GDPR Compliance Policy

Last updated: 29-10-2025

1. Introduction

At SiestaAI, we take data protection and privacy very seriously.

As a company established in Spain and operating globally, we are fully committed to complying with the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

This document outlines our approach to GDPR compliance, including how we collect, process, store, and protect personal data of individuals (“data subjects”) located within the European Economic Area (EEA).


2. Our Role Under GDPR

Depending on the context of data processing, SiestaAI may act as either:

  • A Data Controller, when we determine the purposes and means of processing personal data (e.g., website visitors, clients, marketing data).

  • A Data Processor, when we process data on behalf of a client in connection with the services we provide (e.g., automation workflows involving user data).

In both cases, we implement strong data protection and security measures to ensure compliance with GDPR.


3. Legal Bases for Processing

We process personal data only when there is a lawful basis under Article 6 of the GDPR. These include:

  • Consent: When you have given us explicit permission to process your data (e.g., subscribing to a newsletter).

  • Contractual necessity: When processing is necessary to perform a contract or provide a requested service.

  • Legal obligation: When processing is required to comply with applicable laws or regulations.

  • Legitimate interests: When processing is necessary for our legitimate business interests, provided they do not override your rights and freedoms.


4. Data We Process

We collect and process the following categories of personal data (depending on the nature of your interaction with us):

  • Contact details (name, email, phone number)

  • Company and business information

  • Payment and billing details

  • Technical data (IP address, browser type, device information)

  • Website analytics and behavioral data

  • Any data you voluntarily share with us through forms, chat, or email

We do not collect or process special categories of data (e.g., health, religion, political opinions) unless explicitly required and lawfully justified.


5. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.

  • Right to Rectification: Correct any inaccurate or incomplete information.

  • Right to Erasure (“Right to Be Forgotten”): Request deletion of your data in certain circumstances.

  • Right to Restrict Processing: Limit how we process your data.

  • Right to Data Portability: Request a copy of your data in a structured, machine-readable format.

  • Right to Object: Object to certain types of processing, such as direct marketing.

  • Right to Withdraw Consent: Withdraw consent at any time, without affecting prior lawful processing.

To exercise any of these rights, please contact us at [Your Contact Email]. We will respond to your request within 30 days, in accordance with GDPR requirements.


6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.

When data is no longer needed, it is securely deleted, anonymized, or archived in compliance with GDPR principles.


7. Data Security

We implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data, including:

  • Encryption and secure storage

  • Access control and authentication

  • Regular security audits and monitoring

  • Staff training on data protection practices

While no system can guarantee absolute security, we continuously assess and improve our safeguards to protect personal information.


8. Data Transfers Outside the EEA

When personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Adequacy decisions for countries recognized as providing adequate data protection

  • Other GDPR-compliant mechanisms ensuring lawful international transfers


9. Data Processing on Behalf of Clients

When acting as a Data Processor, we:

  • Process data strictly according to the client’s documented instructions

  • Implement equivalent data protection and security measures as required by GDPR

  • Enter into Data Processing Agreements (DPAs) with clients to ensure compliance

  • Assist clients in fulfilling their own GDPR obligations (e.g., responding to data subject requests)


10. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (if required by law)

  • Inform affected individuals without undue delay, if the breach poses a high risk to their rights and freedoms

  • Take immediate action to contain and remedy the situation


11. Data Protection Officer (DPO)

If required by law, [Your Agency Name] will appoint a Data Protection Officer (DPO) to oversee compliance.
For inquiries related to data protection or GDPR compliance, please contact:

Entity: SiestaAI
Email: info@siestaai.es
Subject line: “GDPR Inquiry”


12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority.

As we are based in Spain, our lead supervisory authority is:

Agencia Española de Protección de Datos (AEPD)
Website: https://www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain


13. Updates to This Policy

We may update this GDPR Compliance Policy from time to time to reflect regulatory changes or improvements in our data protection practices.
All updates will be published on this page with a revised “last updated” date.


14. Contact Us

If you have any questions about our GDPR compliance or how we handle your personal data, please contact:

Entity: SiestaAI
Registered Address: Calle Frederik Handel 3, Buzon 499, 03738 Javea
Email: info@siestaai.es
Website: siestaai.es