Privacy Policy

In compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, GDPR) and Article 11 of Organic Law 3/2018 of December 5, 2018, on the protection of personal data and the guarantee of digital rights, we inform you of the following:

The User must carefully read this Privacy Policy, which is written in clear and accessible language for ease of understanding. This is intended to allow the User to freely, in an informed, and voluntary manner determine whether they wish to provide their personal data or that of third parties to NATURBOOST (hereinafter, the Entity).

Data Controller and contact details of the Data Protection Officer (DPO):
> NATURBOOST
> Adress: Pº Independencia 23 pral. izq. 50001 Zaragoza (ZARAGOZA)
> NIF: B06948079
> Phone:
> E-mail:

Purposes and retention period

The Entity will process the personal data provided by the User for the following purposes and for the retention periods indicated below:

  • Manage the provision and execution of the contracted services and/or products. The personal data provided in the contracts, offers, and/or service proposals, as well as that of any other person whose intervention is necessary, will be retained for the duration of the contracted services.
  • Manage any type of request, suggestion, complaint, and/or petition that the User makes through the contact form on the website or the email address provided for this purpose. Personal data will be retained for the time necessary to fulfill this purpose.
  • Manage the sending of informative communications by email regarding services similar to those already contracted by the Client. Personal data will be retained until the User revokes their consent.
  • Where applicable, manage the sending of commercial communications (mailings). Personal data will be retained until the User revokes the consent given through the newsletter subscription form.
  • Manage the voluntary collection or submission of your CV (self-application) through the website or contact email. Personal data will be retained until your consent is revoked or, at most, for a period of one year from the date of receipt of your CV.
  • Ensure the security of the facilities and personnel through the video surveillance systems installed. Personal data will be retained for a maximum period of 30 days or, where appropriate, for the time essential to comply with legal obligations applicable to the data controller.
  • Comply with the professional relationship established with our suppliers for the management of the services contracted by the Entity. Personal data will be retained for the time necessary to manage the contracted service and for the time essential to comply with legal obligations applicable to the data controller.
  • Manage and control the operation of the internal mechanisms, policies, and procedures established by the Entity for regulatory compliance purposes. Personal data will be retained for the time necessary to comply with legal obligations applicable to the data controller.
  • Manage requests received through the Data Protection Channel enabled. Personal data will be retained for the time necessary to comply with legal obligations applicable to the data controller.
  • Manage and respond to communications submitted by whistleblowers through the Internal Information System, in accordance with Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption. Data relating to information received and internal investigations will be retained for the necessary and proportionate period to comply with the Whistleblower Protection Law, in no case exceeding ten years. Three months after receipt, communications will be deleted, except in the case of retention to accredit and provide evidence of the existence and operation of the System and/or based on other regulatory compliance requirements with which the information is associated. The whistleblower’s identity will be anonymized in an independent area with appropriate security measures.
  • Comply with the legal provisions applicable to the Entity. Personal data will be retained for the time necessary to comply with the legal obligations applicable to the data controller.

Legitimation of treatment

The processing of personal data collected by the Entity is carried out on the basis of various legitimations:

  • Execution of a contract: Processing is necessary for the execution of a contract to which the data subject is a party, such as the management of requested services or the management of the contract signed between suppliers and the Entity.
  • Compliance with a legal obligation: The Entity processes data to comply with applicable legal obligations or to manage requests to exercise rights received through the data protection channel and internal information system.
  • Legitimate interest of the Entity: The Entity may process personal data when necessary to satisfy its own legitimate interests, provided that the fundamental rights and freedoms of the data subject do not prevail. These interests include ensuring the security of the facilities through video surveillance systems or sending informative communications related to products or services similar to those previously contracted by the User.

Data recipients

The Entity may communicate your personal data to the following recipients:

  • If necessary, to data processing companies that provide services to the Entity, with whom the corresponding data processing contract has been signed and who have appropriate security measures in place.
  • Any other third party necessary for compliance with a legal obligation.

Rights

You may exercise your data protection rights at any time:

  • Right of access: You have the right to know if the Entity is processing your personal data.
  • Right to rectification: You have the right to request the correction of inaccurate data.
  • Right to erasure: You have the right to request the deletion of your personal data when it is no longer necessary for the purpose collected.
  • Right to restriction of processing: You have the right to request that the use of your data be restricted, with the data being retained only for the defense of legal claims.
  • Right to object: You have the right to object to the processing of your personal data, except when there are legitimate reasons or when it is needed for the defense of legal claims.
  • Right to portability: You have the right to receive the data in a structured and readable format for transfer to another controller, whenever possible.
  • Right to revoke consent: You have the right to withdraw the consent given at any time, except when processing is protected by law or is necessary for a contracted service, without retroactive effect.
  • Right not to be subject to automated decisions: You have the right not to be subject to automated decisions based on personal data that significantly affect you, such as profiling.

In the event of any dispute with the Entity regarding the processing of your data, you also have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es).

Security and control measures

The Entity will process personal data using appropriate technical, legal, organizational, and security measures to ensure the confidentiality and integrity of the information it manages in accordance with current regulations.

Cybersecurity

As a specific and complementary concept to the above, the Entity applies cybersecurity measures to prevent and manage potential attacks and fraud by cybercriminals that violate the privacy and protection of the data that our Entity processes and accesses within the scope of its activities and operations.

In this regard, we wish to warn that in the event of potential risk situations due to communications whose content and/or format raise doubts about their authenticity, we recommend disregarding them and contacting the Entity through the contact information indicated in this Privacy Policy.

Likewise, any request you receive from our Entity regarding changes to payment methods, requests for data or contact persons, or confidential (non-public) information, bank and/or credit card details, and/or other official data should not be addressed without direct confirmation from our Entity through another alternative means.

We appreciate and need your cooperation in communicating and reporting any notifications regarding these types of requests and other potential cyberattack risk situations in which our Entity may be used, as well as any potential security risks you may be aware of.