Privacy policy

1. Controller and contact

For personal data of agency users (accounts, billing, support) the controller is the entity that operates lapromos.io: [LEGAL NAME — to be completed], tax ID [NIF/CIF — to be completed], registered office [REGISTERED ADDRESS — to be completed], Spain. Privacy & data-protection contact: [email protected]. The bracketed details are placeholders to be completed with the registered company data and, where appointed, the Data Protection Officer’s contact before launch. This policy is drafted under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

2. Roles: agencies and participants

For personal data of promotion participants, the agency running each promotion is the controller and lapromos.io acts as processor under a data-processing agreement (Art. 28 GDPR). Participants should address their requests to the promoting agency; we assist the agency in fulfilling them. This policy describes our processing as controller (agency users) and, transparently, the processing we perform on the agencies’ behalf.

3. Data we process and purposes

Agency account data (identity, email, role) to provide and operate the service; billing data to invoice and meet accounting obligations; participant data collected by each promotion’s form (e.g. email, phone, entry answers) to run that promotion (entry validation, one-time-code verification, winner contact, prize fulfilment); technical logs, security and anti-fraud events to protect the service and tenants; contact-form data to answer enquiries.

4. Legal basis (Art. 6 GDPR)

Each purpose relies on a specific basis: providing the service to agencies and managing accounts — performance of a contract (Art. 6(1)(b)); invoicing, tax and accounting records — legal obligation (Art. 6(1)(c)); security, anti-fraud, tenant isolation and service improvement — our legitimate interest (Art. 6(1)(f)); analytics and marketing tags on the corporate site — your consent (Art. 6(1)(a)), withdrawable at any time. For participant data we process on an agency’s behalf, the lawful basis is determined and declared by that agency as controller.

5. Recipients and sub-processors

Infrastructure and service providers acting as processors/sub-processors: hosting and databases (Railway), CDN, security and bot mitigation (Cloudflare, incl. Turnstile), payments (Stripe), transactional email (Resend) and SMS (Twilio / AWS SNS); analytics/marketing tags (Google) only load on the corporate site after consent. We do not sell personal data, nor share it for third-party advertising without consent. An up-to-date list of sub-processors is available on request.

6. International transfers

Some providers may process data outside the European Economic Area (e.g. US-based services). Where that happens, transfers are covered by an adequacy decision where one applies, or otherwise by the European Commission’s Standard Contractual Clauses (SCCs) together with supplementary measures (such as encryption in transit and at rest). You may request information about the safeguards in place by writing to [email protected].

7. Retention

Participant data is kept only while the promotion needs it: a platform-wide retention ceiling applies after each promotion closes, each promotion may only shorten it, and data that has reached the end of its retention period is erased irreversibly by an automated daily process. Account data is kept while the organisation is active; billing and tax records are kept for the legally mandated fiscal periods. Suppression entries (do-not-contact) are kept as a salted hash so they survive data erasure.

8. Security

Contact data (email, phone) is encrypted at rest with AES-256-GCM; tenant isolation is enforced at the database layer (PostgreSQL row-level security); one-time codes live only in Redis, hashed and short-lived; access is protected with rate limiting and bot challenges (Turnstile); audience exports for ad platforms are hashed with SHA-256 only within that export. We log access to sensitive actions.

9. Your rights

You may exercise access, rectification, erasure, restriction of processing, portability and objection, and withdraw consent at any time, by writing to [email protected] (proof of identity may be requested). If you are a promotion participant, your request is forwarded to the controlling agency, which decides on it. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or your local supervisory authority.

10. Automated decisions

We do not make decisions producing legal or similarly significant effects based solely on automated processing, nor do we carry out profiling for that purpose. Prize draws and instant-win outcomes are run by deterministic, auditable mechanics defined by each promotion; they do not profile participants. AI features (copy assistance and translation) operate on promotion text and are not used for participant profiling.

11. Cookies

The corporate site uses a consent banner aligned with Google Consent Mode v2: analytics and marketing tags only load after consent. See our Cookie policy for the full list; you can re-open your preferences from the “Cookie settings” link in the footer.