Privacy Policy
Last updated: May 2026
Data Controller
Nodalix Consulting S.L. — incorporation in progress. Registered office: Barcelona, Spain. VAT: [In progress]. Registered in the Barcelona Commercial Registry.
Purpose of processing
Personal data collected through website forms is used exclusively for: (a) responding to inquiries and information requests; (b) managing pre-contractual and contractual commercial relationships; (c) sending commercial communications if you have given express consent.
Legal basis
Processing is based on: (a) Consent of the data subject (Art. 6.1.a GDPR) for commercial communications; (b) Performance of pre-contractual measures (Art. 6.1.b GDPR) for diagnostic requests; (c) Legitimate interest (Art. 6.1.f GDPR) for maintaining commercial relationships.
Retention period
Data is retained for the time necessary for the stated purpose. If no contract is formalized: 2 years. If formalized: duration of the relationship + 6 years (legal period for keeping commercial records).
Rights of data subjects
You may exercise your rights of access, rectification, erasure, objection, restriction of processing and portability by contacting contacto@nodalix.es, attaching a copy of your ID. You have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
International transfers
Data is hosted on servers of Hetzner Online GmbH located in Germany (FSN1 data center). Transfers to EEA are made with legal basis of EU Adequacy Decision (executive decision (EU) 2023/1791).
Security measures
Appropriate technical and organizational measures have been implemented: AES-256-GCM encryption, restricted access with multi-factor authentication, access auditing, automated backups, and credential rotation policy.
Data Processing Agreement
For Nodalix clients, a Data Processing Agreement (DPA) is signed in accordance with Art. 28 GDPR before any processing of personal data. The DPA includes: subject matter, duration, purpose, categories of data, obligations of the processor, authorized subprocessors (Hetzner, Resend), audit mechanisms, and data destruction/return procedures.
Download document
View full DPA (Art. 28 GDPR)