ciflow

Privacy Policy

Last updated: 16 May 2026

At ciflow we protect personal data under the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and Spanish Organic Law 3/2018 (LOPDGDD).

1. Controller and processor

  • ciflowPlataforma SaaS de diagnóstico energético de edificios
  • Titular: Xavier Rins Lozano
  • NIF: 45787193N
  • Domicilio: Avenida de Olof Palme 10, Bajos, 08840 Viladecans, Barcelona, Spain
  • Email: hola@ciflow.net
  • Sitio web: www.ciflow.net

ciflow is a service aimed at professionals. Two roles apply:

  • Data controller: for the professional customer's account data (sign-up, billing, support, platform usage).
  • Data processor: for the data the professional customer enters about properties and their own end clients (including Datadis electricity consumption). The professional customer is the controller of that data; ciflow processes it solely to provide the service, under the processing agreement (Art. 28 GDPR).

2. Data we process

  • Professional account: name, email, hashed password, organisation and sub-organisations.
  • Billing: subscription data processed by Stripe. We never store card numbers.
  • Property data: cadastral reference, address, energy certificate, building inspection (ITE) and technical data uploaded by the customer or retrieved from official sources.
  • Electricity consumption (Datadis): CUPS and consumption curve, processed only with the supply holder's consent (DNI/CIF), obtained by the professional customer.
  • Browsing: technical cookies (see Cookie Policy).

3. Purpose

  • Generate energy diagnostics, simulations and reports.
  • Manage the account, subscription and support.
  • Enable the contracted API and integrations.
  • Improve the service via aggregated, anonymised data.

4. Legal basis

  • Contract performance (Art. 6.1.b): providing the contracted service.
  • Consent (Art. 6.1.a): Datadis consumption and marketing communications.
  • Legitimate interest (Art. 6.1.f): security and service improvement.
  • Legal obligation (Art. 6.1.c): tax and commercial law.

5. Recipients

We use providers that process data on behalf of ciflow: Stripe (payments), Resend (email), Anthropic (AI document processing), cloud storage on European infrastructure (S3 Mega S4), and official sources and Datadis for property and consumption data. No provider uses the data for its own purposes. We do not sell or transfer data for commercial purposes.

6. Retention

  • Account: while the subscription is active.
  • Property data and reports: while the customer keeps them; deleted on account closure unless legally required.
  • Billing: 5 years (tax obligation).
  • Documents uploaded for OCR: deleted after processing unless the customer chooses to keep them.

7. Your rights

You may exercise access, rectification, erasure, restriction, portability and objection rights by writing to privacidad@ciflow.net. Where a professional customer is the controller, we will forward your request to them. We respond within 30 days. You may lodge a complaint with the Spanish Data Protection Agency (AEPD).

8. Security

We apply encryption in transit (HTTPS/TLS), bcrypt-hashed passwords, encryption of credentials and consent tokens at rest (Fernet), per-organisation isolation (multi-tenant) and restricted database access.

9. International transfers

Some providers (Stripe, Anthropic, Resend) are based outside the EEA; they rely on EU Standard Contractual Clauses or equivalent safeguards.

10. Changes

We may update this policy; material changes will be notified by email or via a notice on the website.