This notice explains what personal data we collect through stradiax.com, what we use it for, who we share it with, and the rights you have over it. Written to be understood on the first read, without small print.
1. Data controller
The data controller is Stradiax Executive, S.L., a Spanish company, 100% Spanish-owned, headquartered in Madrid. Founded in 2007.
- Postal address: Madrid, Spain (full address available on request for legal requests)
- General contact: info@stradiax.eu
- Data Protection Officer (DPO): dpo@stradiax.eu
2. What we collect and why
We only process data you provide yourself when you interact with the site. We do not use third-party analytics, marketing pixels, or profiling tools.
2.1 Contact form
- Data: name, email, company (optional), phone (optional), subject, message.
- Purpose: to handle your request, reply by email, and if relevant, propose an initial meeting.
- Legal basis: your consent when you submit the form, and pre-contractual steps at your request (Article 6(1)(a) and 6(1)(b) GDPR).
- Retention: for the duration of the commercial relationship and for any applicable legal retention periods afterwards, up to a maximum of 5 years unless a longer legal obligation applies.
2.2 Newsletter subscription
- Data: email address and preferred language.
- Purpose: to send occasional content about technology strategy, Advisory, and Stradiax updates.
- Legal basis: your explicit consent via the checkbox (Article 6(1)(a) GDPR).
- Retention: until you unsubscribe. Every email includes a one-click unsubscribe link.
2.3 Initial meeting booking
- Data: name, email, company (optional), phone (optional), meeting topic, chosen date and time.
- Purpose: to create the calendar event, send you the invite, and prepare the session.
- Legal basis: your consent and pre-contractual steps (Article 6(1)(a) and 6(1)(b) GDPR).
- Retention: calendar data is kept for the duration of the relationship. After the meeting, the data may be retained in our internal CRM under the same timelines as the contact form.
2.4 Chat assistant (chatbot)
- Data: the messages you type into the assistant. We do not ask for name or email. A temporary session identifier is stored in your browser's session storage (removed when you close the tab).
- Purpose: to answer your questions about Stradiax, our services, and our products. The assistant uses a language model hosted by a third-party provider (see section 4).
- Legal basis: legitimate interest in providing the service and your consent when you start the conversation (Article 6(1)(a) and 6(1)(f) GDPR).
- Retention: messages are not persistently stored on our servers. Your conversation history lives only in your browser (sessionStorage) and is removed when you close the tab. Messages are forwarded to OpenRouter to generate the response and are not used to train models.
2.5 Technical server data
- Data: IP address, user-agent, requested URL, timestamp, stored in web server logs.
- Purpose: service security, abuse detection, and technical debugging.
- Legal basis: legitimate interest in keeping the site secure (Article 6(1)(f) GDPR).
- Retention: 30 days maximum, unless a security incident is detected.
3. Data recipients
We do not sell personal data. We only share data with the vendors we need to make the site and its services work, under data processor agreements (Article 28 GDPR):
- Amazon Web Services EMEA SARL (hosting, region eu-west-3 Paris, France).
- Google Ireland Limited (Google Workspace: email, Sheets, Calendar). Processes contact form, newsletter, and booking data.
- OpenRouter, Inc. (routes the chat assistant to Anthropic's language model). Processes chatbot messages solely to generate the response.
- Microsoft Corporation (Microsoft Clarity: product analytics via heatmaps and anonymous session recording). Loaded only if you explicitly accept in the consent notice; if you choose "Essentials only", Clarity is not loaded. Full details in the cookie policy.
4. International transfers
Some of the providers above are based in or operate infrastructure outside the European Economic Area. Specifically, OpenRouter, Google LLC and Microsoft Corporation operate from the United States. These transfers rely on the following GDPR mechanisms:
- EU-US Data Privacy Framework for certified providers.
- Standard Contractual Clauses (SCC) approved by the European Commission in the remaining cases.
You can request a copy of these safeguards by writing to dpo@stradiax.eu.
5. Your rights
You have the following rights over your personal data under GDPR and the Spanish LOPDGDD:
- Access: know what data of yours we hold.
- Rectification: correct inaccurate data.
- Erasure: ask us to delete your data ("right to be forgotten").
- Objection: object to processing on grounds relating to your particular situation.
- Restriction: restrict the use of your data.
- Portability: receive your data in a structured format and transmit it to another controller.
- Withdrawal of consent: revoke any consent you've given us, without retroactive effect.
- Not to be subject to automated decision-making with significant legal effects.
To exercise any of these rights, write to dpo@stradiax.eu stating which right you want to exercise and attaching a copy of your ID. We reply within one month.
6. Supervisory authority
If you believe we haven't handled your data according to the law, you can file a complaint with the Spanish Data Protection Agency (AEPD), the competent supervisory authority in Spain, through its electronic office at www.aepd.es.
7. Security
We apply reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or alteration. All site traffic is encrypted in transit via HTTPS (TLS 1.2/1.3). Integration secrets and API keys live in the server-side backend, never in the browser. Backups and logs are kept to the minimum operationally necessary.
8. Changes to this policy
If we update this policy we'll change the date at the top. Substantive changes will be communicated through the usual channels (newsletter or on-site notice) with reasonable notice.
