Privacy Policy

Last updated: April 9, 2026

1. Data Controller

The data controller responsible for processing your personal data is:

IBERANT SOLUTIONS S.L.
CIF: ESB87402616
Paseo de la Castellana, 95, Piso 29, Torre Europa
28046 Madrid, Spain
Email: info@iberant.com
Phone: (+34) 620 219 379

Registered with the Registro Mercantil de Madrid.

2. Data We Collect

We collect and process the following categories of personal data:

• Identity data: full name, company name, job title.
• Contact data: email address, phone number.
• Technical data: IP address, browser type and version, operating system, time zone, device identifiers.
• Usage data: pages visited, features used, session duration, error logs.
• Account data: login credentials (passwords are stored hashed and salted, never in plain text), subscription plan, billing history.
• Communication data: messages sent through the contact form or support channels.

We do not collect special categories of personal data (e.g., racial or ethnic origin, political opinions, health data) unless strictly necessary and with your explicit consent.

3. Purposes and Legal Basis for Processing

We process your personal data for the following purposes and under the corresponding legal bases established by Article 6 of the GDPR:

• Contract performance (Art. 6.1.b): To provide and maintain the ChurroStack platform, manage your account, process payments, and deliver support.
• Legitimate interest (Art. 6.1.f): To improve our services, detect and prevent fraud, ensure platform security, and conduct analytics on service usage.
• Consent (Art. 6.1.a): To send marketing communications, newsletters, and product updates. You may withdraw your consent at any time.
• Legal obligation (Art. 6.1.c): To comply with tax, accounting, and regulatory obligations under Spanish and EU law.

4. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

• Cloud infrastructure providers: Microsoft Azure (EU West Europe region) for hosting and data storage.
• Payment processors: For subscription billing and payment processing.
• Analytics services: To understand service usage and improve the platform.
• Professional advisors: Legal, accounting, and audit service providers as required.
• Law enforcement: When required by applicable law, court order, or governmental regulation.

All third-party processors are bound by data processing agreements (DPAs) that ensure GDPR-compliant data handling. We require all processors to respect the security of your personal data and treat it in accordance with applicable law.

5. International Data Transfers

Your personal data is stored and processed within the European Economic Area (EEA), specifically in Microsoft Azure's West Europe region. We do not transfer personal data outside the EEA. In the event that a transfer outside the EEA becomes necessary in the future, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision under Article 45 of the GDPR.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: For the duration of your account and up to 5 years after account closure, as required by Spanish commercial and tax legislation (Código de Comercio and Ley General Tributaria).
• Billing and transaction data: 5 years from the date of each transaction, as required by Spanish tax law.
• Usage and analytics data: Up to 24 months from collection, then anonymized or deleted.
• Contact form inquiries: Up to 12 months from the date of your last communication, unless a contractual relationship is established.
• Marketing consent records: For as long as consent is active, plus 3 years after withdrawal for accountability purposes.

When data is no longer needed, it is securely deleted or irreversibly anonymized.

7. Your Rights Under the GDPR

Under the General Data Protection Regulation (EU) 2016/679, you have the following rights:

• Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data when it is no longer necessary, you withdraw consent, or processing is unlawful.
• Right to restriction (Art. 18): Request that we limit processing under certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object (Art. 21): Object to processing based on legitimate interest or direct marketing at any time.
• Right not to be subject to automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or significant effects.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

8. Exercising Your Rights

To exercise any of the rights listed above, please contact us at:

Email: info@iberant.com
Postal address: IBERANT SOLUTIONS S.L., Paseo de la Castellana, 95, Piso 29, Torre Europa, 28046 Madrid, Spain

Please include sufficient information to identify yourself (full name and email associated with your account). We will respond to your request within one month, as required by the GDPR. This period may be extended by two additional months for complex requests, in which case we will inform you of the extension and the reasons for it.

Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests.

9. Cookies

Our website uses cookies and similar tracking technologies. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

10. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit (TLS/HTTPS) and at rest following Microsoft Azure standards.
• Access controls with role-based permissions and multi-factor authentication for administrative access.
• Regular security assessments and vulnerability testing.
• Hosting in data centers certified under ISO 27001, SOC 2, and the Spanish ENS (Esquema Nacional de Seguridad).
• Incident response procedures in compliance with the 72-hour GDPR breach notification requirement.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will notify you by email or through a prominent notice on our website at least 30 days before the changes take effect. We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when this policy was last revised.

12. Contact and Supervisory Authority

If you have any questions or concerns about this Privacy Policy or our data processing practices, please contact us at:

IBERANT SOLUTIONS S.L.
Email: info@iberant.com
Phone: (+34) 620 219 379
Address: Paseo de la Castellana, 95, Piso 29, Torre Europa, 28046 Madrid, Spain

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD):

Agencia Española de Protección de Datos
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es