Privacy Policy - Arux Ingeniería

Introduction

This Privacy Policy describes the collection, use, and processing of personal data of users who interact with the website aruxingenieria.com. By using this website or communicating with the Owner, the user accepts the conditions described in this policy, which is adapted to the provisions of Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), Organic Law 3/2018 (LOPDGDD), and other current regulations in Spain regarding the protection of personal data.

Data Controller

The party responsible for the processing of personal data collected on aruxingenieria.com is:

Name / Owner: DARÍO LORENZO DÍAZ
NIF: 50754171W
Address: Calle de la Arquitectura, 17, 2D, 28005 Madrid, Spain
Phone: 617 154 220
Contact Email: [email protected]

Henceforth referred to as “the Controller” or “the Owner.”

Personal Data Collected

The website may collect the following categories of personal data:

Data provided directly by the user: When the user fills out the contact form, personal data such as name, email address, and the message or inquiry they wish to make are requested. This data is provided voluntarily by the user when making their request or inquiry.
Navigation data: While browsing aruxingenieria.com, certain technical data and browsing habits may be collected automatically. This includes, for example, the user’s IP address, information about their device and browser, language, pages or sections visited, date and time of connection, browsing time, and other similar data. This information is obtained primarily through cookies and similar technologies, specifically through the use of analysis tools such as Google Analytics (see the Cookie Policy for more details). Although this navigation data does not usually allow for the direct identification of the user by itself, it may be considered personal data to the extent that it could be associated with a unique identifier (such as a cookie ID or IP address).

In general, the user is not required to provide personal data to browse the website. However, refusal to provide data marked as mandatory in the contact form will prevent us from adequately attending to your request or inquiry.

Purpose of Processing

The personal data provided by the user or collected through the aruxingenieria.com website will be processed for the following explicit purposes:

Handling inquiries and communications: We use the data provided in the contact form (name, email, and message) for the sole purpose of managing and responding to the request or inquiry made by the user. This includes providing requested information about our services, addressing doubts or requirements, and, in general, maintaining communications derived from the user’s request.
Website analysis and improvement: Navigation data collected through analytical cookies (for example, through Google Analytics) is processed in an aggregate and anonymous form to obtain statistics and metrics regarding website traffic and usage. This allows us to know how users interact with the site, measure the audience, detect usage patterns, and thereby improve the structure, design, content, or services offered on aruxingenieria.com. Under no circumstances do we use this data for individual profiling purposes or to make automated decisions that produce legal effects on the user.
Compliance with legal obligations: In the event that the Controller has legal obligations to preserve or communicate certain personal data (for example, compliance with requirements from authorities, tax obligations, fraud prevention, etc.), the data will be processed to comply with said legal obligations.
Other purposes that, where appropriate, are expressly indicated at the time of data collection. In any form or channel where personal data is requested, the user will be informed of the specific purpose of the processing if it differs from those mentioned here, and their consent will be requested when necessary.

The Owner undertakes not to use the users’ personal data for purposes other than those described above, unless prior notice is given and consent is obtained if required by applicable regulations.

Lawfulness of Processing (Legal Basis)

The legal basis that allows us to process the users’ personal data, in accordance with the purposes described above, is as follows:

Consent of the data subject: For inquiries and messages sent through the contact form, the primary legal basis is the free, specific, informed, and unambiguous consent that the user grants by sending their personal data. The user has the possibility—and should—read this Privacy Policy and, if they agree, check the corresponding acceptance box before submitting the contact form. Likewise, regarding the installation of analytical cookies (Google Analytics), the processing of navigation data is based on the user’s consent, obtained through the cookie notice or banner upon starting navigation on the site. The user may withdraw their consent at any time, as explained below, without affecting the lawfulness of processing based on consent before its withdrawal.
Performance of a pre-contractual or contractual relationship: In cases where the user requests information regarding possible professional services offered by the Owner, or actually contracts said services, the processing of their data may be justified by the need for the execution of pre-contractual measures (attending to their request, preparing a quote, etc.) or, where appropriate, for the execution of a contract to which the data subject is a party.
Compliance with legal obligations: Data processing may also be based on the need to comply with legal obligations applicable to the Controller. For example, tax regulations, data protection laws, or anti-money laundering regulations may require the preservation or disclosure of certain personal data.
Legitimate interest of the Controller: In certain cases, there may be a legitimate interest on the part of the Owner to process the user’s personal data, provided that the data subject’s fundamental rights and freedoms do not prevail over said legitimate interest. Examples could include maintaining website security, addressing requests or complaints that the user makes outside the provided channels (e.g., via social media), or improving the quality of our services based on aggregated information. In any processing based on legitimate interest, the Owner will carefully evaluate their interests and the user’s rights, and will provide the user with the possibility to object to such processing as established by law.

Data Retention Period

Personal data will be kept only for the time necessary to fulfill the purposes for which it was collected, without prejudice to the retention periods that may be required by law. In general terms:

Inquiry data (contact form): Personal data provided through the contact form (name, email, message) will be kept for the time necessary to properly address and manage the user’s request and maintain the communications derived from it. Once your inquiry or request is resolved, your data may be kept blocked during the applicable legal limitation periods, solely for the purpose of complying with legal obligations or defending against possible claims.
Navigation analysis data: Information collected through Google Analytics cookies or other analytical cookies is kept for the periods indicated in the Cookie Policy. In general, analytical cookies keep navigation data in aggregate form for periods that allow for historical and comparative analysis (for example, persistent cookies that can last between 24 hours and 2 years, depending on the case). However, this data is processed in an anonymized or pseudonymized form without directly identifying the user, and can be deleted when the user revokes their consent or deletes them from their device.
Data related to legal obligations: Data that must be kept by legal mandate will be maintained for the periods determined by the respective regulations (for example, up to 5 years for tax or accounting matters, as applicable).

In any case, the Owner will perform a periodic review of the stored personal data, deleting or anonymizing those that are not necessary once the purpose that justified their processing has been fulfilled, provided they are not required to be kept under a legal obligation.

Disclosure of Data to Third Parties and Data Processors

In general terms, the Owner will not transfer or communicate users’ personal data to third parties without their express consent, except in those cases where it is necessary for the provision of a service requested by the user, for compliance with a legal obligation, or for the fulfillment of a duly weighed legitimate interest of the Controller.

However, the Owner informs users that for the operation of this website and the achievement of the aforementioned purposes, it is necessary to use trusted service providers who act as data processors on behalf of the Controller. These third parties access personal data solely to perform specific tasks on behalf of and under the instructions of the Owner, and in accordance with a data processing agreement that guarantees the security and confidentiality of the information. Among these service providers are:

Web hosting and platform services: The website is hosted on servers of a hosting provider, which implies that said provider may process data generated during navigation and use of the site (for example, storing data in server logs, website backups, etc.). This provider acts under a confidentiality and data processing contract and only accesses the information to ensure the correct functioning and technical maintenance of the web.
Analysis tools (Google Analytics): This site uses Google Analytics, a service provided by Google, Inc. (a Delaware, USA company) through its subsidiary Google Ireland Limited for users in the EU. Google Analytics uses cookies to collect navigation data (for example, truncated IP addresses, device information, pages visited, etc.) and generate statistics on the site’s traffic and visit volume. Google acts as a data processor and may have access to some of the user’s usage data to process it on behalf of the Owner. The user is informed that Google may process information on servers located outside the European Economic Area, specifically in the United States or other countries. However, Google declares that it complies with adequate safeguards for international data transfers, including, where applicable, adherence to mechanisms recognized by the EU (such as Standard Contractual Clauses approved by the European Commission, or the current legal framework replacing the old Privacy Shield). Information collected through Google Analytics is processed in aggregate form and is not shared with third parties, unless required by law or by Google itself under its terms of service. For more details, you can consult this site’s Cookie Policy and Google Analytics’ privacy policy (provided by Google).
Email services: Communications that the user makes by email (for example, when writing to us at the contact address provided) may involve the use of our provider’s email servers (for example, Google, in the case of Gmail addresses). These providers may process communication metadata (sender, recipient, date, etc.) and the message content temporarily, also acting as data processors under the required confidentiality.

Outside of the above situations, no other transfers or communications of data to third parties are foreseen. If, due to the nature of the requested service, any specific data transfer to third parties were necessary (for example, to professional collaborators, couriers, etc.), the user will be informed in advance and, when required by law, their consent will be obtained.

International Data Transfers

As a general rule, the Owner processes users’ personal data within the territory of the European Union (EU) or the European Economic Area (EEA) and does not perform international data transfers. However, certain mentioned service providers (e.g., Google) are located in countries outside the EU/EEA or may access data from outside those territories.

In cases where the use of such services involves an international data transfer to countries that do not offer a level of data protection equivalent to the European one (for example, the USA), the Controller guarantees that adequate safeguards have been implemented in accordance with regulations. These safeguards may include: the signing of standard contractual clauses approved by the European Commission with the foreign provider, verifying that the provider is adhered to an international instrument or agreement declared to have an adequate level by the competent authorities, or obtaining explicit consent from the data subjects when appropriate.

The user may request more information from the Controller about the specific safeguards applied to international data transfers, where applicable, as well as a copy of the commitments assumed by the providers, by contacting the indicated contact channels.

User Rights

The user, as a personal data subject, may exercise the rights conferred by data protection regulations. In particular, they have the possibility to exercise the following rights:

Right of Access: Allows the data subject to obtain confirmation as to whether the Owner is processing personal data concerning them and, if so, the right to know what data it is, its origin, as well as receive information about the purposes of the processing, the categories of data processed, the recipients or categories of recipients to whom the data was or will be communicated, the planned retention period, and the existence of automated decisions, among other aspects.
Right to Rectification: Empowers the user to request the correction of inaccurate personal data concerning them. They also have the right to have incomplete data completed, including by means of providing a supplementary statement.
Right to Erasure (“Right to be Forgotten”): The user may request the deletion of their personal data when, among other reasons, the data is no longer necessary for the purposes for which it was collected, they withdraw their consent (and the processing is not based on another legal ground), or it has been unlawfully processed. Following an erasure request, the data may be blocked and kept restrictedly available to competent authorities during the applicable legal limitation periods.
Right to Restriction of Processing: Under certain circumstances (for example, if the user contests the accuracy of their data, while such accuracy is being verified; or if the user has objected to the processing, while it is being verified whether the Controller’s legitimate grounds override those of the user), the data subject may request that the processing of their data be temporarily restricted, so that it is only kept for the exercise or defense of claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.
Right to Object: The user may object at any time, on grounds relating to their particular situation, to personal data concerning them being processed based on the public interest or the legitimate interest of the Controller. If this right is exercised, the Owner will stop processing the data unless they demonstrate compelling legitimate grounds or for the establishment, exercise, or defense of possible claims. Likewise, when the processing has direct marketing purposes (for example, sending commercial communications), the user has the right to object at any time to the processing of their data for such purposes, which will result in the immediate cessation of those communications.
Right to Data Portability: The data subject has the right to receive the personal data they have provided to the Controller in a structured, commonly used, and machine-readable format, and to transmit it to another data controller, whenever technically possible, in the cases provided by law (when the processing is based on consent or a contract and is carried out by automated means). This right allows the user to facilitate the reuse of their data by other services or to request the Owner, whenever technically possible, to transmit their data directly to the new controller they indicate.

In addition to the above, the user has the right to withdraw consent at any time granted for those purposes based on said legal ground, without affecting the lawfulness of processing based on consent before its withdrawal. They also have the right not to be subject to individualized decisions based solely on automated processing of their data, including profiling, under the terms established by Article 22 of the GDPR, unless legally provided exceptions apply.

Exercise of Rights

The exercise of rights is free of charge for the data subject, except in cases of manifestly unfounded or excessive requests (for example, repetitive ones), in which case the Controller may charge a reasonable fee based on the administrative costs incurred or refuse to act.

To exercise their data protection rights, the user may send a written request to the Data Controller through any of the following contact means:

Email: By sending a message to the address [email protected], with the reference “Data Protection,” clearly indicating the right they wish to exercise and regarding which personal data.
Postal mail: By writing to DARÍO LORENZO DÍAZ, Calle de la Arquitectura, 17, 2D, 28005 Madrid, Spain (ref: “Exercise of GDPR rights”), indicating in the letter the right or rights they wish to exercise and their identifying information. In this case, it is recommended to send the communication by a means that allows for proof of sending and receipt (for example, certified mail).

In either case, and in order to verify the applicant’s identity, the user must attach a copy of their ID (DNI/NIE), passport, or another valid document proving their identity. If the exercise of rights is carried out through a legal representative, documentation proving such representation must also be provided, along with the representative’s identity document.

The Controller will attend to the request and communicate a response to the data subject within a maximum period of 1 month from its receipt. This period may be extended, where necessary, by a further 2 months, taking into account the complexity and number of requests, but in such a case, the user will be informed of any such extension within the first month.

If the request does not meet the necessary requirements for processing, the Controller may ask the data subject to rectify it (for example, by providing additional information or clarifying the request).

The user also has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or another competent supervisory authority, especially when they have not obtained satisfaction in the exercise of their rights. For more information, you can consult the official website of the AEPD (www.aepd.es).

Security Measures

In compliance with current regulations, the Owner states that they have implemented the technical and organizational security measures necessary to ensure a level of security appropriate to the risk, with the aim of protecting users’ personal data against unauthorized access, alteration, loss, destruction, or unauthorized disclosure.

These measures include, among others, pseudonymization and encryption of sensitive data when applicable, perimeter protection systems (firewalls), restricted access controls to personal information, secure servers, periodic backups, internal data protection policies, and training for staff who may access the information.

While the Owner constantly applies and updates these security protocols, the user must be aware that no measure is completely infallible or inviolable, and therefore the Owner cannot guarantee absolute information security at all times. However, in the event of detecting any security incident affecting the user’s personal data, the Owner undertakes to communicate it both to the user and to the competent authorities as required by regulations (especially Articles 33 and 34 of the GDPR, regarding notification of security breaches).

Acceptance and Changes to the Privacy Policy

The user, by actively providing their personal data through this site (for example, by sending an inquiry via the contact form), declares to have been informed of the conditions on personal data protection contained in this Privacy Policy and accepts them expressly. Users are recommended to carefully read this Policy and consult it regularly, even every time they are going to use the website, as it may undergo modifications or updates.

The Owner reserves the right to modify this Privacy Policy to adapt it to legislative or jurisprudential developments, as well as to industry practices or changes in the website’s service offerings. Any significant change in the Privacy Policy will be communicated to users through the website itself (for example, by a notice on the home page or in this same section) and/or through other available contact means when legally required.

The current version of this Privacy Policy is the one shown on this website, with its last update date indicated at the bottom. Continued use of the site after such changes will imply acceptance of them.