Privacy Policy

Privacy policy of Listto (Akaen) in accordance with the GDPR and the Spanish LOPDGDD.

Try it for free Return to home

Last update

February 15, 2026.

Introduction

This policy explains how we process personal data at Listto (Akaen brand), both when you browse the website and when you use the CRM service to create estimates and invoices via WhatsApp or web. It applies in accordance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD) and related regulations.

Data controller and roles

For browsing, contact, contracting, billing and support data of Listto users, the legal entity behind Listto is currently in the process of incorporation. Once completed, the company name, tax ID, full registered address and registry details will be published.

In the meantime, identifying details of the responsible owner are provided upon request by email at admin@akaen.com.

For data that our users upload into the CRM about their own customers (for example: company name, tax ID, address, contact details and billing data), Listto acts as data processor and the Listto user acts as data controller.

No Data Protection Officer (DPO) has been appointed as the current processing activities do not trigger a legal obligation to do so.

What data we process and where it comes from

Identification and contact data of Listto users: name, surname, phone, email and company/professional details.
Financial and billing data of the user: subscribed plan, payment details, payment history and administrative incidents.
CRM data provided by users about their customers: name or company name, tax ID, addresses, phone numbers, emails, concepts, amounts, taxes and related documents.
Communication data: content of messages, audio and images sent by the user to generate documents.
Technical and usage data: IP, online identifiers, logs, device, browser, date/time and security events.

Data sources: (i) the data subject, (ii) service usage and (iii) third-party data provided by the Listto user. Mandatory fields are identified in forms or onboarding flows; if not provided, service delivery may not be possible.

Purposes of processing

Manage onboarding, user accounts, authentication and platform access.
Provide the CRM service and generate estimates/invoices, including storage of customer and document data for reuse and traceability.
Handle technical support requests and operational communications.
Issue invoices, manage collections and comply with accounting, tax and commercial obligations.
Maintain service security, prevent fraud and resolve technical incidents.
Run aggregated analytics on platform usage where a valid legal basis exists.
Comply with legal obligations and requests from competent authorities.

Legal basis

Performance of a contract or pre-contractual measures (Art. 6.1.b GDPR) to deliver the requested service.
Compliance with legal obligations (Art. 6.1.c GDPR), especially tax, accounting and fraud-prevention obligations.
Legitimate interest (Art. 6.1.f GDPR) for platform security, product improvement and incident management, with appropriate balancing tests and safeguards.
Consent (Art. 6.1.a GDPR) where required, for example for non-essential cookies or non-operational communications.

If you are a Listto user and upload your customers' data, you declare that you have a valid legal basis and that you have provided the required privacy information to those data subjects.

Recipients and international transfers

We may disclose data to providers acting as processors or subprocessors (cloud infrastructure, messaging, storage, analytics, support and services required to operate the platform), under contract and documented instructions. You can check the updated list at subprocessors.
We may also disclose data to public administrations, courts and tribunals where legally required.
We do not sell personal data.
Where international transfers outside the EEA occur, we apply the safeguards required by GDPR Chapter V (for example, adequacy decisions or standard contractual clauses, as applicable).

Data retention

We retain data while the contractual relationship is active and for any applicable legal liability periods afterwards.
As a general rule, billing and tax-obligation data are retained for 4 years (Spanish General Tax Law) and contractual/civil data for 5 years (Art. 1964 Spanish Civil Code), unless longer periods are legally required.
CRM data that users store about their customers is retained while the user keeps the account active or until deletion is requested, without prejudice to backups and temporary legal blocking.
Once the applicable periods expire, data is securely deleted or anonymised.

Data subject rights

You may exercise your rights of access, rectification, erasure, objection, restriction of processing, portability and withdrawal of consent by emailing admin@akaen.com. We may request additional information to verify your identity.

If your data is in Listto because you are a customer of one of our users, that user is the primary controller; however, we will cooperate with them to facilitate the exercise of your rights.

If you believe your request has not been handled properly, you may lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es.

Minors

Listto is not intended for children under 14 years of age. We do not knowingly process data of minors under that age without valid authorisation. If we detect unauthorised processing, we will delete the data as soon as possible after verification.

Security and confidentiality

We implement technical and organisational measures appropriate to the risk: encryption in transit (TLS), access controls, logical account segregation, backups, activity logging and incident-management procedures. Personnel with data access are bound by confidentiality obligations. No system is fully invulnerable, but we continuously review and improve our protection measures.