Data Processing Agreement (DPA)

Last updated June 24, 2026 · Revision: 3f7c9f04-9c22-44ff-ba11-6136c2560165

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service. It governs the processing of personal data that Curried Software S.L.U. ("Curried Software", "we", the "Processor") carries out on behalf of the Customer ("you", the "Controller") in providing the uninvoice.app services (the "Services"), in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR") and Organic Law 3/2018 (LOPDGDD).

This DPA applies only to the personal data that the Customer enters into the Services and that Curried Software processes as a processor (for example, the data of the Customer's clients or recipients appearing in the Customer's invoices and records). It does not apply to data that Curried Software processes as a controller (account data, subscription billing, and analytics), which is governed by the Privacy Policy.

1. Definitions and roles

The terms "personal data", "processing", "controller", "processor", "data subject", "sub-processor", and "personal data breach" have the meaning given to them by the GDPR. With respect to the data to which this DPA applies, the Customer is the data controller and Curried Software is the data processor. Where the Customer in turn acts as a processor for a third-party controller, Curried Software will be a sub-processor and the Customer warrants that it has the necessary authorisation.

2. Subject matter, duration, nature and purpose

The subject matter, duration, nature, and purpose of the processing, as well as the type of personal data and the categories of data subjects, are detailed in Annex I. The processing is carried out during the term of the Terms of Service and for as long as Curried Software retains personal data on behalf of the Customer in accordance with clause 9.

3. Processing on instructions

Curried Software will process the personal data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by Union or Member State law, in which case it will inform the Customer before processing, unless legally prohibited. These Terms, this DPA, and the use of the Services' features (for example, generating invoice PDFs or reporting records to AEAT through VeriFactu when the Customer enables it) constitute the Customer's documented instructions. Curried Software will inform the Customer if, in its opinion, an instruction infringes data protection law.

4. Confidentiality

Curried Software ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are under a legal obligation of confidentiality, and limits access to those who need it to provide the Services.

5. Security of processing (Art. 32)

Taking into account the state of the art, the costs, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of data subjects, Curried Software implements appropriate technical and organisational measures, described in Annex III, to ensure a level of security appropriate to the risk.

6. Sub-processors

The Customer grants Curried Software a general authorisation to use the sub-processors listed in Annex II. Curried Software imposes on each sub-processor, by contract, data protection obligations equivalent to those of this DPA. Curried Software will inform the Customer of any intended change concerning the addition or replacement of sub-processors, giving it the opportunity to object on reasonable data protection grounds within a reasonable period; if the objection cannot be resolved, the Customer may terminate the affected Services. Curried Software remains liable to the Customer for the performance of its sub-processors.

7. Assistance to the Controller

Taking into account the nature of the processing, Curried Software will assist the Customer, through appropriate technical and organisational measures and insofar as possible, in responding to requests by data subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection). If a data subject addresses a request directly to Curried Software, it will forward it to the Customer without undue delay. Curried Software will also assist the Customer in ensuring compliance with the obligations of Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, and prior consultations), taking into account the information available.

8. Notification of security breaches

Curried Software will notify the Customer without undue delay and, insofar as possible, within 72 hours of becoming aware of a security breach affecting personal data processed on behalf of the Customer, providing the information reasonably available so that the Customer can comply with its own notification obligations. The notification will be addressed to the Customer's contact registered in the account. Curried Software is not obliged to notify the supervisory authority or the data subjects on behalf of the Customer, unless expressly agreed.

9. Deletion or return on termination

On termination of the provision of the Services, and at the Customer's choice, Curried Software will delete or return the personal data processed on behalf of the Customer and will delete existing copies, unless Union or Member State law requires their retention. The Customer can export its data at any time from the Services. Unless instructed otherwise, Curried Software will delete the data after a grace period of up to 30 days from termination. Curried Software does not assume the legal obligation to retain the Customer's invoices and tax records; that obligation rests with the Customer as the issuer.

10. Audits and inspections

Curried Software will make available to the Customer the information necessary to demonstrate compliance with the obligations of Article 28 of the GDPR and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor authorised by it. Audits will be carried out with reasonable prior notice, during business hours, with reasonable frequency (generally, no more than once a year unless required by a supervisory authority or following a security incident), without unduly disrupting Curried Software's operations and respecting the confidentiality and security of other customers. Curried Software may satisfy this obligation by providing certifications, third-party audit reports, or security questionnaires where available.

11. International transfers

Curried Software will process personal data within the European Economic Area (EEA) wherever possible. Where a sub-processor processes data outside the EEA, such transfer will be covered by an adequacy decision or by appropriate safeguards under Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses, together with the supplementary measures that may be necessary. The Customer authorises these transfers and, where applicable, empowers Curried Software to enter into the Standard Contractual Clauses with the sub-processors on its behalf.

12. Liability and miscellaneous

Each party's liability arising from this DPA is governed by the limits and exclusions of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding data protection, this DPA prevails. For matters not provided for here, the Terms of Service apply, including their governing-law and jurisdiction clauses.

Annex I — Details of the processing

Subject matter: Provision of the uninvoice.app invoicing Services to the Customer.
Duration: While the Terms of Service are in force and in accordance with clause 9.
Nature and purpose: Hosting, storage, organisation, consultation, transmission, and deletion of personal data to create, issue, store, and manage invoices, expenses, clients, and entities; generate PDFs; and report invoice records to AEAT through VeriFactu, at the Customer's request or when the law requires it (for invoices issued by businesses or professionals established in Spain).
Types of personal data: Identifying and contact data of the Customer's clients/recipients (name or company name, address, tax identifier NIF/VAT, email), and economic information included in invoices, expenses, and records (line items, amounts, taxes). The Customer must not enter special categories of data (Art. 9 GDPR).
Categories of data subjects: The Customer's clients, invoice recipients, suppliers, and business contacts.

Annex II — Authorised sub-processors

Sub-processor: Cloudflare, Inc.
Purpose: Application hosting and content delivery
Location / safeguards: EU/EEA with possible processing outside the EEA under Standard Contractual Clauses

Sub-processor: Resend (Resend, Inc.)
Purpose: Delivery of transactional emails (which may include Customer data, e.g. invoice PDFs)
Location / safeguards: USA under Standard Contractual Clauses

The current list of sub-processors is kept up to date in this DPA. Google (authentication) and Revolut (payments) act as independent controllers and not as sub-processors with respect to the data to which this DPA applies; see the Privacy Policy. PostHog (analytics) processes data on behalf of Curried Software only with respect to data processed by Curried Software as a controller, not with respect to the Customer content covered by this DPA.

Annex III — Technical and organisational measures

Curried Software S.L.U.
Av. de Castilla, 2, Colors Coworking, Edificio Hungría, planta baja
San Fernando de Henares, Madrid 28830, Spain
NIF: ESB75929299 · Registro Mercantil de Madrid, tomo 0, folio 0, hoja M-846441, inscripción 1
Email: [email protected] · Security: [email protected]