Last updated: March 29, 2026
1. Introduction
KONFIGEAR SP, a company incorporated and registered in Spain under VAT number ESB56143282, with its registered office at Calle Profesor Potter 72, Parque Científico Tecnológico, 33203 Gijón, Asturias, España ("KONFIGEAR SP", "we", "our", or "us"), operates the Konfigear platform (the "Platform"), a multi-tenant business-to-business software-as-a-service solution for custom apparel and sportswear customization, accessible at konfigear.com and related domains.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you access or use our Platform, whether as a tenant administrator ("Tenant"), an end-customer using a Tenant's customizer ("End-Customer"), or a website visitor ("Visitor"). This policy applies to all services provided through the Platform, including the product customizer, dashboard, quote submission system, and any related APIs.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights ("LOPDGDD"), and all other applicable European Union and Spanish data protection legislation.
2. Data Controller
For the purposes of the GDPR, the data controller is:
KONFIGEAR SP
Calle Profesor Potter 72
Parque Científico Tecnológico
33203 Gijón, Asturias, España
Email: contact@konfigear.com
Phone: +34 602 637 464
VAT: ESB56143282
Where a Tenant uses the Platform to collect personal data from their End-Customers through their white-label customizer instance, the Tenant is the data controller and KONFIGEAR SP acts as a data processor on the Tenant's behalf. A Data Processing Agreement ("DPA") governs this relationship and is available upon request or as part of the Tenant's service agreement.
3. Categories of Personal Data We Collect
3.1 Tenant Account Data
When you register for a Konfigear account and manage your workspace, we collect:
- Full name and email address
- Company or organization name
- Account credentials (authentication managed by Supabase Auth)
- Brand assets uploaded to the Platform (logos, design files)
- Billing and payment information (processed by Stripe; we do not store full payment card details)
- Communication preferences and support interactions
3.2 End-Customer Data
When End-Customers use a Tenant's customizer to submit quote requests, we process on the Tenant's behalf:
- Contact information (name, email, phone number) provided in the quote form
- Product customization selections (colors, designs, sizes, quantities)
- Uploaded graphic files submitted for customization
- Screenshots and configuration data generated during the customization session
3.3 Technical and Usage Data
We automatically collect certain technical information when you access the Platform:
- IP address (anonymized for analytics purposes)
- Browser type and version, device type, operating system
- Pages visited, time spent, referral source
- Session identifiers and authentication tokens
Our analytics solution (self-hosted Plausible Community Edition) is cookie-free and does not collect personally identifiable information. No individual user profiles are created from analytics data.
4. Legal Bases for Processing
We process your personal data under the following legal bases as defined in Article 6(1) of the GDPR:
| Legal Basis | Purpose | Data Categories |
|---|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation, service delivery, billing, subscription management, quote processing | Account data, billing data, customization data |
| Legitimate Interest (Art. 6(1)(f)) | Platform security, fraud prevention, analytics for service improvement, technical support | Technical data, usage data, support interactions |
| Legal Obligation (Art. 6(1)(c)) | Tax compliance, invoicing records, response to lawful requests | Billing records, transaction data |
| Consent (Art. 6(1)(a)) | Marketing communications, optional cookies, third-party AI features | Email address, cookie identifiers |
5. How We Use Your Data
We use the personal data we collect for the following purposes:
- To create, maintain, and secure your account and workspace
- To process subscriptions and payments through Stripe
- To deliver the product customizer and quote submission pipeline to Tenants and their End-Customers
- To generate technical production documents (techpacks) from quote submissions
- To provide customer support through our integrated support channels
- To send transactional emails (account confirmations, billing notifications, trial reminders)
- To analyze aggregated, anonymized usage patterns to improve the Platform
- To detect, prevent, and address fraud, security incidents, and technical issues
- To comply with legal obligations, including tax and accounting requirements under Spanish and EU law
6. Data Sharing and Sub-Processors
We do not sell, rent, or trade your personal data. We share personal data only with the following categories of recipients, each bound by contractual data protection obligations:
6.1 Sub-Processors
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, row-level security | Account data, auth tokens | EU (Frankfurt) |
| Stripe | Payment processing, subscription management, invoicing | Billing data, transaction records | USA (EU SCCs) |
| Amazon Web Services (S3) | Asset storage (uploaded graphics, screenshots, techpack PDFs, configuration files) | Uploaded files, generated documents | EU (configurable) |
| Hetzner Online GmbH | Application hosting, document generation service | All Platform data (encrypted at rest) | Germany (EU) |
| Brevo (Sendinblue) | Transactional and marketing email delivery | Email address, name | France (EU) |
| Intercom | Customer support messaging | Name, email, support conversations | USA (EU SCCs) |
| Ideogram (optional) | AI-powered design generation (Tenant opt-in only) | Design prompts | USA (EU SCCs) |
Note on Plausible Analytics: We self-host Plausible Community Edition on our own EU-based infrastructure (Hetzner, Germany). No personal data is transmitted to any third party for analytics purposes. Plausible does not use cookies and does not collect any personally identifiable information.
6.2 Other Disclosures
We may disclose personal data where required by law, regulation, or legal process, or where necessary to protect the rights, property, or safety of KONFIGEAR SP, our users, or the public. In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity, subject to the same privacy commitments.
7. International Data Transfers
The majority of personal data processing occurs within the European Economic Area (EEA). Where we transfer personal data to sub-processors located outside the EEA (such as Stripe and Intercom in the United States), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Supplementary technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization)
You may request a copy of the safeguards in place by contacting us at contact@konfigear.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable law:
| Data Category | Retention Period | Justification |
|---|---|---|
| Tenant account data | Duration of the service agreement plus 30 days after account deletion | Contract performance |
| End-Customer quote data | As determined by the Tenant (data controller); default 24 months from submission | Tenant's contractual obligations |
| Billing and invoice records | 6 years from the end of the fiscal year | Spanish tax law (Ley General Tributaria) |
| Technical logs | 90 days | Security and debugging |
| Analytics data | Aggregated indefinitely (no PII) | Legitimate interest |
| Uploaded assets (S3) | Duration of account plus 30-day grace period; temporary cart assets: 30 days auto-delete | Contract performance |
Upon expiration of the retention period, personal data is securely deleted or irreversibly anonymized.
9. Your Rights Under GDPR
Under the GDPR and LOPDGDD, you have the following rights with respect to your personal data:
- Right of Access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data where no overriding legal basis for retention exists.
- Right to Restriction (Art. 18): Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: File a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at www.aepd.es, or your local supervisory authority.
To exercise any of these rights, contact us at contact@konfigear.com. We will respond within 30 days, as required by law. We may request verification of your identity before processing your request.
End-Customers: If you are an End-Customer who submitted data through a Tenant's customizer, please direct your data rights requests to the relevant Tenant (the data controller). We will assist the Tenant in fulfilling such requests in our capacity as data processor.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Row-level security (RLS) at the database level ensuring strict multi-tenant data isolation
- Authentication via secure token-based mechanisms with JWT verification
- Role-based access controls with per-account permission enforcement
- Regular security monitoring via infrastructure monitoring tools
- Webhook signature verification for all payment processing communications
- HMAC identity verification for customer support integrations
- Presigned, time-limited URLs for asset access
11. Children's Privacy
The Platform is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at contact@konfigear.com.
12. Third-Party Links and Services
The Platform may contain links to third-party websites or services that are not operated by KONFIGEAR SP. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policies of any third-party services you access through the Platform, including those of our Tenants' own websites.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify Tenants of material changes by email or through the Platform dashboard at least 30 days before the changes take effect. The "Last updated" date at the top of this document indicates the most recent revision.
Continued use of the Platform after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:
KONFIGEAR SP
Calle Profesor Potter 72
Parque Científico Tecnológico
33203 Gijón, Asturias, España
Email: contact@konfigear.com
Phone: +34 602 637 464
You also have the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos) at www.aepd.es if you believe your data protection rights have been violated.