Privacy Policy

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, repealing Directive 95/46/EC (hereinafter, RGPD), Law 34/2002 of 11 July, on information society services and electronic commerce (hereinafter, LSSI-CE) and the Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDyGDD), Carro de Combate (hereinafter, “the Holder”) guarantees the protection and confidentiality of personal data of any kind provided to us by our customers, in accordance with the provisions of the General Regulation on the Protection of Personal Data.

The Data Protection Policy of the Data Controller is based on the principle of proactive responsibility, according to which the Data Controller is responsible for compliance with the regulatory and jurisprudential framework, being able to demonstrate it to the relevant supervisory authorities.

The data provided will be processed in accordance with the terms set out in the GDPR. In this sense, the Holder has adopted the legally required levels of protection and has installed all the technical measures within its reach to prevent the loss, misuse, alteration, unauthorised access by third parties, as set out below. However, the user must be aware that Internet security measures are not impregnable.

Data controller: Who are we?

Owner: Carro de Combate

Impact Hub Madrid, Calle Alameda 22, 28014, Madrid
CIF: G87051884
Correo electrónico[email protected]

Data processing: What data do we process and what is their origin?

Purpose of processing: What will we use your data for?

Contact forms: All the data provided by our visitors on the Holder’s website will be included in the register of personal data processing activities, created and maintained under the responsibility of the Holder, which is essential to resolve any queries or requests for information sent by our visitors. The data will be kept for the maximum period of time established by the law in force. We do not create profiles of the users who contact us, nor do we transfer the data to third parties. No international transfer of data is carried out.

Sending e-mails: The Data Controller guarantees the protection and confidentiality of the personal data that we receive through our e-mail. The content of these communications, as well as that of any attached document, is confidential and is addressed solely to the addressee of the same. In the event that you are not the addressee, we ask you to inform us of this and not to communicate its content to third parties, proceeding to the definitive elimination of the message. The data will be kept for the maximum period of time established by the law in force. We do not pass on the data to third parties, nor is there any international transfer of the data.

Customer service: All data provided by our customers will be included in the register of personal data processing activities, created and maintained under the responsibility of the Holder, essential to provide the contracted services, as well as to resolve any doubts or questions that may arise through our contact channels. The data will be kept for the maximum period of time established by current law. We do not create profiles, nor do we pass your data on to third parties. No international transfer of data is carried out.

Web visitors: We perform anonymised tracking of visitors to the Owner’s website, in order to find out which pages and services are most relevant to our potential customers. The data will be kept for the maximum period of time established by current law. Visitors are not profiled. In the event that the visitor accepts the Google Analytics cookie, some data (anonymised partial IP address and unique device identifier -NID/SID/IDE-) will be transferred, but under no circumstances will the Data Controller transfer personal data to said third party. International transfer of data from “Google Ireland Ltd.” to “Google Inc. (United States), with the authorisation of the AEPD.

Legitimacy of processing: Why do we need your data?

Contractual relationship: It is the one that applies when you contract any of our services.

Legitimate interest: To deal with the queries and complaints you make to us and to manage the collection of amounts owed.

Your consent: If you are a user of our website, by ticking the box on the contact form, you authorise us to send you the necessary communications to respond to your query or request for information.

Recipients: With whom do we share your data?

By default, our policy is not to pass on your personal data to third parties, with the exception of those public or private entities to which we are obliged to provide your personal data in order to comply with any law (e.g., the Tax Law requires us to provide the Tax Agency with certain information on economic transactions exceeding a certain amount).

If, apart from the above, we need to disclose your personal information to other entities, we will ask for your permission beforehand by providing you with clear options that will allow you to decide in this respect, and you will be informed of this in the “Purpose” section above.

Communication: With whom do we share your data?

The data of our customers and potential customers will be communicated to “Substack Inc.”, under a processing order in accordance with the GDPR, for the purpose of sending newsletters and relevant information in the cases indicated in the “Purpose” section.

In all other cases, no data will be disclosed to third parties and no international data transfers will take place.

Retention: How long will we keep your data?

We will only keep your personal data for as long as is necessary to achieve the purposes for which it was collected. In determining the appropriate retention period, we consider the risks involved in the processing, as well as our contractual, legal and regulatory obligations, internal data retention policies and our legitimate business interests as described in the “Purpose” section.

In this regard, the Data Controller will keep the personal data once its relationship with you has ended, duly blocked, for the period of limitation of any actions that may arise from the relationship with the data subject.

Once blocked, your data will be inaccessible, and will not be processed except to make them available to the Public Administrations, Judges and Courts, for the attention of possible liabilities arising from the processing, as well as for the exercise and defence of claims before the Spanish Data Protection Agency.

Security: How do we protect your data?

We use all reasonable efforts to maintain the confidentiality of personal information processed on our systems. We maintain strict levels of security to protect the personal data we process against accidental loss and against unauthorised access, processing or disclosure, taking into account the state of technology and the nature and risks to which the data is exposed. However, we cannot be held responsible for your use of the data (including username and password) you use in our “Client Area”. Our staff follow strict privacy rules and where we employ third parties to provide support services, we require them to abide by the same rules and allow us to audit them for compliance.

What rights can you exercise over your data as a data subject?

We inform you that you may exercise the following rights:

Right of access to your personal data, to know which personal data are being processed and the processing operations carried out on them.

The right to rectify any inaccurate personal data.

The right to erasure of their personal data, where this is possible (e.g. by law).

The right to restrict the processing of your personal data where the accuracy, lawfulness or necessity of the data processing is in doubt, in which case we may retain the data for the purpose of pursuing or defending claims.

The right to object to the processing of your personal data, where the legal basis enabling us to process your personal data is our legitimate interest. The Data Controller will stop processing your data unless it has a legitimate interest or it is necessary for the defence of claims.

The right to the portability of your data, when the legal basis that enables us to process it is the existence of a contractual relationship or your consent.

The right to revoke the consent given to the Data Controller.

To exercise your rights, you may do so free of charge and at any time by writing to us at [email protected], enclosing a copy of your ID card.

Protection of rights: Where can you make a complaint?

If you believe that your rights have been disregarded by our entity, you can file a complaint with the Spanish Data Protection Agency, by any of the following means:

Electronic site:

Postal mail: Agencia Española de Protección de Datos, C. Jorge Juan, 6. 28001, Madrid

Telephone: 910.100.099 or 912.663.517

Making a complaint to the Spanish Data Protection Agency does not entail any cost and you do not need the assistance of a lawyer or solicitor.

Update: What changes may there be to this Privacy Policy?

The Holder reserves the right to modify this policy to adapt it to new legislation or jurisprudence that may affect its compliance.