Zapable Privacy Policy

Last updated: March 26, 2026

1. Introduction

Welcome to Zapable (“we”, “our”, “us”).
We are a digital marketplace that enables creators to sell digital products and accept payments through Bitcoin’s Lightning Network and card payments via Stripe.

This Privacy Policy explains how we collect, use, and protect your information when you use Zapable.

By accessing or using our platform, you agree to this Privacy Policy.

1b. Data Controller

The data controller responsible for your personal data is:

Stephan Zimmer

Trabajador Autónomo (Self-employed)

Barcelona, Spain

Email: stephan@zapable.net

For all privacy-related inquiries, including exercising your data protection rights, please contact us at stephan@zapable.net.

2. Information We Collect

We collect the following types of information:

2.1. Information You Provide Directly

  • Account information: name, email address, password.
  • Creator information: profile details, product listings, files you upload.
  • Payment setup information:
    • Stripe creator configuration (e.g., Stripe account ID).
      We do not receive your full personal financial data—Stripe handles this directly.
    • Lightning payment details (e.g., wallet connection info such as LNURL or invoice parameters).
      We never have access to your wallet’s private keys or funds.

2.2. Automatically Collected Information

  • Device information (browser type, operating system)
  • IP address (for security and anti-fraud)
  • Usage data (pages visited, actions taken, time on page)
  • Cookies and similar technologies

2.3. Marketplace Transaction Data

We retain limited information about transactions, such as:

  • Product purchased
  • Amount
  • Timestamp
  • Payment method (Bitcoin or card)

We never store card numbers, full payment details, or Bitcoin private keys. Stripe and your Lightning wallet process that information directly.

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Zapable platform
  • Enable users to buy and sell digital products
  • Handle account registration, authentication, and security
  • Process payments via Stripe or Lightning integrations
  • Deliver purchased digital products to buyers
  • Communicate updates, support messages, or important notifications
  • Improve platform performance, features, and user experience
  • Detect, investigate, and prevent fraud, abuse, or security issues

We do not sell your data to third parties.

3b. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases under the EU General Data Protection Regulation (GDPR):

  • Performance of a contract (Art. 6(1)(b)): Account creation, payment processing, order fulfilment, delivering purchased products, and providing the marketplace platform.
  • Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics, Vercel Analytics), newsletter subscriptions, and sharing your email with creators when downloading free products. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention, platform security, abuse detection, improving the user experience, and internal analytics. Our legitimate interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): Retaining financial and transaction records as required by Spanish tax law (Ley General Tributaria — 4 years) and commercial law (Código de Comercio — 6 years), and responding to lawful requests from authorities.

4. How Payments Work

4.1. Card Payments (Stripe)

If you choose to accept card payments or purchase with a card:

  • Stripe processes the card details securely.
  • We do not see or store full card information.
  • Creators must connect their own Stripe accounts to receive fiat payouts.

Stripe’s own privacy policy governs how Stripe handles your payment data.

4.2. Bitcoin Lightning Payments

If you use Lightning:

  • Payments are processed directly between the buyer’s wallet and the creator’s wallet.
  • We may generate or relay payment requests (e.g., invoices or LNURLs) but we do not control funds.
  • We do not store private keys, seed phrases, or wallet balances.
  • Transactions are peer-to-peer and irreversible once completed.

5. How We Share Information

We only share information when necessary to operate the platform, or when legally required.

5.1. Service Providers

We may share data with service providers who help us run Zapable, such as:

  • Stripe (payment processing)
  • Supabase or equivalent (database/auth/storage)
  • Cloud hosting providers
  • Analytics providers

These providers only access data needed to perform their services and are expected to protect it.

5.2. Legal Requirements

We may disclose information if required to:

  • Comply with applicable laws, regulations, or legal process
  • Respond to valid law enforcement requests
  • Protect the rights, property, or safety of Zapable, our users, or others

We do not share your personal information with advertisers or sell data to third parties.

6. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies: Keep you logged in, maintain session state, and remember preferences. These are strictly necessary and do not require consent.
  • Analytics cookies: Understand how visitors use the platform (Google Analytics, Vercel Analytics). These are only loaded after you give consent via our cookie banner.

When you first visit Zapable, a cookie consent banner allows you to accept or decline analytics cookies. You can change your preference at any time by clearing your browser’s local storage.

For a detailed list of cookies, see our Cookie Policy.

7. Data Retention

We retain your information only as long as necessary to provide our services and comply with legal obligations. Specific retention periods:

  • Account data: Retained while your account is active and for 30 days after deletion to allow recovery.
  • Transaction and financial records: 6 years, as required by Spanish commercial law (Código de Comercio, Art. 30) and tax law (Ley General Tributaria — 4 years).
  • Support tickets: 2 years after resolution.
  • Analytics data: Governed by the retention settings of the respective third-party service (Google Analytics: up to 26 months).
  • Newsletter subscriptions: Until you unsubscribe.

If you delete your account, we will erase your personal data except where retention is required by law (e.g., financial records for tax compliance).

8. Security

We take the security of your data seriously and use measures such as:

  • Encrypted connections (HTTPS)
  • Secure password hashing
  • Access controls and role-based permissions
  • Minimizing the data we store related to sensitive operations

However, no system is completely secure. You are responsible for:

  • Using a strong, unique password
  • Protecting access to your account and devices
  • Safeguarding your Lightning wallet credentials and Stripe login details

9. Your Rights Under GDPR

Under the EU General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction (Art. 18): Restrict the processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact us at stephan@zapable.net. We will respond within 30 days, as required by GDPR. We may need to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the AEPD (see Section 11b).

10. Children’s Privacy

Zapable is not intended for individuals under the age of 18.
We do not knowingly collect personal information from children.

If you believe a child has created an account or provided information, please contact us and we will take appropriate steps to remove the account and related data.

11. International Data Transfers

Some of our service providers are based outside the European Economic Area (EEA), including in the United States. When your data is transferred outside the EEA, we ensure it is protected by appropriate safeguards:

  • Stripe, Inc. (USA) — Covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
  • Vercel, Inc. (USA) — Data Processing Agreement with Standard Contractual Clauses.
  • Supabase, Inc. (USA) — Data Processing Agreement with Standard Contractual Clauses.
  • Resend, Inc. (USA) — Data Processing Agreement with Standard Contractual Clauses.
  • Google LLC (USA) — Covered by the EU-US Data Privacy Framework.

You may request a copy of the applicable safeguards by contacting us at stephan@zapable.net.

11b. Your Right to Complain

If you believe that your data protection rights have not been adequately addressed, you have the right to lodge a complaint with the competent supervisory authority.

As Zapable is operated from Spain, the lead supervisory authority is:

Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan, 6, 28001 Madrid, Spain

Website: www.aepd.es

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our services
  • Changes in applicable laws
  • Operational or technical updates

When we make changes, we will update the “Last updated” date at the top of this page.
In some cases, we may also provide additional notice (e.g., via email or in-app notification).

13. Contact Us

If you have any questions or concerns about this Privacy Policy, or about how we handle your data, you can contact us at:

Email: stephan@zapable.net