Privacy Policy
Last updated: 25 May 2026 (US scope added)
1. Data controller
Under Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018 (UK GDPR), and applicable US state privacy laws (including California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA and Texas TDPSA · pending solicitor confirmation of applicability thresholds), the entity responsible for the processing of personal data collected through www.auditscale.eu (acting as "data controller" under EU/UK terminology and as "business" under US state-law terminology) is:
- Controller: Andrés Prestien (Spanish NIF 47389476P), trading as AuditScale
- Address: Seville, Spain
- Contact (data protection enquiries): contacto@auditscale.es
- EU Representative: Not applicable — controller established in the EU (Spain).
- UK Representative under UK GDPR Art. 27: To be appointed if and when processing of UK personal data becomes regular (currently below threshold). UK residents may contact the controller directly at the email above.
2. What data we collect and why
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Full name, professional email, firm name, employee range, annual revenue range, firm URL | Evaluate eligibility for the GEO Dashboard and respond to your request | 6(1)(b) — performance of pre-contractual measures at your request | 24 months after last contact, then deleted |
| Marketing consent (checkbox) | Audit trail of your explicit consent | 6(1)(a) — consent | Until consent is withdrawn + 3 years (evidentiary) |
| Booking data (Cal.com) | Schedule the strategy call | 6(1)(b) — performance of pre-contractual measures | 36 months after the meeting |
| Technical / log data (IP, browser, timestamp) | Site security, fraud prevention, aggregated analytics | 6(1)(f) — legitimate interest in site integrity | Logs: 30 days. Aggregated analytics: 24 months. |
3. Form draft saved in your browser
To prevent loss of your progress if you close the modal by accident, the form fields you fill in (excluding the consent checkbox) are saved automatically in your browser's localStorage under the key auditscale_modal_draft_en_v1. This data never leaves your device until you submit the form. It is cleared automatically after a successful submission. You can clear it manually at any time from your browser's developer tools.
4. Third-party processors
- Formspree, Inc. (USA) — receives the form data and delivers it to our inbox. Data transfer outside the EEA is covered by Standard Contractual Clauses. See Formspree Privacy Policy.
- Cal.com, Inc. (Delaware, USA · with optional EU data residency in Germany for European customers) — manages the booking calendar embedded in the thank-you page. Data Processing Agreement (DPA) is available to AuditScale through Cal.com's standard processor terms. See Cal.com Privacy Policy.
- Vercel, Inc. (USA) — hosting provider serving this website. See Vercel Privacy Policy.
- Google LLC (USA) — Google Fonts (Inter typeface). Loaded from googleapis.com. No personal data is sent beyond the standard HTTP headers (IP, user-agent).
5. International data transfers
Some processors are located outside the European Economic Area or the United Kingdom (mainly in the United States). Each transfer is protected by one or more of the following safeguards, verified at the time of publication of this notice:
| Processor | Primary safeguard | Status (verified 25 May 2026) |
|---|---|---|
| Vercel, Inc. | EU-U.S. Data Privacy Framework (including UK Extension and Swiss-U.S. DPF) | ✅ Certified · public registry |
| Google LLC (Google Fonts) | EU-U.S. Data Privacy Framework | ✅ Certified · listed in official DPF List |
| Formspree, Inc. | Standard Contractual Clauses (SCCs) per Formspree's own data processing terms | ⚠️ DPF status not independently verified at time of publication · see Formspree Security Page for current status |
| Cal.com, Inc. | Standard Contractual Clauses (SCCs) per Cal.com Data Processing Agreement · optional EU data residency in Germany | ⚠️ DPF status not independently verified at time of publication |
You may request a copy of the safeguards in place (DPAs, SCCs, DPF certifications) by emailing the controller at contacto@auditscale.es.
6. Your rights
Under the GDPR and UK GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Request data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting prior lawful processing (Art. 7.3)
To exercise any of these rights, email contacto@auditscale.es. We will respond within 30 days as required by GDPR Art. 12.3.
7. Right to lodge a complaint
If you believe we have not adequately addressed a privacy concern, you have the right to lodge a complaint with a supervisory authority:
- Spain (lead authority for AuditScale): Agencia Española de Protección de Datos (AEPD)
- United Kingdom: Information Commissioner's Office (ICO)
- Ireland: Data Protection Commission (DPC)
- Netherlands: Autoriteit Persoonsgegevens (AP)
- United States · California: California Attorney General · Privacy Enforcement · California Privacy Protection Agency (CPPA)
- United States · other states: respective State Attorney General's office (Virginia, Colorado, Connecticut, Utah, Texas, and any state with applicable consumer privacy statutes)
7-bis. Rights of US residents (CCPA / CPRA and similar state laws)
If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA) or any other US state with an applicable consumer privacy statute at the time of the request, you may have additional rights including:
- Right to know what categories of personal information are collected, used, and disclosed
- Right to delete personal information collected from you (subject to statutory exceptions)
- Right to correct inaccurate personal information
- Right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising (AuditScale does NOT sell or share personal information for advertising — there is nothing to opt out of)
- Right to limit the use of sensitive personal information (AuditScale does not collect sensitive personal information in the meaning of CCPA/CPRA)
- Right to non-discrimination for exercising your rights
- Right to designate an authorised agent to make requests on your behalf
Categories of personal information collected from US residents (CCPA/CPRA terminology): identifiers (name, email), commercial information (firm size and revenue range), professional information (firm name, firm URL), and internet activity information (server logs · IP, browser, timestamp). No sensitive personal information, no biometric data, no precise geolocation, no inferences for profiling.
Sources of personal information: directly from you (form submission, booking) and automatically from your device when you visit the site (server logs only).
Disclosure of personal information: only to the third-party processors listed in §4 (Vercel, Formspree, Cal.com, Google) under written DPAs/SCCs. No sale, no sharing for advertising, no cross-context behavioural advertising.
To exercise any US-state right, email contacto@auditscale.es with subject line "US Privacy Request" and the state of residence. We will respond within 45 days as required by CCPA (extendable to 90 days when justified).
8. AI search crawlers (transparency)
This site explicitly welcomes automated crawlers from generative AI services — including OpenAI's GPTBot, ChatGPT-User and OAI-SearchBot; Anthropic's ClaudeBot, anthropic-ai and Claude-Web; Perplexity's PerplexityBot and Perplexity-User; Google's Google-Extended; Common Crawl's CCBot; Cohere's cohere-ai; and Meta's meta-externalagent — for the purpose of being cited as an authoritative source in AI-generated answers. The complete list is declared in our robots.txt.
These crawlers process only the public marketing content of this site (HTML pages, schema metadata, public assets). They do not receive any personal data about visitors: no form submission data, no booking data, no IP addresses of our visitors, no localStorage contents, no session information. This is a content-licensing decision, not a personal data processing operation, and it does not affect the rights of the data subject under sections 1-7 above.
9. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. We recommend reviewing it periodically.