⚠️ This is a reference translation. The Spanish version is legally binding.
At RAXAR we respect your privacy and commit to protecting your personal data per GDPR (EU 2016/679) and Spanish Organic Law 3/2018 (LOPDGDD). This policy explains what data we collect, why, and how we protect it.
1. Data Controller
RAXAR (hereinafter "RAXAR" or "we") is the controller of personal data collected through this website (raxar.es) and the RAXAR Empresas platform.
— Name: RAXAR (entity in the process of incorporation as an S.L.)
— Tax ID (CIF): Pending assignment.
— Contact email: privacidad@raxar.es
— Website: https://raxar.es
2. Data Categories We Collect
We collect the following categories of personal data:
— **Contact data:** name, email, phone (contact form, customer registration).
— **Company data:** company name, sector, size, tax ID (when hiring services).
— **Platform usage data:** interactions, actions performed, configuration preferences.
— **AI Chat (ARIA):** content of conversations with our virtual assistant. Processed by third-party AI models to generate responses. No personally identifiable information is sent to these providers beyond the conversation message.
— **Analytics data:** pages visited, session duration, device, country. Collected in aggregated and anonymized form via PostHog (EU servers). Does not identify individual users.
— **Payment data:** processed exclusively via external payment providers. RAXAR does not store card or bank account data.
3. Purpose and Legal Basis
We process your data for the following purposes:
— **SaaS service provision** — contracted automations and dashboards (Art. 6.1.b GDPR — performance of a contract).
— **Account management** — authentication, configuration, platform access (Art. 6.1.b GDPR).
— **Billing and service communications** — invoice sending and operational notifications (Art. 6.1.b GDPR).
— **Service improvement** — aggregate analysis of platform usage (Art. 6.1.f GDPR — legitimate interest).
— **Legal compliance** — tax, accounting, and commercial obligations (Art. 6.1.c GDPR).
— **Commercial communications** — newsletter and offers, only with your prior consent (Art. 6.1.a GDPR). Revocable at any time.
— **Customer support** — query resolution and technical support (Art. 6.1.b / 6.1.f GDPR).
— **Fraud prevention** — anomalous activity detection and platform protection (Art. 6.1.f GDPR).
We do not process your data for purposes beyond those indicated without your prior consent.
4. Providers and International Transfers
Your data is not sold or assigned to third parties for commercial purposes. We share data with the following technology providers (processors) providing services under our instructions:
— **Hostinger International Ltd.** — VPS hosting. Servers in EU.
— **PostHog Inc.** — Web analytics. EU Cloud servers. Does not identify individual users.
— **Anthropic PBC** (USA) — Natural language processing for ARIA assistant. Data protected via EU-approved Standard Contractual Clauses (SCCs).
— **Groq Inc.** (USA) — Natural language processing for ARIA assistant and automated analysis. Data protected via SCCs.
— **Public authorities** — When a legal obligation exists.
Transfers to providers outside the European Economic Area (Anthropic, Groq) are made with appropriate GDPR safeguards, including SCCs in force post-Schrems II.
5. Use of AI and Automated Decisions
RAXAR uses AI models as part of its services, specifically:
— **ARIA (virtual assistant):** Generates conversational responses from the messages you input. Messages are sent to AI providers to generate a real-time response. No PII linked to your identity is stored on provider servers.
— **Automated analysis:** Email classification, lead scoring, report generation. These generate recommendations, but final decisions are always reviewed by humans.
— **Local models (privacy_mode):** For clients that require it, sensitive data is processed exclusively on AI models hosted on RAXAR infrastructure (own hardware · no external transfer). Activated by contractual agreement or tenant configuration.
Per GDPR Art. 22, no automated processing produces legal effects or significantly affects data subjects without human intervention. You have the right to:
— Obtain information about the logic applied in any automated analysis.
— Request human intervention in any decision.
— Express your point of view and contest the decision.
**Compliance with Regulation (EU) 2024/1689 (AI Act):** Our AI systems are mostly classified as **limited risk** or **minimal risk** under the AI Act taxonomy. We comply with applicable transparency obligations:
— Users are informed when interacting with an AI system (ARIA is clearly identified).
— AI-generated content is identified when it could be mistaken for human content.
— Active guardrails prevent prohibited content generation.
— Regular bias, robustness, and accuracy evaluations.
To exercise these rights, contact privacidad@raxar.es.
6. Data Retention
We retain your data for the following periods:
— **Active customer data:** Contract duration + 6 years (tax and commercial obligations).
— **Platform user data:** Contract duration + 3 months.
— **Non-converted inquiries:** Maximum 12 months since last contact.
— **Commercial communications:** 24 months or until consent revoked.
— **Access logs and analytics:** 12 months.
— **Cookies:** Per configuration of each type (see Cookie Policy).
After these periods, data is deleted or irreversibly anonymized.
7. Your Rights
Under GDPR (Arts. 15-22), you have the right to:
— **Access** (Art. 15): know what personal data we hold about you.
— **Rectification** (Art. 16): correct inaccurate or incomplete data.
— **Erasure** (Art. 17): request deletion when data is no longer needed.
— **Processing restriction** (Art. 18): limit data use in certain circumstances.
— **Portability** (Art. 20): receive your data in a structured, commonly used, machine-readable format.
— **Object** (Art. 21): oppose processing based on legitimate interest.
— **Not to be subject to automated decisions** (Art. 22): not be subject to decisions based solely on automated processing with legal effects.
To exercise any of these rights, write to privacidad@raxar.es indicating the right you want to exercise. We'll respond within 30 days maximum (extendable to 60 in complex cases, with reasoned notification).
**Identity verification procedure:** To protect your data against fraudulent requests, we may require you to prove your identity via: (i) confirmation from the email linked to your account, (ii) copy of ID document (DNI/NIE/passport · unnecessary fragments can be redacted), or (iii) in-app verification if already authenticated. We do not request excessive documentation.
**Portability format (Art. 20):** Data delivered in structured JSON (default) or CSV, with documented schema. Large sizes (>100MB) delivered via secure link with 72h expiration.
If you believe your rights have not been properly addressed, you can file a claim with the Spanish Data Protection Agency (AEPD) at www.aepd.es or at their HQ: Calle Príncipe de Vergara, 108 — 28002 Madrid.
8. Security
We implement appropriate technical and organizational measures to protect your data (GDPR Art. 32), including:
**Technical:**
— **TLS 1.3** encryption in transit (min TLS 1.2) with HSTS on all domains.
— **AES-256** encryption at rest for sensitive database data.
— Multi-tenant isolation via **Row Level Security (RLS)** in PostgreSQL, with access policies verified in an independent audit.
— **AI guardrails** active: PII, prompt injection, and secrets filtering on all model calls.
— Quarterly rotation of operational credentials and tokens (immediate on incident).
— Sandboxing and strict allowlist for AI-generated command execution.
— Complete **security headers**: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
**User authentication:**
— **MFA/2FA** mandatory for admin roles · optional but recommended for users.
— Passwords min 12 characters, bcrypt hash with factor 12.
— Session expiration after 24h inactivity.
— Account lockout after 5 consecutive failed attempts.
**Organizational:**
— Role-based access control (**RBAC**) · 4 roles: superadmin, raxar_internal, raxar_team, client.
— Principle of least privilege applied.
— Servers hosted in **European Union** (Hostinger · ISO 27001 certified datacenter).
— Automatic daily **backups** with offsite replication (geographically separated tower · cron 04:00 UTC).
— 24/7 monitoring (Uptime Kuma · GlitchTip · 24/7 monitoring) with Telegram alerts on anomalies.
— Documented incident response procedure.
— GDPR and security training for internal team.
9. Security Breach Notification
In the event of a personal data security breach affecting the rights and freedoms of data subjects, RAXAR commits to:
— **Notify the Spanish Data Protection Agency (AEPD)** within **72 hours** of becoming aware of it, per GDPR Art. 33.
— **Communicate to affected data subjects** without undue delay when the breach poses a high risk to their rights and freedoms (GDPR Art. 34).
— **Notify the client (controller)** within **48 hours** of becoming aware of it when the breach affects data processed on their behalf (stricter contractual term).
Every breach is logged internally in our security incident register, available for review by supervisory authorities and controller clients.
10. Minors
RAXAR services are directed exclusively to persons over 18 (B2B clients · professionals and companies). We do not intentionally collect data from minors. If we detect that data from a minor has been collected, we will delete it immediately.
11. Cookies
This website uses technical and analytics cookies. For more information, consult our Cookie Policy at raxar.es/cookies.
12. Data Protection Officer
RAXAR is not required to appoint a Data Protection Officer (DPO) per GDPR Art. 37 (activity does not constitute large-scale systematic observation or large-scale processing of special categories). Nevertheless:
— We have a dedicated channel for privacy matters: **privacidad@raxar.es**.
— Requests are handled by the management team with direct responsibility for data protection.
— If our processing volume requires it in the future, we will formally appoint a DPO and update this policy.
13. Changes to this Policy
We may update this policy to reflect legal or service changes. The last update date appears at the top of this page. If changes are significant, we will notify you via email if you have an active relationship, and/or via prominent notice on the platform for 30 days.