1. Scope
This Policy explains how we process the personal data of: (a) visitors to paidio.app; (b) account holders and tenant administrators (our customers). When a customer uses Paidio to process the data of their end users, the customer is the controller and Paidio acts as processor; that processing is governed by the DPA.
2. What data we process
- Account data: name, email address, organization/tenant, credentials (stored encrypted/hashed).
- Usage and billing data: contracted plan, message/token history and associated cost, Stripe subscription identifiers. We do not store your card details (Stripe handles them).
- Billing tax data: tax name, address and VAT number (VAT ID).
- Content you upload: documents and texts for your assistants (may contain personal data for which you are the controller — see DPA).
- Technical data: IP address, security and anti-fraud data (rate limits, CAPTCHA verification), access logs.
3. Purposes and legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the service and managing your account | Performance of the contract (art. 6.1.b) |
| Billing and tax compliance | Legal obligation / contract (art. 6.1.b and c) |
| Security, abuse prevention and moderation | Legitimate interest (art. 6.1.f) |
| Service communications (email verification, notices) | Performance of the contract |
| Marketing communications (if any) | Consent (art. 6.1.a) |
As regards legitimate interest (security/anti-abuse), we have weighed your interests and rights against ours; you may object on grounds relating to your particular situation and request information about that balancing test by writing to tiho@theorangecat.dev.
4. Providers (subprocessors) and international transfers
To provide the service we use providers that may process data on our behalf: OpenAI (AI models, embeddings, moderation), Stripe (payments and tax data), Resend (transactional email), Cloudflare (anti-fraud/Turnstile), Railway (hosting of backend and database) and Netlify (hosting of the frontend). The canonical list is set out in the DPA.
Some providers are located outside the European Economic Area (e.g. the USA). In those cases, transfers are covered by adequate safeguards in accordance with Chapter V of the GDPR (Standard Contractual Clauses and/or adequacy frameworks such as the EU-US Data Privacy Framework where applicable). You may request a copy of those safeguards by writing to tiho@theorangecat.dev.
5. Retention periods
| Category | Period |
|---|---|
| Account data and Customer Content | While the account is active; deleted or anonymized 30 days after cancellation, unless a legal obligation applies |
| Accounting/billing records and information | 10 years (Bulgarian Accountancy Act) |
| Technical and security records (logs) | 12 months |
| Anti-fraud/CAPTCHA data | 6 months |
| Marketing accounts (consent) | Until you withdraw consent |
6. Automated decisions
We do not make decisions based solely on automated processing that produce legal effects or significantly affect you (art. 22 GDPR). The AI assistant generates text responses, but does not profile or make decisions about individuals.
7. Your rights
You may exercise the rights of access, rectification, erasure, objection, restriction and portability, as well as withdraw consent where it is the basis of processing (e.g. unsubscribe from marketing in each message or by writing to us). Write to us at tiho@theorangecat.dev; we will respond within one month, extendable by two months in complex cases. You have the right to lodge a complaint with a supervisory authority (in Bulgaria, the CPDP; in Spain, the AEPD; or that of your country of residence).
8. Security
We apply reasonable technical and organizational measures: encryption in transit, hashing of credentials, logical isolation per tenant, access control, rate limits and security logs. No system is infallible; we will notify you of breaches that require it in accordance with the law.
9. Minors
Paidio is not directed at minors. We do not knowingly collect data from minors for their own accounts.
10. Cookies
The use of cookies and similar technologies is described in the Cookie Policy.
11. Changes
We may update this Policy. We will publish the current version with its date and, if the change is material, we will notify you by reasonable means.
12. Contact
Controller: The Orange Cat EOOD. Privacy: tiho@theorangecat.dev.