Privacy Policy

In force from 1 February 2026. Last updated: 12 May 2026.

This policy is governed by Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDP). Where recipients reside in Mexico or Argentina, the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP, Mexico) or Ley 25.326 (Argentina), respectively, will also apply.

1. Data controller

The controller of your personal data processed through this website and the B2B commercial communications issued by Emplyx (hereinafter the Website) is:

  • Controller: Emplyx
  • NIF: 46762976C
  • Address: Calle Matilde Diez 10, 08195 Sant Cugat, Barcelona, Spain
  • Contact: legal@emplyx.com

This Privacy Policy applies to the public Website and to commercial communications directed at B2B professionals. The processing of personal data within the Emplyx software (SaaS) is governed by specific documentation and agreements.

2. Data we may process

Unless otherwise provided in Section 10, the personal data we process is provided directly by you, primarily when you fill in forms or contact us:

  • Contact data: first name, surname, company, job title, email, phone.
  • Communication data: the content of the message or request you send us.
  • Technical data: IP address, device and browser identifiers, security logs.
  • Browsing and cookie data: according to the accepted settings (see Cookie Policy).

3. Purposes and legal bases

We process your personal data for the following purposes:

  • Handling requests and enquiries (contact, demo, commercial information). Legal basis: performance of pre-contractual measures at the request of the data subject (Art. 6(1)(b) GDPR) and/or legitimate interest (Art. 6(1)(f) GDPR).
  • Sending commercial communications if you subscribe or request them. Legal basis: consent (Art. 6(1)(a) GDPR), which you may withdraw at any time without affecting the lawfulness of processing carried out prior to withdrawal.
  • Unsolicited B2B commercial communications to professionals holding roles related to our offering. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). See Section 10 for details.
  • Website security, fraud and abuse prevention. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Analytics and measurement via cookies or similar technologies. Legal basis: consent (Art. 6(1)(a) GDPR), withdrawable at any time.
  • Compliance with legal obligations (tax, accounting, defence of claims). Legal basis: legal obligation (Art. 6(1)(c) GDPR).

4. Recipients and data processors

To provide our services, we engage providers who act as data processors under a contract in accordance with Art. 28 GDPR. The categories of providers we use, with non-exhaustive representative examples, are:

  • Email sending and transactional messaging (e.g. Mailgun Technologies, Inc.).
  • Hosting infrastructure and dedicated servers (e.g. Hetzner Online GmbH).
  • Cloud services and backup storage (e.g. Microsoft Azure and Amazon Web Services).
  • Internal corporate productivity and email (e.g. Microsoft 365 from Microsoft Ireland Operations Ltd.).
  • Generative artificial intelligence services to assist the drafting of B2B communications (e.g. Google Cloud / Vertex AI and Anthropic, PBC).
  • Monitoring, metrics and observability on our own infrastructure.

This list may change over time according to operational needs. You may request the updated list of data processors by writing to legal@emplyx.com.

We may also disclose your data where there is a legal obligation or where it is necessary for the establishment, exercise or defence of legal claims, as well as to competent authorities and courts where legally required.

We do not sell, rent or transfer your data to third parties for commercial purposes.

5. International transfers

Some of the providers referred to in Section 4 are established outside the European Economic Area (EEA), principally in the United States. Consequently, part of the processing of your data involves an international transfer.

Where this occurs, Emplyx ensures that the transfer is covered by a valid mechanism under the GDPR, in particular:

  • An adequacy decision by the European Commission, where one exists (e.g. the EU–US Data Privacy Framework for providers certified in the United States).
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), signed with providers not covered by an adequacy decision.
  • Complementary technical and organisational measures where necessary following the relevant transfer impact assessment (encryption in transit and at rest, access controls, anonymisation where feasible).

You may request a copy of the applicable safeguards by writing to legal@emplyx.com.

6. Retention periods

We retain data for the following periods:

  • Data associated with a request or demo: up to 3 years from the last contact, unless the relationship develops into a customer relationship, in which case contractual and statutory retention periods apply.
  • Data for B2B commercial communications (prospecting): until you exercise your right to object, or up to 3 years from the last send with no response from you, whichever comes first.
  • Technical data and security logs: a maximum of 12 months.
  • Cookies: the period defined in the Cookie Policy for each category.
  • Data for legal obligations or defence of claims: for the applicable statutory limitation periods (up to 6 years for commercial and accounting obligations and up to 4 years for tax obligations in Spain, pursuant to Art. 30 of the Spanish Commercial Code (Código de Comercio) and Art. 66 LGT, or the equivalent periods applicable in other jurisdictions).

After these periods, data are deleted or irreversibly anonymised.

7. Your rights

As a data subject, you have the following rights:

  • Access: to know what data of yours we process.
  • Rectification: to correct inaccurate data.
  • Erasure: to request the deletion of your data.
  • Objection: to object to processing, in particular for commercial prospecting purposes.
  • Restriction of processing.
  • Portability: to receive your data in a structured format.
  • Withdrawal of consent, where that is the legal basis, without retroactive effect on processing already carried out.
  • Not to be subject to solely automated individual decisions with significant legal effects.

To exercise any of these rights, write to legal@emplyx.com stating the right you wish to exercise and, if you consider it necessary, enclosing a document verifying your identity. Your request will be addressed within a maximum of one month, extendable to two where justified by complexity.

If you consider that your rights have not been properly addressed, you may lodge a complaint with the competent supervisory authority: Agencia Española de Protección de Datos (AEPD, www.aepd.es), Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI, www.inai.org.mx) for Mexico, Agencia de Acceso a la Información Pública (AAIP, www.argentina.gob.ar/aaip) for Argentina, or the supervisory authority in your EU country (edpb.europa.eu).

8. Security

We apply technical and organisational measures appropriate to the risk of the processing, in particular: encryption in transit (TLS) and at rest, role-based access controls, encrypted backups, environment segregation, activity logging, internal training and periodic review. In the event of a security breach posing a risk to the rights and freedoms of those affected, we will notify the supervisory authority within 72 hours in accordance with Art. 33 GDPR and, where applicable, the affected data subjects.

9. Automated decision-making and profiling

To personalise B2B commercial communications and improve the relevance of our messages, we may use generative artificial intelligence tools (provided by suppliers such as Google Cloud / Vertex AI or Anthropic) that process publicly available professional data to assist in drafting email content.

This processing does not constitute solely automated individual decision-making with significant legal effects within the meaning of Art. 22 GDPR: the generated content is reviewed and approved before sending, no decisions affecting your rights are taken, and you may always object to the processing via the mechanisms described in Section 7 and the unsubscribe link included in each communication.

10. B2B commercial communications (data obtained from publicly accessible sources)

Where Emplyx sends you commercial communications to your professional email address without you having previously contacted us, we process your data under Art. 14 GDPR, applicable to data not collected directly from the data subject.

Categories of data: professional data (first name, surname, job title or position, professional email address and the company or organisation with which you are associated).

Origin of the data: publicly accessible sources, in particular: corporate websites, professional and sector directories, public registers (Registro Mercantil, BORME and equivalents) and other public sources of business activity information.

Purpose: to contact you in your capacity as a professional to present Emplyx services, products or commercial initiatives related to your professional activity or that of your company.

Legal basis: the legitimate interest of the controller (Art. 6(1)(f) GDPR) in carrying out B2B commercial activity directed at professionals. We have carried out a balancing assessment which concludes that this processing does not disproportionately affect your rights and freedoms, taking into account: (i) that the data relate to your professional activity and not to your private sphere; (ii) that they originate from publicly accessible sources where they appear precisely to facilitate professional contact; (iii) that the processing is limited to a reasonable initial communication; and (iv) that each communication offers a simple, free mechanism to object to the processing.

Retention period: your data will be retained until you exercise your right to object or request erasure, or for up to 3 years from the last send with no response from you, whichever comes first. After that period, the data are deleted from our prospecting databases.

Rights: you may object at any time to the processing of your data for commercial communications, as well as exercise the other rights described in Section 7, by writing to legal@emplyx.com or using the unsubscribe link included in each communication.

11. Protection of minors

The Website and Emplyx services are directed exclusively at adult professionals. We do not knowingly process personal data of children under 14. If you are aware that a minor has provided us with data without authorisation, please contact us at legal@emplyx.com and we will proceed with its deletion.

12. Changes to this policy

Emplyx may modify this Privacy Policy when necessary to adapt it to regulatory, technical or operational changes. The version in force will always be the one published on the Website, indicating the date of last update. We will keep a version history available on request at legal@emplyx.com.