Privacy Policy
This Privacy Policy describes how Secyda Labs, S.L. ("Secyda") collects, uses, retains, protects and, where applicable, communicates personal data processed through the website secyda.eu, its subdomains, forms, contact environments, investor portals, datarooms and other interactions in which Secyda acts as data controller. Secyda processes personal data in accordance with Regulation (EU) 2016/679 ("GDPR"), Organic Law 3/2018 and other applicable data protection and information society services legislation.
Data controller
- Secyda Labs, S.L. — CIF: B88750724
- Address: Campoamor 90, 46022 Valencia, Spain
- Privacy email: legal@secyda.eu
Privacy contact
Secyda has an internal contact responsible for coordinating privacy and data protection matters. For any enquiry, exercise of rights or communication related to this Policy, please write to legal@secyda.eu.
Categories of data Secyda may process
- Data provided directly by the data subject: identity data, contact data, professional data, information provided in forms, requests, meetings, demos or communications with Secyda, and information shared in investment, partnership, pilot or due diligence contexts.
- Automatically collected data: IP address, device or browser identifiers, browser type, operating system, language, pages visited, browsing paths, usage events and data derived from the use of storage technologies, in accordance with the Cookie Policy.
- Third-party data provided by the user: if a person provides Secyda with personal data of third parties, they guarantee that they have sufficient legal basis to do so and that they have previously informed those third parties where required.
Data is collected through website forms, email or other corporate contact communications, requests for access to private portals or investor materials, browsing interactions in accordance with cookie preferences, and meetings or professional interactions related to Secyda's activities.
We do not process special category data within the meaning of Article 9 GDPR.
5. Sources of data
Secyda may obtain personal data through website forms, communications sent by email or other corporate contact means, waiting list, demo request, early access or commercial contact forms, requests for access to private portals or investor materials, browsing and website usage interactions in accordance with cookie preferences, and meetings, events, commercial sessions or professional interactions related to Secyda's activities.
Purposes of processing
6.1. Handling contact requests and communications
Managing, responding to and following up on contact requests, legal, commercial, institutional, technical or corporate enquiries sent through forms, email or other communication channels.
6.2. Managing commercial opportunities and professional relationships
Managing requests for information about products, services, demos, pilots, proposals, collaborations, contracting, tenders, suppliers, partnerships or professional relationships linked to Secyda's activities.
6.3. Managing early access and waiting lists
Managing expressions of interest, waiting lists, early access programmes or communications related to Secyda products, services or initiatives when requested by the data subject.
6.4. Managing the investor portal and restricted areas
Verifying identities, managing access, administering permissions, preserving security and facilitating the use of private areas, investor portals, datarooms and other restricted environments.
6.5. Website and infrastructure security
Monitoring the operation of the website and associated infrastructure, preventing unauthorised access, detecting abuse, investigating incidents and protecting Secyda's systems, assets and information, as well as those of users and third parties.
6.6. Website improvement and analytics
Analysing website usage, understanding browsing trends, measuring page and content performance, and improving the user experience, always in accordance with the applicable legal basis and the cookie preferences expressed by the user.
6.7. Legal compliance and defence
Complying with legal, regulatory or administrative obligations; managing authority requests; attending audits; and exercising or defending claims.
6.8. Sending communications
Sending informational, corporate, professional or commercial communications related to Secyda, its products, services, events or activities, where prior consent exists or where another legitimate basis under applicable law applies.
Legal bases for processing
- Consent of the data subject, for example for sending certain communications, managing waiting lists or accepting analytics cookies.
- Performance of pre-contractual measures or a contractual relationship, where processing is necessary to handle a request, manage access or prepare a commercial relationship requested by the data subject or the entity they represent.
- Compliance with legal obligations applicable to Secyda.
- Legitimate interest Legitimate interest of Secyda, where applicable and as long as the rights and freedoms of data subjects do not prevail; for example, to ensure website security, prevent fraud, manage incidents or maintain corporate professional relationships.
Recipients of data
As a general rule, Secyda does not sell personal data or share it with third parties for their own purposes, except where required by law or for legitimate operational necessity. The following categories of third parties may access personal data:
- Service providers including hosting, infrastructure, email, cybersecurity, forms, analytics, technical support or corporate tools.
- Legal, tax, accounting, audit advisors and other professionals subject to confidentiality obligations.
- Financial institutions, investors, partners or authorised third parties, only where necessary for the management of a legitimate relationship and with appropriate safeguards.
- Public authorities, courts, tribunals or other competent authorities, where legally required or upon valid request.
Where third parties act on behalf of Secyda, the corresponding data processing agreements will be signed where legally required.
Providers and infrastructure
Secyda manages its digital infrastructure primarily on its own servers hosted in the European Union. Corporate email is managed through Proton Mail AG, headquartered in Switzerland, a country with an adequacy decision from the European Commission under Article 45 GDPR. Web analytics, when the user consents, are processed by a self-hosted instance of PostHog on Secyda's servers within the European Economic Area. No analytical data is transferred to third-party infrastructure outside Secyda's control. The specific identity of other providers may vary over time due to operational, security or regulatory compliance needs. When such providers access personal data on Secyda's behalf, they do so pursuant to documented instructions, appropriate contracts and suitable technical and organisational measures.
International transfers
As a general rule, Secyda processes personal data within the European Economic Area. The only provider involving an international data transfer is Proton Mail AG (Switzerland), covered by the European Commission's adequacy decision for Switzerland. Should other international transfers occur, Secyda will adopt the appropriate safeguards required by the GDPR, which may include adequacy decisions, standard contractual clauses approved by the European Commission or other valid mechanisms under applicable law. Additional information about applicable safeguards may be requested by contacting legal@secyda.eu.
Data retention
- Contact requests and enquiries: for the time necessary to handle the request plus the applicable legal limitation periods.
- Commercial requests and professional relationships: while reasonable mutual interest is maintained and for the periods necessary to evidence the relationship or address potential claims.
- Waiting lists or early access: until the data subject unsubscribes, withdraws consent or the initiative closes.
- Access to private portals or datarooms: for the duration of the relationship and the periods necessary to evidence access and meet legal or contractual obligations.
- Browsing and analytics data: for the periods indicated in the Cookie Policy or until consent is withdrawn.
Automated decisions and profiling
Secyda does not make decisions based solely on automated processing that produce legal effects on individuals or significantly affect them. Should such processes be implemented in the future, Secyda will inform affected individuals in accordance with applicable regulations.
13. Mandatory data
In forms or processes where data is identified as mandatory, failure to provide it may prevent the provision of the service, handling of the request or processing of the relevant relationship.
Data subject rights
The data subject may exercise, in the terms provided for by applicable law, the following rights: access, rectification, erasure, objection, restriction of processing, data portability, withdrawal of consent at any time when processing is based on consent, and the right not to be subject to automated individual decisions, where applicable.
To exercise these rights, a request may be sent to legal@secyda.eu indicating name and surname, contact details, the right to be exercised and information necessary to verify identity where reasonably or legally required.
Furthermore, if you consider that your rights have not been adequately addressed, you may lodge a complaint with the Spanish Data Protection Agency. (Spanish Data Protection Agency).
Information security
Secyda applies appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised access or unauthorised disclosure. These measures include, as appropriate, communications encryption, access controls, environment segmentation, backups, activity logs, enhanced authentication, privilege minimisation, internal incident response procedures and infrastructure hardening measures. No security measure can guarantee absolute protection. Secyda therefore continuously reviews and improves its controls in accordance with risk and the state of the art.
16. Minors
The Secyda website and corporate services are not directed at minors. Secyda does not knowingly request information from minors without the intervention or authorisation that may be legally required. If data from a minor is found to have been collected contrary to this Policy, Secyda will take reasonable steps to delete or regularise it.
17. Changes to this Policy
Secyda may update this Privacy Policy to reflect legal, regulatory, technical, organisational or business changes. When changes are relevant, the updated version will be published on the website with the date of last update and, where legally required, additional information or consent measures will be adopted.