Privacy Notice
1. Data Controller
Real Zero, S.L. ("Real Zero") is the controller of personal data collected through its automated recovery stations (in-person vending) and, in the future, its online drink-pack store.
Tax ID (NIF / VAT): B-24961658
Registered office: Calle Redencilla del Camino 9 — Escalera G, 5°B, 28050 Madrid, Spain
Contact: info@realzero.es · +34 623 345 790
2. What we collect and why
| Data category | When collected | Legal basis (GDPR) | Purpose |
|---|---|---|---|
| Transaction data: card brand (Visa, Mastercard…), card last 4 digits, BIN, payment token (when paying with Monyx wallet), payment method, timestamp, amount, product, station | At each purchase | Art. 6(1)(b) — performance of the sales contract | Process payment, issue receipt, fraud prevention |
| Derived recurring-customer identifier (brand + last 4, or Monyx token) | Computed from the above | Art. 6(1)(f) — legitimate interest | Internal loyalty analytics: spot returning customers, improve product mix |
| Billing data (name, tax ID, address) when a named invoice is requested | On customer request | Art. 6(1)(c) — legal obligation (Spanish tax law) | Issue and retain invoices |
| Online-order data (name, email, shipping address, Stripe-tokenized payment data) — forthcoming | When buying a drink pack on the website | Art. 6(1)(b) — performance of contract | Process the order, ship the product, send order updates |
We never collect or store:
- the full card number (PAN) or CVV;
- special categories of data (health, religion, ideology, biometric data, etc.);
- data on minors under 16.

Our product is aimed at adult athletes.
3. Processors and third parties
To operate the service we rely on third-party providers. Some act as processors (handling data on our instructions); others are independent controllers. All are EU-based or covered by a valid GDPR transfer mechanism (Standard Contractual Clauses).
| Provider | Role | GDPR role | Location |
|---|---|---|---|
| Nayax Europe UAB (Lithuania) and Nayax Ltd. (Israel) | In-station payment processing, telemetry, transaction feed | Processor (sales data); Controller (operator KYC data) | EU + Israel (with SCCs + Schrems-II Additional Safeguards). Nayax Privacy Policy |
| Nayaxvend Iberica SL | Local distributor (KYC + commercial relationship) | Independent controller | Spain |
| Stripe Payments Europe Ltd. (forthcoming) | Online-store payment processing | Processor | Ireland. Stripe Privacy Policy |
| Holded SL | Accounting and invoicing software | Independent controller for accounting data | Spain. Holded Privacy Policy |
| Render Services Inc. | Hosting of the internal analytics app | Processor | EU (Frankfurt region) |
| Turso (ChiselStrike Inc.) | Analytics database | Processor | EU |
| Vercel Inc. | Public-website hosting | Processor | USA (SCCs). Vercel Privacy Policy |
| Cloudflare Inc. | CDN and internal-console access control | Processor | Global, with SCCs |
| Resend | Transactional email delivery | Processor | EU |
| Formspree Inc. | Website-form submission processing | Processor | USA (SCCs). Formspree Privacy Policy |
| WhatsApp Business (Meta) | Customer messaging via WhatsApp Business | Independent controller for messaging metadata | Ireland / USA. WhatsApp Business Terms |
| Anthropic PBC | AI for internal operational recommendations | Processor | US under SCCs. Only aggregate sales metrics are sent — never identifiable end-customer data |
4. Retention
| Data type | Retention period |
|---|---|
| Aggregate transaction data (loyalty + analytics) | 24 months from last purchase, then anonymized |
| Invoices and accounting data | 6 years (Spanish Commercial Code, art. 30) |
| Operator KYC data (our own, held by Nayax) | Duration of the contract + applicable statutory periods |
| Internal-console access logs | 12 months |
| Online order data (forthcoming) | 6 years for tax compliance; marketing data until consent is withdrawn |
5. Your rights
Under the GDPR and LOPDGDD you have the right to:
- Access the data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten") when it is no longer necessary.
- Restrict processing.
- Receive your data in a structured format (data portability).
- Object to processing based on legitimate interest (including loyalty analytics).
- Not be subject to automated decisions with significant effects. (We don't take any.)
- Withdraw consent at any time, where processing relies on consent.
To exercise any of these rights, email info@realzero.es indicating which right and providing reasonable proof of identity (e.g. the last 4 digits of the card used, the approximate purchase date). We respond within 30 days.
If you believe we have not handled your request properly, you may complain to the Spanish Data Protection Agency (AEPD): www.aepd.es.
6. International transfers
Some providers (notably Nayax Ltd. in Israel and Anthropic in the US) are outside the EEA. Those transfers use the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the Additional Safeguards post-Schrems II described in Annex II of the Data Protection Addendum signed with each provider.
7. Security
We apply reasonable technical and organisational measures: encryption in transit (HTTPS/TLS), encryption at rest (AES-256), multi-factor authentication on the internal console, least-privilege staff access, and periodic access reviews. Sensitive secrets (API keys, tokens) are stored encrypted with Fernet (AES-128 + HMAC-SHA256) in our database.
8. Changes to this Notice
We may update this policy. The current version is always published at this URL with the "Last updated" date above. If changes are material and affect you as an identifiable customer, we will notify you via the appropriate channel (transactional email or a notice on the station).
9. Contact
Questions about this Notice or how Real Zero handles your personal data:
info@realzero.es
Real Zero, S.L., Calle Redencilla del Camino 9 — Escalera G, 5°B, 28050 Madrid, Spain