Privacy Policy
Last updated: 13 April 2026
1. Data Controller
maqia ai ("MAQIA", "we", "us") is the data controller responsible for the personal data processed through our procurement platform and public website. If anything in this policy is unclear — or you want to exercise one of your GDPR rights — just email us and a real human will get back to you.
maqia ai
Email: privacy@maqia.eu
2. What Personal Data We Collect
We collect only what we need to run the service, bill you, and keep the platform secure:
- Account data — your name, work email, company, and role.
- Billing data — company name, VAT/tax ID, billing address, and payment instrument details (handled by Stripe; see Section 4).
- Usage data — tenant activity, procurement documents you create, and feature interactions inside the platform.
- Technical data — IP address, user agent, and session cookies required to keep you logged in and to protect the platform from abuse.
- Communications — anything you send us via support, feedback forms, or email.
3. Legal Bases for Processing
Under GDPR Art. 6, here is the specific legal basis we rely on for each category:
- Account data — performance of the contract with you (Art. 6(1)(b)).
- Billing data — performance of the contract (Art. 6(1)(b)) combined with our legal obligation to keep tax records (Art. 6(1)(c)).
- Usage data — our legitimate interest in operating, securing, and improving the platform (Art. 6(1)(f)).
- Marketing communications (if any) — your consent, which you can withdraw at any time (Art. 6(1)(a)).
4. Payment Processing & Stripe
When you upgrade to a paid plan, we use Stripe Payments Europe, Limited (Ireland) as our payment processor. Stripe collects and processes your name, billing email, billing address, VAT number, and payment instrument details on our behalf to perform our contract with you (GDPR Art. 6(1)(b)) and to comply with our tax obligations (Art. 6(1)(c)).
MAQIA never receives or stores your full card number or CVV. All payment details are tokenised by Stripe.
Stripe may transfer limited personal data to Stripe, Inc. in the United States under the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses. Stripe is self-certified under the Data Privacy Framework.
Stripe uses automated fraud-prevention technology (Stripe Radar). If a payment is declined and you believe this is an error, please contact billing@maqia.eu for human review (GDPR Art. 22(2)(a) & (3)).
Stripe's privacy policy: stripe.com/privacy
5. Sub-processors
These are the third parties that process personal data on our behalf. We keep this list short on purpose — and we'll update it here before adding a new sub-processor.
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe, Ltd | Payment processing | Ireland (+ US for some data) | SCCs + Data Privacy Framework |
| Supabase | Database, authentication, storage | EU (Frankfurt) | Within EU — no mechanism needed |
| Google Cloud (Cloud Run) | Application hosting | EU (Belgium — europe-west1) | Within EU — no mechanism needed |
| InvoiceXpress | Portuguese-certified invoicing (AT compliance) | Portugal | Within EU — no mechanism needed |
6. How Long We Keep Your Data
We keep data only as long as we need it, or as long as the law tells us to:
- Account data — deleted within 30 days of account closure, except where we're required to keep it for legal obligations.
- Billing records — retained for 10 years as required by Portuguese CIVA Art. 52 and Spanish LGT Art. 66 (tax law), then permanently deleted.
- Usage logs — 90 days on a rolling basis.
- Audit logs — 2 years, to meet our security obligations under GDPR Art. 32.
- Marketing consent records — until you withdraw consent.
7. Your Rights Under GDPR
If you're in the EEA or the UK, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — ask us what we hold about you.
- Right to rectification (Art. 16) — correct anything that's wrong.
- Right to erasure (Art. 17) — delete your data, subject to the tax retention period described above.
- Right to restriction (Art. 18) — pause processing while we investigate a complaint.
- Right to data portability (Art. 20) — get your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email privacy@maqia.eu and we'll respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In Portugal, that's the Comissão Nacional de Proteção de Dados — cnpd.pt. In Spain, it's the Agencia Española de Protección de Datos — aepd.es.
8. International Data Transfers
By default, your data stays inside the European Union. The main exception is Stripe, which may transfer limited billing data to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses, as described in Section 4 above. We don't transfer personal data anywhere else without disclosing it here first.
9. Security
We take GDPR Art. 32 seriously. Our baseline includes:
- Encryption in transit (TLS 1.2+) and at rest.
- Two-factor authentication and optional organisation-wide MFA enforcement.
- Audit logging for sensitive administrative actions.
- Least-privilege access controls and row-level tenant isolation.
- A documented incident response plan and 72-hour breach notification to CNPD / AEPD under Art. 33.
10. Cookies
We use cookies for authentication, payments, fraud prevention, and (with your consent) analytics. See the cookie consent banner at the bottom of the page to manage your preferences, or the Cookie section of our consent panel for the full list of categories.
11. Children
MAQIA is a B2B service and is not intended for anyone under the age of 16. If you believe we've inadvertently collected data about a child, email privacy@maqia.eu and we'll delete it.
12. Changes to This Policy
If we make material changes to this policy, we'll notify you by email and/or inside the platform at least 30 days before they take effect. Non-material clarifications (typos, formatting) may be made at any time.
13. Contact
For anything privacy-related, reach us at one of these addresses:
Data subject requests: privacy@maqia.eu
Billing & Stripe queries: billing@maqia.eu
Data Protection Officer: dpo@maqia.eu
Note: MAQIA may not be formally required to appoint a DPO under GDPR Art. 37. If appointment is not required, this address is monitored by our privacy team.