Privacy Policy

Last updated: March 16, 2026

This Privacy Policy explains how Krokanti Games SL ("we", "us", "our"), operating through its software division Krokanti Software, collects, uses, stores, and protects your personal data when you use k-factu, our electronic invoicing and accounting platform. Given the sensitive financial nature of the data processed by k-factu, we are especially committed to transparency and regulatory compliance. We process data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 on Data Protection (LOPDGDD), and applicable Spanish tax legislation.

Data Controller

Company: Krokanti Games SL

Registered address: Spain

CIF: Available upon request

Privacy contact: privacy@krokanti.com

Data Protection Officer: dpo@krokanti.com

Data We Collect

Account Information

  • Name, email address, and profile picture (via Krokanti Account SSO)
  • Subscription plan and billing status
  • API tokens and integration preferences

Invoice and Financial Data

  • Invoices: invoice numbers, amounts, IVA/IRPF calculations, issue/due dates, payment status
  • Client data: business names, NIF/CIF/NIE tax identifiers, addresses, contact details
  • Invoice series configuration and sequential numbering
  • Credit notes (facturas rectificativas) and their references to original invoices
  • Recurring invoice templates and scheduling configuration

Tax and Compliance Data

  • Tax profile: NIF, IRPF regime (direct estimation/modules), new autonomo status
  • Quarterly tax summaries: Modelo 303 (IVA) and 130/131 (IRPF) pre-filled data
  • Verifactu compliance records: SHA-256 hash chains, QR code data, AEAT submission status
  • EU VAT numbers and VIES validation results for intra-community transactions

OCR-Processed Documents

  • Receipt and invoice images uploaded for OCR processing (JPEG, PNG, PDF)
  • Extracted data: amounts, dates, supplier NIF, IVA breakdowns, line items, confidence scores

Bank Statement Data

  • Norma 43 and CSV bank transaction imports: dates, amounts, descriptions, references
  • Transaction matching rules and auto-categorization preferences

Automatically Collected Data

  • Usage data: pages visited, features used, session duration
  • Device information: browser type, operating system, screen resolution
  • Cookies and similar technologies (see our Cookie Policy)

Legal Basis for Processing

  • Contract performance: Processing your invoices, expenses, and tax data is necessary to provide the k-factu service you subscribed to.
  • Legal obligation: Spanish tax law (Ley 58/2003 General Tributaria, RD 1619/2012 on invoicing, RD 1007/2023 on Verifactu) requires us to maintain invoice records, hash chains, and audit trails for a minimum of 4 years (6 years for accounting records per Codigo de Comercio Art. 30).
  • Consent: For analytics cookies and marketing communications. You may withdraw consent at any time.
  • Legitimate interest: For fraud prevention, service improvement, and security monitoring.

Verifactu Data Handling

k-factu implements Verifactu compliance per RD 1007/2023 and HAC/1177/2024. This involves specific data processing:

  • Each invoice generates a SHA-256 cryptographic hash that chains to the previous invoice, creating a tamper-proof audit trail
  • QR codes are generated containing AEAT verification URLs linked to your invoice data
  • When AEAT submission is enabled, invoice data is transmitted to the Spanish Tax Agency via their official SOAP API
  • Verifactu hash chain records and event logs are retained indefinitely as they form part of the legally required audit trail

Data Retention

We retain your data for the minimum period required by law or necessary for our legitimate business purposes. Spanish tax legislation imposes specific retention requirements:

| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Invoices and credit notes | 6 years minimum | Codigo de Comercio Art. 30 |
| Tax summaries and modelos | 6 years minimum | Ley General Tributaria Art. 66 |
| Verifactu hash chains | Indefinite | RD 1007/2023 audit trail |
| Account data | Until account deletion + 30 days | Contract performance |
| Receipt images and OCR data | 6 years (as supporting documentation) | Ley General Tributaria |

Third-Party Service Providers

We share data with the following providers, all bound by data processing agreements:

| Provider | Purpose | Data Location |
|---|---|---|
| Stripe | Payment processing and subscription management | EU/US (PCI DSS compliant) |
| fiskaly | Verifactu compliance validation (when enabled) | EU (Germany) |
| OpenRouter | AI-assisted receipt analysis and invoice import | US (data processed transiently, not stored) |
| Neon | Database hosting (all invoice and financial data) | EU (eu-central-1) |
| Vercel | Application hosting and serverless compute | EU/US |
| Cloudflare R2 | Receipt image and PDF invoice storage | EU |
| Brevo | Transactional email (invoice delivery, payment reminders) | EU (France) |
| Google Analytics | Website analytics | EU/US |

Data Security

Given the financial sensitivity of the data we process, we implement robust security measures:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Authentication via Krokanti Account SSO with JWT tokens
  • API tokens are stored as SHA-256 hashes, never in plaintext
  • Database access restricted to application layer with connection pooling
  • HMAC-signed internal API communications between Krokanti services

Your Rights

Under the GDPR and LOPDGDD, you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you, including your invoices and financial records.
  • Right of rectification: Correct inaccurate personal data. Note: issued invoices cannot be modified per Spanish law; corrections require a credit note.
  • Right of erasure: Request deletion of your account and data. Important: invoice records, tax data, and Verifactu hash chains must be retained per legal requirements (minimum 6 years).
  • Right of data portability: Export your data in structured, machine-readable format (JSON, CSV). Available in account settings.
  • Right of restriction: Request that we limit processing of your data while a dispute is resolved.
  • Right of objection: Object to processing based on legitimate interest. Cannot apply to legally required tax data retention.

You may also file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es if you believe your rights have been violated.

International Data Transfers

Some of our service providers process data outside the EU. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or the providers participate in recognized data protection frameworks. Your primary financial data (invoices, tax records) is stored in EU data centers (eu-central-1).

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.

Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Privacy inquiries: privacy@krokanti.com

Data Protection Officer: dpo@krokanti.com
