Vyrsea CMS Logo
Back to home
Security and Transparency

Privacy Policy

Last update: June 3, 2026

1. Identification of the Data Controller

In accordance with the provisions of the General Data Protection Regulation (GDPR) and Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD), we inform you that the controller of the data collected on this platform is:

  • Data Controller: Sergio Moreno García (Vyrsea)
  • Tax ID: 77757043T
  • Registered Office: Avenida Doctor Fleming, 25 1A. 30110 Churra Murcia
  • Contact Email: arco@vyrsea.com

2. Data Subject to Processing

For the provisioning of accounts for the website creator and SaaS booking engine, we process the following categories of data provided directly by you through our forms:

  • Contact/Identification Data: Personal or corporate email, name of the primary administrator, and commercial name of the establishment.
  • Technical and Domain Data: The chosen subdomain for your dedicated site (slug).
  • Payment Data (via Stripe): Billing data linked to the bank card. This data is processed directly and encrypted by Stripe, without the data controller storing your payment credentials.
  • Technical Navigation Data: Origin IP address, date and time of form submissions, with the sole purpose of mitigating bot attacks (Honeypot) and rate limiting (Spam).

3. Purpose of Processing

We process your data for the following legitimate business purposes:

  1. Account Management and Infrastructure: Provisioning the dedicated Docker container instance, Postgres database, and R2 storage for your business in an isolated manner.
  2. Billing and Taxes Management: Managing recurring payment gateways in Stripe related to the contracted SaaS subscription.
  3. Technical Notifications: Sending by email the administrator access keys of the deployed system, server status notifications, capacity alerts, and critical technical incidents.
  4. Waitlist: For users registered in the waitlist, notifying preferentially the day of the commercial launch of the software.

4. Legal Basis for Processing

The legal basis that legitimizes the treatment of your data is:

  • Execution of a Contract (Article 6.1.b of the GDPR): Necessary for signing up for the SaaS service, provisioning the booking database of the tenant, and monthly billing.
  • Express Consent (Article 6.1.a of the GDPR): By checking the acceptance box for waitlist registration or commercial contact.
  • Legitimate Interest (Article 6.1.f of the GDPR): To prevent abuse, SPAM, and cyberattacks against the platform's servers.

5. Recipients of Disclosures and Transfers

We do not sell or disclose your data to third parties for commercial purposes. For the operation of Vyrsea CMS, we contract the services of essential providers as Data Processors who strictly comply with European regulations:

  • Payment Gateway: Stripe Inc. (guaranteeing secure international transfers through Standard Contractual Clauses).
  • Infrastructure Servers: IONOS Cloud (hosting of the dedicated Docker container instances within the European Union).
  • Core Data Management: Supabase / PostgreSQL (with servers located in secure EU zones).
  • Storage and Images: Cloudflare Inc. (R2 Storage located in the EU).

6. Data Retention Period

Billing and infrastructure data will be kept as long as the commercial relationship/subscription is active. Once account cancellation is requested, containers and instances will be automatically destroyed. Billing data will be kept blocked for the periods provided by Spanish tax regulations (5 years). Waitlist emails will be kept until the user requests removal from the list.

7. ARCO-POL Rights

As an interested party, you have full rights over your personal data and can exercise them free of charge by sending an email to the Data Controller at arco@vyrsea.com, attaching a photocopy of your ID or equivalent document and indicating the right you wish to exercise:

  • Access: Knowing what data of yours we are processing and for what purpose.
  • Rectification: Modifying or correcting inaccurate or incomplete data.
  • Erasure (Right to be forgotten): Requesting the complete deletion of your data when it is no longer necessary for the contractual relationship.
  • Objection: Objecting to the sending of informative or promotional notifications.
  • Restriction of Processing: Temporarily limiting the use of your data in legally established cases.
  • Portability: Requesting the delivery of your data in a structured standard format to send to another provider.

Likewise, you have the right to withdraw your consent at any time and to file a complaint with the Spanish Data Protection Agency (AEPD) through its electronic office if you consider that your rights have not been properly addressed.

8. Security Measures

We have implemented all necessary technical and institutional security measures to protect the confidentiality, integrity, and availability of your personal data, including the encryption of VPS passwords (via symmetric AES-256 encryption), use of HTTPS/TLS encryption managed by Nginx Proxy Manager, network firewalls, and absolute database and storage isolation for each tenant of the platform.