Skip to main content
Equiora
  • Services
  • Team
  • Insights
  • Contact
ES Book a call →

LEGAL · PRIVACY

Privacy Policy

Last updated: 2026-06-27


This Privacy Policy governs how Equiora processes personal data in the course of its consulting activity and through this website, in accordance with Regulation (EU) 2016/679 (the GDPR) and the Spanish Data Protection Act — Ley Orgánica 3/2018, LOPDGDD.

1. Data controller

The data controller is Dulce María Medina Rojas, trading as Equiora (“Equiora”), with the following details:

  • Holder: Dulce María Medina Rojas (sole trader / autónoma)
  • Tax ID (NIF): 79093627P
  • Registered office: Avenida VIII de Agosto, 25, Santo Domingo, La Guancha · Santa Cruz de Tenerife · Tenerife · Canary Islands · EU
  • Email: compliance@equiora.es

No Data Protection Officer (DPO) has been appointed, as the thresholds of Article 37 GDPR and Article 34 LOPDGDD are not met for our current activity and volume. For any data-protection matter, please contact compliance@equiora.es.

2. What data we process, for what purpose, and on what legal basis

We process your data for the purposes below, each with its own lawful basis. We collect only the data necessary for each purpose (data minimisation) and we carry out no automated decision-making with legal effects and no profiling.

PurposeDataLawful basis (Art. 6 GDPR)
Responding to enquiries sent through the contact form, and managing meeting bookings. Name, email, company, role, country, sector and your message; meeting date/time. Consent (6.1.a), given when you tick the box and submit the form or book the meeting.
Delivering downloadable materials you request (e.g. guides). Name and professional email. Consent (6.1.a).
B2B outreach: contacting professionals at companies likely to be interested in our services. Name, role, company, sector and professional contact data (corporate email/phone, LinkedIn). Legitimate interest (6.1.f) in direct B2B marketing (Recital 47 GDPR). See also section 3.
Managing the contractual relationship with clients and meeting tax and accounting obligations. Client and contact-person identification and contact data; billing data. Performance of a contract (6.1.b) and compliance with legal obligations (6.1.c).
Securing the site and preventing form abuse; aggregate, anonymous audience measurement. Minimal technical metadata (your IP address is processed by the provider for security). Analytics is aggregate and cookieless. Legitimate interest (6.1.f) in information security.

3. Where we obtain your data

When you contact us, the data comes from you. In our B2B outreach activity, professional contact data may come from publicly available or professional sources: your company's website, sector directories (for example, trade associations or chambers of commerce), professional networks such as LinkedIn, or contacts shared at events or through referrals. In those cases we process only data relating to your professional role, never your private life, in accordance with Article 14 GDPR.

4. How long we keep your data

  • Enquiries and outreach: for as long as there is an active commercial interest or relationship. With no interaction or open opportunity, data is deleted or anonymised after 12 months. If you object, deletion is immediate and you are added to a suppression list so we do not contact you again.
  • Clients: for the duration of the relationship and, thereafter, for the applicable legal retention periods (tax, accounting and, where relevant, professional).
  • Security: technical logs are kept only as long as strictly necessary for their purpose.

5. Who we share your data with

We do not disclose your data to third parties except where legally required. We do rely on service providers (processors) that process data on Equiora's behalf under a data-processing agreement (DPA):

ProviderPurposeLocation
Google Ireland Ltd / Google LLC (Workspace)Email, calendar and storageEU / US (SCC · DPF)
HubSpot, Inc.CRM (contact and opportunity management)EU — Frankfurt data region (SCC · DPF)
Cloudflare, Inc.Hosting, CDN, anti-abuse security and cookieless analyticsEU / US (SCC · DPF)
Cal.com, Inc.Meeting bookingsEU / US (SCC · DPF)

International transfers: some of these providers are headquartered in the United States. Transfers are covered by the Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework (DPF) set out in each provider's processing agreement. We keep an up-to-date processor list available on request at compliance@equiora.es.

6. Your rights

You may exercise the following rights, free of charge:

  • Access to your personal data.
  • Rectification of inaccurate data.
  • Erasure of your data.
  • Objection to processing, including outreach.
  • Restriction of processing.
  • Portability of your data.
  • Withdrawal of consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise them, write to compliance@equiora.es stating the right you wish to exercise. If you believe the processing does not comply with the law, you may lodge a complaint with the Spanish Data Protection Agency — AEPD (www.aepd.es).

7. Security measures

We apply technical and organisational measures appropriate to the risk: encryption in transit (HTTPS), two-factor authentication on all accounts, role-based access control, a default-deny sharing policy, and anti-abuse protection on forms.

8. Cookies

This site uses cookieless web analytics and, where applicable, strictly necessary cookies. For details, see our Cookies Policy.

9. Changes to this policy

We may update this Privacy Policy to reflect changes in the law or in our activity. The version in force is always the one published on this page, with its last-updated date.

Equiora

Environmental assurance and ESG reporting, with rigour.

Santa Cruz de Tenerife · Tenerife · Canary Islands · EU

Services
  • All services
Equiora
  • Team
  • Insights
  • Contact
Legal
  • Legal notice
  • Privacy
  • Cookies
  • Terms
  • Accessibility
  • Credits

© 2026

Equiora. All rights reserved.