Privacy Policy
This Privacy Policy explains how PayPam (hereinafter «PayPam» or «the Service») collects, uses, stores and protects the personal data of its users and the data that users process through the Service, in compliance with the EU General Data Protection Regulation (GDPR) 2016/679 and the Spanish Data Protection Act (LOPDGDD) 3/2018.
1. Data Controller
- Owner: Miguel Ángel Gelabert Tellado
- Tax ID (NIF): 37340298M
- Address: Calle Creu 2, 07250 Vilafranca de Bonany, Illes Balears, Spain
- Contact email for privacy matters: hello@pay-pam.com
To exercise any of the rights described in this Policy, or to raise any question regarding the processing of personal data, please contact the email above.
2. Two different roles of PayPam
PayPam acts as Data Controller in relation to the personal data of its own direct customers (the individuals or companies who purchase PayPam), and as Data Processor in relation to the personal data that its customers process through the Service (for example, the data of the customers’ end subscribers).
This distinction is important because obligations differ in each case.
3. Personal data processed
3.1 Data of PayPam’s direct customers (as Controller)
When you purchase PayPam, we collect and process the following personal data:
| Category | Examples |
|---|---|
| Identification data | Name, surname, email |
| Billing data | Company name, tax ID, billing address (collected via Stripe) |
| Technical credentials | API keys for Stripe and other services you connect to PayPam, always stored encrypted (AES-256-CBC) |
| Usage data | IP, login timestamps, actions performed on the dashboard |
| Payment data | Card details are handled directly by Stripe. PayPam does not receive or store them. |
3.2 Data processed on behalf of Customers (as Processor)
When the Customer activates certain modules of PayPam, the Service receives and processes personal data of third parties (for example, the Customer’s end subscribers). This data is not owned by PayPam, but by the Customer, who acts as Controller towards the affected individuals.
The specific categories depend on the active modules:
Stripe module (payment management and analytics):
- End subscriber email
- Amount, status and metadata of payments
- Stripe identifiers (customer, payment_intent, subscription)
Telegram module (private group access management):
- End subscriber email (for the access flow)
- Telegram identifier (telegram_id) and username
- Membership status and access/removal dates
PayPam only processes this data for the purposes indicated by the Customer and in accordance with the documented instructions set out in the Terms of Service, which include data processing clauses under Article 28 GDPR.
4. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Provision of the contracted service | Performance of contract (Art. 6.1.b GDPR) |
| Invoicing and compliance with tax obligations | Legal obligation (Art. 6.1.c GDPR) |
| Sending service-related communications (renewals, alerts, incidents) | Performance of contract (Art. 6.1.b GDPR) |
| Customer support and incident handling | Performance of contract (Art. 6.1.b GDPR) |
| Service improvement and internal usage analytics | Legitimate interest (Art. 6.1.f GDPR) |
| Security, fraud prevention and technical audit | Legitimate interest (Art. 6.1.f GDPR) |
| Compliance with applicable legal obligations | Legal obligation (Art. 6.1.c GDPR) |
PayPam does not send unsolicited commercial communications (marketing) unless the Customer has given explicit consent.
5. Retention periods
| Data type | Retention period |
|---|---|
| Active Customer account | For as long as the Customer maintains the Service subscription |
| Data after Customer termination | 30 additional days, unless a longer legal retention obligation applies |
| Issued invoices and tax data | 5 years (Spanish tax and commercial law) |
| Technical logs, dashboard activity records | 6 months |
| Payment records and transaction history (drwl_saas_log) | 6 months, except those required for tax invoicing |
| Encrypted API keys | Deleted when the account is terminated or when the Customer removes them |
| Marketing prospecting data | Not applicable (PayPam does not perform prospecting) |
After the applicable retention period, data will be deleted or irreversibly anonymized.
6. Recipients and sub-processors
PayPam engages third-party service providers (sub-processors) who may have access to personal data in order to provide their services. All providers are bound by contracts ensuring compliance with the GDPR.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Processing of Customer subscription payments to PayPam | Ireland (seat) / USA (parent) | Stripe is Controller of payment data. International transfers covered by Standard Contractual Clauses (SCC) |
| Telegram Messenger LLP | Bot API for group access management (only if the Telegram module is active) | United Kingdom / United Arab Emirates | International transfers covered by contractual safeguards |
| Anthropic PBC | Processing of queries sent by the Customer to the help chat in the dashboard (AI assistant) | USA | International transfers covered by SCC. Customers must refrain from entering sensitive personal data into this chat. PayPam does not store the content of conversations beyond the session context |
| BanaHosting | Web hosting and database server | Canada / EU (depending on the assigned server) | Canada has an EU Commission Adequacy Decision. Transfers are lawful without additional SCCs |
PayPam does not sell personal data to third parties for commercial purposes of those third parties, nor does it use the data for purposes other than those described in this Policy.
7. International data transfers
Some of the providers listed in section 6 may process data outside the European Economic Area (EEA). In all cases, such transfers are covered by:
- Adequacy Decisions issued by the European Commission (in the case of Canada)
- Standard Contractual Clauses (SCC) approved by the European Commission (in the case of the USA)
8. Data subject rights
Under the GDPR, users may exercise the following rights at any time:
- Right of access: request information about the personal data PayPam processes
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure (right to be forgotten): request deletion of personal data
- Right to object: object to processing for specific purposes
- Right to restriction: request the restriction of processing
- Right to data portability: receive personal data in a structured, commonly used, machine-readable format
- Right not to be subject to automated decision-making: including profiling
To exercise any of these rights, please write to hello@pay-pam.com clearly stating which right you wish to exercise. PayPam will respond within one month, extendable by two additional months in complex cases under the GDPR.
Additionally, users have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es) or with the supervisory authority of their country of residence if they consider that the processing of their personal data does not comply with applicable law.
9. Rights of Customer’s end subscribers
If you are an end subscriber of a PayPam Customer (for example, you paid a subscription to someone who uses PayPam), your personal data is processed by PayPam on behalf of that Customer.
In this case, the Data Controller is the Customer itself (not PayPam). To exercise your GDPR rights, you must contact them directly. If you do not know who they are, you may write to hello@pay-pam.com and we will help you identify them.
10. Security measures
PayPam implements reasonable technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of sensitive credentials in the database (AES-256-CBC)
- Encrypted transmissions with TLS 1.2 or higher
- Access control to servers and database
- HMAC signature verification on incoming webhooks to prevent forged requests
- Rate limiting on public endpoints to prevent abuse
- Regular security updates of server software
- Regular system backups
Despite these measures, no transmission of data over the internet can be guaranteed 100% secure. In the event of a security breach affecting personal data, PayPam will notify the affected individuals and the relevant supervisory authority within the timeframes established by the GDPR (72 hours).
11. Cookies
The website https://pay-pam.com only uses strictly necessary technical cookies for the operation of the service:
- Session cookies: to keep the user authenticated after login
- Preference cookies: to remember dashboard settings (light/dark mode, language)
PayPam does not use analytics, advertising or third-party marketing cookies. No user behavior tracking is performed outside the dashboard.
Since only strictly necessary cookies are used, no prior consent is required under the Spanish Data Protection Agency guidelines on cookies. Users may configure their browser to reject cookies; doing so may affect the functionality of the dashboard.
12. Changes to this Policy
PayPam may update this Privacy Policy to reflect legal, technical or operational changes. The current version is always available at https://pay-pam.com/privacy and in the /legal/ folder of the Service’s public repository.
The Customer will be notified of substantive changes by email to the registered address at least 30 days before they enter into force.
13. Contact
For any question or inquiry related to this Privacy Policy:
- Email: hello@pay-pam.com
- Postal address: Miguel Ángel Gelabert Tellado — Calle Creu 2, 07250 Vilafranca de Bonany, Illes Balears, Spain
Last updated: 2026-04-12
This Privacy Policy has been drafted in English and is the official version.