INDEX
Objective of the Privacy Policy
Definitions
Identity of the Data Controller
Applicable laws and regulations
Principles applicable to the processing of personal data
Data processing activities carried out
Required and up-to-date information
Personal data of minors
Technical and organisational security measures
Data subjects’ rights
Complaints to the Supervisory Authority
Acceptance of and changes to the Privacy Policy

1. OBJECTIVE OF THE PRIVACY POLICY

The purpose of this Privacy and Data Protection Policy is to set out the conditions governing the collection and processing of personal data by GRADISOFT, making every effort to safeguard the fundamental rights, honour and freedoms of individuals whose personal data are processed, in compliance with the applicable data protection laws and regulations of the European Union and the Spanish Member State, and specifically those referred to in the section “Data Processing Activities” of this Privacy Policy.

Accordingly, this Privacy and Data Protection Policy informs users of the Website https://gradisoft.com of all relevant details regarding how these processes are carried out, for what purposes, which other entities may have access to their data, and what rights users have.

2. DEFINITIONS

“Personal data”: Any information relating to an identified or identifiable natural person (“the Website user”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

“Processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Restriction of processing”: The marking of stored personal data with the aim of limiting their processing in the future.

“Profiling”: Any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Pseudonymisation”: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Filing system”: Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

“Controller” or “Data Controller”: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“Processor” or “Data Processor”: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Recipient”: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“Third party”: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

“Data subject’s consent”: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Personal data breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Genetic data”: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

“Biometric data”: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

“Data concerning health”: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

“Main establishment”:
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions shall be considered the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if it has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place.

“Representative”: A natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under the Regulation.

“Enterprise”: A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

“Supervisory authority”: An independent public authority established by a Member State pursuant to Article 51 of the GDPR. In Spain, this is the Spanish Data Protection Agency (Agencia Española de Protección de Datos).

“Cross-border processing”:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

“Information society service”: Any service provided, normally for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

3. IDENTITY OF THE DATA CONTROLLER

The Data Controller is the natural or legal person, public or private, or administrative body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of the processing are determined by European Union law or Spanish Member State law.

For the purposes set out in this Data Protection Policy, the identity and contact details of the Data Controller are:

Gradisoft Technology Systems S.L. – NIF: B25926981
Parc Agrobiotech, Ed. FP Empren, Office 8, 25003, Lleida, Spain

Email: info@gradisoft.com
Tel.: +34 973 98 44 88

4. APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy is based on the following laws and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

• Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

• Spanish Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSICE).

5. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this Website will be processed in accordance with the following principles:

• Lawfulness, fairness and transparency: All processing of personal data carried out through this Website shall be lawful and fair. It shall be clear to the user when personal data concerning them are being collected, used, consulted or otherwise processed. Information relating to the processing carried out shall be provided in advance, in an easily accessible form and in clear and plain language.

• Purpose limitation: All data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

• Data minimisation: The data collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

• Accuracy: The data shall be accurate and, where necessary, kept up to date. All reasonable steps shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

• Storage limitation: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing of personal data.

• Integrity and confidentiality: Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

• Accountability: The entity owning the Website shall be responsible for, and be able to demonstrate compliance with, the principles set out in this section.

6. DATA PROCESSING ACTIVITIES

Below are the data processing activities carried out through the Website, specifying each of the following aspects:

• Activity: Name of the data processing activity

• Purposes: Each of the uses and processing operations carried out with the data collected

• Legal basis: The legal grounds justifying the processing of the data

• Data processed: Types of data processed

• Source: Where the data come from

• Retention: Period for which the data are stored

• Recipients: Third parties to whom the data are disclosed, where applicable

• International transfers: Cross-border transfers of data outside the European Union

6.1. MAIN PROCESSING ACTIVITIES

These are data processing activities whose purposes are necessary and essential for the provision of the services.

(To be completed, if applicable, with the specific main processing activities.)

6.2. OPTIONAL PROCESSING ACTIVITIES (where the user has given consent)

These are personal data processing activities whose purposes are not essential for the provision of the service and which are only carried out if the user has given their consent (e.g. by ticking “YES” for such processing).

Activity: Website management

• Legal bases

  • Article 6.1(a) GDPR – Data subject’s consent

  • Article 6.1(f) GDPR – Legitimate interest of the Data Controller or third parties

  • Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD)

  • Regulation (EU) 2016/679 on the protection of personal data

• Purposes
  Management and communication with users. The data requested through the contact form, sent by email or provided via the telephone number published on our website will be used to respond to your enquiry and send you information about our organisation and services.
  The consequence of not providing these data will be the impossibility of contacting you and providing an answer to your request. You have the right to receive an answer to any question, query or clarification deriving from this form or from the other contact methods published on the corporate website, whether by calling us, sending us an email or visiting our facilities.

• Categories of data and data subjects
  Website users (identification data).

• Source of the data
  The data subject or their legal representative.

• Categories of recipients
  We do not disclose your data to any third party, but we may allow their processing by third parties solely for technical, legal and/or service provision reasons.

• International transfers
  None are envisaged.

• Retention period
  We store your data only for the time necessary to handle the request for information or where there is a legal obligation or legitimate interest to retain them.

• Security measures
  The security measures implemented are those described in the documents that make up the organisation’s Data Protection and Information Security Policy.

7. REQUIRED AND UP-TO-DATE INFORMATION

All fields marked with an asterisk (*) in the Website forms are mandatory, meaning that failure to complete any of them may result in it being impossible to provide you with the requested services or information.

You must provide truthful information so that the data supplied are always up to date and free of errors. You must notify the Data Controller as soon as possible of any changes or corrections to your personal data by sending an email to: info@gradisoft.com.

By clicking the “I accept” button (or equivalent) included in the forms, you declare that the information and data you have provided are accurate and truthful, and that you understand and accept this Privacy Policy.

8. MINORS’ DATA

In accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD, only persons over 14 years of age may lawfully give their consent to the processing of their personal data by GRADISOFT.

Therefore, minors under 14 years of age may not use the services available through the Website without the prior authorisation of their parents, guardians or legal representatives, who shall be solely responsible for all acts performed through the Website by the minors in their care, including completion of any electronic forms with the minors’ personal data and, where appropriate, ticking the boxes that accompany them.

9. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The Data Controller adopts the necessary organisational and technical measures to ensure the security and confidentiality of your data, and to prevent their alteration, loss, unauthorised processing or access, taking into account the state of the art, the nature of the stored data and the risks to which they are exposed.

Among others, the following measures are noteworthy:

• Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

• Restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

• Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure processing security.

• Pseudonymising and encrypting personal data where sensitive data are involved.

In addition, the Data Controller has decided to manage its information systems in accordance with the following principles:

• Compliance principle: All information systems shall comply with the applicable legal, regulatory and sectoral requirements that affect information security, especially those relating to the protection of personal data, and the security of systems, data, communications and electronic services.

• Risk management principle: Risks shall be minimised to acceptable levels, seeking a balance between security controls and the nature of the information. Security objectives shall be set, reviewed and aligned with the information security requirements.

• Awareness and training principle: Training programmes, awareness-raising and communication campaigns on information security shall be implemented for all users with access to information.

• Proportionality principle: The implementation of controls to mitigate the security risks of assets shall seek a balance between security measures, the nature of the information and the level of risk.

• Responsibility principle: All members involved in the Data Controller’s activities shall be responsible for their conduct regarding information security, complying with the established rules and controls.

• Continuous improvement principle: The effectiveness of security controls implemented in the organisation shall be regularly reviewed in order to increase its ability to adapt to the constant evolution of risks and the technological environment.

10. DATA SUBJECTS’ RIGHTS

Current data protection regulations grant the user a series of rights regarding the use of their data. Each of these rights is personal and non-transferable, which means they can only be exercised by the data subject, after verification of their identity.

The rights of Website users are as follows:

• Right of access: The right of the Website user to obtain confirmation as to whether or not the Data Controller is processing personal data concerning them, and, where that is the case, access to the personal data and information on the processing carried out or to be carried out, including, among others, the information available on the origin of the data and the recipients of any disclosures made or envisaged.

• Right to rectification: The right of the Website user to obtain the rectification of inaccurate personal data concerning them, or the completion of incomplete data, taking into account the purposes of the processing.

• Right to erasure (“right to be forgotten”): The right of the Website user, where the law does not provide otherwise, to obtain the erasure of personal data concerning them when the data are no longer necessary for the purposes for which they were collected or otherwise processed; when the user withdraws consent on which the processing is based and there is no other legal ground for the processing; when the user objects to the processing and there are no overriding legitimate grounds for the processing; when the personal data have been unlawfully processed; or when the personal data have been collected in relation to the offer of information society services directly to a child under 14 years of age. In addition to erasing the data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps to inform other controllers processing the personal data of the data subject’s request to erase any links to, or copies or replications of, those personal data.

• Right to restriction of processing: The right of the Website user to obtain restriction of processing where they contest the accuracy of the personal data; where the processing is unlawful and the user opposes the erasure of the personal data; where the Data Controller no longer needs the personal data for the purposes of processing, but the user needs them for the establishment, exercise or defence of legal claims; or where the user has objected to processing pending the verification whether the legitimate grounds of the controller override those of the user.

• Right to data portability: Where processing is carried out by automated means, the Website user has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller. Where technically feasible, the Data Controller shall directly transmit the data to the new controller.

• Right to object: The right of the user to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, including profiling, in which case the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds.

• Right not to be subject to automated individual decision-making, including profiling: The right of the Website user not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless otherwise provided by law.

• Right to withdraw consent: The right of the Website user to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The Website user may exercise any of the above rights by contacting the Data Controller and after prior identification, using the following contact details:

Controller: VASILE APINTILIOAIEI
Address: Turó de Gardeny S/N, Ed. FP Empren, Office 8, 25003, Lleida (Lérida), Spain
Telephone: +34 973 98 44 88
Email: info@gradisoft.com
Website: https://gradisoft.com

11. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY

The user is informed of their right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) if they consider that a breach of data protection legislation has occurred in relation to the processing of their personal data.

Contact details of the supervisory authority:

Agencia Española de Protección de Datos
Email: info@aepd.es
Telephone: +34 900 293 183
Website: https://www.aepd.es
Address: C/ Jorge Juan, 6, 28001, Madrid, Spain

12. ACCEPTANCE OF AND CHANGES TO THE PRIVACY POLICY

It is necessary for the Website user to have read and agree with the data protection conditions contained in this Privacy Policy, and to accept the processing of their personal data so that the Data Controller can proceed with such processing in the manner, for the periods and for the purposes indicated.

The Data Controller reserves the right to modify this Privacy Policy at its own discretion, or as a result of a legal, case law or doctrinal change by the Spanish Data Protection Agency. Any changes or updates to this Privacy Policy that affect the purposes of processing, retention periods, data disclosures to third parties, international data transfers, or any rights of the Website user will be explicitly communicated to the user.

Version dated 24 November 2025