Tiny IDP
← Trust & Compliance Center

Privacy Policy

Last updated: January 22, 2026

1. Identity of the Data Controller

In compliance with the Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE) and the General Data Protection Regulation (GDPR), the details of the party responsible for the processing of your data are:

  • Commercial Name: Tiny IDP
  • Legal Name: Albert Vazquez Mendez
  • Tax ID (NIF): 45153937S
  • Registered Address: C/ Mirada del Toro, 12, 07740, Es Mercadal (Illes Balears), Spain.
  • Activity: SaaS API for Image Processing and Data Extraction.
  • Contact Email: hello@tiny-idp.com

2. Roles in Data Processing

To understand how your data is handled, it is important to distinguish between two types of data processing roles:

  1. Tiny IDP as Data Controller: For your Account Data (registration, billing, login credentials). We decide how and why this data is processed.
  2. Tiny IDP as Data Processor: For the API Data (the images of documents you send us). You act as the Controller, and we process this data strictly on your behalf to provide the service. The specific terms of this relationship are governed by the Data Processing Agreement (DPA) included in our Terms of Service.

3. Data We Collect and How We Use It

A. Account & Registration Data

  • Data Collected: Username, email address, password (encrypted), and billing details (name/address).
  • Purpose: To manage your account, provide API keys, customer support, and invoicing.
  • Legal Basis: Performance of a contract (Terms of Service).
  • Retention: Maintained as long as you have an active account. After cancellation, data is blocked for the statutory period required by tax and legal regulations (up to 5 years).

B. Payment Data

  • Data Processing: We use Stripe to process all payments.
  • Details: Tiny IDP does not view, store, or handle your credit card numbers or sensitive payment authentication data. These are handled directly by Stripe.
  • Privacy Policy: Please refer to Stripe's Privacy Policy.

C. Technical Usage Logs (Metadata)

  • Data Collected: API request timestamps, HTTP status codes, volume of requests, and error logs.
  • Purpose: To calculate billing (usage-based), monitor system stability, and ensure security.
  • Privacy: These logs do not contain personal information, the content of the uploaded images, or the extracted JSON data. They are strictly technical metadata.

D. API Data (Document Processing)

  • Data Collected: Images and documents uploaded via API (DNIs, passports, vehicle documentation, etc.) and the extracted JSON data.
  • Purpose: To perform Optical Character Recognition (OCR) and data extraction using Artificial Intelligence.
  • Infrastructure & Security:
    • Provider: Google Cloud Platform (GCP).
    • Location: Madrid, Spain (europe-southwest1). All data resides within the European Union.
  • Retention (Ephemeral Storage):
    • Images and documents sent to the API are stored in temporary buckets solely for the seconds required to process the request (typically 5-10 seconds).
    • Immediate Deletion: Once the JSON response is generated and returned to you, the image and the extracted data are immediately deleted from our processing storage.

4. Use of Artificial Intelligence & Disclaimer

  • No Training on Customer Data: Your document data is not used to train the AI models used by Tiny IDP or other AI providers. Your data remains your property and is processed in isolation.
  • Accuracy Disclaimer: While our AI is highly advanced, outputs are probabilistic predictions. The User acknowledges that results must be verified by a human. Tiny IDP is not liable for errors in data extraction (e.g., a misread ID number).

5. Data Sharing and International Transfers

We do not sell your data. We only share data with service providers necessary to operate the business (see complete list in our Trust & Compliance Center):

  • Hosting & AI: Google Cloud Platform (Google Ireland Limited). Data is stored in the Madrid region.
  • Payments: Stripe Payments Europe, Ltd.

International Transfers: There are no international transfers of data outside the European Economic Area (EEA). All our infrastructure is located within the EU (Madrid region), ensuring full protection under GDPR.

6. Security Measures

We implement technical and organizational measures to protect your data (detailed architecture in our Technical Overview):

  • Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest (within GCP databases).
  • Access Control: Strict IAM (Identity and Access Management) policies restrict access to the infrastructure.
  • Ephemeral Processing: The architecture ensures that sensitive document data is deleted immediately after processing.

7. Your Rights (ARCO+ Rights)

Under the GDPR and LOPDGDD 3/2018, you have the following rights:

  • Access: Request a copy of the account data we hold about you.
  • Rectification: Correct inaccurate account data.
  • Deletion (Right to be Forgotten): Request that we delete your account and associated data.
  • Limitation: Limit how we process your data.
  • Portability: Receive your data in a structured format.
  • Opposition: Object to the processing of your data.

To exercise these rights, please send an email to hello@tiny-idp.com attaching a copy of your ID (to verify your identity).

8. LSSI-CE Compliance (Commercial Communications)

In compliance with Law 34/2002 (LSSI-CE):

  • We will not send you advertising or promotional communications by email unless you have previously requested or authorized them.
  • If you are an existing customer, we may send you commercial communications regarding services similar to those you have already contracted (e.g., API updates or critical alerts).
  • You can unsubscribe from these emails at any time by clicking the "Unsubscribe" link or contacting us.

9. Changes to this Policy

We reserve the right to modify this policy to adapt to legislative changes or industry practices. Substantial changes will be communicated via the website or email before they become effective.