At ENVIA IT, S.L. we are committed to protecting personal data and respecting the privacy of all individuals whose data may be processed through our website, platforms, products and services.
1. Data Controller
The data controller is ENVIA IT, S.L., Diseminado Puente Culebra 24, 04738 Vícar, Almería, Spain (Tax ID: B06972467). Registered at the Registro Mercantil de Almería, tomo 2139, folio 133, hoja AL-59277. Data Protection Contact: [email protected]. References to a Data Protection Contact in this Privacy Policy do not imply the formal designation of a Data Protection Officer (DPO) under Article 37 of the GDPR, unless otherwise communicated by ENVIA IT, S.L.
2. Scope
This Privacy Policy applies when you browse our website, contact us, register for an account, purchase a subscription to our products, engage us for custom development or consulting, interact with us as a customer, partner, supplier or business contact, receive commercial communications, use any of our SaaS platforms (Nudato, MRM, VEP), or your data is processed through one of our platforms on behalf of a customer. For specific data processing related to the Nudato platform and event attendees, refer also to the Nudato Privacy Policy at nudato.com/privacy.
3. Our Roles: Controller and Processor
Envia IT acts as controller when processing personal data for its own purposes: website operation and analytics, lead and prospect management, account creation, customer/partner/supplier relationship management, billing, technical support, security, recruitment processes, legal compliance and direct marketing. Envia IT acts as processor when processing personal data on behalf of customers through its SaaS platforms or in custom development projects. In those cases, the customer is the controller and Envia IT processes the data on the customer's documented instructions, governed by the applicable Data Processing Addendum (DPA).
4. Categories of Personal Data We Process
Data collected through the website and commercial interactions: identification data (name, surname), contact (email, phone), professional (job title, organization, country), communications, interest data (selected solutions), consent records, and technical/browsing data (IP, device, cookies). Data related to customer accounts: account and authentication data, contracts, subscriptions, billing, support, security and audit logs. Data processed through SaaS platforms on behalf of customers: end-user data, attendees, registration, interaction, communications and uploaded files. Data related to custom development projects: project contacts, access credentials to client environments and technical data.
5. Sources of Personal Data
We collect data directly from you when you fill in forms or contact us; automatically through cookies and logs when you browse our website; from our customers when they upload data to our platforms; from partners and resellers in connection with joint commercial activities; from service providers and integration partners; and from publicly available professional sources, where permitted by law.
6. Purposes of Processing and Legal Bases
We process data for the following purposes with their corresponding legal bases: responding to enquiries (consent or pre-contractual steps), managing subscriptions/accounts/contracts (performance of a contract), managing custom development projects (performance of a contract), billing and tax compliance (legal obligation), relationship management (contract / legitimate interest), technical support (contract / legitimate interest), security and fraud prevention (legitimate interest / legal obligation), cookie management (consent where required), commercial communications (consent or legitimate interest), evidence of consent (legal obligation), and recruitment processes (consent or pre-contractual steps). Where legitimate interest is cited, ENVIA IT, S.L. has conducted a Legitimate Interest Assessment (LIA).
7. Data Retention
We retain personal data only for as long as necessary. Customer data: duration of contract + 6 years. Billing data: 6 years or longer if required by law. Partner and supplier data: duration of relationship + 6 years. Prospective customer data: 12 months from last contact. Website form data: 6 months. Support data: 2 years. Custom project data: project duration + warranty period + 6 years. Cookies: up to 24 months. Evidence of consent: 5 years. Security logs: 12 months. Candidate data: up to 24 months with consent. When Envia IT acts as processor, retention is governed by the customer's instructions and the applicable DPA.
8. Recipients and Service Providers
We may share personal data with trusted third parties where necessary, including providers of cloud hosting and infrastructure, content delivery and security, payment processing, communications, development and DevOps tools, analytics, AI-assisted functionalities and reCAPTCHA. Main providers: AWS (hosting, EU/US), Cloudflare (CDN/security, global), Google Analytics (analytics, US, consent required), Google reCAPTCHA (security, US), GitHub (DevOps, US), Stripe (payments, US/EU), Twilio (messaging, US), OpenAI (AI, US). We do not sell personal data.
9. International Data Transfers
Personal data may be transferred internationally where our providers are located outside your country. We implement appropriate safeguards: adequacy decisions issued by the European Commission, the EU-US Data Privacy Framework (DPF) for transfers to certified US organizations, Standard Contractual Clauses (SCCs), and the UK International Data Transfer Agreement (IDTA) where applicable. For Latin American jurisdictions, transfers comply with LFPDPPP (Mexico), Law 25.326 (Argentina), LGPD (Brazil), Law 19.628 (Chile) and Law 29733 (Peru).
10. Cookies and Similar Technologies
For detailed information about the cookies used on enviait.com, please refer to our Cookie Policy, available at enviait.com/cookie-policy.
11. Data Subject Rights
Depending on applicable law and your location, you may have the right to: access your personal data, rectify inaccurate or incomplete data, request erasure, request restriction of processing, object to processing, data portability, withdraw consent at any time, and object to direct marketing. To exercise your rights, contact [email protected] with subject: Data Protection – Envia IT. Response timeframes: EU/UK (GDPR): one month, extendable by two months; Mexico: 20 business days; Argentina: 10 business days; Brazil: 15 days for simplified requests; Chile/Peru: per applicable local legislation.
12. Complaints and Supervisory Authorities
Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es. United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk. Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd. Mexico: Instituto Nacional de Transparencia (INAI). Argentina: Agencia de Acceso a la Información Pública (AAIP). Chile/Peru: applicable local data protection authorities.
13. Security Measures
Envia IT applies technical and organizational measures aligned with UNE-EN ISO 27001 standards, aimed at protecting personal data against unauthorized access, loss, alteration, unlawful disclosure or destruction. These measures include access control and role-based permissions, authentication and credential protection, logging and monitoring, secure communications (TLS/SSL), backup and recovery processes, vendor and infrastructure controls, internal procedures for incident handling and continuous security training for personnel.
14. Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, Envia IT will notify the competent supervisory authority within 72 hours (Article 33 GDPR), notify affected data subjects without undue delay where high risk is identified (Article 34 GDPR) and, where acting as processor, notify the affected customer/controller without undue delay.
15. Third-Party Data and Age
If you provide personal data relating to third parties, you represent that you are authorized to do so and that you have informed those individuals about the relevant processing. Our services are intended for business and professional use. Users must be at least 18 years old to provide personal data or use our services.
16. Changes and Contact
We may update this Privacy Policy from time to time. Material changes will be communicated through the website or other appropriate channels. For enquiries: ENVIA IT, S.L. — Data Protection Contact: [email protected]. General enquiries: [email protected]. Phone: +34 877 401 969.