Privacy policy
Updated on 13th May 2026
Introduction
This Privacy Policy describes how DALATEA TECHNOLOGIES, S.L. (hereinafter, “DALATEA”), with tax identification number B21850086 and registered office at Calle Limonero 22, 28020 Madrid, Spain, collects, uses, processes and protects the personal data of its users and customers (hereinafter, the "User" or "Customer") in the context of providing its services via the "DALATEA" website and platform (hereinafter, the "Platform").
At DALATEA, we are committed to protecting your privacy and to processing your personal data with the utmost care and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).
By using our Platform and services, you accept the practices described in this Privacy Policy. We recommend that you read it carefully.
1. Definition of personal data
‘Personal Data’ refers to any information relating to an identified or identifiable natural person. This includes, amongst other things, the first name, surname, postal and email addresses, and telephone number.
2. Principles of Personal Data Processing
At DALATEA, the processing of personal data is governed by the following principles set out in the GDPR:
1. Lawfulness, fairness and transparency: Data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose limitation: Data is collected for specified, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
3. Data minimisation: Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy: Data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Limitation of storage period: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
6. Integrity and confidentiality: Data is processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
3. Purposes of Processing, Lawfulness of processing, Retention Periods and Disclosures to Third Parties
Below, we detail the main purposes for which DALATEA processes your personal data, the legal basis legitimising such processing, the applicable retention periods and any disclosures to third parties:
A. Handling enquiries and requests for information (Contact Forms and Emails)
Purpose of Processing
To respond to enquiries, queries or requests for information made by the User via the Platform’s contact forms or by email.
Lawfulness of processing
DALATEA’s legitimate interest in responding to requests from its potential customers and users. Consent of the data subject upon submitting the form or email.
Retention Period
For the time necessary to manage and resolve the enquiry, and subsequently retained for the statutory limitation periods for potential claims.
Disclosures to Third Parties
No disclosure to third parties is envisaged, unless required by law.
B. Provision of DALATEA Platform Services (SaaS)
B.1. Registration and account management
Purpose of Processing
To manage the User’s registration and account on the Platform.
Lawfulness of processing
Performance of a contract or pre-contractual measures at the data subject’s request (Platform subscription).
Retention Period
For the duration of the contractual relationship and, once terminated, for the applicable statutory limitation periods (e.g. 6 years for commercial documentation, 10 years for anti-money laundering purposes).
Disclosures to Third Parties
Cloud infrastructure service providers (e.g. Amazon Web Services, Google Cloud Platform) for hosting the Platform and the data. Where applicable, payment service providers for the management of subscriptions.
B.2. Access to and use of Platform functionalities
Purpose of Processing
To enable access to and use of the Platform’s functionalities (AI-assisted and analyst-validated assessment of the client’s anonymised exposure data to identify potential reclassifications of risk-weighted assets (RWAs) in accordance with applicable provisions, to provide the client with a traceable report detailing: (i) the proposed adjustments, (ii) the regulatory basis for such adjustments, and (iii) the expected impact on the client’s CET1 capital ratio.).
Lawfulness of processing
Performance of a contract.
Retention Period
During the term of the contractual relationship and, once terminated, for the applicable statutory limitation periods.
Disclosures to Third Parties
Cloud infrastructure service providers.
B.3. Technical support and customer service
Purpose of Processing
To provide technical support and customer service for the resolution of incidents and queries relating to the use of the Platform.
Lawfulness of processing
Performance of a contract (subscription to the Platform) and DALATEA’s legitimate interest in maintaining the service’s operational functionality.
Retention Period
For the duration of the contractual relationship and, once it has ended, for the applicable statutory limitation periods.
Disclosures to Third Parties
Suppliers of support and incident management tools.
C. Sending of Commercial and Marketing Communications
Purpose of Processing
Sending commercial communications, news, offers and promotions relating to DALATEA’s services, by electronic or non-electronic means.
Lawfulness of processing
Consent of the data subject (where explicitly requested). DALATEA’s legitimate interest for existing customers, pursuant to Article 21.2 of the LSSI.
Retention Period
Until the data subject withdraws their consent or objects to the processing.
Disclosures to Third Parties
Communication delivery platforms (e.g. email marketing services).
D. Improvement and Maintenance of the Platform
Purpose of Processing
To carry out statistical and usage analyses of the Platform to improve its operation and design and to offer new features.
Lawfulness of processing
DALATEA’s legitimate interest in improving its products and services.
Retention Period
Anonymised or aggregated data indefinitely. Non-anonymised data for the time necessary for analysis and the implementation of improvements.
Disclosures to Third Parties
Web analytics service providers (e.g. Google Analytics), with guarantees of anonymisation or pseudonymisation.
E. Compliance with Legal Obligations
Purpose of Processing
To comply with legal, tax, accounting and administrative requirements.
Lawfulness of processing
Compliance with a legal obligation applicable to DALATEA.
Retention Period
For the periods established by law for each type of obligation (e.g. 4 years for tax obligations, 10 years for anti-money laundering).
Disclosures to Third Parties
Relevant public authorities (Tax Authorities, Social Security, Courts and Tribunals, etc.).
4. Customer Data (DALATEA as Data Processor)
When the Customer enters personal data of its own users, employees or third parties into the DALATEA Platform to obtain an assessment of anonymised exposure data for the purpose of identifying possible reclassifications of risk-weighted assets or the associated report, the Customer acts as the Data Controller of that data and DALATEA acts as the Data Processor, in accordance with Article 28 of the GDPR.
In this case, DALATEA undertakes to:
1. Process personal data only in accordance with the Customer’s documented instructions, including with regard to transfers of personal data to a third country or to an international organisation, unless required to do so under Union or Member State law applicable to DALATEA; in such a case, DALATEA shall inform the Client of that legal requirement prior to processing, unless such law prohibits it on important grounds of public interest.
2. Ensure that persons authorised to process personal data have undertaken to respect confidentiality or are subject to a statutory duty of confidentiality.
3. Adopt all appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, including, but not limited to, the measures described in section 6 of this Policy.
4. Assist the Client, taking into account the nature of the processing, through appropriate technical and organisational measures, wherever possible, so that the Client may fulfil its obligation to respond to requests for the exercise of data subjects’ rights.
5. Assist the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR (security of processing, notification of security breaches, impact assessment, prior consultation).
6. At the Client’s discretion, to erase or return all personal data once the provision of processing services has ended, and to erase existing copies unless the retention of personal data is required under Union or Member State law.
7. Make available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR, as well as to allow and assist in the conduct of audits, including inspections, by the Client or another auditor authorised by the Client.
4.1. Sub-processors
DALATEA may engage other data processors (sub-processors) to provide the services, such as cloud infrastructure providers (e.g. Amazon Web Services). DALATEA shall ensure that these sub-processors assume obligations equivalent to those set out in this Privacy Policy and in the data processing agreement, by entering into contracts in accordance with Article 28(4) of the GDPR.
4.2. International Data Transfers
Should it be necessary to carry out international transfers of personal data to countries outside the European Economic Area (EEA), DALATEA will ensure that such transfers are carried out in accordance with the GDPR, applying appropriate safeguards, such as the Standard Contractual Clauses approved by the European Commission, and adopting additional measures where necessary to ensure a level of protection equivalent to that in Europe.
5. Security of Your Personal Data
DALATEA has implemented and maintains an Information Security Management System (ISMS) based on recognised standards, such as ISO/IEC 27001, to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include:
1. Formalised information security policies.
2. Role-based logical access controls and the principle of least privilege.
3. Secure authentication mechanisms.
4. Encryption of communications and, where appropriate, of stored information.
5. Security incident management procedures.
6. Regular backups and business continuity and disaster recovery plans.
7. Continuous assessment and improvement of security levels.
DALATEA periodically reviews and updates these measures to adapt to evolving risks, the state of the art and applicable regulatory requirements.
6. Use of Cookies
The DALATEA Platform uses cookies to improve the User’s browsing experience, analyse the use of the Platform and offer specific features. Cookies are small text files that are stored on the User’s device when accessing the Platform.
For detailed information on the cookies we use, their purposes, the legal basis for their use, retention periods and how to manage them, please refer to our specific Cookies Policy.
7. Users’ Rights
You have the right to exercise the following rights in relation to your personal data:
1. Right of Access: To obtain confirmation as to whether DALATEA is processing your personal data and, if so, to access it.
2. Right to Rectification: To request the correction of inaccurate or incomplete data.
3. Right to Erasure (Right to be Forgotten): To request the erasure of your personal data where, amongst other reasons, it is no longer necessary for the purposes for which it was collected.
4. Right to Restriction of Processing: To request the restriction of the processing of your data, in which case we will only retain it for the purpose of exercising or defending legal claims.
5. Right to Data Portability: To receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another data controller.
6. Right to Object: To object to the processing of your personal data, in which case DALATEA will cease processing them, except on grounds of compelling legitimate interests or for the establishment, exercise or defence of legal claims.
7. Right to Withdraw Consent: To withdraw your consent at any time, without this affecting the lawfulness of processing based on consent prior to its withdrawal.
To exercise any of these rights, you may send a message to our Data Protection Officer at the email address info@dalatea.com, attaching a copy of your ID card or equivalent identification document. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if you consider that your rights have not been properly addressed.
8. Changes to the Privacy Policy
DALATEA reserves the right to amend this Privacy Policy at any time to bring it into line with new legislation, case law or changes in business practice. Any amendments will be published on the Platform and, in the event of substantial changes, we will notify you electronically (e.g. by email) so that you can review the changes before they come into effect. Your continued use of the Platform following the publication of the changes will constitute your acceptance of them.
9. Contact
If you have any questions or concerns regarding this Privacy Policy or the processing of your personal data, you may contact us via the Data Protection Officer’s email address: info@dalatea.com.