Privacy Policy — RotaFlux

How RotaFlux handles personal data of accounts and managed employees.

Last updated: May 1, 2026

Data controller

  • Entity: de Prados y Bodega Ingenieros S.L.
  • VAT/CIF: B86106705
  • Address: Ciudalcampo, 28707 San Sebastián de los Reyes, Madrid (Spain).
  • Privacy contact: [email protected]

Quick summary

  • RotaFlux is a B2B SaaS. The contracting organization is the Data Controller for its employees’ data; we act as Data Processor for that data.
  • This policy covers your account data (the admin or planner who registers and operates the platform).
  • For employee data managed from your account, see the Data Processing Agreement (DPA) and the subprocessor list.
  • All infrastructure is hosted in the European Union.

Data we process as Controller

Account data

When you register and use RotaFlux, we process:

  • Identity: first name, last name, email address.
  • Credentials: password stored as a cryptographic hash (never in plain text).
  • Billing data: legal name, VAT/CIF and tax address of your organization.
  • Usage data: contracted credits, consumed credits, date/time of computed runs, source IP for technical logging.

Payment data

Transactions are processed through Stripe or an equivalent payment provider. We do not store card numbers or banking data on our systems: the provider handles the payment and only returns an opaque transaction ID and outcome to us.

Managed employee data

The data your organization uploads to RotaFlux to compute schedules (employee identifiers, working hours, preferences, incompatibilities, planned holidays) is processed under your instruction as Controller. The conditions of that processing are governed by our DPA.

RotaFlux does not request or store: health data, absence reasons, union membership, religion, sexual orientation, salary, or any other special category under Article 9 GDPR.

  • Account and service use: performance of a contract (Article 6.1.b GDPR).
  • Billing and accounting obligations: compliance with a legal obligation (Article 6.1.c GDPR).
  • Technical security data (access logs, failed attempts): legitimate interest in keeping the service secure (Article 6.1.f GDPR).
  • Employee data (as Processor): contract with your organization under Article 28 GDPR, formalized in the DPA.

Retention

Category | Period
Active account data | For as long as the contractual relationship lasts
Cancelled account data | 30 days after termination, then deletion
Managed employee data | As instructed by the Controller; deleted or returned at DPA termination
Billing | 6 years (Spanish accounting obligation)
Technical logs | 90 days

Disclosure and subprocessors

We do not share personal data with third parties for commercial purposes. The subprocessors that support RotaFlux operations (hosting, transactional email, monitoring, payments) are listed publicly at Subprocessors.

International transfers

The main infrastructure is in the European Union. Some subprocessors operate from outside the European Economic Area (mainly the United States); those transfers rely on the Standard Contractual Clauses adopted by the European Commission.

Cookies and web tracking

The RotaFlux application (https://rotaflux.enredando.me) uses only strictly necessary functional cookies to keep your session active. We do not use tracking, analytics or advertising cookies inside the application.

The public marketing site may use aggregate, cookieless measurement tools (e.g., Cloudflare Web Analytics), described in the site-wide privacy policy.

Security

  • Encryption in transit: TLS for all communications.
  • Encryption at rest: database encrypted at disk level.
  • Access control: principle of least privilege for operational access.
  • Backups: encrypted, with documented retention and rotation.
  • Breach notification: notice to the Controller without undue delay in case of an incident affecting personal data.

Your rights

You can exercise your rights of access, rectification, erasure, objection, restriction, and portability at any time by writing to [email protected].

If you believe your rights have not been respected, you can file a complaint with the Spanish Data Protection Agency (https://www.aepd.es) or your local supervisory authority within the EU.

Changes

Any material change to this policy will be posted on this page with the updated date at the top. If a change materially affects how we process your data, we will email you before it takes effect.