Privacy Policy
1. Purpose
This Privacy Policy aims to inform individuals (hereinafter, users or data subjects) visiting our website (hereinafter, website, site, or web) about how we collect, process, and protect personal data provided by any means (forms, emails, phone calls, contracts, etc.). After reading this policy, you can freely decide whether you want us to process your data. Additionally, it serves to supplement the information previously provided to data subjects in the information clauses found in the processes for collecting personal data.
This policy also aims to comply with Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter GDPR) and with Organic Law 3/2018 of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD).
2. Who is responsible for processing your personal data?
| Entity: | MISTRAL BUSINESS SOLUTIONS, S.L.U. |
| CIF/NIF: | B98539083 |
| Postal address: | Av. Corts Valencianes, 17, 2nd and 3rd, 46015 Valencia (Valencia) |
| Phone: | 961 48 69 16 |
| Email: | [email protected] |
| Corporate Purpose: | Computer Consulting |
| Website: | https://www.mistralbs.com/ |
| Registration Data: | Registered in the Commercial Registry of Valencia, Volume 9633, Book 6915, Page 49, Sheet V-154049. |
3. Why will we process your data (legal basis)?
The processing of your personal data by our entity will be carried out on one or more of the following legal bases:
Article 6.1 a) GDPR:
When you provide your express, free, informed, and unequivocal consent, after being informed at the time of data collection and in more detail through this Privacy Policy, that by reading it and agreeing, you voluntarily authorize us to process your data for one or more purposes by marking the checkboxes provided in our web forms, giving verbal consent (requiring voice recording), or signing the information clauses we provide when requesting your personal data.
Article 6.1 b) GDPR:
For the execution of a contract to which you are a party or have requested pre-contractual measures.
Article 6.1 c) GDPR:
When processing is necessary for the compliance with a legal obligation applicable to our entity.
Article 6.1 d) GDPR:
When processing is necessary to protect vital interests of the data subject or another natural person.
Article 6.1 e) GDPR:
When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 6.1 f) GDPR:
When processing is necessary for the purposes of the legitimate interests pursued by our entity or by a third party, provided that these interests are not overridden by the interests or fundamental rights and freedoms of the data subject. In this regard, we inform you that our entity has carried out a balancing analysis weighing our legitimate interests against the rights and freedoms of the data subject, always respecting their fundamental rights. This does not apply to processing carried out by public authorities in the exercise of their functions.
In the case that the user is under 14 years old, parental consent or legal representative approval will be required to process their data. The user is solely responsible for the accuracy of the data they provide.
4. What personal data will we process and how do we obtain it?
To carry out our business activities, it is essential to process personal data, which may be collected through digital means, paper documents, or as a result of face-to-face or phone conversations. In all cases, the data will be processed fairly, lawfully, and transparently.
The categories of data that our entity will process are:
- Identifying data: name, surname, ID or equivalent document, image, voice, and signature.
- Contact data: phone, email, postal address.
- Commercial data: budgets, purchase conditions, service and/or purchase management and history, contact results (phone, email, messaging, and other communication channels).
- Accounting data: income and expense control, billing data.
- Banking data: bank accounts and cards.
- Curricular data: academic data, professional experience, personal characteristics, etc.
- Goods and services transaction data: bank transfers and direct debits, amounts, and concepts.
- Navigation data: analysis of website stay time, pages visited, demographic data (e.g., age, sex, language).
Our entity will not collect sensitive category data (e.g., health data, ethnic origin, political opinions, or religious beliefs), but if necessary, we will inform and request prior, explicit consent to process such data.
Therefore, the requested data will be adequate, relevant, and limited to what is strictly necessary, processed only by authorized personnel and/or collaborators who have signed a confidentiality agreement and are committed to ensuring the confidentiality, integrity, and availability of the data, in compliance with the legal requirements of the GDPR. Data will be processed within the boundaries of the law.
Data may be provided directly by the data subject or their legal representative, though we may delegate some functions to collaborators who will collect the data, but this will only be done with prior, explicit consent.
In cases where a data subject does not provide the requested data or provides incomplete or incorrect data, we may not be able to maintain or comply with the relationship.
The categories of data we process about a person will depend on their relationship with our entity, as described below:
4.1. Clients:
Identifying, contact, commercial, accounting, banking, and goods and services transaction data will be processed, and they may only be collected if the client provides them at the time of contracting services, requesting pre-contractual measures, or during the maintenance of the service provision relationship.
The data may be collected in person, by phone, email, or through the forms available on our website, online chat, instant messaging, etc.
Legal basis: Article 6.1 a); 6.1 b); 6.1 c); 6.1 f) GDPR
4.2. Information requesters:
Whether the request is in person, by phone, or in writing (e.g., email or web forms), we will request and process identifying, contact, and commercial data.
Legal basis: Article 6.1 a); 6.1 f) GDPR
4.3. Suppliers:
We will process identification, contact, commercial, accounting, banking, goods and services transaction, and financial data.
These data will be processed throughout the commercial relationship, and only if the supplier provides them to begin the relationship.
Legal basis: Article 6.1 a); 6.1 b); 6.1 c); 6.1 f) GDPR
4.4. Job applicants:
For this category, we will process curricular, identifying, contact, and other professional or personal data provided by the applicant when submitting their candidacy.
Data may be collected in person, by email, web forms, during selection interviews (either in-person or virtual), or through a collaborator to whom we delegate specific functions.
Legal basis: Article 6.1 a); 6.1 b); 6.1 f) GDPR
4.5. Social media users:
We are present on various social media platforms and may process identifying, contact, commercial, and other data that the user enables to be viewed or shared with other users of the social media platform, including curricular data (e.g., LinkedIn). For more information, consult our Social Media Policy.
Legal basis: Articulo 6.1 f) RGPD
4.6. Claimants:
We will process identifying, contact, and personal information provided by the claimant or third parties.
Legal basis: Article 6.1 a); 6.1 c); 6.1 f) GDPR
4.7. Visitors:
We will process identifying, contact, company, and visit reason data when the visitor provides it to access our facilities or when their contact at our entity provides it to grant access.
Legal basis: Article 6.1 c); 6.1 f) GDPR
4.8. Web users:
When visiting our website, and only if the user expressly authorizes it, we may collect analytical data (e.g., visit duration or pages viewed) and demographic data (e.g., sex, age, country, or language). For more information, visit our Cookie Policy.
Legal basisArticulo 6.1 a) RGPD
4.9. Additional information for data subjects:
We will provide the legally required information in the corresponding information clauses included in various data collection media (e.g., forms, contracts, etc.), allowing the data subject to freely decide whether they wish their personal data to be processed by our entity. For detailed information, these clauses will indicate how to access this policy.
All categories and types of personal data processed will be duly identified in the relevant processing activities owned by our entity.
5. What will your data be used for?
In general, the processing of personal data carried out by our entity aims to fulfill and maintain the relationship with the various groups of people we interact with.
Depending on the relationship, the processing of your data serves different purposes, which we detail below for illustrative purposes, but not limited to:
5.1. Clients:
Your personal data will be processed to identify you, fulfill and maintain the pre-contractual and contractual relationship, including sending commercial communications by various means, responding to inquiries, conducting quality controls and commercial statistics, providing our services, managing accounting, transacting goods and services, managing collections, handling incidents, complaints, and exercising rights, as well as for other purposes we are required to comply with in relation to this relationship, the laws to which we are subject, or to attend to our legitimate interests.
5.2. Information requesters:
We will process your personal data to address any information requests you wish to make, to identify you, for sending or delivering quotes and information about goods and/or services of your interest, including in our response (verbal or written) commercial information related to your request. We will also conduct follow-up contacts via various means to know the decisions made regarding the commercial proposals we have sent
5.3. Job Applicants:
Your data will be processed to include you in our selection processes and job pool, to identify you, as well as to contact you and inform you about job openings, coordinate interviews, and other matters related to your application.
5.4. Suppliers:
Your personal data will be processed to maintain the pre-contractual and contractual relationship, fulfill the commercial relationship whether for requesting quotes, purchasing goods or contracting services, making inquiries and identifying you, managing accounting, transacting goods and services, as well as for other necessary purposes to comply with this relationship, our legal obligations, and legitimate interests.
5.5. Social Media Users:
We will process your personal data to maintain the relationship as users of the same social network, to identify you, to contact you, share news or advertisements, and process other personal data that the social network user allows to be shared with other members of the network. For more information, please refer to our Social Media Policy.
5.6. Claimants:
Personal data will be processed to identify you, manage your complaint, and contact you regarding its status, in addition to fulfilling our legal obligations and legitimate interests.
5.7. Visitors:
Data from visits to our facilities will be processed to identify you, to comply with our obligations in terms of occupational risk prevention, and for security and access control purposes.
5.8. Website Users:
By accepting the installation of cookies when visiting our website, data may be processed for various purposes (e.g., analyzing visits). For more information, please visit our Cookie Policy.
5.9. Additional Information for Interested Parties:
The information legally established in the corresponding informational clauses included in various data collection methods (e.g., forms, scripts, contracts, etc.) will be made available to interested parties, so that you may freely and expressly decide whether you wish for your personal data to be processed by our entity. In this sense, such information will be reiterated in the different documents or communications we share with interested parties (e.g., labels, invoices, legal notices, etc.).
If the interested party does not provide the requested data or provides incomplete or incorrect data, we may not be able to process their information request or engage with them.
The data will not be processed further or for purposes other than those accepted by the interested parties.
The purposes that motivate the processing of personal data will be duly identified in the corresponding processing activities owned by our company.
6. Data Retention
The personal data provided will be retained as long as we maintain the relationship with the interested party and for the time necessary to fulfill the purpose for which the data was collected.
Once this relationship ends, we will keep the data blocked in cases where it is necessary to retain it, either until the expiration of liabilities for exclusive purposes of claims or legal actions, as well as to comply with our legal obligations, for example:
| Interested Parties | Sectoral Scope | Legal Basis | Retention Period |
|
Accounting | Art. 30.1 R.D. Commercial Code |
|
|
Tax | Art. 66 General Tax Law 58/2003 |
|
|
General | Art. 1964.2 Civil Code |
Actions without a special deadline expire five years from when the obligation can be enforced. In continuous obligations, the period starts anew with each breach. |
|
Labor | AEPD's Labor Relations Guide |
|
|
Access Control | AEPD Instruction 1/1996 |
|
|
Cookies Usage | AEPD’s Cookie Usage Guide |
|
|
Commercial Legal |
Art. 20.1 a) and d) Spanish Constitution |
|
When the data is no longer necessary, our entity will proceed with its secure and confidential deletion and destruction.
7. Profile Creation
We do not create profiles or make automated decisions using your personal data. However, if we decide to do so, we will inform you and seek your prior consent.
You also have the right to object to this type of processing at any time by writing to us at: [email protected]
8. Data Transfer
As a general rule, our entity does not transfer personal data to third parties without prior consent. However, data will be transferred in the following cases:
For our clients or suppliers, their personal data may be transferred to third parties due to legal obligations (e.g., Tax Agency) or when necessary to provide our services or pay invoices (e.g., banking entities).
Furthermore, personal data of clients or suppliers may be processed by third parties to whom we delegate some of our obligations (e.g., accounting advisors). All of them have committed via a processing agreement to comply with the same security measures implemented by our entity and to maintain confidentiality regarding the processed personal data, among other obligations under data protection laws.
For job applicants, their data will not be transferred to third parties unless legally required.
Regarding information requesters or website users, their data will not be transferred to third parties except in the cases previously explained, and only with their explicit consent, unless our legitimate interest prevails or we are legally obligated to do so, in which case consent will not be required.
In general terms, we may transfer your personal data to judges, courts, the Public Prosecutor's Office, and/or competent public administrations for possible claims when we are obligated to do so.
9. International Data Transfer
In the case of transfers to third entities located outside the European Economic Area, we will inform and request prior and explicit consent from the interested parties.
10. Security Measures
Our entity has implemented all the necessary technical and organizational measures to protect the personal data processed, preventing its loss, theft or unauthorized use.
These measures have been developed according to the type of data processed and the purposes of such processing. They are periodically verified in our internal compliance controls of personal data protection regulations and through external audits.
11. Your Rights
You, as the owner of your personal data and acting in your own name or through your representative, may contact our entity at any time and request the exercise of your rights regarding personal data protection.
We explain these rights below:
11.1. Right of Access:
You have the right to know whether or not we are processing your personal data and to request the following information:
- Whether or not we are processing your personal data.
- The purposes of the processing and the categories of personal data processed.
- The origin of your data, if not provided by you.
- The recipients or categories of recipients to whom your personal data have been or will be communicated, including third parties or international organizations.
- Information about the safeguards in place for the transfer of your data to a third country or an international organization, if applicable.
- The expected retention period, or, if not possible, the criteria for determining this period.
- If there are automated decisions, including profiling, with significant information about the applied logic, as well as the intended impact and consequences of the processing.
- A copy of your personal data being processed.
11.2. Right to Rectification:
You may request the rectification of your personal data when they are inaccurate or to complete them when they are incomplete.
11.3. Right to Object:
You may object to the processing of your data when it is inaccurate or no longer necessary for its processing.
If you act as the defendant or as a person affected by a complaint under Law 2/2023, you will not be able to exercise your right to object, as it is presumed (unless proven otherwise) that there are legitimate reasons for the processing of your personal data, as stipulated in Article 31.4 of the Law.
11.4. Right to Erasure:
You may request that your data be deleted for any of the following reasons:
- Your data is no longer necessary for the purposes for which it was collected or processed.
- You have not consented to the processing of your data.
- When you have exercised the right to object.
- When the data has been processed unlawfully.
- When the data must be erased in order to comply with a legal obligation.
11.5. Right to Restrict Processing:
You may request to exercise this right when one or more of the following apply:
- When you dispute the accuracy of your data, for a period that allows the data controller to verify its accuracy.
- When the processing is unlawful and you oppose the erasure of your data and request instead the restriction of its use.
- When the data is no longer needed for the purposes of processing, but the data subject needs it for the formulation, exercise, or defense of claims.
- When you have objected to the processing under Article 21, section 1, while it is verified whether the legitimate interests of the controller override those of the data subject.
11.6. Right to Data Portability:
This refers to the right to obtain data related to you in a structured, commonly used, and machine-readable format, as well as to transmit it to another controller for further processing.
11.7. Right Not to Be Subject to Automated Decisions:
Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you in a similar way.
11.8. How to Exercise Your Rights:
To exercise any of your rights, you must contact MISTRAL BUSINESS SOLUTIONS, S.L.U., either by postal mail to the address: Av. Corts Valencianes, 17, 2nd and 3rd, 46015 Valencia, or by email at: [email protected] stating the rights you wish to exercise. If you act on behalf of someone else, you must prove your representation. If there are reasonable doubts regarding the identity of the person making the request, we may request additional information to confirm their identity.
If you would like to make any suggestions or inquiries regarding the processing of your personal data, you can contact our data protection consultants:
BUSINESS ADAPTER, S.L.
Ronda Guglielmo Marconi, 11, 26, (Parque Tecnológico) 46980 Paterna (Valencia).
Interested Party Attention Form
We inform you that you have the right to file a complaint with the Spanish Data Protection Agency at: C/ Jorge Juan, 6, 28001 Madrid or at www.aepd.es.
12. Commitment to Personal Data Protection
Purpose and Scope of Application
This commitment aims to comply with European and Spanish data protection regulations and the guarantee of digital rights (GDPR and LOPDGDD), and it will be mandatory for all departments and workers of our entity, as well as for third parties acting on our behalf.
Principles Governing the Processing of Personal Data
We will process personal data lawfully, fairly, transparently, with data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. The processing of special category data is prohibited, as provided in Article 9 of the GDPR and LOPDGDD.
Record of Processing Activities
Our entity will maintain a record of processing activities to assess processing risks and implement necessary security measures to ensure confidentiality, integrity, availability, and retention periods of the data
Impact Assessment
For each processing activity, we analyze the need to conduct an Impact Assessment and assess whether there is a risk to the rights and freedoms of the data subjects, in order to determine if additional technical and organizational measures are necessary to ensure their fundamental rights.
Security Measures and Security Breaches
We will apply all necessary technical and organizational measures to the personal data processed. In the case of a security breach, the Security Breach Protocol designed for such purposes will be applied.
Data Protection Rights
Our entity will attend to and respond as quickly and diligently as possible to requests for the exercise of rights or information about the violation of these rights.
Guarantee of digital rights in the labor environment
Policies will be approved to ensure workers' digital rights, and they will be adequately informed about them. These will promote the right to reconcile work, personal, and family life; and ensure the right to information and privacy. Our entity may exercise control over the performance of labor functions, within the limits set forth in Article 20.3 of the Workers' Statute.
Training
All necessary workers will be trained in data protection and their digital rights in the workplace.
Control
We have external consultants who advise and audit us in order to comply with the GDPR and LOPDGDD.
13. Update of This Policy:
Our entity reserves the right to modify this Policy without prior notice. Therefore, we recommend that you consult it every time you visit our website.
Updated on 26th November 2025
