
Privacy policy

Last updated:

At Hexio, your data matters to us. This policy explains, in plain terms, who handles it, why, for how long and what rights you have. If anything is unclear after reading it, write to privacy@hexio.work.

1. Data controller

Núvol Digital S.L., as the entity operating the Hexio platform.

  • NIF: [NIF placeholder]
  • Address: [address placeholder] (Catalonia, Spain)
  • Privacy contact: privacy@hexio.work
  • Data Protection Officer: contact us if you need direct details.

Damos en el Blanco S.L. collaborates as co-creator of the product but does not act as data controller for this website.

2. What we collect

We only collect the data strictly necessary for the purposes described below:

  • Contact form data: name, email, company, phone (optional), topic and message.
  • Authentication cookies: strictly necessary to keep you signed in to the panel. We don't use third-party analytics cookies.
  • Technical logs: IP address, user-agent, timestamps and errors. Used only for security and diagnostics, never for profiling.
  • Panel data (customers): the data you upload to the platform (clients, invoices, projects, etc.) is processed under a separate data processing agreement — this privacy policy applies only to the public website.

3. Purposes

  • Reply to your enquiries and arrange meetings or demos.
  • Send you the specific information you ask for (quote, spec sheet).
  • Keep the website running, secure and bug-free.
  • Meet legal obligations (tax, commercial) if we end up in a contractual relationship.

We don't use your data for remarketing, and we don't sell it or share it with non-operational third parties.

4. Legal basis

  • Consent (art. 6.1.a GDPR) for the contact form and communications you initiate.
  • Performance of a contract (art. 6.1.b GDPR) once an active commercial relationship exists between you and Núvol Digital S.L.
  • Legitimate interest (art. 6.1.f GDPR) for technical logs and website security.
  • Legal obligation (art. 6.1.c GDPR) for tax retention of invoices.

5. Your GDPR rights and how to exercise them

You have the right to:

  • Access the data we hold about you.
  • Rectify it if it's incorrect.
  • Erase it ("right to be forgotten").
  • Object to or restrict processing.
  • Data portability: receive your data in CSV/JSON to take it to another provider.
  • Not be subject to automated decisions with legal effects.

To exercise these rights, write to privacy@hexio.work with the right you wish to exercise in the subject line. We'll reply within 30 days. If you feel we haven't handled your request properly, you can lodge a complaint with the Catalan Data Protection Authority (apdcat.gencat.cat) or the Spanish AEPD (aepd.es).

6. Retention

  • Contact form with no further commercial relationship: 12 months.
  • Active contractual relationship: for the duration of the relationship + 6 years for tax/commercial obligations.
  • Technical logs: 90 days, after which they're anonymised or deleted.

7. Data processors

To run the service we use European providers acting as processors under contract:

  • OVH SAS (France) and Hetzner Online GmbH (Germany) — hosting and databases.
  • Google LLC — OAuth authentication if you enable "Sign in with Google" (your data stays in the EU; only identity verification passes through Google).
  • Stripe Payments Europe Ltd. (Ireland) — future payments, once enabled.

All of them have processor agreements signed under art. 28 GDPR.

8. International transfers

By default, your data doesn't leave the European Union. Where any provider may process data outside the EU (for example, Google for OAuth), it's done under Standard Contractual Clauses approved by the European Commission and with the additional safeguards required.

9. Security measures

  • Encryption in transit: all traffic over HTTPS with TLS 1.2 or higher.
  • Encryption at rest: databases and backups encrypted with AES-256.
  • Backups: daily, retained for 30 days, in geographically separated locations within the EU.
  • Access control: two-factor authentication is mandatory for internal staff, and access is granted on a least-privilege basis.
  • Auditing: access and change logs over sensitive data, retained as the regulation requires.

10. Changes to this policy

If we update this policy, we'll change the "last updated" date at the top of the document and, if the changes are material, we'll let you know by email (if you're a customer) or with a visible notice on the website.

This document is meant to reflect real practice, not legal cover. If anything reads unclear, let us know.