Last updated: 13/06/2025

Both data privacy and information confidentiality are important aspects for IThinkUPC. This data protection policy outlines how we process personal data obtained through this website or through our business or professional relationships with our clients, commercial contacts, suppliers, and collaborators. It may change over time due to possible legislative or jurisprudential developments or the criteria followed by the Spanish Data Protection Agency and/or the relevant authority at any given time. Therefore, we reserve the right to modify this policy to adapt it to applicable legislative or jurisprudential changes at the time the website is accessed.

1. Who is responsible for processing your data?

The data controller is ITHINKUPC, SL, SOCIETAT UNIPERSONAL.
Tax ID: B66869033
Address: c/ Gran Capità, 2-4, Nexus I building, ground floor, 08034 Barcelona, Spain.
Contact email: privacyithinkupc.com

2. For what purpose do we process your data, on what legal basis, and for how long do we keep it?

Data subjects are informed that ITHINKUPC only collects the data necessary to handle requests and manage the established professional relationships. The data collected is appropriate, relevant, and limited to what is necessary for the purposes for which it is processed.

To keep your data accurate and up to date, we kindly ask that you notify us of any changes or modifications via email to privacyithinkupc.com.

At ITHINKUPC, we process personal data for the following purposes:

2.1 DATA OBTAINED THROUGH OUR WEBSITE

We process personal data to:
a. Respond to any inquiries sent through the forms provided on the website or via any other means of contact.
b. Manage subscriptions that users sign up for.
c. Conduct statistical analyses, measurements, and market research on the company’s products and services, users and their needs, trends, interests, and preferences.
d. Send commercial communications: when personal data is collected, we request the user’s consent to send them information about the company’s products and services. Users may withdraw their consent at any time by following the instructions provided in the footer of each commercial communication sent.

Legal Basis: The legal basis for this processing is consent, which is considered granted when the corresponding checkbox has been marked.
Data retention period: The data will be deleted once the request has been processed. If the data subject has given consent to receive commercial communications, their data will be stored indefinitely, unless they request its deletion.

2.2 DATA OBTAINED FROM OUR PROFESSIONAL RELATIONSHIPS

2.2.1 CONTACTS AND POTENTIAL CLIENTS: We process the data of contacts and potential clients for commercial prospecting, managing offers and quotes, contracts, and ongoing commercial follow-up.
Legal Basis: (1) The existence of a commercial and pre-contractual relationship, and (2) the legitimate interest of the company in offering its products and services.
Retention Period: Data is kept unless the user requests its deletion.

2.2.2 CLIENTS: We process the data of our clients to manage the contracted service, as well as for administrative, financial, and accounting management.
Legal Basis: The existence of a contractual relationship for the provision of the requested services.
Retention Period: Data is retained for the duration of the contractual relationship and afterward for the legal periods established in civil law regarding the limitation of contractual obligations and in accounting and tax legislation.

2.2.3 SUPPLIERS: We process the data of suppliers and collaborators to manage the established professional relationships, including contracts, orders, and payments, as well as to maintain a contact database for potential future contracts and/or collaborations.
Legal Basis: The existence of a contractual relationship.
Retention Period: Data is retained for the duration of the contractual relationship and afterward for the legal periods established in civil law and in accounting and tax legislation.

2.2.4 CANDIDATES SUBMITTING A CV: We process the personal data of job applicants for the following purposes:
– For staff selection during active recruitment processes held by the company.
Legal Basis: The adoption of pre-contractual measures.
– Spontaneous applications: To maintain a file of CVs from candidates with profiles that match the company’s characteristics.
Legal Basis: Consent granted by voluntarily submitting the CV.
Retention Period: CV data received will be kept for a maximum of 2 years. However, the company may retain your name, surname, and contact email for future collaborations, without prejudice to your rights, which can be consulted in the “Rights” section of this data protection policy.
If you have participated in a selection process, your data will be deleted once it ends, unless you have authorized us to keep it.

2.3 COMMERCIAL AND MARKETING ACTIONS
The company processes contact data to send commercial communications when prior consent has been obtained or there is an existing contractual relationship.
Legal Basis: The legal basis for this processing is consent. When personal data is collected, the data subject is asked for their consent to receive information via email, post, SMS, or any other channel about the company’s products and services. The data subject can withdraw their consent at any time by notifying the company that they no longer wish to receive commercial communications, following the instructions provided at the bottom of each communication sent by the company.
If the data subject is already a client and/or supplier of the company, the legal basis for processing is the established contractual relationship, supported by the Law on Information Society Services and Electronic Commerce. Communications are sent electronically, and an option to unsubscribe is included in each message.
Retention Period: Data is retained indefinitely unless a request for deletion is made.

3. Who will your data be shared with?

The company will share your personal data with third parties in the following cases:
3.1. Legal obligation: With the tax authorities for the payment of taxes, and with judges and courts upon judicial request.
3.2. To execute contracted services: With financial institutions to process payments and collections, insurance companies for insurance management, debt collection agencies for outstanding payments, and logistics companies.
3.3. On the basis of legitimate interest: IThinkUPC may share your CV with companies with which it has service agreements or with entities with which it maintains collaboration agreements, with the aim of facilitating the internal management of candidate search and selection processes, and only when it is necessary to assess in advance the profile of the person who will be providing the services.

4. What are your data protection rights?

Everyone has the right to obtain information about what personal data is being processed. Below is a list of user rights:
1. Right of access to personal data.
2. Right to request rectification of inaccurate data or request deletion when, among other reasons, the data is no longer necessary for the purposes it was collected.
3. Right to request restriction of processing under certain circumstances. In this case, data will only be retained for the exercise or defense of legal claims.
4. Right to object to the processing of data under certain circumstances and based on your particular situation. The company will stop processing your data unless there are compelling legitimate reasons or for the exercise or defense of possible legal claims.
5. Right to data portability: You have the right to receive the personal data concerning you, provided to IThinkUPC, in a structured, commonly used, and machine-readable format, when:
a) the processing is based on consent or a contract, and
b) the processing is carried out by automated means.
6. Right to lodge a complaint with the supervisory authority (AEPD: www.agpd.es) if your rights have not been properly addressed.

• To exercise the above-mentioned rights, the data subject may contact IThinkUPC by postal or email address as specified in section 1.
  The request must include the following information:
  Applicant’s details (full name)
• Contact address
• The right they wish to exercise
• Specific data related to the request

Your request will be processed within a maximum of one month, and the result will be communicated using the same method you initially used.

5. Security in Data Processing

Taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing as well as the varying risks in terms of probability and severity to the rights and freedoms of natural persons the company will apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will prevent the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, as well as unauthorized access to or disclosure of such data.
An important point in this regard is that our services are certified by Aenor with ISO 27001, which ensures the maintenance and continuous improvement of an information security management system. This management system and its associated security controls protect the confidentiality, integrity, and availability of information by applying risk management processes, thereby offering stakeholders trust and peace of mind.