Last update: October 2025

1. Information about the Data Controller

The Data Controller responsible for the processing of personal data collected through the website www.granpaso.company (hereinafter, the “Website”) is Granpaso Strategy Company S.L., with Tax Identification Number (CIF) B13899323, registered address at Avenida del Papa Negro 60, 3ºB, 28043 Madrid (Spain), and registered in the Madrid Business Registry under Volume 45278, Page 175, Section 8, Sheet M-796516, CNAE Code 7311 (hereinafter, “Granpaso”).

You can contact Granpaso at here@granpaso.company regarding this Privacy Policy or the processing of your personal data.

2. Data Collected, Purpose of Processing and Legal Basis

Granpaso processes personal data in two contexts: 2.1. Professional and client relationships (offline and by direct communication) and 2.2. Non-personal web analytics, through a privacy-friendly provider.

2.1. Provision of Services

When engaging in a professional or commercial relationship with Granpaso (for example, through service contracts, collaboration agreements or direct communication), we process personal data such as: Name, Surname, Email address, Phone number, Tax identification number, Payment information and billing details, and Postal or Business Address.

The purpose of processing these data is to maintain and manage the contractual or pre-contractual relationship, including communication, administration, invoicing, service delivery, and continuous improvement of our services.

The legal basis for this processing is the performance of a contract or pre-contractual measures, in accordance with Article 6(1)(b) of the GDPR.

Additionally, these data may be used to send commercial communications to existing clients, provided they have not objected at any time. The legal basis for this is Granpaso’s legitimate interest in direct marketing, in accordance with Article 6(1)(f) of the GDPR.

2.2. Web Analytics

Granpaso does not use forms, cookies, or any tracking technologies that collect personal data through the Website.

The Website uses Simple Analytics, a privacy-friendly analytics tool that does not collect personal data, does not use cookies, and is fully compliant with the GDPR and the ePrivacy Directive.

The purpose of this data processing is to: (1) Understand overall website usage and traffic patterns and (2) Improve the structure, content, and user experience of the Website.

The legal basis for this processing is Granpaso’s legitimate interest in understanding and improving the Website’s performance (Article 6(1)(f) GDPR). No personal data are collected, stored, or shared with third parties for marketing or profiling purposes.

3. Data Retention Period

Client data will be kept for as long as the contractual or professional relationship remains in place, and for the period necessary to comply with legal obligations (e.g. tax or accounting).

Analytics data are aggregated and non-personal; no identifiable data are stored.

Once the data are no longer required, they will be securely deleted or anonymized.

4. Recipients

Personal data will not be transferred to third parties, except where required by law. Service providers (such as accounting or IT providers) may act as data processors under Granpaso’s instructions and are bound by GDPR-compliant data processing agreements.

5. International Data Transfers

Granpaso does not transfer personal data outside the European Economic Area in the normal course of business.

If international transfers are required (e.g., when using third-party tools), appropriate safeguards such as Standard Contractual Clauses will be applied in accordance with GDPR requirements.

6. Data Subject Rights

Under applicable data protection regulations, you have the following rights: (1) Withdraw consent at any time (when processing is based on consent). (2) Access your personal data. (3) Rectify inaccurate or incomplete data. (4) Request erasure of your data when they are no longer necessary for the purposes collected. (5) Request restriction of processing, in which case the data will only be kept for the exercise or defence of legal claims. (6) Object to data processing, especially for direct marketing purposes. (7) Data portability, allowing you to receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.

You may exercise these rights by contacting here@granpaso.company, clearly indicating your request and attaching a copy of your ID if necessary.

Alternatively, you may write to: Granpaso Strategy Company S.L., Avenida del Papa Negro 60, 3ºB 28043 Madrid (Spain).

If you believe your rights have been violated, you can file a complaint with the Spanish Data Protection Agency (AEPD): C/ Jorge Juan, 6, 28001 Madrid, Website (https://www.aepd.es) and Electronic headquarters (https://sedeagpd.gob.es/sede-electronica-web).

7. Security and Updating of Your Personal Data

Granpaso has adopted all necessary technical and organisational measures to ensure the security of personal data and to prevent alteration, loss, or unauthorized access or processing, in accordance with applicable regulations. However, absolute security does not exist.

It is important that you inform Granpaso of any changes to your personal data so we can keep them up to date. Failure to provide accurate or complete data may make it impossible to manage your relationship or deliver requested services.

8. Confidentiality

All personal data will be treated with the utmost care and confidentiality by all personnel involved in any phase of the processing.