This Privacy Policy applies to the app ScriptorIA (api_script), operated by
pibiCo Compañía de Inteligencia de Negocio y Control SL
CIF ES B52567831 · Avenida de La Costa, 35-6T, 33201 Gijón, Asturias, España
Support: soporte@pibico.es · DPO: soporte@pibico.es
Version: 1.1.0 · Effective from: 2026-06-15

Privacy Policy

This Privacy Policy ("Policy") explains how pibiCo Compañía de Inteligencia de Negocio y Control SL ("pibiCo", "we" or "our") collects, uses, discloses and protects personal data when you use the application ScriptorIA ("the Platform"), a SaaS solution by pibiCo enhanced with AI capabilities. pibiCo is a Spanish company incorporated under the laws of Spain and the European Union (EU), with VAT number ES B52567831 and registered office at Avenida de La Costa, 35-6T, 33201 Gijón, Asturias, Spain.

1. Scope of this Policy

1.1 Applicability

This Policy applies to personal data we collect from authorised Users and employees of contracting companies who access the Platform. There is no guest mode: all Users must register to obtain an account. Visitors of the public website may view general information without logging in; no personal data is collected from such visitors unless they voluntarily provide it through contact or subscription forms.

1.2 Data Protection Officer (DPO)

We have appointed our CTO as Data Protection Officer. For privacy-related inquiries, contact: privacy@pibico.es.

2. Personal data we collect

2.1 Types of personal data

While using ScriptorIA we may collect the following categories of data:

  • Identity and contact: email and name (via pibiCo SSO)
  • Organisation/tenant and user role
  • Templates and generated articles (DOCX, PDF, PPTX, XLSX, CSV, JSON)
  • The customer's ORIGINAL documents are NOT stored (connect-only model); only derived artifacts are cached
  • Usage metadata and pibiCash credit consumption
  • Audit logs: actions, IP address and timestamp

2.2 No special categories

We do not collect health, biometric or sensitive financial data beyond what is strictly necessary for the subscription payment methods.

2.3 Web-only application (PWA)

ScriptorIA is delivered exclusively as a Progressive Web App (PWA) accessible from any modern browser. No native Android or iOS apps exist. Therefore no mobile operating-system permissions are requested (native microphone, push notifications, foreground services, wake lock). All interaction occurs inside the User's browser sandbox.

3. How we collect your data

3.1 Direct collection

Personal data is mainly collected when authorised Users or employees enter their information into Platform forms or complete the organisation onboarding.

3.2 System logs and local storage

We use local storage and logs to track User activity, ensure security, debug issues and keep accurate billing records.

3.3 No automated external collection

We do not collect personal data through external APIs or automated third-party integrations without prior agreement. Any additional integration is explicitly agreed with the contracting company.

4. Purposes of processing

4.1 Service delivery

We process personal data to provide and maintain ScriptorIA's features: generation and management of document artifacts, search and retrieval over connected libraries (RAG), and integration with other pibiCo services under the same SSO.

4.2 Support and billing

Personal data may be used to provide customer support, issue Verifactu invoices, manage subscriptions and payments, and handle incidents.

4.3 Communications

With your explicit consent, we may send newsletters or notifications about service updates. Service communications (incidents, changes, legal notices) are always sent on a legitimate-interest basis, even without marketing consent.

4.4 No profiling or automated decisions

We do not use personal data to build profiles or make automated decisions with legal or similarly significant effects.

5. Legal bases for processing

Legal basis (Art. 6 GDPR) | Application
Contract performance (Art. 6.1.b) | Service delivery, account management, authentication, subscription billing.
Legal obligation (Art. 6.1.c) | Invoicing, accounting retention and Spanish tax law (incl. RD 1007/2023 Verifactu).
Legitimate interest (Art. 6.1.f) | Security, anti-abuse, fraud prevention, service communications.
Consent (Art. 6.1.a) | Marketing communications, analytics and marketing cookies.

6. Disclosure and data sharing

6.1 External processors

We share data with the following processors under a DPA contract pursuant to Art. 28 GDPR:

Third party | Purpose | Location
Talk2Doc (pibiCo) | Document search and RAG retrieval over the connected libraries | Spain (EU) — pibiCo infrastructure
api_chat / Ollama (pibiCo) | Text generation with local LLM models | Spain (EU) — own servers
api_convert (pibiCo) | Conversion of documents to an indexable format | Spain (EU) — own servers
api_auth (pibiCo) | Identity, SSO and credit billing | Spain (EU) — pibiCo infrastructure
MinIO (pibiCo) | Storage of templates and derived artifacts | Spain (EU) — own servers
Anthropic / OpenAI | LLM text generation (only if the User explicitly selects one of these providers) | USA — transfer under Standard Contractual Clauses

6.2 AI processing

By default, AI processing in ScriptorIA is local (pibiCo's own servers in Spain, local language models; data does not leave the EEA). If the User explicitly selects a model from an external provider (Anthropic, OpenAI), the content required for generation is transmitted to that provider acting as a processor, under a DPA and Standard Contractual Clauses, which may entail an international transfer (see §6.1 and §9). The provider choice is the User's and is logged.

6.3 No external transfers without agreement

We do not transfer personal data to external APIs, third-party software or services that are not explicitly agreed in your organisation's subscription contract.

7. Data retention

7.1 Retention periods

  • Active subscription: 365 days.
  • Free Basic or inactive account: after a period of prolonged inactivity or closure, the account enters read-only mode for 30 days before permanent deletion.
  • Billing data: 6 years (Spanish commercial and tax obligation).
  • Security logs: 12 months.

7.2 Post-subscription retention

After subscription termination we may retain personal data for up to 5 years to comply with accounting, legal and regulatory requirements, unless the law requires a different period. After that, data is deleted or anonymised.

8. Data security

8.1 Technical and organisational measures

We use role-based access control (RBAC), permission management, encryption in transit (TLS 1.2+) and at rest where applicable, passwordless authentication (email OTP, with optional TOTP 2FA), and complete activity logging. Only authorised personnel have access to personal data.

8.2 Data breaches

In case of a suspected breach we will investigate immediately, identify the scope, and where applicable notify affected data subjects and the AEPD within the 72-hour period set by Art. 33 GDPR.

9. International transfers

Where a processor is located outside the European Economic Area, transfers are made on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, or under an Adequacy Decision. By default, ScriptorIA data is stored on European infrastructure.

10. Data subject rights

10.1 Your rights (GDPR and LOPDGDD)

  • Access: obtain confirmation of which data we process and a copy of it.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request temporary restriction of processing.
  • Portability: receive your data in a structured, exportable format.
  • Withdraw consent: at any time without affecting the lawfulness of prior processing.

10.2 Exercising your rights

To exercise any right, write to soporte@pibico.es or to the DPO at privacy@pibico.es, indicating the affected app and providing identification. We will respond within one month.

10.3 Complaint to the AEPD

If you believe your rights have not been properly addressed, you may file a complaint with the Spanish Data Protection Agency at www.aepd.es.

11. Children's data

ScriptorIA is not directed at children under 16. We do not knowingly collect data from minors without proper authorisation from the contracting company or parents. If you detect that a minor has provided data without authorisation, contact soporte@pibico.es for immediate deletion.

12. Cookies

The use of cookies is governed by the Cookies Policy.

13. Updates to this Policy

Material changes (data collected, purposes, third parties, retention) will require fresh explicit consent and will be notified to subscribed Users by email before they take effect. Minor changes (corrections, formatting) are published with a new version and effective date without affecting prior consent.

14. Contact information

pibiCo Compañía de Inteligencia de Negocio y Control SL
Avenida de La Costa, 35-6T
33201 Gijón, Asturias, Spain
Email: soporte@pibico.es · DPO: privacy@pibico.es

Last updated: 2026-06-15 · Version 1.1.0

© 2026 pibiCo