Privacy Policy
Last updated: 1 July 2026
1. Data Controller
- Controller: Innovation Campus SL
- NIF (Tax ID): B02740918
- Registration details: Commercial Registry of Málaga — Sheet (Hoja) MA-157833, Volume (Tomo) 5981, Folio 39
- Address: Calle Álamos 7, 29012 Málaga (Spain)
- Sole director / legal representative: Emanuele Sisti
- Email for privacy matters: [email protected]
2. Applicable Law
This policy complies with Spanish and European data protection legislation, in particular:
- Regulation (EU) 2016/679 (GDPR);
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (LOPDGDD);
- Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE).
3. Data Processed and Its Source
The data processed comes directly from the data subject (Website forms, registration, contact, subscription to services) or from use of the Website (browsing data via cookies, subject to consent — see our Cookie Policy).
The categories of data processed are identifying and contact data (e.g. name, surname, email, phone) and, where applicable, billing data necessary to provide the services. No special categories of data within the meaning of Article 9 GDPR are processed.
4. Purposes and Legal Basis of Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Management of the contractual relationship: bookings, access to spaces, provision of coworking/training services, invoicing | Performance of a contract (Art. 6(1)(b)) |
| Responding to requests, quotes and enquiries submitted through the forms | Pre-contractual measures / consent (Art. 6(1)(b) / 6(1)(a)) |
| Sending newsletters and marketing communications | Consent (Art. 6(1)(a)) |
| Analytics and advertising cookies | Consent (Art. 6(1)(a)) — see Cookie Policy |
| Accounting, tax and legal obligations | Legal obligation (Art. 6(1)(c)) |
| Website security and prevention of fraud/abuse | Legitimate interest of the controller (Art. 6(1)(f)) |
The data subject may withdraw consent at any time, as easily as it was given; withdrawal does not affect the lawfulness of prior processing.
5. Recipients of the Data and Processors
To provide its services, the controller relies on suppliers acting as processors within the meaning of Article 28 GDPR. The main ones are:
| Supplier | Service | Type of data processed |
|---|---|---|
| Google LLC — Google Cloud | Hosting / infrastructure | Data hosted on the Website and connected systems |
| Google LLC — Google Analytics | Browsing statistics | Website usage data (subject to consent) |
| Google LLC — Google Ads | Advertising and conversion measurement | Browsing/marketing data (subject to consent) |
| Brevo (Sendinblue SAS) | Email, newsletters, CRM | Contact data of subscribers/clients |
| Stripe (Stripe Payments Europe, Ltd) | Payment processing | Payment and billing data |
| Office RnD | Coworking management software (members, bookings, invoicing) | Identifying, contact and billing data of members |
| Immanu Grupo Asesor SL | Accounting and tax advisory (gestoría) | Billing data |
Data may also be disclosed to the competent public authorities where required by a legal obligation. Save for the above, personal data will not be transferred to third parties for purposes other than those stated, nor sold.
6. International Data Transfers
Some suppliers may process data outside the European Economic Area (EEA):
- The Google services (Cloud, Analytics, Ads) are provided by Google LLC (United States). The transfer is covered by the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (SCCs).
- Brevo processes data within the European Union (France/Germany).
- Stripe is provided by Stripe Payments Europe, Ltd (Ireland, EU); any transfers to Stripe, Inc. (USA) rely on the EU-US Data Privacy Framework and/or the Standard Contractual Clauses (SCCs).
- Office RnD is based in the United Kingdom, a country covered by an adequacy decision of the European Commission.
For further details on the safeguards applied, you may contact the controller using the details above.
7. Retention Periods
Personal data is kept only for as long as necessary for the purposes for which it was collected:
- Contact/marketing data: 24 months or until a request for erasure / withdrawal of consent;
- Contractual and billing data: for the periods required by Spanish civil and tax law (generally up to 6 years under the Commercial Code, and as required by applicable tax legislation).
8. Rights of the Data Subject
The data subject may at any time exercise the following rights under the GDPR and the LOPDGDD: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection and the right not to be subject to automated decision-making, including profiling.
To exercise them, simply send a request to [email protected], stating the right to be exercised and enclosing a document that allows the requester's identity to be verified.
The data subject also has the right to lodge a complaint with the supervisory authority: in Spain, the Spanish Data Protection Agency (AEPD) — www.aepd.es.
9. Personal Data of Minors
In accordance with Articles 8 GDPR and 7 LOPDGDD, only those aged 14 or over may lawfully give consent to the processing of their personal data. For children under 14, the consent of a parent or guardian is required.
10. Data Security
The controller adopts technical and organisational measures appropriate to the level of risk, in order to ensure the security of the data and prevent its destruction, loss, alteration or unauthorised access. The Website uses an SSL certificate that encrypts data transmission. In the event of a personal data breach posing a high risk to the rights and freedoms of data subjects, the controller will carry out the notifications required by Articles 33 and 34 GDPR.
11. Changes to This Policy
The controller may amend this policy to reflect legislative or case-law developments or AEPD criteria. Users are advised to consult this page periodically. Material changes will be communicated through the Website.