Your data, handled the way we build software.
This Privacy Policy explains, in plain language, how Giroteam collects, uses, stores and protects personal data when you visit our website, request a consultation, sign a contract with us, or interact with any of our services. It is drafted to comply with the EU General Data Protection Regulation (Regulation 2016/679, GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD). Read it once; the rights it describes are yours, and we mean them.
What this policy covers, at a glance.
Twelve sections, each addressing one obligation we have under Spanish and European data-protection law.
Who is responsible for your personal data.
Under Article 4(7) of the GDPR, the data controller is the entity that determines the purposes and means of processing your personal data. For everything described in this Privacy Policy, that entity is Giroteam — a software studio registered in Spain, with operations in Málaga and clients across the European Union. The legally binding identification details are listed below.
- Legal name: Giroteam
- Legal form: Spanish private commercial entity
- Tax ID (CIF/NIF): B81602195
- Registered address: Málaga, Andalusia, Spain
- Contact email: hello@giroteam.com
- Telephone: +34 851 81 72 90
- Privacy contact: privacy@giroteam.com
Giroteam has not formally appointed a Data Protection Officer (DPO) because the conditions in Article 37 of the GDPR are not met (we do not carry out large-scale regular monitoring nor process special categories of data on a large scale). A dedicated privacy contact is nevertheless available at the email above and will respond within the statutory deadlines.
We collect only what the work actually requires.
Data minimisation, in practice. Below are the categories of personal data we may process — and only when there is a clear, lawful reason to do so.
Identification data
Full name, professional title, the company you represent, and — where required for invoicing — your tax identification number. Collected from you directly when you contact us or sign an engagement.
Contact data
Email address, telephone number, postal address, and the channel you used to reach us (web form, email, telephone, LinkedIn). Used solely to reply to your enquiry and run the engagement.
Commercial relationship data
Project details, scoping notes, contracts, statements of work, communications history, and the records needed to deliver and bill the work. We keep these as part of the file on your engagement.
Technical & usage data
IP address, browser type, device class, pages visited, time on page, and approximate (city-level) geolocation. Collected automatically when you visit our website, and only with your prior consent for non-essential cookies.
Billing & financial data
Invoicing details, bank account or card data routed via a regulated payment processor, VAT number, and the accounting records mandated by Spanish commercial and tax law.
Recruitment data
CV, portfolio, cover letter, references, interview notes and the contact details of anyone who applies to join Giroteam. Processed only for the selection process you applied to.
Note — We do not knowingly process special categories of data (Art. 9 GDPR) such as health, biometric, genetic, religious or political data. We do not collect data from minors. If a special category surfaces accidentally (for example, in a free-text field), we delete it as soon as we identify it.
Eight purposes. Each one named, each one bounded.
Under Article 5(1)(b) of the GDPR, personal data must be collected for specified, explicit and legitimate purposes. The following table lists every purpose for which Giroteam processes personal data, the activities it covers, and the legal basis that permits it. We do not repurpose your data for anything outside this table without notifying you first.
Every operation has a lawful footing.
Article 6 of the GDPR requires that every processing activity rest on at least one of six lawful bases. Giroteam relies on four of them, listed below. We tell you which one applies to a given activity at the point of collection, and again here for the record.
Performance of a contract
When you become a client, processing your data is necessary to deliver the engagement we have agreed: scoping the project, designing the system, building it, integrating it with your stack, and operating it after launch. Without this processing, we cannot perform the contract.
Your consent
We rely on consent for non-essential cookies, for marketing communications, and for any optional data we ask for on the website. Consent is given freely, can be withdrawn at any time, and withdrawing it never affects the lawfulness of processing that took place before withdrawal.
Legal obligation
Spanish tax law (LGT, Law 58/2003) and commercial law (Código de Comercio) require us to keep invoices, accounting books and certain commercial records for fixed periods. We process and retain the data needed to comply with those obligations, and no more.
Legitimate interest
For security monitoring, fraud prevention, the management of our website and IT infrastructure, and limited B2B prospecting to professional contacts, we rely on our legitimate interest in running a safe and viable business. A balancing test has been carried out in every case and is available on request.
We keep your data only as long as we need it — and not a day longer.
Article 5(1)(e) of the GDPR requires that personal data be kept in identifiable form only for as long as necessary. The following retention periods are derived from that principle, applied to Spanish commercial, tax and labour law. Once a period expires, the data is securely deleted or anonymised.
When a retention period expires, data is either deleted from production systems and backups in the next rotation cycle, or irreversibly anonymised so it can no longer be linked to any individual. If a legal claim, audit or investigation is in progress, the relevant data may be retained beyond these periods until the matter is closed.
Who else sees your data — and under what binding terms.
Cloud infrastructure providers
Hosting, storage and compute for our website and client systems. Primarily based in the EU (Frankfurt, Helsinki, Madrid) on AWS, GCP or Hetzner, selected per project.
Email and collaboration tools
Business email, calendars, document collaboration and video calls for our day-to-day work with you. EU-resident services preferred.
Privacy-respecting analytics
Cookieless or consent-based analytics to understand website usage in aggregate. IP addresses are anonymised; no cross-site profiling.
Payment processors
Regulated payment institutions process card and bank-transfer payments. We never store full card numbers — we receive only confirmation that a payment succeeded or failed.
CRM and project tools
The systems where we keep your engagement file, our shared task boards, and the documentation we produce during a project.
Accounting and tax advisors
External accountants and tax advisors who process invoicing and accounting data to help us meet Spanish tax and commercial obligations. Bound by professional secrecy.
Public authorities & regulators
Spanish tax authority (AEAT), social-security authority (TGSS), AEPD, courts and police forces when a legally binding request requires us to share specific data.
Legal advisors & auditors
Lawyers, auditors and insurers when needed to establish, exercise or defend legal claims, or to comply with mandatory audits. Bound by professional confidentiality.
Note — A current, named list of our active sub-processors is available on request to privacy@giroteam.com. We notify clients of material changes to that list before a new sub-processor begins processing their data.
When data leaves the EU, it travels under contract.
Some of our processors are headquartered outside the European Economic Area (EEA) — typically in the United States or the United Kingdom. Whenever your data is transferred outside the EEA, Giroteam relies on the safeguards required by Chapter V of the GDPR (Articles 44–49). These safeguards are listed below.
Standard Contractual Clauses (SCCs)
Where no adequacy decision exists, we sign the European Commission's 2021 Standard Contractual Clauses with the processor, in the appropriate module, before any transfer takes place.
Adequacy decisions
For transfers to countries the European Commission has formally recognised as providing an adequate level of protection (e.g. the UK under the 2021 decision), we rely on that adequacy decision as the transfer mechanism.
EU–US Data Privacy Framework
For processors certified under the EU–US Data Privacy Framework (Commission Implementing Decision of 10 July 2023), we rely on that certification, verified for active status before transferring.
Transfer impact assessments
For each non-EEA processor we carry out a Transfer Impact Assessment (TIA) in line with EDPB Recommendations 01/2020, evaluating the destination country's laws and adding supplementary measures (encryption, pseudonymisation) where needed.
Eight rights under the GDPR. Free to exercise. Always.
Spanish and European law gives you a defined set of rights over your own personal data. Exercising any of them is free and does not require you to justify yourself. We will respond within one month of your request, extensible by two further months for complex cases (Art. 12(3) GDPR).
Access
Get a copy of the personal data we hold about you, the purposes for which we process it, and the recipients to whom we disclose it (Art. 15 GDPR).
Rectification
Have inaccurate data corrected and incomplete data completed without undue delay (Art. 16 GDPR).
Erasure
Ask us to delete your personal data where the legal grounds in Article 17 GDPR apply, also known as the 'right to be forgotten'.
Restriction
Have processing of your data restricted while we verify a rectification request, contest its accuracy, or assess a legitimate-interest objection (Art. 18 GDPR).
Portability
Receive the data you have provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller (Art. 20 GDPR).
Objection
Object to processing based on legitimate interest — including direct marketing — at any time, on grounds relating to your particular situation (Art. 21 GDPR).
Withdraw consent
Withdraw consent at any time for any processing based on it. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
No automated decisions
Not be subject to a decision based solely on automated processing that produces legal effects on you. Giroteam does not run such decision-making (Art. 22 GDPR).
Sending us a rights request.
Follow these four steps. Whichever route you choose, we will track and respond to it the same way.
1. Email privacy@giroteam.com from the address we hold for you, naming the right(s) you want to exercise.
2. If you write from a different address, we may ask you to confirm your identity to prevent disclosing your data to someone else (Art. 12(6) GDPR).
3. We acknowledge receipt within 72 hours and respond substantively within one calendar month.
4. If we cannot fulfil the request, we will explain why in writing and remind you of your right to lodge a complaint with the AEPD.
Right to file a complaint with the AEPD
If you believe we have mishandled your personal data and our response has not satisfied you, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos), the competent supervisory authority in Spain.
- Authority: Agencia Española de Protección de Datos
- Address: C/ Jorge Juan 6, 28001 Madrid
- Web: www.aepd.es
Technical and organisational measures — designed, not bolted on.
Article 32 GDPR requires controllers and processors to implement security measures appropriate to the risk. Because Giroteam builds production software for mid-market operations, security is part of how we work, not a downstream concern. The measures below summarise our current baseline.
- M·01 Encryption in transit and at rest. TLS 1.2+ on every public endpoint we operate. Sensitive data encrypted at rest using AES-256 or equivalent. Secrets stored in dedicated secret managers, never in source code.
- M·02 Access control & least privilege. Role-based access on every system, with explicit grants reviewed at least quarterly. Mandatory multi-factor authentication for every Giroteam team member on every production system.
- M·03 Backups & disaster recovery. Encrypted, region-redundant backups with documented recovery procedures. Backup restoration tested at planned intervals, not only when something has already gone wrong.
- M·04 Vulnerability management. Dependencies scanned automatically on every build. Critical patches applied within defined SLAs. Penetration testing conducted on client systems where the engagement includes it.
- M·05 Audit logging. Every access to personal data on our internal systems is logged, with tamper-evident retention sized to the obligations of the engagement and to applicable cybersecurity rules.
- M·06 Staff training & confidentiality. Every Giroteam team member is bound by a written confidentiality undertaking and trained on data-protection responsibilities on joining and at refresh intervals afterwards.
If something goes wrong, you'll hear from us.
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware of it (Art. 33 GDPR) and, where the risk is high, notify you directly without undue delay (Art. 34 GDPR). The notification will describe the nature of the breach, the categories and approximate number of people affected, the likely consequences, and the measures taken or proposed to address it.
Giroteam's services are not directed at children.
Our website and services are aimed exclusively at professionals, companies and adult contacts. We do not knowingly collect or process the personal data of children under 14 years of age — the threshold set by Article 7 of the Spanish LOPDGDD for direct consent to data processing.
If we become aware that we have inadvertently processed personal data of a child under that age without verifiable parental or guardian authorisation, we will delete that data without undue delay. If you are a parent or guardian and believe a minor in your care has provided us with personal data, please contact privacy@giroteam.com and we will act on it immediately.
When this policy changes, the change is recorded here.
We update this Privacy Policy when the law, our systems, our processors, or our business activities change in ways that affect how your data is handled. Material changes — those that meaningfully alter your rights or our obligations — are announced before they take effect, by email where we have an active relationship with you and prominently on this page in every other case.
Talk to a human, not a ticket queue.
Every data-protection enquiry sent to privacy@giroteam.com is reviewed by a person on the senior team — the same people who would build your system if you were a client. We respond within one working day, and substantively within the statutory deadlines.