Skip to main content

Privacy policy

APP Cl@ve is an application for mobile devices that allows citizens to identify themselves electronically in order to authenticate themselves and create electronic signatures in their relations with Public Administrations.

The State Tax Administration Agency distributes the mobile application "Cl@ve" and is responsible for protecting the legal rights and privacy of users. The mobile application provides a section with a legally valid privacy notice and terms of service. The privacy policy is based on:

  • The request for the data necessary to provide the requested services.
  • The processing of personal data in accordance with the provisions of “Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, relating to the protection of natural persons with regard to processing of personal data and the free circulation of these data (General Data Protection Regulation)” and the “Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights” and other regulations of application.
  • The use of cookies to the extent necessary for the correct functioning and display of the service, with a limited duration.

Access to and use of the Cl@ve application entails the status of User, which implies observance and compliance with the provisions contained herein, as well as any other legal provisions that may be applicable.

1. Developer information and point of contact.

Developer Name: State Revenue Office

Website: https://sede.agenciatributaria.gob.es

E-mail: supportapp@correo.aeat.es

Address: SG Exploitation - Tax Information Technology Department - State Tax Administration Agency. Santa Maria Magdalena Street, 16, 28016 Madrid (Spain)

The State Tax Administration Agency is regulated by the Resolution of December 28, 2009, of the Presidency of the State Tax Administration Agency, which creates the electronic headquarters and regulates the electronic records of the State Tax Administration Agency published in the (BOE December 29, 2009).

2. Who is responsible for the processing of APP Cl@ve User data?

The person responsible for processing the data of the APP Cl@ve user is:

Name: State Tax Administration Agency.

Data Protection Officer of the State Tax Administration Agency: dpd@correo.aeat.es

Address: Santa Maria Magdalena Street, 16, 28016 Madrid.

3. What data is processed about the User?

The information processed about the User comes from the data contained in the Cl@ve registry of the State Tax Administration Agency. Some data will be processed depending on the actions carried out by the User from the Cl@ve APP.

As a result of the accesses, the data relating to the person that could be processed in the Cl@ve APP will belong to one or more of the following types and will be used exclusively for the purposes of this system and will not be transferred to third parties unless expressly indicated, or it is necessary for the fulfillment of a legal obligation:

  • Identification or contact data: name, surname, DNI/NIE, Validity date of your DNI (or Issue date if it is a Permanent DNI) or support number of your NIE, email address associated with Cl@ve, telephone number associated with Cl@ve.
  • Device identification data: operating system, mobile device model.

Additionally, to protect access to certain functionalities of the APP and in any case to activate the device with their DNI/NIE, the User must have some user authentication factor configured on the device provided by their operating system: credentials (pattern, code, etc.) or biometrics (fingerprint, facial recognition, etc.).

The APP does not require granting any additional permission on the device for its operation, although after completing some of the Cl@ve procedures in the APP, if the User wishes to view the PDF document of the operation performed, the APP will request permission to access the file storage.

In addition, the following data that is not associated with the User's identifying data is processed:

  • Application Activity: App Interactions, information about how you interact with the App. For example, the number of times you visit a page or sections through Firebase Analytics (service provided by Google, Inc. ). This data is used only for the purposes necessary to obtain statistics that allow us to improve the user experience.
  • Application information and performance: Crash logs, crash log data, and unexpected issues via the Firebase Crashlytics service (service provided by Google, Inc. ). These are data that are used solely for the purposes necessary to resolve problems and provide an early response to incidents.
  • In the event that push notifications from the APP are enabled on the mobile device to receive the requested requests, which is recommended, device IDs or other types: identifiers related to a device for sending push notifications to the mobile device through the Firebase Cloud Messaging service (service provided by Google, Inc. ). This data is used only for the purposes necessary to provide and improve the functions of the application.

4. How does the Cl@ve APP obtain User data and where does it come from?

The data is obtained by queries to the servers of the State Tax Administration Agency, based on the data that the User has provided in the Cl@ve system registration. Under no circumstances will data be obtained from these sources without the consent of the User.

The domains of the servers used to send the data are:

"sede.agenciatributaria.gob.es", “www.agenciatributaria.gob.es”, "www1.agenciatributaria.gob.es", "www2.agenciatributaria.gob.es", "www6.agenciatributaria.gob.es", "www12.agenciatributaria.gob.es".

Once the User accesses the application and accepts the privacy policy and terms of service, if registered in Cl@ve, he/she may activate the device by indicating his/her DNI or NIE and the validity date of his/her DNI (or Date of Issue if it is a Permanent DNI) or the support number of his/her NIE, using an activation code that will be sent to the phone associated with Cl@ve. The Cl@ve APP stores the DNI or NIE that you have entered on the device along with the credentials obtained. The User can delete this data whenever he or she wishes using the “deactivate device” option in the Cl@ve APP.

Once the activation has been carried out in the APP, every time you access a procedure or request a signature through the browser or a mobile application integrated with Cl@ve, you will be sent a request that you can view easily and quickly through this APP. Each request is for single use, has a limited time validity and is for personal and non-transferable use.

Regarding the Cl@ve procedures offered, they are obtained through queries to the Cl@ve applications of the State Tax Administration Agency or, where appropriate, the Social Security IT Management, and are provided in a similar way from the electronic headquarters of the State Tax Administration Agency or Social Security and from the Cl@ve APP. When accessing these procedures, no data is stored in the Cl@ve APP.

5. What is the legal basis for the processing of User data?

The processing of personal data that can be carried out through the Cl@ve APP and the applications of the State Tax Administration Agency that support it, are based on the consent of the interested party in compliance with the provisions of the “Regulation (EU) 2016 /679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data (General Data Protection Regulation)” and the “Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights” and other applicable regulations.

Furthermore, we inform you that the regulations applicable to the services offered from the Cl@ve APP are as follows:

  • Regulation (EU) 2016/679, of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation)
  • Organic Law 3/2018 of 5 December on Personal Data Protection and safeguarding digital rights.
  • Royal Decree 311/2022, of May 3, regulating the National Security Scheme.
  • Order HAP/2142/2014, of 14 November, creating the Cl@ve personal data file. (BOE, 15-November-2014)
  • Order PRE/1838/2014, of October 8, publishing the Agreement of the Council of Ministers, of September 19, 2014, approving Cl@ve, the common platform of the State Public Administrative Sector for identification, authentication and electronic signature through the use of agreed keys. (BOE, 09-October-2014)
  • Resolution of December 14, 2015, of the Directorate of Information and Communications Technologies, establishing the technical requirements necessary for the development and application of the Cl@ve system. (BOE, 29-December-2015)

6. What and why do we use User data?

The objective of the Cl@ve APP is to facilitate the relationship between the User and Public Administrations by offering them access to authentication and signature requests from the Cl@ve system, with which they can identify themselves and make signatures before the Administration in the procedures that have it enabled, while also constituting a comprehensive tool for accessing management and personalized information about the Cl@ve system.

The information and data collected in the Cl@ve APP will be processed solely for the purpose of offering the User a personalized service. For this purpose, we use the User's data to offer the following services:

  • Receive an authentication request with Mobile Cl@ve or the Cl@ve PIN PIN that you request when accessing a Public Administration procedure, being able to access it from the APP and being notified through a push notification sent to your mobile device.
  • Procedures on the system Cl@ve:
    • Register at Cl@ve .
    • Regenerate Cl@ve Permanente Activation Code.
    • Modify the phone number associated with Cl@ve .
    • Modify the email associated with Cl@ve .
    • Get a higher level of security in Cl@ve .
    • Revoke the Cl@ve Firma certificate.
  • Procedures for the Permanent Cl@ve system:
    • Change of password.
    • Forget password.
    • Activation of Permanent Cl@ve.
    • Unsubscribe from Cl@ve Permanente.

7. How long is User data stored?

The period of conservation of the User's data in the Cl@ve APP will be the time that their DNI or NIE is active in the APP. However, at any time the User can delete the data from the “deactivate device” option from the Cl@ve APP itself, activating the APP with their DNI or NIE on another mobile device or through the “Manage my active device with the Cl@ve mobile application” management available at the Electronic Headquarters of the State Tax Administration Agency. You can consult more information about the data processed through the Cl@ve management applications: Data protection information.

8. Who has access to the User's data?

Only the User has access to the User's data from the Cl@ve APP.

Notwithstanding the foregoing, in certain cases (for example, to resolve an incident or query raised by the User) it may be necessary to access the data strictly necessary in order to resolve the incident or respond to your query.

9. What are the User's rights and how can they control their data?

The regulations grant the User a series of rights in relation to the data and information that we process about the User. Specifically, the rights of access, rectification, deletion and portability of data, limitation and opposition to its processing. You can consult the information on data protection ( Information on data protection ) and the information to the interested party on data protection in the procedure ( Processing of personal data - General Data Protection Regulation )

10. How is User data protected?

The State Tax Administration Agency guarantees that personal information will be stored and used for the necessary time and only to provide you with personalized services, guaranteeing the security measures required by Royal Decree 311/2022, of May 3, which regulates the National Security Scheme.

The State Tax Administration Agency has adopted the necessary technical and organisational measures to prevent the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication or access to such data, which may in particular cause physical, material or immaterial damage and harm. The measures adopted take into account the state of technology, the nature of the data and the risks to which they are exposed and are periodically reviewed to ensure their adaptation to new situations or risk scenarios.

11. Cookie Policy

The Cl@ve APP uses cookies to the extent necessary for its correct operation and display.

Cookies are temporary and under no circumstances are they used to gather personal information.

12. Privacy Policy Update Date

Latest update: June 7, 2023.