
Privacy policy

Information on the processing of personal data arising from access to and use of the Zertiban Developer Portal, prepared in accordance with the GDPR and the Spanish LOPDGDD.

Document version

v1.0 · Last updated: 2026-05-25

Data controller

Zertiban, S.L.U., with registered office at Plaza de España 12, 1st floor (offices A/B), 28008 Madrid (Spain), acts as data controller for any personal data that may derive from access to and use of the Developer Portal.

Data protection officer: [email protected]

Zerti Payments, S.L. is involved in providing the technology services, APIs and infrastructure associated with the portal and acts, where applicable, as data processor in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

Access to the Developer Portal entails reading and accepting this privacy policy, which has been prepared in accordance with the GDPR, Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights, as well as the interpretative criteria of the Spanish Data Protection Agency and the European Data Protection Board.

Purpose and nature of the portal

The Developer Portal has an exclusively technical and informational purpose, aimed at providing developers and integrators with access to technical documentation, integration guides and sandbox testing environments for the Zerti Payments APIs. It does not constitute an environment aimed at end consumers, a service contracting system, or a user registration platform.

The portal does not provide for the creation of personal accounts, registration systems or user sign-up processes, nor does it offer authentication or login functionality. It also does not include structured contact forms, although a communication channel may be enabled through the email address [email protected], intended exclusively for technical support and incident resolution related to API integration.

Data processed

No personal data is collected through forms or registration mechanisms. However, the technical operation of the portal and interaction with the API services necessarily involves the processing of certain technical data, such as:

  • IP addresses.
  • Technical request identifiers.
  • Access logs and timestamps.
  • Activity traces and security events.
  • Where applicable, the use of API keys or tokens in test environments.

This data is considered personal data when it allows the direct or indirect identification of a natural person, in accordance with Article 4.1 of the GDPR and the established doctrine of the European supervisory authorities.

The processing of this data is based on the legitimate interest of the data controller, in accordance with Article 6.1.f of the GDPR, which consists of ensuring the security of networks and information systems, preventing improper use of the APIs, detecting unauthorised access and ensuring the correct operation of the technical environment.

Likewise, insofar as access to the portal and its technical documentation is provided at the request of the data subject, such processing may be based on pre-contractual measures in accordance with Article 6.1.b of the GDPR.

In any case, the corresponding balancing of interests has been carried out in accordance with the guidelines of the European Data Protection Board, ensuring that the processing is proportionate, necessary and compatible with the reasonable expectations of the data subjects.

Cookies and analytics tools

The Developer Portal does not use cookies for analytics, advertising or user behaviour tracking purposes, nor does it incorporate profiling or audience measurement tools such as Google Analytics, Hotjar, Intercom or equivalents.

Only technical elements strictly necessary for the operation, security and stability of the system may exist, such as load balancing mechanisms, perimeter security controls or technical session management, which are excluded from the consent regime in accordance with the cookie guidelines of the Spanish Data Protection Agency.

Disclosures and processors

Personal data will not be disclosed to third parties except as required by law. However, it may be accessed by Zerti Payments, S.L. in its capacity as provider of technology, API infrastructure and associated services, acting as data processor in accordance with Article 28 of the GDPR.

Other technology providers necessary for hosting, security, monitoring or maintenance of the system may also be involved, likewise acting as data processors under contract, with the technical and organisational guarantees required by applicable regulations.

International transfers

No transfers outside the European Economic Area are envisaged. Should technical reasons require the use of providers located in third countries, such transfers will be carried out only subject to appropriate safeguards in accordance with Articles 44 et seq. of the GDPR, such as adequacy decisions of the European Commission or the execution of standard contractual clauses.

Retention and technical logs

Personal data deriving from the operation of the portal, including activity records and technical logs, is retained for a purpose strictly limited to ensuring the security, traceability, resilience and correct operation of the system.

The Developer Portal generates and maintains automatic technical records (logs) deriving from interaction with the system, including accesses, API calls, security events, technical errors and information associated with the IP address and other technical identifiers. These logs are necessary to comply with security and control obligations deriving both from Article 32 of the GDPR and from the network and system security requirements established in the Spanish National Security Framework and in Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA).

These records enable incident detection, prevention of improper use, traceability of operations and reconstruction of events in the event of security incidents. The data is retained only for the time necessary for these purposes, and is subsequently blocked during the periods legally required for addressing potential liabilities.

Security measures

The data controller has implemented appropriate technical and organisational measures to ensure a level of security adequate to the risk, including:

  • Strict access controls.
  • Activity monitoring and event logging.
  • Traceability of API calls.
  • Anomaly detection systems.
  • Protection measures against unauthorised access.

All of the above in accordance with Article 32 of the GDPR and under the principle of security by design and by default.

Minors and automated decisions

The Developer Portal is not intended for minors or end consumers, but exclusively for technical developers and integrators. Likewise, no automated decision-making or profiling is carried out on portal users.

Exercise of rights

Data subjects may exercise their rights of access, rectification, erasure, restriction of processing, objection and, where applicable, portability, by sending a communication to the email address [email protected].

They may also file a complaint with the Spanish Data Protection Agency, the competent supervisory authority in Spain.

Changes

The data controller may modify this privacy policy when necessary to adapt it to regulatory, doctrinal or technical changes; the version in force at any given time will be published on the Developer Portal.