This privacy policy governs how the personal data that users provide to us through this website is processed, in compliance with the Regulation (EU) 2016/679, of 27 April, General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).
We have no Data Protection Officer (DPO) as the conditions of art. 37 GDPR do not apply. For any question regarding data protection you may address the controller directly.
We only process data that you provide voluntarily or that is generated through browsing, grouped into the following categories:
pr_contact_state_<lang>: local storage of the multi-step contact form progress (only current step + pre-selected interest_type, TTL 24h). Strictly necessary for form operation; no PII persisted (name, email, phone, message). Auto-removed on submit, abandonment or TTL expiry.pr_scorecard_state_<lang>_v1: local storage of the B2B Acquisition Scorecard progress (chosen answers and result, computed entirely in your browser). Strictly necessary to let you continue the questionnaire if you reload the page. Contains no PII until you optionally choose to send yourself the summary by email. Removed on questionnaire restart or on send.| Purpose | Legal basis (GDPR) |
|---|---|
| Respond to enquiries received via the contact form, email or lead magnets (scorecard, checklist, etc.) | Pre-contractual measures at the data subject's request (art. 6.1.b) + legitimate interest in operational response (art. 6.1.f). Reflected via acknowledgement of this notice (not consent under art. 6.1.a). |
| Generate and send you the automated web audit you request (analysis of the public page you provide and delivery of the report by email) | Performance of a service requested by the data subject (art. 6.1.b) + legitimate operational interest (art. 6.1.f) for ancillary purposes: technical logs, security and abuse prevention, audit trail (proof of the request) and defence against possible claims. Reflected via acknowledgement of this notice (not consent under art. 6.1.a). |
| Send you tips and updates by email (nurture) when you tick the optional box on the audit form | Consent, with double opt-in: art. 6.1.a and LSSI-CE art. 21 |
| Send proposals and manage the pre-contractual process | Pre-contractual measures: art. 6.1.b |
| Perform the contracted services and billing | Contract performance: art. 6.1.b |
| Comply with tax, accounting and legal obligations | Legal obligation: art. 6.1.c |
| Commercial communications to existing clients about similar services | Legitimate interest: art. 6.1.f and LSSI-CE art. 21.2 |
| Web analytics and audience measurement | Consent: art. 6.1.a |
| Personalised advertising and remarketing | Consent: art. 6.1.a |
No automated decisions are made and no profiling producing significant legal effects on the user is carried out.
AUDIT_RESULT_TTL_DAYS) and then deleted. The associated lead (email, URL and business name) follows the general 90 day retention of interactive resources.Your data will not be transferred to third parties except by legal obligation. As processors, the technology service providers that support us may access it, with whom we have signed (or will sign) the corresponding processor agreement in accordance with art. 28 GDPR:
| Categoria | Proveïdor | Ubicació |
|---|---|---|
| Web hosting | Vercel Inc. (CDN edge in the EU) | USA · transfer under DPF |
| Professional email | Google Ireland Ltd. (Google Workspace for info@ and jbellet@) |
Ireland (EU) |
| Web analytics | Google Ireland Ltd. (Google Analytics 4), only if consent is active | Ireland (EU) · transfer to USA under DPF |
| Digital advertising | Google Ads, Meta Platforms Ireland Ltd., only if consent is active | Ireland (EU) · transfer to USA under DPF |
| Tag manager | Google Tag Manager, only if consent is active | Ireland (EU) |
| Transactional email (contact form and interactive resources / lead magnets) | Resend Inc. | USA · transfer under DPF |
| Meeting scheduling | Calendly LLC | USA · transfer under DPF |
| Web fonts (CDN) | Google Ireland Ltd. (Google Fonts) | Ireland (EU) |
| AI conversational assistant (chatbot) | Anthropic PBC (Claude API), only if you interact with the chatbot | USA · transfer under DPF |
| Lead persistence (chatbot, Calendly scheduling, contact form and lead magnets) | Supabase Inc. (PostgreSQL DB, Frankfurt region eu-central-1), DPF active verified |
EU (Frankfurt) · no extra-EU transfer |
| Technical analysis of the web audit (receives the audited public URL and the business name, only if you request the audit) | DataForSEO LLC | USA · transfer under SCC (standard contractual clauses, Decision 2021/914). DataForSEO is not certified under the DPF. |
Form anti-abuse protection (security challenge loaded from challenges.cloudflare.com) |
Cloudflare, Inc. (Turnstile) | USA · transfer under SCC and DPF |
When we use services from companies located outside the European Economic Area (mainly in the United States: Google, Meta), these transfers are carried out under the framework of the EU-US Data Privacy Framework (DPF), approved by the European Commission through Adequacy Decision of 10 July 2023, along with the corresponding Standard Contractual Clauses (SCCs) where necessary.
As the data subject, you have the following rights, which you may exercise free of charge:
To exercise these rights, write to us at info@petitroig.com stating the right you wish to exercise and attaching a copy of your DNI/NIE or equivalent document. We will respond within a maximum period of one month (extendable to two months in complex cases).
If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the competent supervisory authority: the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid · www.aepd.es. In Catalonia, the Catalan Data Protection Authority (APDCAT) · apdcat.gencat.cat.
We have implemented appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and ongoing resilience of the systems that process your data, in accordance with art. 32 GDPR: encrypted connections (HTTPS/TLS), access control, regular backups, confidentiality agreements with processors and protocols for security breaches.
That said, no system is 100% infallible. If we detect a security breach that may affect your rights, we will notify you within a maximum period of 72 hours in accordance with art. 33 GDPR.
This website is aimed at an adult, professional audience. We do not knowingly collect data from minors under 14 years of age. If you are under 14, do not provide personal data without the consent of your parents or legal guardians. If we detect that we have received data from a minor without valid consent, we will delete it immediately.
We may update this policy to reflect legal, jurisprudential or business changes. When changes are substantial, we will inform you prominently on the website or, if there is an active contractual relationship, by email. The date of the last update appears at the top of this page.
For any query about this policy or to exercise your rights: info@petitroig.com.