If you request information or if you contract Verifacti as a Client to integrate it into your SIF with the services included in the contracted Plan, the Data Controller for your Personal Data is the company Bilbabit, S.L., with registered office at c/ Udaberría, 10 - 4º B - 48992 - Getxo (Bizkaia), duly registered in the Commercial Registry of Bizkaia, Section 8, Sheet BI-84418, and with tax identification number (NIF): B75777847. Hereinafter, BILBABIT.
You may contact BILBABIT directly and effectively in relation to this privacy policy at the email address: info@verifacti.com.
If you contract Verifacti as a Client (whether a free or paid plan), you must register as a Client by clicking on the registration button provided for this purpose on the Website and providing your data through any of the following options:
In any case, BILBABIT will have access to your IP address, and for the contracting of paid services, BILBABIT will ask you to provide your tax details (name or company name, tax address, tax identification number), as well as details relating to the payment method used, retaining, in the case of payment by credit/debit card, only the last four digits thereof.
Your data as a Client at Verifacti is collected to enable the provision of the contracted Verifacti service, to send notifications relating to the service, and to manage billing and payment.
BILBABIT may also process your data for the purpose of sending commercial communications about its services, provided you have not objected to this, either at the time of collecting your data or at any subsequent time.
We remind you that you have the right to object to the sending of commercial communications at any time.
The legal basis for the Processing of your data for the provision of the service, billing management, payment, and sending of service notifications is the performance of a contract or pre-contract to which you, as a Data Subject, are a party.
The legal basis for sending commercial communications about BILBABIT's services, if you have contracted any of its services, is the legitimate interest of BILBABIT for direct marketing purposes.
If you contact BILBABIT by email or through the contact form to request information, BILBABIT will have access to your IP address, the email address you use, and the data you provide through that communication.
If you request information through any of the means that Verifacti makes available to you (chat, forms, etc.), identifying data such as your name, telephone number, and/or email address will be collected for the purpose of attending to your request, on the basis of the legitimate interest of BILBABIT.
We will send you commercial communications only if you have given your informed, free, unambiguous, and specific consent for this purpose.
The legal basis for responding to any information request is the legitimate interest of BILBABIT in attending to such requests.
The legal basis for sending commercial communications is the provision of informed, free, specific, and unambiguous consent through a clear affirmative action, such as ticking a checkbox.
If you subscribe to the Verifacti Newsletter, BILBABIT will process the following personal data:
Sending communications with relevant information, promotions, offers, and news related to Verifacti.
The legal basis for the Processing is the consent given by the Data Subject.
The Personal Data provided will be retained as long as there is a mutual interest in maintaining the purpose of the Processing and for the period during which legal liabilities may arise from the services provided to the Client as Data Subject.
When Processing is no longer necessary for the stated purposes, the Personal Data will be deleted using appropriate security measures.
A recipient is understood as any natural or legal person, public authority, agency, or other body to which personal data is disclosed, whether or not a third party.
Your data will not be disclosed to any third party other than BILBABIT, unless there is a legal obligation or you have given your express authorisation.
There are Data Processors, understood as entities that process personal data under the responsibility of BILBABIT, following its instructions, as providers of services necessary for the provision of the service requested by the Data Subject, with whom BILBABIT has entered into a data processing agreement in accordance with the applicable data protection regulations.
International data transfers involve a flow of personal data from Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland, and Norway).
BILBABIT may carry out international data transfers to sub-processors established in the United States, but only to entities adhering to the Data Privacy Framework.
As a Data Subject, you are entitled to exercise the following rights recognised by data protection legislation, as provided therein:
Furthermore, if you consider that any of your data protection rights have been infringed, you are entitled to lodge a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan, 6, 28001-Madrid https://www.aepd.es/ or through the electronic office of the AEPD: https://sedeagpd.gob.es/sede-electronica-web/.
In order to safeguard the security of the personal data of Data Subjects, BILBABIT has adopted all necessary technical and organisational measures to ensure the security of the personal data provided.
All of this is to prevent its alteration, loss, and/or unauthorised Processing or access, as required by the regulations, although absolute security does not exist.
To keep your personal data as a Data Subject up to date, you have the option of modifying or rectifying it through your Client Account at Verifacti or by contacting BILBABIT at the email address: soporte@verifacti.com.
Personal Data will be treated with the utmost care and confidentiality by all personnel involved in any phase of the Processing.
By contracting the services of BILBABIT, the Data Controller authorises BILBABIT to process on its behalf the personal data necessary to provide the contracted services.
The processing of the Processed Data will take place for as long as the service contract with the Client remains in force.
The processing of data by BILBABIT as Data Processor will be carried out at its own facilities using its own digital means and systems. The nature of the processing of the Processed Data is automated and consists of storing and accessing personal data.
The purpose of the Processing of the Data by the Data Processor on behalf of the Data Controller is exclusively the provision of the services contracted by the Data Controller.
For these purposes, the categories of Data Subjects and the types of data that may be processed by BILBABIT in its capacity as Data Processor are detailed below:
Those strictly necessary to achieve the purpose of providing the contracted services, and specifically:
The duty to inform the Data Subject of the processing shall be the sole responsibility of the Data Controller.
The Data Controller guarantees that the data provided to the Processor has been obtained lawfully and that it is adequate, relevant, and limited to the purposes of the processing.
The Data Controller shall make available to the Processor all the information necessary for the provision of the services.
BILBABIT undertakes to comply with all obligations incumbent upon it as Data Processor in accordance with current legislation and any other applicable provision or regulation.
BILBABIT shall not use or apply the Processed Data for purposes other than the provision of the contracted service.
The Data Processor shall make available to the Data Controller the information necessary to demonstrate compliance with the data processing agreement, allowing the inspections and audits necessary to evaluate the processing.
BILBABIT guarantees that the persons authorised to process the Processed Data have expressly committed in writing to respect the confidentiality of the data and are subject to a legal obligation of confidentiality.
BILBABIT shall take measures to ensure that any person acting under its authority and having access to personal data can only process them in accordance with the instructions of the Data Controller and is obliged to do so under current legislation.
BILBABIT guarantees that the persons authorised to process the data have received the necessary training to ensure that the protection of personal data is not put at risk.
BILBABIT declares that it is up to date with the obligations arising from data protection regulations, especially with regard to the implementation of security measures for the different categories of data and processing established in Article 32 of the GDPR.
BILBABIT guarantees that these security measures will be properly implemented and will help the Data Controller to comply with the obligations established in the GDPR, taking into account the nature of the processing and the information available to the Data Processor.
The Data Controller shall carry out an analysis of the possible risks arising from the processing to determine the appropriate security measures to ensure the security of the processed information and the rights of the Data Subject and, if the Data Controller determines that risks exist, shall send the Processor a report with the impact assessment so that the Data Processor can proceed to implement the appropriate measures to prevent or mitigate the risks.
BILBABIT shall analyse the possible risks and other circumstances that may have an impact on security and that may be attributable to it and, where applicable, shall inform the Data Controller to assess its impact.
Security breaches of which the Data Processor becomes aware shall be notified without undue delay to the Data Controller for its knowledge and the application of measures to remedy and mitigate the effects caused.
The notification of a possible security breach shall contain at least the following information:
The Data Processor may not disclose data to other recipients unless it has previously obtained the written authorisation of the Data Controller, which, if it exists, shall be attached to this agreement.
The transmission of data to public authorities in the exercise of their public service does not require the authorisation of the Data Controller if such transmissions are necessary to achieve the purpose of the processing.
BILBABIT undertakes to fully comply with the applicable Data Protection Laws with regard to the engagement of Sub-processors, including the conditions referred to in Article 28 of the GDPR, where applicable.
BILBABIT shall have general authorisation for the engagement of the following sub-processors currently in use:
BILBABIT shall specifically inform the Data Controller in writing of any change it intends to make to the list, whether by adding to it or replacing a Sub-processor, with a minimum of 30 days' notice, thereby giving the Data Controller sufficient time to object to such changes before the engagement of the Sub-processor(s) in question.
BILBABIT shall provide the Data Controller with the information necessary for the Data Controller to exercise its right of objection. If the Data Controller does not object within the aforementioned 30-day period, authorisation to appoint the Sub-processor shall be deemed to have been granted.
BILBABIT shall observe, where applicable, the implementation of appropriate safeguards, including, but not limited to, the use of Standard Contractual Clauses (SCCs) and/or other applicable measures.
BILBABIT must include in any agreement with Sub-processors receiving Confidential Information a provision whereby the Sub-processor shall be subject to the same obligations of confidentiality, data protection, and data security to which the Processor is bound under the Agreement and this DPA.
In any case, BILBABIT shall remain fully liable for any negligence and/or damage caused to the Data Controller and/or its Processed Data and for any breach of Data Protection Laws or the rights of Data Subjects by its Sub-processors.
BILBABIT provides its services through servers located in European territory, so there is no international transfer of Processed Data.
Notwithstanding the foregoing, if the Processor intends to process the Processed Data outside the territory of the European Economic Area (EEA), including through the use of Sub-processors or to transfer data to any third country or international organisation without an adequacy decision in accordance with Article 45(3) GDPR, or any other existing legal requirement/limitation under applicable data protection laws regarding transfers of personal data, BILBABIT shall only do so subject to the prior written approval of the Data Controller and subject to the implementation of appropriate safeguards, including, but not limited to, the use of Standard Contractual Clauses (SCCs), which shall apply automatically where necessary, and/or other applicable measures, to ensure sufficient safeguards for compliance with such requirements and any applicable data protection laws.
BILBABIT shall, whenever possible, and taking into account the nature of the processing, create the necessary technical and organisational conditions to assist the Data Controller in its obligation to respond to requests regarding Data Subject rights.
In the event that the Processor receives a request for the exercise of such rights, it shall notify the Data Controller immediately, and in no case later than the business day following receipt of the request, along with any other information that may be relevant to the resolution of the request.
In accordance with Article 82 of the GDPR, the Data Controller shall be liable for damages caused by any processing operation in which it participates that does not comply with the provisions of the GDPR, and only the Data Processor shall be liable for damages and losses caused by processing where it has not complied with the obligations of the GDPR specifically directed at the Data Processor or has acted outside or contrary to the lawful instructions of the Data Controller.
Likewise, the Data Processor shall be exempt from liability if it can prove that it was in no way responsible for the event giving rise to the damage.
Once the contracted services have ended for any reason, if the Data Processor has stored personal data, or any other document and/or medium provided to it by any means, it shall return or delete them, at the discretion of the Data Controller, including any existing copies.
Data shall not be deleted when its retention is required by a legal obligation, in which case the Data Processor shall continue to store it, blocking the data and limiting its processing to the extent that liabilities may arise from its relationship with the Data Controller.
The Data Processor shall maintain the obligation of secrecy and confidentiality of the data even after the conclusion of the service relationship.
In the event that the Client wishes to obtain a signed copy of the Data Processing Agreement (DPA), it may request it by sending an email to soporte@verifacti.com.