Estrategeos
Legal information · GDPR · LOPDGDD

Privacy policy

Detailed information about the processing of personal data by Estrategeos S.L.: controller, categories of data, purposes, legal basis, recipients, international transfers, retention periods, rights and filing complaints.

Last updated: 24 April 2026 Regulation (EU) 2016/679 · LOPDGDD Version: 19.0

Data controller

  • Controller: Estrategeos S.L.
  • Tax ID (NIF): B02715894
  • Address: C/ Postas, 16 — 4th floor DC, 28012 Madrid, Spain
  • Privacy contact: admin@estrategeos.com
  • Data Protection Officer (DPO): the designation of a DPO is not mandatory for Estrategeos S.L. under Art. 37 GDPR (the processing does not constitute a core activity involving large-scale systematic monitoring). Privacy enquiries are nonetheless routed to the address above.

Data processed

Depending on the channel and purpose, Estrategeos S.L. may process the following categories of data:

  • Identification and contact data: name, surname, email, phone, postal address when required for service delivery.
  • Professional data: employment profile, employer, sector, position, income and income-structure information when relevant to the tax consultation.
  • Tax and financial data: NIF/NIE, tax domicile, filed tax returns, supporting documents, invoices, bank statements and further information voluntarily provided by the client during the engagement.
  • Browsing data: IP address (anonymised), cookie identifiers with prior consent, pages visited, session duration. See the Cookies Policy.
  • Communications data: content of emails, submitted forms, WhatsApp messages when the user initiates contact through that channel.

We do not process special categories of data (Art. 9 GDPR) unless the user voluntarily provides them in a tax consultation that requires them (e.g. a recognised disability affecting IRPF deductions). In that case, processing is based on explicit consent.

Purposes of processing

Data is processed for the following, distinct, purposes:

  • Managing enquiries and leads: responding to requests via the /evaluation form, WhatsApp, email or call, and assessing engagement viability.
  • Delivery of professional services: performing the tax advisory contract formalised through an engagement letter: case study, preparation and filing of returns, representation before AEAT and TEAR, appeals management, international consultancy.
  • Administrative and accounting management: invoicing (Holded), collections and payments (Qonto, Stripe), accounting and annual accounts, compliance with tax obligations of Estrategeos S.L.
  • Compliance with legal obligations: Spanish Law 10/2010 on Anti-Money Laundering and Counter-Terrorism Financing (customer identification, 10-year retention), tax law (Art. 95 LGT), REAF professional ethics.
  • Commercial communications: sending updates, guides and content related to contracted services or expressed interest, only with specific prior consent.
  • Website analysis and improvement: aggregate traffic and usage measurement through Google Analytics 4 when the user accepts analytical cookies.

Legal basis

The legal basis for each processing activity is grounded in the following provisions of Art. 6 GDPR:

  • Contractual performance (Art. 6.1.b): delivery of the contracted professional service and pre-contractual steps requested by the data subject.
  • Consent (Art. 6.1.a): commercial communications, installation of non-essential cookies, special categories of data. Consent is revocable at any time without retroactive effect.
  • Legal obligation (Art. 6.1.c): AML Law 10/2010, tax law, Commercial Code, professional ethics rules.
  • Legitimate interest (Art. 6.1.f): site security and fraud prevention, debt management, defence of claims. A balancing test is available on request.

Recipients and processors

Data may be communicated to the following recipients in pursuit of the stated purposes. Each processor is bound by a contract under Art. 28 GDPR.

RecipientPurposeLocation
Holded S.L.Invoicing and accountingSpain (EU)
Qonto (Olinda SAS)Online banking and paymentsFrance (EU)
Stripe Payments Europe LtdOnline payment processingIreland (EU) · US (SCC)
HubSpot Inc.CRM, forms, communicationsUS · EU (DPF active)
Google Ireland LtdAnalytics (GA4 with IP anonymisation)Ireland (EU) · US (DPF)
Calendly LLCOnline appointment managementUS (SCC · DPF)
Resend.com Inc.Transactional email deliveryUS (SCC)
Supabase Inc.Database hosting (client portal)EU (Frankfurt · AWS)
Cloudflare Inc.CDN and attack protectionUS · Global network (SCC · DPF)
Microsoft CorporationCorporate email and OneDriveEU · US (DPF)
AEAT, Social Security, Commercial RegistryLegal complianceSpain
Finanzamt and DE authoritiesLegal compliance for DE clientsGermany (EU)

No data is transferred to third parties for commercial purposes of those third parties.

International transfers

Certain processors (HubSpot, Google, Calendly, Stripe, Cloudflare) have a US parent company. Transfers are covered by the safeguards set out in Chapter V GDPR:

  • EU–US Data Privacy Framework (DPF) — European Commission adequacy decision of 10 July 2023 — for participating providers.
  • Standard Contractual Clauses (SCC) approved by Decision (EU) 2021/914 for remaining cases, supplemented by transfer impact assessments (TIA) where appropriate.

The client may request a copy of the safeguards applicable to each transfer by contacting admin@estrategeos.com.

Retention periods

  • Unconverted leads: up to 24 months from last contact, unless an earlier erasure request is received.
  • Client data with formal engagement: throughout the contractual relationship and, upon termination, during the applicable limitation periods: four years for tax obligations (Art. 66 LGT), six years for accounting records (Art. 30 Commercial Code), ten years for AML documentation (Art. 25 Law 10/2010).
  • Analytical cookies (GA4): 14 months from the last event (GA4 setting).
  • Marketing cookies (HubSpot): 13 months for __hstc; 30 minutes for __hssc; 1 day for __hssrc.
  • Email correspondence: retained while useful for the defence of the relationship and potential claims.

Data subject rights

The data subject may exercise the following rights by contacting admin@estrategeos.com with a copy of an identification document:

  • Access to the personal data being processed.
  • Rectification of inaccurate data.
  • Erasure (right to be forgotten) where no legal retention obligation applies.
  • Objection to processing based on legitimate interest.
  • Restriction of processing in the cases provided for in Art. 18 GDPR.
  • Portability of data where processing is based on consent or contractual performance and carried out by automated means.
  • Withdrawal of consent previously granted, without retroactive effect.
  • Not to be subject to automated decisions producing legal or significant effects (Art. 22 GDPR). Estrategeos does not make decisions about clients based solely on automated processing.
Complaint before the supervisory authority

If the data subject considers that the processing does not comply with the law, they may file a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es) or, for residents of Germany, with the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) (www.bfdi.bund.de) or the competent Land authority.

Security measures

Estrategeos S.L. applies technical and organisational measures appropriate to the risk (Art. 32 GDPR): encryption in transit (TLS 1.3) and at rest, role-based access control, enhanced authentication in the client portal (Supabase Auth), automated backups, attack protection via Cloudflare, and periodic supplier reviews. In the event of a breach, notification will be made to the AEPD within 72 hours (Art. 33 GDPR) and to the data subject where there is high risk (Art. 34 GDPR).

Minors and sensitive data

The site is not directed to minors. Estrategeos S.L. does not knowingly collect data from minors under 14 years of age (LOPDGDD threshold, Art. 7). If a minor's registration is detected without parental authorisation, the data will be deleted.

Special category data (health, ideology, religion, sexual orientation) is not subject to routine processing. Where the user voluntarily provides it in the course of a tax consultation (for example, a recognised disability certificate for IRPF deductions), processing is based on explicit consent and limited to what is strictly necessary.

Automated decisions and profiling

No decisions based solely on automated processing producing legal or significant effects on the data subject are taken (Art. 22 GDPR). Tax analysis of the file is performed by a registered professional. AI tools that may be used in documentary stages (summarisation, email classification) operate under human supervision and do not replace the advisor's judgment.

Amendments

This policy may be updated to reflect regulatory changes, AEPD doctrine or modifications in the list of processors. Substantial changes will be communicated by means of a prominent notice on the site and, where appropriate, by email to active clients. The date of the last update is shown at the beginning of this document.