Back to home

Privacy Policy

Last updated: January 2026

1. Introduction

At PUNTOAL, we work to offer users the best possible experience through our products and services. To do so, in certain cases, it is necessary to collect and process personal data.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data, as well as Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI), NUEVE LABS, S.L. informs users that any personal data provided will be incorporated into automated processing systems under its responsibility.

2. Data Controller

  • Identity: NUEVE LABS, S.L.
  • Trade name: PUNTOAL
  • Address: Calle Miguel de Unamuno, 30, 03202 Elche, Spain
  • Tax ID: B23977804
  • Email: dpo@puntoal.com

NUEVE LABS, S.L. has appointed a Data Protection Officer (DPO). For any queries related to the processing of personal data, you can contact us at the email address indicated above.

3. Collection of Personal Data and Processing Purposes

PUNTOAL may process the following personal data, depending on the user's use of the website:

a) "Contact Us" form

The following data may be processed:

  • First and last name
  • Email address
  • Phone number
  • Message content (optional)

Purpose: to respond to queries, requests for information or contact.

b) Registration and authentication via third parties

Users may register or sign in through external providers such as Google or Facebook. These providers will process data in accordance with their own privacy policies.

c) Commercial communications and newsletters

Email addresses and, where applicable, other necessary data will be processed for sending commercial information about PUNTOAL products, services, promotions or events.

Users may unsubscribe at any time using the link included in each communication.

d) Customer support via chat or messaging

The following data may be processed:

  • Email address
  • Information voluntarily provided by the user

Purpose: to provide support, resolve incidents or queries.

e) "Work with Us" form

For managing applications, the following data may be processed:

  • First and last name
  • Email address
  • Phone number
  • Curriculum vitae
  • Photograph (optional)

Applications may also be managed through LinkedIn or Indeed, which act as independent data controllers.

f) Registration for webinars and online events

Primarily email addresses will be processed to manage registration and participation. In some cases, this may be done through external platforms (e.g., Livestorm), which process data in accordance with their own policies.

4. Legal Basis for Processing

The legal bases that legitimize the processing of personal data are:

  • Consent of the data subject, given when completing forms, subscribing to communications, participating in webinars or accepting optional cookies.
  • Performance of a pre-contractual or contractual relationship, where processing is necessary to provide a requested service.
  • Compliance with legal obligations, including fraud prevention, responding to requests from public authorities or managing claims.

5. Retention of Personal Data

Personal data will only be retained for as long as necessary to fulfill the purpose for which it was collected or while a legal obligation requires it.

General retention criteria:

  • Contact data: until the query is resolved.
  • Data for commercial communications: until the user withdraws consent.
  • Application data: during the selection process and, subsequently, for a reasonable period for future vacancies, unless deletion is requested.
  • Data required for legal obligations: for the periods required by applicable legislation.

Once the retention periods have expired, data will be securely deleted or anonymized.

6. Data Recipients

PUNTOAL does not sell personal data to third parties.

Certain service providers acting as data processors (hosting, email, customer support tools, webinar platforms, etc.) may access data, always under contract and following PUNTOAL's instructions, in accordance with Article 28 of the GDPR.

Data may be communicated to public authorities where a legal obligation exists.

For more information about providers who access personal data, you can write to: dpo@puntoal.com

7. International Data Transfers

As a general rule, data is stored within the European Economic Area (EEA). In the event of international transfers, PUNTOAL guarantees that appropriate security measures and safeguards will be applied, such as:

  • European Commission Standard Contractual Clauses
  • Binding Corporate Rules (BCR), where applicable

8. Exercise of Rights

Users may exercise their rights by sending a request to: dpo@puntoal.com

Rights recognized by the GDPR:

  • Access
  • Rectification
  • Erasure (right to be forgotten)
  • Restriction of processing
  • Data portability
  • Objection

9. Accuracy of Data

Users guarantee that the data provided is truthful, accurate and up to date, being solely responsible for any damage or harm arising from failure to comply with this obligation. PUNTOAL reserves the right to suspend or cancel services when the data provided is false, incomplete or inaccurate.

10. Security Measures

PUNTOAL has adopted the necessary technical and organizational measures to ensure the security of personal data and prevent its alteration, loss, unauthorized processing or access. The website uses TLS encryption (HTTPS), ensuring that transmitted information travels securely.

However, users should be aware that no security measure on the Internet is absolutely infallible.

11. Google API Integration (Google Drive)

Puntoal offers its users the option to voluntarily connect their Google Drive account to store copies of their received invoices. This section specifically describes how Puntoal uses data obtained through Google APIs, in compliance with the Google API Services User Data Policy.

a) Data accessed by Puntoal

When the user authorizes the integration with Google Drive, Puntoal exclusively accesses:

  • Name and email address of the Google account (to identify the connected account).
  • Permission to create, read and delete files generated by the Puntoal application itself within the user's Google Drive (scope drive.file). Puntoal does not access any other file on the user's Drive that was not created by Puntoal.

b) Use of data

Data and permissions obtained through Google APIs are used exclusively to:

  • Upload received invoice documents (PDF, images) to the user's own Google Drive, organized in automatic folders by year and month.
  • Allow downloading of those documents from the Puntoal platform.
  • Identify the connected Google account and display it in the company settings.

Puntoal does not use Google data for advertising, profiling, statistical analysis or any other purpose other than those described. The use of information obtained through Google APIs is strictly limited to the purposes described in this policy and complies with the Google APIs Limited Use Policy.

c) Sharing data with third parties

Puntoal does not share, sell, transfer or disclose Google access tokens or any data obtained through Google APIs to any third party, except when strictly necessary to provide the technical service (for example, the AWS hosting provider in the EU-West region that hosts the application), who are subject to confidentiality agreements and only process data following Puntoal's instructions.

d) Storage and protection of OAuth tokens

Google access and refresh tokens are stored in Puntoal's database encrypted using ASP.NET Core Data Protection (AES-256 encryption). Access to these tokens is restricted to the company that owns the account and they are never exposed in plain text outside the server.

e) Retention and deletion of Google data

Google access tokens are retained as long as the user maintains an active connection to Google Drive in Puntoal. The user can revoke access at any time from the Purchases → Received Invoices → Cloud section of the application, or directly from their Google account at myaccount.google.com/permissions. Upon revocation, the tokens are immediately deleted from Puntoal's database.

Documents uploaded to the user's Google Drive remain on their Drive and are the user's responsibility. Puntoal does not delete files from the user's Drive unless expressly instructed to do so.

To request the deletion of all data associated with your Google account in Puntoal, write to privacidad@puntoal.com.

12. Amendments to the Privacy Policy

This Privacy Policy may be amended to adapt to legal or technical changes. We recommend reviewing it periodically.

Date of last revision: March 2026