meta Platforms	Advertising conversion measurement and remarketing (Meta Pixel and Conversions API)	USA	EU-U.S. Data Privacy Framework
Resend	Sending transactional emails and newsletters	USA	Standard Contractual Clauses (SCCs)

All the above providers act as data processors and have signed the corresponding data processing agreements (DPAs). International data transfers outside the European Economic Area are covered by the mechanisms indicated, in accordance with Articles 46 and 47 of the GDPR.

Additionally, data may be communicated to competent public authorities when there is a legal obligation requiring it.

7. Data Retention Periods

Personal data will be retained for the time strictly necessary to fulfill the purpose for which it was collected:

Data type	Retention period
Business account data	While the account is active, plus 30 days after the cancellation request
End customer data	While the commercial relationship with the business is active, or until the business or customer requests its deletion
Billing and payment data	5 years from the last transaction (tax obligation, General Tax Law)
Device and digital wallet data	While the digital pass is active on the user's device
Browsing data and analytics cookies	According to the duration indicated in the Cookie Policy (maximum 13 months for analytics)
IP and user agent from login notifications	Not stored in the database; only included in the notification email

Once the retention period has ended, data will be deleted or irreversibly anonymized, unless there is a legal obligation requiring its further retention.

8. Data Subject Rights (ARSULIPO)

In accordance with the GDPR and the LOPD-GDD, you may exercise the following rights at any time:

Access (Art. 15 GDPR): Obtain confirmation of whether your data is being processed and access a copy of it.
Rectification (Art. 16 GDPR): Request the correction of inaccurate data or the completion of incomplete data.
Erasure (Art. 17 GDPR): Request the deletion of your data when, among other reasons, it is no longer necessary for the purpose for which it was collected.
Restriction of processing (Art. 18 GDPR): Request the restriction of processing of your data in certain circumstances.
Portability (Art. 20 GDPR): Receive your data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
Objection (Art. 21 GDPR): Object to the processing of your data in certain circumstances, including processing based on legitimate interest or for direct marketing purposes.

To exercise any of these rights, you can contact us at privacidad@sumakey.com, indicating your identity and the right you wish to exercise. We will respond within a maximum period of one month from receipt of the request, extendable by two further months in the case of complex or numerous requests (Art. 12(3) GDPR).

When processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.

9. Right to Lodge a Complaint with the Supervisory Authority

If you consider that the processing of your personal data infringes current regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

Address: C/ Jorge Juan, 6 - 28001 Madrid
Website: www.aepd.es
Phone: 912 663 517

However, we would appreciate it if you contact us before filing a formal complaint to try to resolve any issue.

10. Security Measures

In accordance with Article 32 of the GDPR, SumaKey has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption in transit: All communications are made via HTTPS protocol with SSL/TLS encryption.
Password encryption: Passwords are stored using the bcrypt hashing algorithm, making them irreversible.
Secure authentication: Authentication system based on JWT (JSON Web Tokens) with expiration.
Attack protection: Rate limiting, strict input validation, and CORS protection.
Secure infrastructure: Databases and services hosted on professional infrastructure with restricted access controls.
Digital certificates: Use of dedicated certificates for signing Apple Wallet passes.
Data separation: Multi-tenant architecture that ensures data isolation between businesses.
Access control: Restricted and monitored access to systems and data.

11. Cookie Policy

Our platform uses cookies and similar local storage technologies. For detailed information about the cookies we use, their purpose, duration, and how to manage them, please consult our Cookie Policy.

In summary, we use:

Essential cookies: Necessary for service operation (authentication, session). No consent required.
Analytics cookies: Google Analytics with anonymized IP, subject to your prior consent.
Marketing cookies: Meta Pixel (_fbp, _fbc) for conversion measurement and remarketing, subject to your prior consent.
localStorage: Storage of the authentication token to maintain the active session, essential for service operation.

12. SumaKey as Data Processor

When businesses registered on SumaKey manage the data of their end customers through our platform, the business acts as the data controller and SumaKey as the data processor of such data, in accordance with Article 28 of the GDPR.

In this context, SumaKey commits to:

Process end customer data solely following the documented instructions of the responsible business.
Ensure that persons authorized to process data have committed to confidentiality.
Adopt appropriate technical and organizational security measures.
Not subcontract without prior authorization from the controller (sub-processors detailed in section 6).
Assist the controller in fulfilling its obligations (responding to rights requests, breach notifications, impact assessments).
Delete or return personal data upon termination of the service.
Make available to the controller all information necessary to demonstrate compliance with the obligations of Article 28 of the GDPR.

13. Minors

SumaKey services are not directed at minors under 14 years of age, in accordance with Article 7 of the LOPD-GDD. We do not knowingly collect personal data from minors under 14 years of age. If we become aware that we have collected data from a minor without the consent of their parents or legal guardians, we will proceed to delete such information as soon as possible.

In the case of end customers of loyalty programs, it is the responsibility of the business (data controller) to verify that the data collected complies with the age requirements established by regulations.

14. Changes to this Policy

SumaKey reserves the right to modify this Privacy Policy to adapt it to legislative, jurisprudential, or business practice developments. In the event of introducing substantial changes that affect the processing of your data, we will notify you by:

A prominent notice on the platform when you log in.
An email communication to the address associated with your account.

We recommend that you periodically review this policy. The date of the last update is indicated at the beginning of this document.

15. Contact

For any inquiries related to the protection of personal data, the exercise of your rights, or this Privacy Policy, you can contact us through:

Email: privacidad@sumakey.com
Controller: PADA Marketing S.L.
Address: Calle Cánovas del Castillo, 36, 28807, Alcalá de Henares, Madrid, Spain