GDPR & Your Data Rights

Access (Art. 15): obtain confirmation of whether we process your data and a copy of it. Rectification (Art. 16): have inaccurate data corrected and incomplete data completed. Erasure (Art. 17): have your data deleted where the law allows it. Restriction (Art. 18): limit how we use your data while a dispute is resolved. Portability (Art. 20): receive the data you provided in a structured, machine-readable format. Objection (Art. 21): object to processing based on our legitimate interest.

Which right lets you stop a particular use of your data depends on its legal basis. Where we rely on your consent (analytics and advertising cookies), you can withdraw it at any time without affecting the lawfulness of processing before the withdrawal. Where we rely on our legitimate interest, you can object. Where processing is necessary to perform your contract or to meet a legal obligation, we cannot simply stop it, but you can still ask us to restrict it and we will tell you which basis applies. You will never be treated less favourably for exercising a right.

Write to our Data Protection Officer at the address shown above, from the email address linked to your application, stating which right you want to exercise and, if you have one, your tracking code. Exercising your rights is free of charge.

To protect your data we verify that the request really comes from you: we reply to the email address on record and may ask for additional confirmation before releasing or deleting anything. We respond within one month; for complex or numerous requests the GDPR allows up to two further months, and we will tell you within the first month if we need them. If you have not heard from us within one month, you can escalate the matter directly to the supervisory authority (see section 5).

Erasure has legal limits (Art. 17(3)(b) GDPR). Applications that have been paid for, and their payment records, are part of our tax and commercial documentation: Spanish law requires us to keep them (in general four years under the General Tax Law, six years under the Commercial Code). We will tell you in our reply exactly what we deleted and what we must retain, and that retained data is kept blocked, used only for those legal obligations.

Consent and communication records may also be kept as evidence of compliance. Unpaid drafts are simpler: they auto-delete after 30 days, and you can ask us to delete them earlier at any time.

We share data only with the processors listed in our Privacy Policy (hosting, email, payments, security, analytics with consent) under GDPR Art. 28 agreements, and, when you ask us to submit an application, with the destination's official authority, which processes it as an independent controller. International transfers are protected by adequacy decisions or Standard Contractual Clauses; transfers to a destination government are necessary to perform your contract (Art. 49(1)(b)).

If you believe we have not handled your data or your request correctly, you can lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD; C/ de Jorge Juan, 6, 28001 Madrid; www.aepd.es; electronic office sedeagpd.gob.es) or with the supervisory authority of your EU country of residence. We would appreciate the chance to resolve it directly first, but you are never required to contact us before going to the authority.