This policy describes how we process the personal data you provide when you write to us or interact with this site, in compliance with Regulation (EU) 2016/679 (GDPR) and the Spanish Data Protection Act (Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, LOPDGDD).
1. Data controller
- Controller: Owner of EiviLab.ai (independent professional activity registered in Spain)
- Registered address: Avenida España 8, 5B, 07800 Eivissa, Illes Balears, España
- Email: hola@eivilab.ai
- Trading name: EiviLab.ai
The controller's full identifying details (full name and Spanish tax identification number, NIF) are available to supervisory authorities, data subjects exercising GDPR rights and persons with a legitimate interest upon written request to hola@eivilab.ai.
2. Data Protection Officer (DPO)
No Data Protection Officer has been appointed, as none of the circumstances set out in article 37 of the GDPR or article 34 of the Spanish Data Protection Act (LOPDGDD) apply: we do not carry out large-scale processing of special categories of data, nor systematic monitoring of data subjects as a core activity. For any matter relating to data processing, you may write directly to hola@eivilab.ai.
3. Data we process
We only process the personal data you voluntarily provide when contacting us by email at hola@eivilab.ai:
- Name and surname(s) (if you include them in your message).
- Email address.
- The organisation or company you represent, if applicable.
- The content of your message and any other information you choose to share in the communication.
This website does not have its own forms and does not collect personal data automatically beyond the technical logs described in section 6.
4. Purposes and legal basis
4.1. Responding to your commercial enquiry
Purpose: to respond to the enquiry or request for information you send us. Legal basis: the controller's legitimate interest in responding to incoming communications (Article 6(1)(f) GDPR), balanced against your rights and reasonable expectations given that you initiate the contact.
4.2. Managing the contractual relationship
Purpose: to formalise and perform a proposal or service contract should we decide to work together, including invoicing and compliance with related obligations. Legal basis: performance of a contract or the taking of pre-contractual steps (Article 6(1)(b) GDPR) and compliance with legal obligations in tax and commercial matters (Article 6(1)(c) GDPR).
5. Recipients and data processors
We do not disclose your data to third parties except where required by law. To provide the service we rely on the following providers, which act as data processors:
- Cloudflare, Inc. — site hosting (Workers) and content delivery network (CDN/DNS). It processes technical server logs (see section 6). International transfer to the United States is covered by Adequacy Decision (EU) 2023/1795 (EU-US Data Privacy Framework) and by the European Commission's Standard Contractual Clauses (SCCs) as an additional safeguard.
- Cloudflare Email Routing — receives messages addressed to hola@eivilab.ai and info@eivilab.ai at the domain's MX servers and forwards them to the final inbox. The same international transfer safeguards apply as for Cloudflare Workers (Decision 2023/1795 plus SCCs).
- Google LLC (Google Workspace) — the final destination of emails forwarded from Cloudflare Email Routing, where communications with the controller are stored and managed. International transfer to the United States is covered by Adequacy Decision (EU) 2023/1795 (EU-US Data Privacy Framework) and by the Standard Contractual Clauses (SCCs) as an additional safeguard. Google adheres to the EU-US Data Privacy Framework.
6. Technical server logs
When you access the site, our infrastructure (Cloudflare Workers) generates technical logs strictly necessary for the provision of the service and the security of the network: IP address (partial or complete), browser user agent, requested URL, response code and timestamp. These logs are retained for the time strictly necessary for technical diagnostics and the prevention of abuse. The legal basis is the legitimate interest in ensuring the security of the network and of the information (Article 6(1)(f) GDPR, recital 49).
7. Cookies
This site does not use its own or third-party cookies for analytics, advertising or personalisation purposes. Nor does it use audience-measurement tools. If cookies subject to consent are introduced in the future, this policy will be updated and the corresponding banner will be enabled in accordance with article 22.2 of the Spanish E-commerce and Information Society Services Act (LSSI-CE).
8. Retention periods
- Commercial communications without a contract: up to 2 years from the last contact, unless you request earlier erasure.
- Data associated with a contractual relationship: for the duration of the contract and, once terminated, for the periods legally required (6 years for commercial obligations under article 30 of the Spanish Commercial Code; applicable tax retention periods; and the limitation periods for any actions arising from the contract).
- Technical server logs: only for the time strictly necessary for diagnostics and operational security, in accordance with the provider's policies.
9. International transfers
As stated in section 5, Cloudflare may process technical data from servers located in the United States. This transfer is supported by appropriate safeguards under Chapter V of the GDPR: Adequacy Decision (EU) 2023/1795 and, on a complementary basis, the European Commission's Standard Contractual Clauses (SCCs).
10. Your rights
You may exercise the following rights granted by the GDPR at any time:
- Access to your personal data (Article 15).
- Rectification of inaccurate data (Article 16).
- Erasure (the "right to be forgotten", Article 17).
- Restriction of processing (Article 18).
- Data portability (Article 20).
- Objection to processing based on legitimate interest (Article 21).
- Not to be subject to automated decisions with significant effects (Article 22).
To exercise these rights, send an email to hola@eivilab.ai indicating which right you wish to exercise and enclosing a copy of your national ID card (DNI) or equivalent identity document, so that we can verify your identity. We shall reply within a maximum of one month from receipt of the request, extendable by a further two months in complex cases (Article 12(3) GDPR).
11. Complaint to the supervisory authority
If you consider that the processing of your data does not comply with the law, or if you are not satisfied with the response received when exercising your rights, you may lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.
12. Automated decisions and profiling
We do not carry out automated decisions, including profiling, that produce legal effects or significantly affect the data subject on the basis of data collected through this site.
13. Minors
The services and contents of this site are addressed exclusively to professionals and to persons over 14 years of age. We do not knowingly process personal data of minors below that age. If we detect such processing, we shall delete the data without delay.
14. Security
We apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (HTTPS/TLS), access controls and data minimisation.
15. Changes to this policy
We reserve the right to update this policy to reflect regulatory, technical or operational changes. The version in force shall always be the one published at this URL, with the update date shown at the foot of the page.
Last updated: 14 May 2026.