Privacy Policy

1. Data Controller

The data controller for personal data is OC Flow Media SL (hereinafter, “OC Flow Media” or “the Owner”), with address for notifications at C/ Pau Casals, 3 (Edificio CINC), 17001 Girona, Spain.

Contact email: legal@ocflowmedia.com.

We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under article 37 GDPR or article 34 LOPDGDD.

2. Personal Data We Collect

Data provided directly by the User through web forms: full name, email address, phone number and, in the case of the audit form, voluntary professional information about the company (sector, size, operational challenges).

Data collected automatically through cookies and similar technologies (subject to consent, except for strictly necessary ones): IP address, device and browser identifiers, pages visited, time spent and traffic source. Full details are available in our Cookie Policy.

We do not collect sensitive personal data (special categories under article 9 GDPR: health, racial origin, political opinions, etc.). If the User voluntarily provides them in a free-text field, we recommend refraining from doing so: they will be processed with the same diligence as the rest, but they are not necessary for the services we provide.

3. Purposes of Processing and Legal Basis

a) To respond to inquiries and requests received through the contact form. Legal basis: implementation of pre-contractual measures at the request of the data subject (art. 6.1.b GDPR) and, where applicable, consent (art. 6.1.a GDPR).

b) To manage the request and, where applicable, the provision of the AI audit and consulting service. Legal basis: implementation of pre-contractual measures and, once the relationship is formalised, performance of the contract (art. 6.1.b GDPR).

c) To manage subscription to our newsletter and to send commercial communications related to OC Flow Media. Legal basis: explicit consent of the data subject, collected specifically in the newsletter subscription form (art. 6.1.a GDPR). The User may unsubscribe at any time via the link included in each email.

d) To comply with applicable legal obligations, including tax, accounting and commercial obligations, and to respond to requests from competent authorities. Legal basis: compliance with a legal obligation (art. 6.1.c GDPR).

e) To analyse the use of the website through analytics tools (Google Analytics, Metricool) to improve content and user experience. Legal basis: consent (art. 6.1.a GDPR).

f) To measure the effectiveness of advertising campaigns and display personalised content through marketing cookies (LinkedIn Insight). Legal basis: consent (art. 6.1.a GDPR).

4. Retention Period

We retain personal data only for the time necessary to fulfil the purposes for which it was collected:

Newsletter subscribers: until the User withdraws consent (unsubscribes). After unsubscription, we retain a minimum record (email + unsubscription date) for 3 years to evidence the lawfulness of the historic processing, in accordance with the accountability principle of art. 5.2 GDPR.

Contact form data without subsequent contractual relationship: 1 year from the last communication.

Client data (audit, consulting): for the entire duration of the contractual relationship and, after its termination, 5 years, in compliance with the retention obligations under Spanish tax legislation (article 30 of the Commercial Code and article 66 of the General Tax Law 58/2003).

Browsing data and server logs: up to 12 months.

Cookies and similar technologies: as detailed in the Cookie Policy.

5. Recipients of the Data (Data Processors)

To provide our services we work with suppliers acting as data processors, with whom we have signed the relevant data processing agreement under article 28 GDPR. Your data may be communicated to:

MailerLite Limited (Ireland): newsletter management and delivery of commercial communications. Data stored in the European Union, ISO 27001 certified.

Make.com (Celonis Inc.): automation of the web form workflow. It processes the data submitted from the contact and audit forms to route it to OC Flow Media's internal tools.

Google Ireland Limited: Google Workspace (corporate email legal@ocflowmedia.com), Google Analytics and Google Tag Manager.

LinkedIn Ireland Unlimited Company: LinkedIn Insight Tag (only if the User grants marketing consent).

Metricool Software, S.L. (Spain): web analytics tool (only if the User grants analytics consent).

Vercel Inc.: hosting of the website ocflowmedia.com.

Pipedrive OÜ (Estonia) or equivalent platform (CRM): internal management of clients and commercial contacts.

In addition, we may communicate your data to the competent authorities (tax administration, law enforcement, courts) when there is a legal obligation to do so.

6. International Data Transfers

Some of our suppliers (Google, LinkedIn, Vercel, Make.com, Pipedrive) have a presence in the United States or in other countries outside the European Economic Area. These international transfers are based on one of the following appropriate safeguards provided by the GDPR:

Adequacy Decision of the European Commission of 10 July 2023 recognising an adequate level of protection of the EU-US Data Privacy Framework, to which these US suppliers adhere.

Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914), included in the data processor agreements.

MailerLite, Metricool and the Make.com services we use store the data in the European Union, so they do not entail any international transfer.

7. Automated Decisions and Profiling

OC Flow Media does not carry out automated decisions which produce legal effects on the User or significantly affect them in a similar manner (art. 22 GDPR).

Nor do we carry out profiling with such effects.

8. User Rights

As a data subject, the User may exercise the following rights at any time: access to their data, rectification, erasure (“right to be forgotten”), restriction of processing, objection, portability and, where the processing is based on consent, the right to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, simply send an email to legal@ocflowmedia.com indicating the right you wish to exercise and attaching, if necessary, a document evidencing the requester's identity. We will respond within one month, extendable by two further months in particularly complex cases.

Furthermore, if the User considers that their rights have not been properly handled or that the processing of their data infringes the applicable regulations, they have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan, 6, 28001 Madrid (www.aepd.es), which is the competent supervisory authority.

9. Minors

The website ocflowmedia.com is not directed to children under 14 years of age, the minimum age established by article 7 of the LOPDGDD to give valid consent for the processing of personal data in Spain.

If we become aware that personal data of a minor under 14 has been collected without the verifiable consent of the holder of parental responsibility or guardianship, we will proceed to its immediate deletion. Anyone who suspects this has occurred can let us know at legal@ocflowmedia.com.

10. Security Measures

OC Flow Media has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with article 32 GDPR: access controls, encryption in transit via TLS protocol, regular backups, staff training and selection of suppliers with recognised guarantees (ISO 27001, EU-US Data Privacy Framework, equivalent certifications).

However, no system on the Internet can be considered absolutely secure. In the event of a personal data security breach involving a high risk to the rights and freedoms of the affected Users, we will notify it without undue delay in accordance with article 34 GDPR.

11. Changes to this Policy

We may update this Privacy Policy when we add new services, when applicable legislation changes, or when recommended by the AEPD or European Data Protection Board (EDPB) guidelines.

Any substantial changes will be notified by means of a prominent notice on the website or, where appropriate, through a new request for consent. We recommend that you review this policy periodically.