Privacy Policy
Patata Communication Agency, S.L.
Version: 10 July 2025
1 Controller
Patata Communication Agency, S.L.
Calle Riera Principal Nº 8, 08328 Alella (Barcelona), Spain
Tax Identification Number (NIF): B75668129
Email: contact@patataagency.com
Website: www.patataagency.com
2 Data-Protection Officer
We are not required to appoint a Data‑Protection Officer under Article 37 GDPR because our core activities do not involve large‑scale processing of special‑category data or systematic monitoring of individuals. We review this status regularly and will nominate a DPO if our processing activities change.
3 Personal Data We Process
ActivityPersonal dataSourceData subjectsContact form / EmailName, email address, message content, technical metadata (IP address, timestamp)Provided directly by the userEnquirers, prospective customersAI ChatbotConversation text, IP address, timestamp, browser/device informationProvided directly by the user; collected automaticallyWebsite visitorsWeb Analytics (Google Analytics 4)Pseudonymised identifier, truncated IP address, device and usage informationCollected automaticallyWebsite visitors
We do not collect any special‑category data (e.g. health information) and we do not create customer profiles.
4 Purposes and Legal Bases
ActivityPurposeLegal basis (Article 6 GDPR)Contact form / EmailResponding to your enquiry and any follow‑up communication(b) contractual or pre‑contractual stepsAI ChatbotInteractive guidance and support; improving our services (aggregated statistics, error analysis)(a) consent (banner opt‑in)Web AnalyticsMeasuring reach, detecting technical issues, optimising content(f) legitimate interest (balanced with user interests) or (a) consent via cookie banner
5 Recipients and International Transfers
RecipientServicePrimary server location(s)Transfer safeguardsOpenAI, Inc.Processing of chatbot conversationsUSA (global region, 30‑day log retention)Standard Contractual Clauses (SCCs) + EU–US Data Privacy Framework (DPF) certificationFramer B.V.Website hosting & CMSAWS eu‑west‑1 (Ireland)SCCsVercel, Inc.Deployment platform / Edge NetworkEU edge nodes; fallback USASCCs + EU–US DPF certificationResend, Inc.Transactional email service (contact form)AWS us‑east‑1 (USA)SCCs + EU–US DPF certificationGoogle LLCGoogle Workspace (email), Google Analytics 4EEA data centres & USAEU–US DPF certification
We do not sell or share personal data with third parties for advertising purposes.
6 Data Retention
Data setRetention periodDeletion methodContact‑form messages (Google Workspace inbox)Deleted within 60 days after we close the enquiryAutomatic purge rule in Gmail (older_than:60d)AI Chatbot logs (OpenAI abuse monitoring)Automatically erased after 30 daysAutomatic rotation by OpenAIWeb‑analytics aggregates14 months (minimum setting in GA4)Automatic expiry configured in GA4
We keep no local archives or backups of personal data beyond these periods unless legal claims require longer storage.
7 Data Subject Rights
Under Articles 15‑22 GDPR you have the right to request access to, rectification or erasure of your data, restriction of processing, data portability, and to object to processing or withdraw consent at any time. Please send your request to contact@patataagency.com and include information that enables us to verify your identity.
8 Security Measures
We implement industry‑standard safeguards in accordance with Article 32 GDPR, including TLS encryption, role‑based access controls, encrypted backups, regular software updates, and least‑privilege principles for our staff and freelancers.
9 Complaint to the Supervisory Authority
If you believe that our processing of your personal data infringes data‑protection law, you can lodge a complaint with the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain, or via www.aepd.es.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, technical or business developments. The "Version" date at the top indicates when this document was last amended.