Data Processing & Sub-Processors
Last Updated: 2025-11-13
Data Processing & Sub-Processors
Overview
Spain Direct processes personal data as a Data Controller for our website visitors and newsletter subscribers. This page documents our data processing practices, including third-party sub-processors that may have access to your data.
Our Commitment to GDPR
We are committed to protecting your personal data under:
- EU Regulation 2016/679 (General Data Protection Regulation - GDPR)
- EU Directive 2002/58/EC (ePrivacy Directive)
- CCPA (California Consumer Privacy Act) for applicable users
Company Information
Data Controller:
- Legal Name: SPAIN DIRECT TAX & LEGAL
- Entity Type: SAS (Société par Actions Simplifiée)
- SIREN: 989 657 325
- Address: 1 Rue de Stockholm, 75008 Paris, France
- Email: privacy@spaindirect.com
Data Protection Officer Contact:
- Email: privacy@spaindirect.com
- Response Time: Within 10 business days
Data Processing Activities
1. Website Analytics & Performance
Purpose: To understand how users interact with our website and improve service quality
Data Collected:
- IP address (anonymized)
- Browser type and version
- Device information
- Pages visited and time spent
- Referrer information
- Geographic location (country-level only)
Retention Period: 26 months
Legal Basis: Legitimate Interest (EU GDPR Article 6(1)(f))
Note: We do NOT use Google Analytics or similar tracking that sends data to third parties. We only collect aggregated analytics data for website performance monitoring.
2. Newsletter Subscription
Purpose: To send marketing communications and updates about Spain Direct services
Data Collected:
- Email address
- Name (optional)
- Language preference
- Consent timestamp
Retention Period: Until unsubscribed + 90 days (legal requirement)
Legal Basis: Explicit Consent (EU GDPR Article 6(1)(a))
Rights: You can withdraw consent at any time by clicking "Unsubscribe" in any email or contacting privacy@spaindirect.com
3. Contact Form Submissions
Purpose: To respond to customer inquiries and provide support
Data Collected:
- Name
- Email address
- Message content
- Submission timestamp
Retention Period: 24 months (or until inquiry resolved)
Legal Basis: Legitimate Interest (EU GDPR Article 6(1)(f))
4. Calendly Integration (Appointment Booking)
Purpose: To schedule consultation appointments
Data Collected:
- Name
- Email address
- Phone number (optional)
- Selected time slot
- Meeting details
Retention Period: According to Calendly's retention policy (see Data Processing Agreement)
Legal Basis: Legitimate Interest (EU GDPR Article 6(1)(f))
Sub-Processor: Calendly, Inc. (see DPA below)
Third-Party Sub-Processors
We use the following services that may process your personal data. All services are GDPR-compliant and have executed Data Processing Agreements (DPA).
1. Calendly, Inc.
Service: Appointment Scheduling & Meeting Management
Website: https://calendly.com
Data Processing Agreement: Available upon request at privacy@spaindirect.com
Data Processed:
- Name
- Email address
- Phone number (optional)
- Meeting preferences
- Calendar integrations
Location: United States (EU-US Data Adequacy Decision)
GDPR Compliance: Calendly operates under the EU-US Data Adequacy Framework
Your Rights: You can contact Calendly directly at privacy@calendly.com
2. Vercel Inc. (Website Hosting)
Service: Website Hosting, Deployment & CDN
Website: https://vercel.com
Data Processing Agreement: Available via Vercel's website
Data Processed:
- Server logs (IP, user agent, timestamps)
- Website usage analytics
- Performance metrics
Location: United States (EU-US Data Adequacy Decision)
GDPR Compliance: Vercel has executed DPA under Standard Contractual Clauses (SCCs)
Your Rights: You can contact Vercel at privacy@vercel.com
3. Unsplash (Image Provider)
Service: Stock Photography
Website: https://unsplash.com
Data Processed:
- No personal data processed
- Images are publicly available
- Download logs do not contain personally identifiable information
GDPR Compliance: Unsplash's images are public domain under Unsplash License
4. Next.js & Vercel Analytics
Service: Web Framework & Analytics
Data Processed:
- Aggregated usage data
- Performance metrics
- No personally identifiable information
GDPR Compliance: Data is aggregated and anonymized
Cookies & Consent Management
Essential Cookies (Always Active)
- Session management
- Security tokens
- Preference storage
- Consent preference storage
No consent required (Required for site functionality)
Marketing/Analytics Cookies (Opt-In Only)
- Currently NOT implemented on our website
- If implemented in future, explicit opt-in will be required
- User can withdraw consent at any time
Your Rights Under GDPR
As a data subject, you have the following rights:
1. Right of Access
You have the right to request a copy of the personal data we hold about you.
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Access Request"
Response Time: Within 30 calendar days
2. Right to Rectification
You have the right to request correction of inaccurate personal data.
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Rectification Request"
3. Right to Erasure ("Right to Be Forgotten")
You have the right to request deletion of your personal data under certain circumstances.
Exceptions:
- If we have a legal obligation to retain data
- If the data is necessary for contract fulfillment
- If you gave explicit consent and we're processing based on consent
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Erasure Request"
4. Right to Restrict Processing
You have the right to request that we limit how we use your data.
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Restriction Request"
5. Right to Data Portability
You have the right to receive your data in a structured, commonly-used format.
Supported Formats: CSV, JSON
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Portability Request"
6. Right to Object
You have the right to object to certain types of data processing.
How to Request: Email privacy@spaindirect.com with subject line "GDPR Data Processing Objection"
7. Rights Related to Automated Decision Making
You have the right to request human intervention for decisions made by automated means.
Current Status: We do not make automated decisions about individuals.
Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected individuals within 72 hours (GDPR requirement)
- Provide information about:
- Nature of the breach
- Data affected
- Measures taken
- Our Data Protection Officer contact
- Report to relevant supervisory authorities where required
Contact for Data Breach Concerns: privacy@spaindirect.com
Data Retention Periods
| Data Type | Retention Period | Reason | |-----------|-----------------|--------| | Website Analytics | 26 months | Website improvement & legal requirements | | Newsletter Subscribers | Until unsubscribed + 90 days | Legal & email compliance | | Contact Form Data | 24 months | Customer service & dispute resolution | | Server Logs | 30 days | Security & performance monitoring | | Cookie Consent Records | 13 months | GDPR compliance & user preference |
International Data Transfers
Important Notice: Some of our sub-processors are located in the United States. These transfers are authorized under:
- EU-US Data Adequacy Decision (Schrems II compatible)
- Standard Contractual Clauses (SCCs) - included in Data Processing Agreements
- Binding Corporate Rules - where applicable
We have conducted Transfer Impact Assessments for all international transfers and determined that appropriate safeguards are in place.
Changes to This Policy
We may update this page periodically to reflect changes in our data processing practices. We will notify you of material changes via:
- Email (for newsletter subscribers)
- Notice on our website
- Updated date at the top of this page
Last Updated: November 13, 2025
Contact Us
For any questions about our data processing practices or to exercise your GDPR rights:
Email: privacy@spaindirect.com
Mailing Address: Spain Direct 1 Rue de Stockholm 75008 Paris France
Response Time: Within 10 business days
Data Protection Officer: You can also contact our Data Protection Officer directly at privacy@spaindirect.com