Privacy Policy

Effective date: 20 June 2026

This Privacy Policy explains how Performance Labs SL processes personal data when you visit the MiEmpleadoIA websites, create an account, use the MiEmpleadoIA accounting SaaS, submit documents through Captura links, contact us, or use our billing flows.

1. Controller

The data controller is Performance Labs SL, VAT ID ESB56217169, Paseo de la Castellana 194, Planta baja, Puerta B, 28046 Madrid, Spain.

Privacy contact: hola@miempleadoia.es.

2. What MiEmpleadoIA Does

MiEmpleadoIA is a supervised software service for accounting firms and similar professional teams. It helps collect client documents, organize review queues, extract pre-accounting information, prepare exports, and manage supervised AI-assisted workflows.

MiEmpleadoIA does not file taxes, submit official accounting records, give legal or tax advice, or replace professional review. Users remain responsible for checking all outputs before using them.

3. Data We Process

Depending on how the service is used, we may process:

  • Account data: name, email, login credentials, authentication events, organization membership, roles, preferences, and support communications.
  • Organization data: firm name, slug, workspace settings, team members, billing status, subscription plan, usage limits, and audit-relevant operational events.
  • Client and contact data entered by users: client names, emails, internal references, folder labels, expected document rules, and related workflow notes.
  • Accounting documents and files: invoices, receipts, bank statements, uploaded documents, metadata, extracted text, review status, export data, and related processing results.
  • Captura upload data: public upload tokens, uploaded files, upload status, client association, device/browser metadata, and optional notes submitted by the uploader.
  • Email-source data where enabled: mailbox connection metadata, message headers, sender information, subjects, body snippets, attachments, synchronization status, and UID cursors needed to avoid duplicate processing.
  • AI processing data: prompts or structured inputs derived from uploaded documents, model outputs, confidence signals, extracted fields, and human review decisions.
  • Billing data: Stripe customer identifiers, subscription status, plan, billing address, tax identifiers where provided, invoice metadata, payment status, and portal events.
  • Website and analytics data: IP-derived technical data, pages visited, referrer, campaign parameters, consent status, and optional advertising/analytics identifiers when you accept optional cookies.
  • Security and diagnostic data: IP address, user agent, device/browser information, request logs, error logs, and abuse-prevention signals.

Do not upload special-category data unless it is strictly necessary for the accounting workflow and your organization has a lawful basis to process it.

4. Purposes And Legal Bases

We process personal data for these purposes:

  • To provide the service, authenticate users, manage organizations, process uploads, generate review outputs, and support exports. Legal basis: performance of a contract or pre-contractual steps.
  • To manage billing, subscriptions, invoices, tax collection, and payment-related support. Legal basis: performance of a contract and legal obligations.
  • To protect the service, prevent abuse, maintain security, debug incidents, and keep audit-relevant logs. Legal basis: legitimate interests and, where applicable, legal obligations.
  • To respond to contact, support, and sales requests. Legal basis: consent, pre-contractual steps, or legitimate interests depending on the request.
  • To send service notifications, onboarding messages, and important account or billing communications. Legal basis: performance of a contract and legitimate interests.
  • To improve the product, measure feature usage, and understand conversion funnels. Legal basis: legitimate interests for aggregated operational analysis, and consent for optional analytics or advertising cookies where required.
  • To comply with legal, tax, accounting, consumer, and regulatory duties. Legal basis: legal obligations.

5. Data Uploaded By Organizations

When an organization uploads or receives documents from its own clients, the organization is responsible for ensuring it has the necessary authority and legal basis to collect and process those documents. Performance Labs SL processes that data to provide MiEmpleadoIA, following the configuration and instructions of the organization, except where we must process data for our own legal, security, or billing obligations.

Organizations should inform their own clients that they use MiEmpleadoIA or similar processors when required by applicable data protection law.

6. AI Processing

MiEmpleadoIA may use AI models and related providers to extract, classify, summarize, or suggest structured accounting information from documents and workflow context. AI outputs can be incomplete or incorrect and must be reviewed by a qualified person before use.

We design the service so AI processing supports supervised workflows. We do not intentionally use customer documents to train public foundation models unless a provider agreement or product configuration explicitly allows it and the customer has been informed.

7. Recipients And Processors

We may share personal data with service providers that help operate MiEmpleadoIA, including hosting, database, file storage, email delivery, authentication, analytics, AI processing, payment processing, tax calculation, logging, and customer support providers.

Examples of provider categories include Stripe for billing and tax-aware payment flows, email infrastructure providers, storage and hosting providers, AI model providers, analytics providers when enabled, and security or operational tooling.

We may also disclose data when required by law, to protect rights and security, in connection with a corporate transaction, or with your instructions.

8. International Transfers

Some providers may process data outside the European Economic Area. Where this occurs, we rely on appropriate safeguards such as European Commission adequacy decisions, Standard Contractual Clauses, data processing agreements, provider security commitments, or other lawful transfer mechanisms.

9. Retention

We keep personal data only for as long as needed for the purposes above:

  • Account and organization data: while the account or organization is active, and for a reasonable period afterward for support, audit, and legal purposes.
  • Accounting documents and workflow data: while the organization keeps them in the service, unless deleted earlier by authorized users or required by law.
  • Billing, invoice, and tax records: for the legally required retention period.
  • Security logs: for a limited period appropriate to detect abuse, investigate incidents, and protect the service.
  • Marketing and cookie data: until consent is withdrawn, the cookie expires, or the data is no longer needed.

Deletion may be delayed where retention is required for legal claims, tax/accounting obligations, security investigations, backup integrity, or compliance duties.

10. Your Rights

Under applicable data protection law, you may have the right to access, rectify, erase, restrict, object to processing, request portability, withdraw consent, and object to automated decision-making where applicable.

To exercise your rights, contact hola@miempleadoia.es. We may need to verify your identity and, for organization-controlled data, coordinate with the organization that controls the workspace.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or another competent supervisory authority.

11. Cookies

We use cookies and similar technologies for authentication, locale selection, consent management, security, attribution, analytics, and advertising where enabled. See our Cookie Policy for more information.

12. Security

We use technical and organizational measures intended to protect personal data, including access controls, tenant scoping, secure authentication, encrypted transport, restricted operational access, and audit-oriented processing patterns. No system is completely secure, and users are responsible for managing their own credentials and team access.

13. Changes

We may update this Privacy Policy to reflect product, provider, legal, or operational changes. The updated version will be published on this page with a new effective date when appropriate.