Privacy policy · Petit Roig

This privacy policy governs how the personal data that users provide to us through this website is processed, in compliance with the Regulation (EU) 2016/679, of 27 April, General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).

Contents

Data controller
What personal data we collect
Purposes and legal basis
Retention period
Recipients and processors
International transfers
Your rights
Security measures
Minors
Changes to this policy

1. Data controller

Controller: Julien Bellet Ribes (hereinafter, "Petit Roig")
Tax ID (NIF): 60432516Q
Address for notifications: Banyeres del Penedès, 43711 · Tarragona · Catalonia · Spain
For official notifications, contact info@petitroig.com — full postal address available upon express request or legal requirement.
Email: info@petitroig.com
Activity: Digital marketing consultancy for SMBs

We have no Data Protection Officer (DPO) as the conditions of art. 37 GDPR do not apply. For any question regarding data protection you may address the controller directly.

2. What personal data we collect

We only process data that you provide voluntarily or that is generated through browsing, grouped into the following categories:

2.1 Contact form data

Identifying: first name and surname(s).
Contact: email address and, optionally, phone number.
Company (optional): name of company or organisation.
Message content: the information you choose to include.

2.2 Email or phone communications data

Content of correspondence, professional data you share and, if the commercial relationship is formalised, billing data (Tax ID, legal name, address).

2.3 Browsing and website usage data

IP address, browser and device type, operating system, pages visited, session duration, traffic source.
This data is collected by means of cookies and similar technologies — see the Cookie policy.
When analytics or advertising, it is only processed with your explicit consent via the cookie banner.

3. Purposes and legal basis of processing

Purpose	Legal basis (GDPR)
Respond to enquiries received via the form or email	Consent of the data subject — `art. 6.1.a`
Send proposals and manage the pre-contractual process	Pre-contractual measures — `art. 6.1.b`
Perform the contracted services and billing	Contract performance — `art. 6.1.b`
Comply with tax, accounting and legal obligations	Legal obligation — `art. 6.1.c`
Commercial communications to existing clients about similar services	Legitimate interest — `art. 6.1.f` and `LSSI-CE art. 21.2`
Web analytics and audience measurement	Consent — `art. 6.1.a`
Personalised advertising and remarketing	Consent — `art. 6.1.a`

No automated decisions are made and no profiling producing significant legal effects on the user is carried out.

4. Retention period

AI assistant leads (chatbot): up to 90 days from capture, unless you request earlier deletion. See section 5 on Anthropic and Supabase processors.
Non-contracted enquiries: up to 12 months from the last contact, unless you request earlier deletion.
Clients (contractual relationship): during the relationship and once terminated, throughout the applicable legal periods — up to 6 years for commercial and accounting documentation (art. 30 of the Spanish Commercial Code) and up to 4 years for tax obligations (Spanish General Tax Law).
Browsing data and cookies: according to the duration of each cookie indicated in the Cookie policy.
Commercial communications: until the data subject withdraws consent or objects.

5. Recipients and processors

Your data will not be transferred to third parties except by legal obligation. As processors, the technology service providers that support us may access it, with whom we have signed (or will sign) the corresponding processor agreement in accordance with art. 28 GDPR:

Categoria	Proveïdor	Ubicació
Web hosting	Vercel Inc. (CDN edge in the EU)	USA · transfer under DPF
Professional email	Google Ireland Ltd. (Google Workspace for `info@` and `jbellet@`)	Ireland (EU)
Web analytics	Google Ireland Ltd. (Google Analytics 4) — only if consent is active	Ireland (EU) · transfer to USA under DPF
Digital advertising	Google Ads, Meta Platforms Ireland Ltd. — only if consent is active	Ireland (EU) · transfer to USA under DPF
Tag manager	Google Tag Manager — only if consent is active	Ireland (EU)
Transactional email (contact form)	Resend Inc.	USA · transfer under DPF
Meeting scheduling	Calendly LLC	USA · transfer under DPF
Web fonts (CDN)	Google Ireland Ltd. (Google Fonts)	Ireland (EU)
AI conversational assistant (chatbot)	Anthropic PBC (Claude API) — only if you interact with the chatbot	USA · transfer under DPF
Lead persistence (chatbot, scheduling)	Supabase Inc. (PostgreSQL DB, Frankfurt region `eu-central-1`)	EU (Frankfurt) · no extra-EU transfer

6. International data transfers

When we use services from companies located outside the European Economic Area (mainly in the United States: Google, Meta), these transfers are carried out under the framework of the EU-US Data Privacy Framework (DPF), approved by the European Commission through Adequacy Decision of 10 July 2023, along with the corresponding Standard Contractual Clauses (SCCs) where necessary.

7. Your data protection rights

As the data subject, you have the following rights, which you may exercise free of charge:

Access — to know what data we process about you.
Rectification — to correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — to request that we delete your data.
Objection — to processing based on legitimate interest or for direct marketing purposes.
Restriction — to limit processing in certain circumstances.
Portability — to receive data in a structured format and transmit it to another controller.
Withdraw consent at any time, with no retroactive effect.

To exercise these rights, write to us at info@petitroig.com stating the right you wish to exercise and attaching a copy of your DNI/NIE or equivalent document. We will respond within a maximum period of one month (extendable to two months in complex cases).

If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the competent supervisory authority: the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid · www.aepd.es. In Catalonia, the Catalan Data Protection Authority (APDCAT) · apdcat.gencat.cat.

8. Security measures

We have implemented appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and ongoing resilience of the systems that process your data, in accordance with art. 32 GDPR: encrypted connections (HTTPS/TLS), access control, regular backups, confidentiality agreements with processors and protocols for security breaches.

That said, no system is 100% infallible. If we detect a security breach that may affect your rights, we will notify you within a maximum period of 72 hours in accordance with art. 33 GDPR.

9. Minors

This website is aimed at an adult, professional audience. We do not knowingly collect data from minors under 14 years of age. If you are under 14, do not provide personal data without the consent of your parents or legal guardians. If we detect that we have received data from a minor without valid consent, we will delete it immediately.

10. Changes to this policy

We may update this policy to reflect legal, jurisprudential or business changes. When changes are substantial, we will inform you prominently on the website or, if there is an active contractual relationship, by email. The date of the last update appears at the top of this page.

For any query about this policy or to exercise your rights: info@petitroig.com.