Privacy policy.

1. Who we are.

The controller of your personal data is Simbiotica, S.L. ("Vizzuality"), a company with tax ID (CIF) B85781052, headquartered at Calle Fuencarral 123, 28010 Madrid, Spain.

At Vizzuality, we are committed to your right to the protection of personal data. This Privacy Policy describes how we process personal data in the context of our website (vizzuality.com), our services, and our recruitment activities, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).

2. Privacy contact.

For any question related to the processing of your personal data, or to exercise your rights (Section 10), you can contact us at: hello@vizzuality.com.

Data Protection Officer: Vizzuality has not appointed a Data Protection Officer, as it is not required to do so under Art. 37 GDPR or Art. 34 LOPDGDD given its size and the nature of its processing activities. All privacy-related enquiries are handled through the contact address above.

3. What personal data we collect

Depending on how you interact with us, we may process the following categories of personal data:

Data you provide to us directly

Identification and contact data: full name, email, telephone, postal address, country of residence.
Content of your enquiries: the text of messages you send us through the contact form or by email.
Professional data, where applicable: organisation, role, sector of activity.
Candidate data: CV/resume, cover letter, education, work history, certifications, languages, portfolio and professional profile links (LinkedIn, GitHub, etc.) — see Section 9.
Any other data you voluntarily provide to us.

Data collected automatically

Browsing data collected through cookies and similar technologies (Section 11): IP address, device and browser information, pages visited, referring URL, approximate location derived from the IP address.

Data obtained from third parties

Where we receive information about you from a third party — for example, a recruitment agency, an employee referral, a public professional profile such as LinkedIn, or a client who has introduced you to us — we will inform you at the earliest opportunity and will identify the source of the data.

We ask that you do not share with us any special categories of personal data (health, religion, political opinions, trade union membership, sexual orientation, racial or ethnic origin, biometric data) unless strictly necessary — for example, to request reasonable accommodations for an interview. Where you do, we will process such data on the basis of your explicit consent (Art. 9.2.a GDPR) and solely for the purpose for which you provided it.

4. Why we process your data and on what legal basis

We process your personal data for the purposes set out below. Each purpose has its own specific legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR for special categories of data):

Purpose	Legal basis (GDPR)	Retention
Responding to contact form enquiries and maintaining pre-contractual communications.	Art. 6.1.b — pre-contractual measures taken at your request.	Up to 1 year after the last interaction, unless a contractual relationship is established.
Provision of services to clients and management of the contractual relationship.	Art. 6.1.b — performance of a contract to which you are party.	Duration of the contract, plus the periods required under applicable law (typically 6 years for accounting records per Art. 30 of the Spanish Commercial Code; up to 10 years under Ley 10/2010 where anti–money-laundering obligations apply).
Recruitment and selection of candidates (see also Section 9).	Art. 6.1.b — pre-contractual measures at your request; Art. 6.1.a — consent, where a separate consent is given for specific purposes (talent pool, reference checks).	Up to 1 year after the end of the selection process; up to 2 years if you consent to the talent pool; longer if you are hired (see Section 9).
User research, product feedback and voluntary interviews.	Art. 6.1.a — your consent, obtained at the time of participation.	Until you withdraw your consent or for the duration of the specific research project, whichever is shorter.
Sending informational or commercial communications about Vizzuality's services to existing clients, in relation to similar services.	Art. 6.1.f — legitimate interest, subject to a documented balancing test and your right to object at any time; Art. 21.2 LSSI-CE.	Until you object, unsubscribe or withdraw consent.
Website security, fraud prevention, logging and debugging.	Art. 6.1.f — legitimate interest in maintaining the security and integrity of our systems, subject to a documented balancing test.	Access logs retained for up to 12 months.
Compliance with legal, tax, social security and accounting obligations.	Art. 6.1.c — compliance with a legal obligation to which we are subject.	As required by the applicable legislation.

Electronic commercial communications: unsolicited commercial communications sent by electronic means to individuals who are not existing clients will only be sent with your prior, express and informed consent, in accordance with Art. 21 of Law 34/2002 on Information Society Services (LSSI-CE). Vizzuality does not currently send such communications.

5. Recipients of your data

We share your personal data only with the following categories of recipients, all of whom are bound by written agreements and, where they act as processors, by Data Processing Agreements that meet the requirements of Art. 28 GDPR:

Service providers acting as processors

Google LLC (United States) — provider of Google Workspace (email and documents used for internal communications), Google Meet (used for remote interviews), Google Analytics (website audience measurement) and Google reCAPTCHA (anti-bot protection on forms). Transfers to the United States are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

Bamboo HR LLC (United States) — provider of our Applicant Tracking System, used for recruitment purposes (see Section 9). Transfers to the United States are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

Webflow, Inc. (United States) — provider of our website hosting and content management platform. Transfers to the United States are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

Cloudflare, Inc. (United States) — provider of content delivery, security and anti-bot services (Turnstile) for our website. Transfers to the United States are covered by the EU–US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

Finsweet Pty Ltd (Australia) — provider of Consent Pro, our cookie consent management tool. Transfers to Australia rely on Standard Contractual Clauses where required.

A current list of processors is available on request.

Other recipients

Vizzuality staff involved in the relevant process (for example, hiring managers, team leads, People Operations or client account managers) may access your data on a need-to-know basis, bound by strict confidentiality obligations.

Public authorities (tax and social security authorities, courts, law enforcement) may receive your data where disclosure is required by law. Such authorities act as independent controllers.

We do not sell, rent or otherwise make your personal data available to any third party for marketing purposes.

6. International data transfers.

Some of our processors — notably Google LLC, Bamboo HR LLC, Webflow, Inc. and Cloudflare, Inc. — are located in the United States. Transfers of personal data to the United States are therefore carried out under the following safeguards:

The EU–US Data Privacy Framework, where the recipient is certified under it;
Standard Contractual Clauses adopted by the European Commission, together with supplementary technical and organisational measures appropriate to the risk.

You may request a copy of the applicable safeguards by writing to hello@vizzuality.com.

7. Automated decision-making and artificial intelligence.

We do not make decisions about you based solely on automated processing that produces legal or similarly significant effects. All decisions that affect you in a material way — including, in particular, hiring decisions — involve meaningful human review.

We may use anonymised or aggregated data (which cannot be used to identify you) to improve our services or to evaluate and develop algorithms, including AI models used for internal analysis. Where we use third-party AI services on content that may contain personal data, we do so under contracts that restrict further use of that data by the provider, and subject to the safeguards set out in Sections 5 and 6.

8. Security and confidentiality.

Vizzuality holds ISO/IEC 27001 certification for its Information Security Management System. We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, including access controls, encryption in transit and at rest where appropriate, logging, staff training and supplier due diligence.

All processors listed in Section 5 are bound by written agreements requiring equivalent security standards and assisting us with our obligations under Arts. 32 to 36 GDPR.

9. Recruitment and selection of candidates.

This section applies specifically to personal data processed when you apply for a position at Vizzuality — whether through our careers page, our applicant tracking system (BambooHR), by emailing us directly, via recruitment agencies, or through referrals.

9.1 Data we process

Identification and contact data: full name, email, telephone, postal address, nationality.
Professional data: CV/resume, cover letter, education, work history, certifications, languages, portfolio and professional profile links (LinkedIn, GitHub, etc.).
Application responses: answers to questions in our application form.
Interview data: notes taken during interviews, assessment and technical test results, and recordings of Google Meet sessions only where you have been informed in advance and have consented.
Reference data: only where provided by you, and with your prior consent to contact your referees.
Right-to-work documentation: where relevant at the offer stage.

We ask candidates not to include special category data in their applications unless strictly necessary (see Section 3).

9.2 Purposes and legal bases

We process your personal data as a candidate for the following purposes:

Managing your application for a specific role — including reviewing your CV, organising interviews, evaluating your suitability and communicating with you. Legal basis: Art. 6.1.b GDPR (pre-contractual measures at your request).
Conducting reference checks — only where relevant, and solely after you have given your prior consent to us contacting your referees. Legal basis: Art. 6.1.a GDPR (your consent).
Retaining your profile in our talent pool for future openings — subject to a separate opt-in checkbox distinct from the application itself. Legal basis: Art. 6.1.a GDPR (your consent).
Defending against potential legal claims arising from the selection process. Legal basis: Art. 6.1.f GDPR (our legitimate interest), subject to a documented balancing test.
Compliance with labour, tax and social security obligations if you are hired. Legal basis: Art. 6.1.c GDPR (compliance with a legal obligation).

9.3 Retention

If you are not selected, we retain your application data for up to one (1) year after the end of the selection process, for the purpose of defending against potential claims.
If you consent to the talent pool, we retain your CV for up to two (2) years, after which we will either ask you to renew your consent or delete your data. You may withdraw your consent at any time.
If you are hired, your data will migrate to your employment file and be retained in accordance with applicable labour, tax and social security legislation (typically 4 to 10 years depending on the document type).
Interview recordings, where made, are deleted within 30 days of the conclusion of the selection process.

9.4 Recipients

For recruitment purposes, we share your data with BambooHR (our applicant tracking system) and Google LLC (for remote interviews and internal communications), as described in Section 5. Internally, your data is accessed by the hiring manager, team leads involved in the selection and People Operations staff, all bound by confidentiality obligations.

9.5 Sources

We collect candidate data primarily from you. Where we receive information about you from a third party — recruitment agency, employee referral, or a public professional profile such as LinkedIn — we will inform you at the earliest opportunity.

10. Your rights

You have the following rights in relation to your personal data:

Access: obtain confirmation of whether we process your personal data and, if so, access to that data and information about the processing.
Rectification: have inaccurate personal data corrected or incomplete data completed.
Erasure: have your data deleted ("right to be forgotten") where the legal conditions are met.
Restriction: request that we restrict the processing of your data in certain circumstances.
Objection: object to processing based on our legitimate interests (Art. 6.1.f), including for direct marketing purposes.
Portability: receive your data in a structured, commonly used and machine-readable format, where the processing is based on consent or contract and is carried out by automated means.
Withdraw consent: withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before withdrawal.
Not to be subject to solely automated decisions that produce legal or similarly significant effects.

You may exercise these rights free of charge by writing to hello@vizzuality.com or to the postal address in Section 1, identifying the right you wish to exercise. In marketing communications, you may also unsubscribe using the link provided in each message.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), www.aepd.es.

‍

11. Cookies

Consent is obtained before any non-essential cookie is set. When you visit our website for the first time, a cookie banner allows you to accept all cookies, reject all non-essential cookies, or configure your preferences. The "Reject all" option is presented with the same prominence as "Accept all". You can change your cookie preferences at any time using the cookie settings link in the footer of our website.

Strictly necessary cookies, which are required for the website to function, do not require your consent and cannot be disabled.

11.1 What is a cookie?

A cookie is a small file that is downloaded to your device when you access certain websites. Cookies, and similar technologies (local storage, pixels, tags), allow a website to store and retrieve information about a user's device and browsing activity. Depending on the information they contain and how you use your device, they can be used to recognise the user.

11.2 What cookies we use

The cookies set on our website fall into the following categories. A full and current inventory is always available in our Cookie Settings panel, accessible from the footer of every page.

Strictly necessary

Required for the website to function and to store your cookie consent preferences. These cookies do not require consent and cannot be disabled.

Cookie	Provider	Purpose	Duration
fs-cc	Finsweet Pty Ltd (Consent Pro)	Stores your cookie consent preferences.	Up to 1 year
_cfuvid	Cloudflare, Inc.	Identifies the visitor session for security and rate-limiting purposes (bypasses Cloudflare's caching).	Session

Additional security-related cookies may be set temporarily when you interact with specific features — for example, anti-bot challenges (Cloudflare Turnstile, Google reCAPTCHA) when submitting a form.

Statistics

Help us understand how visitors use our website, on an aggregated basis. These cookies are set only if you give your consent.

Cookie	Provider	Purpose	Duration
_ga, _ga_#	Google LLC (Google Analytics)	Distinguishes unique users and sessions for traffic analysis.	Up to 2 years

Marketing and embedded third-party content

Some pages on our website include content embedded from third-party services — notably YouTube video players (from Google LLC), served through the youtube-nocookie.com domain where possible. When you interact with such content, the third party may set cookies on your device to measure playback, remember preferences, and estimate engagement. These cookies are controlled by the third party, not by Vizzuality; the specific cookies set depend on whether you are logged in to the third-party service and on your interaction with the embedded content.

‍

These third-party cookies are loaded only after you have given your consent for the Marketing category. For full details, please refer to the cookie policies of the respective providers (in particular, Google's Privacy & Terms).

11.3 Managing cookies

You can manage cookies through our Cookie Settings panel, accessible from the footer of every page, or through your browser settings. Most browsers allow you to view, manage, delete and block cookies. If you block all cookies, some parts of the website may not function as intended.

12. Children's privacy

Our services and website are not directed to individuals under the age of 14 (the minimum age under Spanish law for valid consent to the processing of personal data by information society services, per Art. 7 LOPDGDD). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected such data, we will delete it promptly.

13. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities or in applicable law. When we do, we will update the "last updated" date at the top of this document and, where the changes are material, we will notify you by a reasonable means (for example, a notice on our website or, where we have your contact details, by email).

‍

This Privacy Policy was last revised on April 2026.

‍

Cookie preferences