1. Identity of the data controller and the Data Protection Officer (DPO)

Data controller

  • Holder: Manuel Navarro Rajoy (sole trader).
  • Trade name: LegalData.pro.
  • Address: C. Miquel Servet 149, 08912 Badalona - Barcelona (España).
  • General email: info@legaldata.pro.
  • Phone: +34 679 519 744.

Designated Data Protection Officer (DPO)

In accordance with Articles 37 to 39 of Regulation (EU) 2016/679 (GDPR), the following Data Protection Officer has been designated:

  • Name: Manuel Navarro Rajoy.
  • Professional certification: individual DPO certification under the AEPD-DPO Scheme, registry A2025166DPD, verifiable at the AEPD electronic office.
  • Direct contact for the DPO: info@legaldata.pro with «DPO Enquiry» in the subject line.

The DPO operates with full functional independence. Anyone may contact the DPO to exercise their rights or raise any question regarding the processing of their personal data.

2. Processing activities and purposes

We maintain a record of processing activities pursuant to Article 30 of the GDPR. The current processing activities are:

2.1. Handling information requests and commercial proposals

  • Purpose: respond to information requests and proposals received via email, WhatsApp, phone or web form.
  • Data categories: identification details (name and surname), contact details (email, phone, company), message content and, in the web form, also the IP address and the browser User-Agent. We only record what is necessary to reply and to identify abuse.
  • Source: directly from the data subject.
  • Automated decision-making: none.

2.2. Provision of contracted professional services

  • Purpose: performance of the contract entered into (External DPO, GDPR audit, cybersecurity, IT forensic expert work, AI Act, etc.).
  • Data categories: the identification and contact details above, billing data and, depending on the engagement, data from the client's processing activities provided to us strictly for the service.
  • Automated decision-making: none.

2.3. Compliance with accounting, tax and legal obligations

  • Purpose: issue and retain invoices, respond to administrative or judicial requests and comply with tax obligations.
  • Data categories: identification, fiscal (Tax ID), economic (amounts and invoiced concepts).

2.4. Optional electronic communications

  • Purpose: sending newsletters or communications about professional publications or events only when the data subject has explicitly requested it. We currently do not send commercial communications without prior request.

3. Legal basis for each processing activity

Processing | GDPR legal basis
Handling information requests | Art. 6(1)(b) — pre-contractual measures at the data subject's request.
Provision of contracted services | Art. 6(1)(b) — performance of a contract.
Accounting and tax record-keeping | Art. 6(1)(c) — legal obligation of the controller.
Abuse detection and prevention (IP/UA from form) | Art. 6(1)(f) — legitimate interest in protecting the site against spam and attacks. Balancing test available on request.
Newsletter or optional communications | Art. 6(1)(a) — explicit and revocable consent at any time.

4. Retention periods

Data type | Period | Reason
Requests not leading to a contract | 1 year from last interaction | Handling of possible follow-ups.
Customer data with contracted service | Term of the contract + 5 years | General limitation period for contractual actions (Art. 1964 Spanish Civil Code).
Accounting and tax records | 6 years | Art. 30 Spanish Commercial Code and tax legislation.
IP and User-Agent from the web form | 12 months | Abuse detection and incident response.
Server and technical logs | 12 months | System security and diagnostics.
Cookies | As per cookie policy | See Cookie Policy.

Once the periods have elapsed, data is deleted or anonymised. When data must be retained due to a legal obligation, it is blocked (access restricted to strict compliance with the obligation) and erased upon completion.

5. Data recipients: processors and disclosures

We do not disclose personal data to third parties for commercial purposes. We do use the following data processors, all under a written processing agreement in accordance with Article 28 of the GDPR:

Provider | Service | Processing location
OVHcloud (OVH SAS) | Web hosting and SMTP server for the domain. | European Union (France).
Google Ireland Ltd. | Google Tag Manager and Google Analytics 4 (only if the user consents to measurement cookies). | EU / USA under the EU-US Data Privacy Framework and Standard Contractual Clauses.
Meta Platforms Ireland Ltd. | WhatsApp messaging, only when the user chooses to contact us through that channel. | EU / USA under Standard Contractual Clauses.

Where a processor operates outside the European Economic Area, we require the safeguards set out in Articles 44 to 49 of the GDPR: an adequacy decision of the European Commission, Standard Contractual Clauses, Binding Corporate Rules or, failing those, the derogations of Article 49.

Data may also be communicated to public authorities, courts and tribunals in compliance with legal obligations.

6. Your rights as a data subject

As a person whose data we process, you have the rights granted by Articles 15 to 22 of the GDPR:

  • Access: know what data we process about you.
  • Rectification: correct inaccurate data.
  • Erasure («right to be forgotten»): have your data deleted when it is no longer necessary.
  • Restriction of processing: block the use of data in certain circumstances.
  • Objection: object to processing based on legitimate interest.
  • Portability: receive your data in a structured format or have it transmitted to another controller.
  • Not to be subject to automated decisions: at LegalData.pro we do not make automated decisions with legal effects on individuals. No profiling is performed.
  • Withdrawal of consent: where processing is based on consent, you may withdraw it at any time without retroactive effects.

How to exercise your rights

Write to the DPO at info@legaldata.pro indicating in the subject line which right you wish to exercise. Please attach a document that allows us to verify your identity. We will respond within a maximum of one month from receipt, extendable by two further months in particularly complex cases (Art. 12(3) GDPR).

Complaint to the supervisory authority

If you believe that the processing does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es, C/ Jorge Juan 6, 28001 Madrid). However, we encourage you to contact our DPO first to resolve the issue directly.

7. Security measures

We apply technical and organisational measures appropriate to the risk, in accordance with Article 32 of the GDPR:

  • Encryption in transit: the site is served entirely over HTTPS (TLS 1.2+), including the contact form.
  • Access control: two-factor authentication on internal tools and least-privilege permissions.
  • Backups: with periodic restoration testing.
  • Activity logging: server and form-submission logs for security incident detection.
  • Anti-spam and anti-abuse: per-IP rate limiting, honeypot in forms and server-side validation.
  • Vendor management: processing agreements and periodic review.
  • Breach notification policy: in the event of a personal data breach, notification to the AEPD within 72 hours and to the data subjects when applicable (Arts. 33 and 34 GDPR).

8. Cookies

The site uses strictly necessary cookies for its operation and, only if the user explicitly consents, measurement cookies. The detailed information (which cookies are used, retention periods, third parties, legal basis and how to manage them) is in our Cookie Policy.

9. Minors

The services and the website are intended for professionals and adults. We do not knowingly process data from children under 14. If we become aware that a minor's data has been provided without the consent of those holding parental authority or guardianship, we delete it immediately (Art. 8 GDPR and Art. 7 LOPDGDD).

10. Changes

This policy may be updated to reflect regulatory changes or changes to the processing activities. When changes are substantial, we will inform you prominently on this page and, if they affect processing based on your consent, we will request that consent again. The date of the current version and the revision number appear at the top of the document.

11. Confidentiality and professional secrecy

As a DPO certified under the AEPD-DPO Scheme and a Court Forensic IT Expert (TIP 639 AEPEJU), Manuel Navarro Rajoy is bound by the duty of professional secrecy, which remains in force even after the contractual relationship ends. All information you entrust to us is treated with the utmost confidentiality.

Privacy contact

Have questions about your data or want to exercise a right?

Write to the DPO email and we will respond within a clear deadline as required by GDPR. If you need certainty about how a specific data point has been handled, let us know and we will review it with you.