Capydox Privacy Policy
Information on how Capydox handles personal data of users, customers and visitors, in line with GDPR and other applicable data protection laws.
Last updated: May 21, 2026
This Privacy Policy (the "Policy") explains how Capydox processes personal data about visitors to our website, registered users and customers who use our API documentation and evidence service (together, the "Service").
By using the Service or contacting Capydox through our channels, you agree that your personal data will be processed as described in this Policy.
1. Controller identity and scope
The data controller is a self-employed professional operating under the trade name Capydox (in this document, "Capydox", "we" or the "Controller"), with professional address in Spain. Full identification and contact details are provided in the Legal Notice on our website.
This Policy applies to:
- Browsing the public Capydox website, including contact, registration and newsletter forms.
- Using the Capydox platform as a SaaS service, both via the web interface and the desktop application connected to a cloud account.
- Interactions with our support and commercial channels.
Where Capydox acts as a data processor on behalf of a customer (for example an organisation using team workspaces and corporate SSO), the applicable Data Processing Agreement (DPA) will also apply in addition to this Policy.
2. Personal data we process
Capydox may process the following categories of personal data, depending on how you use the Service:
- Account and registration data
  - First and last name (optional in some forms).
  - Email address.
  - Encrypted password or equivalent credentials.
  - Preferred language.
  - Organisation or company associated with the account, where applicable.
- Profile and workspace configuration data
  - Workspace name and description.
  - Team roles (admin, member, guest, etc.).
  - Invitations sent to members and their status.
  - SSO/OIDC configuration where enabled by the organisation.
  - Notification preferences and display settings.
- Usage data
  - Basic activity within the app (for example creating collections, generating documentation, running evidence).
  - Administrative audit trails and technical logs required for security and service operation.
  - Device and browser information (for example browser type, operating system, time zone, language, truncated IP address) to detect technical issues and improve the user experience.
- Technical API content and documentation
  - Content of imported collections (URLs, headers, parameters, example bodies, variables, etc.).
  - Imported or generated OpenAPI specifications.
  - Documentation text, markdown, evidence and other artefacts you or your organisation create within workspaces.
- Billing and payment data
  - Customer, subscription and plan identifiers.
  - Payment status, billing history and related metadata.
  - Payment instrument details (for example card information) are mainly processed by our payment processor (e.g. Stripe) according to its own policies.
- Support and communication data
  - Messages sent via support channels, tickets and email.
  - Screenshots, attachments and related metadata.
- Cookies and similar technologies
  - Technical cookies required to run the site and Service.
  - Cookies and similar technologies for analytics or measurement (for example Vercel Analytics, Google Analytics 4), only where a valid legal basis exists (consent, legitimate interest or equivalent) and as described in our Cookies Policy.
Capydox does not intentionally request or require special categories of data (such as health data, political opinions, trade union membership) to provide the Service. If a Customer chooses to include such data in Customer Content, they remain responsible for ensuring a valid legal basis and adequate minimisation.
3. Purposes and legal bases
Capydox processes your personal data for the following purposes and on the following legal bases:
- Providing the Service and managing your account
  - Creating and managing your user account.
  - Granting access to the Service and to the workspaces you are authorised to use.
  - Delivering API documentation, collection import, OpenAPI generation, evidence and team collaboration features.
  Legal basis: performance of a contract or pre-contractual steps (Art. 6.1(b) GDPR).
- Billing, payments and administration
  - Managing monthly or yearly subscriptions, free trials, renewals and cancellations.
  - Issuing invoices and fulfilling accounting and tax obligations.
  Legal basis: compliance with legal obligations (Art. 6.1(c) GDPR) and performance of a contract (Art. 6.1(b) GDPR).
- Technical support and customer service
  - Handling enquiries submitted through our support channels.
  - Diagnosing and resolving technical issues.
  Legal basis: performance of a contract (Art. 6.1(b) GDPR) and, in some cases, legitimate interest (Art. 6.1(f) GDPR) in maintaining service quality.
- Account and Service security
  - Monitoring access and unusual activity to prevent fraud or unauthorised access.
  - Applying technical and organisational security measures (for example logging, access controls, abuse detection).
  Legal basis: legitimate interest in keeping the Service and accounts secure (Art. 6.1(f) GDPR).
- Analytics and product improvement
  - Obtaining aggregated metrics on site performance, feature usage and user flows.
  - Improving the Service and prioritising new features.
  Legal basis: legitimate interest in improving the product (Art. 6.1(f) GDPR) or consent where required under cookie and tracking rules.
- Service and, where applicable, marketing communications
  - Sending strictly necessary service messages (for example account confirmation, important changes, security alerts, billing notifications).
  - Sending product-related marketing communications (feature updates, usage tips) where we have a prior relationship or you have given consent.
  Legal basis: performance of a contract/legitimate interest for service communications; consent or legitimate interest (subject to local e-privacy rules) for some marketing communications.
You may opt out of marketing communications at any time by following the instructions included in each message.
4. Desktop application and local data
Capydox provides a desktop application that connects to the cloud Service.
- To use Capydox Desktop as part of the SaaS product, you need an online account and authentication against Capydox servers.
- The app may analyse your project code locally to generate OpenAPI specifications; the source code is not sent to Capydox unless you choose to upload the generated specification or other artefacts.
- The app may store local data on your device, such as temporary scan artefacts, window preferences, embedded browser sessions and local configuration.
Personal data processing associated with the desktop app follows this Policy and is further detailed in our separate document on imported collections and encryption available in the legal section.
5. Imported collections and technical workspace content
Imported collections (for example from Postman, Insomnia or ApiDog), OpenAPI specifications and API documentation may contain personal data or sensitive information, depending on how the Customer configures and exports its projects.
Capydox treats this content as confidential Customer information and uses it only to:
- Provide the Service (importing, generating and maintaining documentation and evidence).
- Offer technical support where strictly necessary and authorised.
In production environments, sensitive workspace content (including imported collections and derived artefacts) is stored using strong application-level encryption, in addition to standard infrastructure security measures.
Technical details and user obligations are described in the dedicated "Imported collections and encryption" document.
6. Recipients and processors (sub-processors)
Capydox may disclose or grant access to personal data to the following types of recipients:
- Data processors / sub-processors
  Service providers necessary to operate the Service, for example:
  - Payment processor (e.g. Stripe).
  - Transactional email provider (e.g. Resend).
  - Database and backend providers (e.g. Supabase and Railway).
  - Frontend hosting and content distribution providers (e.g. Vercel and Cloudflare R2, GitHub Releases as a fallback).
  - Analytics and measurement tools (e.g. Vercel Analytics, Google Tag Manager, Google Analytics 4, where enabled).
  - Social login and SSO providers (Google, GitHub, Microsoft, customer-configured IdPs).
  These providers only access data as needed to perform their services for Capydox and are bound by data processing agreements that comply with GDPR.
- Legal obligations and protection of rights
  Capydox may disclose data to administrative authorities, courts or other third parties where necessary to:
  - Comply with legal obligations.
  - Respond to official requests.
  - Protect the rights, safety or property of Capydox, users or third parties.
Capydox does not sell personal data.
7. International data transfers
Some providers may be located outside the European Economic Area (EEA) or may carry out international data transfers.
Where this is the case, Capydox will ensure appropriate safeguards, such as:
- Adequacy decisions by the European Commission.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Other mechanisms recognised under data protection laws.
You can contact us for more information about international transfers and the safeguards applied.
8. Data retention periods
Capydox keeps personal data only for as long as necessary to fulfil the purposes for which they were collected and, thereafter, for additional periods required by applicable law or to preserve evidence for possible legal claims.
In general:
- Account and Service usage data are retained while your account or your organisation's contract remains active, and deleted or anonymised within a reasonable time after termination.
- Billing and payment data are kept for the periods required by tax and accounting rules.
- Certain technical and security logs may be retained for longer periods where necessary to prevent fraud, investigate incidents or protect our systems.
When data are no longer needed, Capydox will delete or anonymise them according to internal retention policies.
9. Your data protection rights
Subject to the conditions set out in data protection law, you may exercise the following rights:
- Right of access: obtain confirmation as to whether we process your personal data and access such data.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your data where they are no longer needed or where you withdraw consent in certain cases.
- Right to restriction: request that processing be restricted in specific circumstances.
- Right to object: object to certain processing activities based on legitimate interest.
- Right to data portability: receive your data in a structured, commonly used format and have them transmitted to another controller where technically feasible.
To exercise your rights, please contact Capydox using the details provided in the Legal Notice or on our website, clearly indicating which right you wish to exercise and providing sufficient information to verify your identity.
You also have the right to lodge a complaint with a competent data protection authority (for example, the Spanish Data Protection Agency – AEPD – if you are in Spain) if you believe that your data are being processed in breach of applicable law.
10. Cookies and similar technologies
Capydox uses cookies and similar technologies to:
- Ensure the technical operation of the site and Service (necessary cookies).
- Remember user preferences and manage sessions.
- Obtain aggregated statistics about usage and performance, where a valid legal basis exists.
Details on the cookies we use, their purposes and how to manage your preferences are provided in our Cookies Policy, available from the website footer and privacy settings.
11. Information security
Capydox implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss or alteration, and against unauthorised access, disclosure or processing.
These include, among other measures:
- Encrypted communications via HTTPS/TLS.
- Role-based access controls and robust authentication.
- Application-level encryption of specific sensitive fields in databases.
- Regular backups and disaster recovery procedures.
- Internal processes for managing security incidents.
While we strive to protect personal data, no system is completely secure. If a significant data breach occurs, Capydox will notify affected users and, where required, the relevant supervisory authorities in accordance with applicable law.
12. Changes to this Privacy Policy
Capydox may update this Policy where necessary to reflect changes in the Service, our processing activities or applicable law.
Where changes are material, Capydox will notify registered users through appropriate channels (for example in-app notice or email) and, where required, seek renewed consent.
The current version of this Policy will always be available on the Capydox website, showing the last updated date.
13. Contact
If you have any questions about this Policy or about how we process personal data, you can contact Capydox using the details provided in the Legal Notice and in the contact section of the website.
If we appoint a dedicated privacy or data protection contact in the future, we will include their details here.