Privacy Policy

1. Who We Are
Role
Entity / Contact
Data Controller
Full name, company, job title
EU Representative*
(Art. 27 GDPR)
Email, phone
Data Protection Officer (DPO)
IP address, cookie IDs, pages visited, clicks, browser & OS
General contact
IP address, cookie IDs, pages visited, clicks, browser & OS
Please use these contact details only for GDPR-related enquiries or to exercise data-subject rights within the European Union.
2. What Data We Collect & How
Category
Examples
Source
Identification
Full name, company, job title
Contact / quotation forms
Contact details
Email, phone
Contact form
Usage & device data
IP address (anonymised in the EEA/UK/CH), cookie or advertising IDs, pages visited, clicks, browser & OS
Cookies, pixels, server logs
We do not intentionally collect “special-category” data (e.g., health, race, political opinions). Users must provide only accurate and relevant information.
3. Purposes & Legal Bases (Art. 6 GDPR)
Purpose
Legal basis
Legitimate-interest explanation (where applicable)
Respond to enquiries / prepare proposals
Contractual necessity Art 6 (1)(b)
Send newsletters & marketing
Consent Art 6 (1)(a) (opt-in box, can withdraw anytime)
Core site operation & security (strictly-necessary cookies, DDOS protection)
Legitimate interest Art 6 (1)(f)
Keep site functional & secure for all visitors
Analytics & performance (GA4)
Consent in EEA/UK/CH/BR, legitimate interest elsewhere
Improve content & UX with minimal privacy impact
Advertising / remarketing (Google Ads, Meta, LinkedIn)
Consent in EEA/UK/CH/BR, legitimate interest elsewhere
Grow our business by showing relevant ads

Users may withdraw consent at any moment; past processing remains lawful.

4. Cookies & Tracking

Non-essential cookies load only after you click “Accept” in our banner. You can revisit preferences via the Cookie Settings link. Full details appear in our Cookie Policy, which also describes Google Consent Mode v2 and Global Privacy Control (GPC) handling.

5. Processors & Data Sharing

We only share data with the processors below, each bound by a Data Processing Agreement and acting on our instructions:

Processor
Purpose
Safeguard for international transfer
Google LLC / Google Ireland
Cloud hosting, Google Analytics 4, Google Ads
SCCs + EU-US DPF
Meta Platforms Ireland Ltd.
Ad measurement & audiences
SCCs
LinkedIn Ireland Unlimited Co.
Ad measurement & audiences
SCCs
Mailchimp (Intuit Inc.)
Email marketing
SCCs + EU-US DPF
Monday.com Ltd.
CRM & lead management
SCCs
Other Google-authorised
Sub-processors
listed at https://business.safety.google/adssub
processors
Infrastructure support
30-day prior notice of changes
*Standard Contractual Clauses (“SCCs”), EU-US Data Privacy Framework (“DPF”), or UK/Swiss equivalents, as applicable. No processor may sell or share your data for its own purposes (CCPA §1798.140).
6. International Transfers

Data may be stored in the USA or other countries where our processors operate. Transfers rely on SCCs and, where recognised, the EU-US DPF or UK/Swiss adequacy decisions. You can request a copy of the relevant clauses via info@positive.agency.

7. Retention
Data set
Maximum period*
Leads / enquiries
3 years after last interaction or until deletion request
Newsletter list
Until you click “unsubscribe”
Analytics events
26 months (GA4)
Back-ups
Overwritten within 180 days
*We erase or anonymise once the purpose expires; shorter periods apply where law requires.
8. Security & Data Incidents

We host the Site on Webflow, which is SOC 2 Type II-certified and runs on ISO 27001-certified Amazon Web Services data centres. All traffic is encrypted via SSL/TLS, databases are encrypted at rest, and Cloudflare Enterprise provides DDoS mitigation and web-application firewall protection. Administrative access to Webflow, our CRM and email accounts is restricted with strong passwords and two-factor authentication (TOTP codes or FIDO2 security keys).

If a data incident occurs we will (i) notify the Supervisory Authority within 72 h when required, (ii) contact affected users without undue delay, and (iii) take remediation steps, all per Articles 33-34 GDPR and Google Ads Data Processing Terms.

9. Automated Decision-Making & Profiling

Ads are served based on pseudonymous identifiers and browsing behaviour.No decision produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

10. Your Rights
Right
How to exercise
Access, rectification, erasure, restriction, portability, objection
Email mdelaroca@positive.agency
Withdraw consent
Use “unsubscribe” links, Cookie Settings, or email us
“Do Not Sell/Share” (California)
Footer link or email
Lodge a complaint
You may contact your local Supervisory Authority; our lead authority is the Spanish Data Protection Agency (AEPD)
We answer requests within 30 days.
11. Children

Our services target adults 18+. If we learn we processed data from a child under 13 (U.S.) or under 16 (EEA) without parental consent, we will erase it immediately.

12. Changes to This Policy

We may update this notice at any time. The current version is shown by the “Last updated” date.Material changes will be announced on the Site or by e-mail at least 14 days in advance.

13. Contact

Questions about privacy?Email info@positive.agency or our DPO at mdelaroca@positive.agency.We reply within 30 days.

© 2025 Positive Communications LLC · All rights reserved