1. Controller Identity
Controller: Hugo Barrio García (trading as Trevam Intelligence Systems)
Address: Camino Arroyo de Arnao, s/n, Chiclana de la Frontera, Cádiz 11330, Spain
Contact: hello@trevam.com
This policy describes how personal data is collected and processed in connection with the trevam.com website and the products sold through it.
2. Data Collected and Sources
| Data category | Examples | Source |
|---|---|---|
| Purchase and contact data | Name, email address, billing country | Buyer at checkout (via Gumroad) |
| Tax / VAT data | VAT number, billing address (where provided) | Buyer at checkout |
| Order data | Order ID, product version, purchase date, amount | Gumroad platform |
| Support communications | Email content relating to download issues, refunds, queries | Buyer by email |
| Payment data | Payment method, card type (last digits if available) | Processed by Gumroad / payment processors — the Controller does not receive or store full card data |
| Website analytics | Page views, referral source, device/browser type (aggregated or pseudonymous) | Landing page (if analytics are active — see note below) |
Website analytics (Plausible). This website uses Plausible Analytics to measure aggregated website usage (e.g., page views, referral source, country-level location, and device type). Plausible is configured in cookieless mode and does not use tracking cookies. The legal basis is legitimate interests (GDPR Art. 6(1)(f)) limited to basic website performance measurement.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Delivering the purchased digital product (download link, update emails for 90 days) | Art. 6(1)(b) — performance of contract |
| Issuing receipts and complying with tax/accounting obligations (Ley 37/1992; LIVA; Spanish fiscal law) | Art. 6(1)(c) — legal obligation |
| Responding to support requests and resolving conformity issues | Art. 6(1)(b) — performance of contract |
| Defending against chargebacks and legal disputes; maintaining transaction records | Art. 6(1)(f) — legitimate interests (evidence preservation; fraud prevention) |
| Sending direct marketing communications | Art. 6(1)(a) — consent (only if separately and expressly given; not collected at this time) |
No automated decision-making with significant legal or similarly significant effects is carried out based on the data collected.
4. Recipients and Processors
Personal data is shared only with third parties where necessary to operate the service:
- Gumroad (payment and delivery platform): processes payment, delivers the download link, and retains transaction records. Refer to Gumroad's own privacy policy for their processing. Gumroad acts as merchant of record and processes payment data as an independent controller. The Controller receives order confirmation data from Gumroad for delivery and record-keeping purposes.
- Email service provider: used to deliver product update emails. Provider details available on request.
- Accounting / tax software: used internally for record-keeping and fiscal obligations. No marketing use.
- Public authorities: where required by law (tax authorities, courts).
5. International Transfers
Some recipients (e.g. Gumroad, email providers) may process data outside the European Economic Area (EEA). Where this occurs, the Controller relies on the safeguards applicable to those providers under GDPR (Articles 44 et seq.), such as adequacy decisions or standard contractual clauses. Details of specific transfer mechanisms are available on request.
6. Retention Periods
| Data category | Retention period |
|---|---|
| Purchase / invoicing records | Minimum 5 years from the end of the fiscal year (Spanish accounting and tax law obligations) |
| Support communications | Until the matter is resolved plus a reasonable period for potential follow-up claims |
| Product update delivery emails | 90 days from purchase date (commercial update window) |
7. Data Subject Rights
Under GDPR Articles 15–22, data subjects have the right to:
- Access personal data held about them (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten"), where applicable (Art. 17)
- Restriction of processing, where applicable (Art. 18)
- Data portability, where applicable (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time where processing is consent-based (Art. 7(3))
Requests should be sent to hello@trevam.com with sufficient information to identify the data subject and the request. The Controller will respond within the statutory timeframe (generally one month).
Data subjects also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD): www.aepd.es.
8. Security
The Controller applies appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, or disclosure, in accordance with GDPR Article 32. These include access controls, minimal data collection, and use of established third-party platforms with their own security certifications.
9. Cookies and Tracking
The trevam.com landing page does not use tracking cookies. Website analytics, where enabled, is configured in cookieless mode (Plausible). Any cookies that may be set are limited to technical cookies required by the hosting infrastructure. If this changes, this policy will be updated and, where required by applicable law, consent will be obtained before any non-essential cookies are set.
10. Policy Updates
This policy may be updated to reflect changes in processing activities or applicable law. Material changes will be communicated where feasible. The version in force at the time of purchase shall apply to that transaction.