Privacy policy
Last updated: 2026-04-22
This is an informational translation. The Spanish version at /es/legal/privacidad prevails in case of any discrepancy.
1. Data controller
The legal entity is currently being set up; until registration completes, the service promoter is the data controller for GDPR purposes. Final identification details will be published as soon as registration is complete.
- Controller: [TODO-LEGAL-ENTITY] (entity in formation — see notice in the footer).
- Tax ID: [TODO-NIF]
- Registered address: [TODO-ADDRESS]
- Privacy email: privacidad@prolio.co
- No DPO appointed: Prolio does not carry out large-scale processing of special categories of data or systematic monitoring within the meaning of Art. 37 GDPR. This will be reviewed as the product grows.
2. Data we process
- Pre-loaded professional listings (unclaimed): business or professional name, activity, city, office address, professional phone and email, website, licence or public-registry number where available, approximate coordinates and public ratings. Sources: official professional bodies (colegios), BORME, regional open data, OpenStreetMap, Google Places.
- Claimed listings: the above plus account email, hashed password, voluntary data (description, photo, schedule, services) and the evidence supplied to claim the profile.
- Lead submissions: name, email, optional phone, message.
- Website visitors: strictly necessary technical data (IP, user-agent, event) and, only with consent, analytics metrics.
3. Minimisation and pre-claim visibility reduction
We apply Art. 5.1.c GDPR data minimisation. For unclaimed listings: (a) only professional data strictly necessary for identification; (b) email and phone are shown only after an explicit "Show contact" click to deter automated scraping; (c) we do not publish personal tax IDs of self-employed individuals; (d) we only publish office addresses, never residential; (e) listings are removed immediately when the subject requests opt-out.
4. Purposes and legal basis (Art. 6 GDPR)
- Running the public professional directory (unclaimed listings) — legitimate interest (Art. 6.1.f). A legitimate-interest assessment is documented (see section 5).
- Routing lead requests to professionals — performance of a service (Art. 6.1.b) and legitimate interest of the receiving professional.
- Authentication, claim, and profile management by the professional — contract (Art. 6.1.b).
- Abuse prevention and security — legitimate interest (Art. 6.1.f).
- Traffic and product analytics (GA4, PostHog) — explicit consent (Art. 6.1.a), via the cookie banner.
- Legal obligations (invoicing, lawful requests) — legal obligation (Art. 6.1.c).
5. Legitimate-interest assessment (LIA)
For pre-loaded professional listings sourced from public records, we have documented the following three-step LIA, available to the AEPD on request:
- Purpose: provide a reliable directory of regulated professionals in Spain, reduce information asymmetry for consumers, and give visibility to self-employed and SMEs without SEO resources. Lawful, real and specific interest.
- Necessity: initial critical mass requires pre-loading already-public data; without this nucleus the service would not be useful to either side.
- Balancing test: data is professional (not private-sphere), sourced publicly, minimal, and subjects have robust objection/erasure/one-click opt-out mechanisms. No automated decisions with legal effects, no sensitive profiling.
- Safeguards: hidden-behind-click contact, no ads or remarketing, permanent opt-out link in every outbound email, public rights form, one-month statutory response commitment, definitive erasure on request (not just unpublish).
6. Retention
- Unclaimed listings: while the data remains relevant or until objection/erasure — immediate unpublication, full deletion within 30 days.
- Claimed listings: duration of the relationship plus applicable limitation periods (up to 6 years for tax/commercial records).
- Leads: 24 months.
- Opt-out tokens: 90 days.
- Cookie consent logs: 24 months (AEPD evidence).
- Technical and security logs: 12 months.
- Billing data (once Stripe is active): 6 years.
7. Processors
- Supabase (DB + auth) — Frankfurt / Ireland (EEA).
- Vercel Inc. (hosting) — USA, SCCs.
- Google LLC (Places API) — USA, SCCs.
- Google Analytics 4 (consent-gated) — USA, SCCs.
- PostHog Inc. at us.i.posthog.com (consent-gated) — USA, SCCs.
- Stripe Payments Europe Ltd. (when active) — Ireland, USA sub-processor under SCCs.
- Resend, Inc. (when active) — USA, SCCs.
- Anthropic PBC (when active) — USA, SCCs; prompts never include end-user PII.
8. International transfers
Several processors sit outside the EEA (mostly USA). We rely on EU Standard Contractual Clauses (June 2021) and, where applicable, the EU-US Data Privacy Framework for certified vendors, plus TLS in transit, encryption at rest and EU region choice where available.
9. Your rights
You have the right to access, rectification, erasure, objection, restriction, portability, and withdrawal of consent at any time — without affecting the lawfulness of processing carried out before withdrawal. Exercise these rights via privacidad@prolio.co or /en/ejercer-derechos. We reply within one month (extendable by two further months in complex cases, with notice).
Identity verification: to prevent impersonation, we may ask for reasonable proof of identity when a request concerns data not already associated with the sender's email address. Any such request will be proportionate (e.g. a confirmation sent from the published professional email).
You may lodge a complaint with the Spanish Data Protection Agency (AEPD, C/ Jorge Juan 6, 28001 Madrid; www.aepd.es).
10. Security and breach notification
We apply reasonable and proportionate technical and organisational measures (Art. 32 GDPR): role-based access, TLS 1.2+, encryption at rest by the DB provider, host-managed secrets, least-privilege API keys, audit logs, updated dependencies.
Breach notification: we notify the AEPD within 72 hours (Art. 33) and the affected subjects where the risk to them is high (Art. 34).
11. Automated decisions
We do not take decisions based solely on automated processing that produce legal effects or significantly affect subjects. Directory rankings are informational and based on aggregate signals.
12. Minors
Prolio is not directed at under-14s. We remove any such data on discovery.
13. Changes
We may update this policy. Material changes re-trigger consent for non-strictly-necessary cookies.