1. Introduction

We maintain a strong commitment to the privacy of individuals, and therefore the protection of personal data is important to us.

We process personal data in accordance with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights, and all other applicable regulations currently in force.

This Privacy Policy was reviewed in May 2025 in order to comply with the information and transparency obligations applicable both to the website and, more generally, to the data controller. Its purpose is to provide any type of data subject — not only website users — with the general terms governing the controller’s data protection practices. Variations may occur until the next review.

2. Who is responsible for processing your data?

Data Controller: EL CIRUELO S.L.

Tax ID (NIF/CIF): B30212690

Address: CTRA. ALHAMA – CARTAGENA, KM. 2.5, 30840 ALHAMA DE MURCIA (MURCIA), SPAIN

Email: [email protected]

3. What is the origin and type of data we process?

The information we process may originate from any of the following sources:

• Paper, electronic, or digital forms
• Communication and messaging systems, such as email applications, messaging apps, telephone, etc.
• Other lawful sources of information

Depending on the type of data subject (user, client, supplier, employee, etc.), the nature of the controller’s activity, and the different processing activities carried out, the categories of data we may process include:

• Identification data, for example: name and surname, photo.
• Identification codes or credentials, for example: username, employee ID
• Postal or electronic contact details, for example: telephone number, email address, social media profile
• Personal and professional characteristics, for example: age, date of birth, qualifications, professional experience, curriculum vitae
• Economic, financial and insurance data, for example: bank details, credit card information, etc.
• Payroll-related economic and non-economic data and other employment-related information, for example: job position, payroll document, etc.
• Transaction data, for example: goods and services supplied and received
• Special categories of data, for example: health data, trade union membership, racial origin
• Other data and information necessary or implicit in the development of our activities, services, and corporate purpose

Mandatory or Optional Nature of the Information Provided by the Data Subject

By checking the corresponding boxes and entering data in the fields marked as mandatory (for example, with an asterisk) in the contact form or in download forms, the data subject expressly, freely, and unequivocally accepts that their data is necessary for the controller to process their request. The inclusion of data in the remaining fields is voluntary.

The data subject guarantees that the personal data provided to the controller is accurate and undertakes to notify the controller of any changes thereto. The data requested through the website and marked as mandatory is necessary to provide an optimal service to the data subject. If all required data is not provided, it cannot be guaranteed that the information and services supplied will fully meet their needs.

4. For what purpose do we process your personal data?

In general, personal data is processed in order to successfully carry out the actions inherent in the normal development and management of the controller’s activities. More specifically, the purposes of processing may vary depending on the category of data subject:

Clients and Prospective Clients

Management and maintenance of commercial, pre-contractual and contractual relationships; internal administration; financial management; advertising and marketing; customer service.

Collaborators, Creditors and Suppliers

Management and maintenance of commercial relationships; internal administration and financial management.

Employees

Management, development and maintenance of the employment relationship; human resources management; communications; training activities; occupational risk prevention; working time recording; and other purposes arising from legal obligations and the development of employment relationships.

Candidates

Management of CVs received; management of job offers and recruitment processes.

Website and Social Media Users

User support and management of communications between the parties.

Visitors

Visitor assistance and access control to the facilities.

Any other category of data subject whose information is processed by the controller will be handled within the framework of its activity, in strict compliance with applicable regulations and under the general criteria established in this Privacy Policy.

Additional general purposes that the controller may implement include:

• The creation of a commercial profile in order to improve your experience by personalizing offers and communications. No automated individual decisions will be made based on this profile, and processing will be carried out on the basis of legitimate interest.
• Video surveillance for the security of property and individuals, as well as workplace monitoring, based on legitimate interest.
• Telephone switchboard management, including the recording of communications for security, quality assurance, and service guarantee purposes, based on legitimate interest.
• Financial management and control of monetary obligations. In the case of debtors with certain, due and payable outstanding payments, the controller may communicate this circumstance to credit solvency databases, debtor registers, and debt management or recovery services, among others, based on legitimate interest.
• Communications: development and execution of communications through available contact methods (email, instant messaging, etc.) with internal data subjects (employees) and external data subjects (clients, prospects, collaborators, suppliers, etc.). The purposes of such communications may be informational, organizational, commercial, or advertising, as appropriate, based on informed consent and legitimate interest.
• Other purposes derived from the nature of the controller and justified by the normal development and exercise of its activities, based on a valid legal basis.

5. How long will we retain your data?

In general, personal data will be retained for at least as long as a relationship exists with the data subject, until its deletion is requested, as long as liabilities may arise, or for as long as there is a legal obligation requiring its retention.

With regard to candidate and job applicant data, it will be deleted immediately when it is no longer of interest to the controller.

The data controller maintains, within its data protection plan, a record of retention periods, which it follows in order to manage the different applicable retention timeframes.

Data deletion will in all cases be carried out in a manner that ensures its confidentiality.

6. What is the legal basis for processing your data?

The controller observes and applies the different lawful bases that are applicable to each specific processing purpose. These include:

• The informed consent of the data subject
• Pre-contractual or contractual commitments
• The legitimate interest of the controller
• Applicable legal obligations
• Other legally established lawful bases

7. To whom will your data be disclosed?

Personal data will not be disclosed to third parties by default, except in the following cases:

• a) Auxiliary service providers, authorized data processors, or other necessary third parties involved in the proper provision of goods and services;
• b) Competent public authorities and administrations in the exercise of their functions;
• c) Other legitimate interested parties and third parties as legally provided for.

8. What are your rights when you provide us with and/or we process your data?

As a data subject, you may at any time request the exercise of any of the following rights granted to you under data protection regulations:

• Access: Access to your personal data in order to confirm whether or not we are processing data concerning you and to obtain further information about such processing.

• Rectification or Erasure: Rectification or deletion of personal data concerning you when, among other reasons, it is inaccurate or no longer necessary for the purposes for which it was collected.

• Restriction of Processing: Restriction of the processing of your personal data in certain circumstances, in which case it will only be retained for the establishment, exercise, or defense of legal claims, for the protection of the rights of another person, or for reasons of public interest.

• Data Portability: To receive the personal data concerning you, which you have previously provided to us, in a structured format where possible.

• Objection: To object to the processing of your data in certain circumstances and on grounds relating to your particular situation. The company will cease processing your data unless there are compelling legitimate grounds or it is necessary for the establishment, exercise, or defense of legal claims.

• Withdrawal of Consent: To withdraw your consent at any time, which may result in the termination or cancellation of any existing business or contractual relationship, where applicable. This is without prejudice to processing carried out prior to the withdrawal of consent.

To exercise these rights, you only need to contact us via the email or postal address indicated above.

You may also contact our designated Data Protection Officer or the relevant Data Protection Authority to obtain further information about your rights or to request the protection of those rights by the supervisory authority.

9. Data Security

We implement the necessary technical and organizational measures within our information systems to ensure an appropriate level of confidentiality, integrity, availability, and resilience of personal data, in order to protect the rights and freedoms of data subjects.

The controller complies with the provisions and principles set out in the GDPR, processing data in a lawful, fair, and transparent manner in relation to the data subject, and ensuring that data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

However, to the extent permitted by applicable law, we do not assume liability for damages resulting from alterations that third parties may cause to our information systems. Any security breach will be duly and promptly reported to the competent authority and/or law enforcement agencies.

10. Sending Communications or Information

Our policy regarding the sending of information through electronic means (email, instant messaging, etc.) is limited to sending only communications that we consider to be of interest to our users and stakeholders, in connection with the company’s functions and activities, or communications that you have consented to receive.

If you prefer not to receive such messages, we will provide you, within those communications, with the possibility to exercise your right to unsubscribe and opt out of receiving them, in accordance with the provisions of Title III, Article 22 of Law 34/2002 on Information Society Services and Electronic Commerce.

11. Social Media

The controller may maintain a presence on social media through the corresponding official profiles. This section, together with any legal and privacy terms published on the website, shall apply to the processing of data of users or interested parties who follow or otherwise connect with such profiles.

The purposes of using these profiles by the controller include communication, business development, marketing and advertising, handling inquiries submitted to the controller, customer service, providing information about actions, activities, and events organized by or involving the controller, and interacting through official profiles.

The legal bases set out in Section 6 above are complemented in this context, as the user or data subject may have a profile on the same social network as the controller and has decided to join or connect with the controller’s profile, thereby expressing interest in the information published by the controller. By following the controller’s profiles, the user provides consent for the processing of data available on their profile.

Users may access at any time the privacy policies and terms of the corresponding social network, as well as configure the privacy settings applicable to their profile.

Content published by users may be visible to other users; therefore, users themselves are primarily responsible for their own privacy.

Users who follow and/or participate in our profiles must refrain from:

• Publishing content or information that is contrary to the law, morality, or good faith. Any unlawful, harmful, inappropriate, or disruptive use or behavior that may generate negative opinions on the profile or infringe the rights of individuals is prohibited.
• Acting in a manner contrary to the principles of legality, honesty, responsibility, protection of human dignity, protection of minors, protection of public order, protection of privacy, consumer protection, and intellectual and industrial property rights.

The controller reserves the right to remove, without prior notice, any content considered inappropriate.

Likewise, the controller assumes no responsibility for the security measures implemented by each social media platform; users must familiarize themselves with the legal terms, privacy policies, and conditions of use of the respective platform.

The controller shall be expressly exempt from any liability that may arise from the use of social media by minors or persons with special capacities. The controller’s social media profiles do not knowingly collect personal information from minors.

Therefore, if a user is a minor, they must not register on, use, or provide any personal information through the controller’s social media profiles. In Spain, in particular, the processing of personal data of minors may only be based on consent from the age of 14.

Furthermore, where required by applicable regulations, or in the case of users with special capacities, the intervention of a parent, guardian, or legal representative shall be required, supported by valid documentation evidencing such representation.

12. Employment and Candidate Management

Individuals interested in applying for job opportunities with the controller may provide their data and professional information through different channels, preferably via the available forms, email addresses, and other designated means established for this purpose.

Such data will be processed in accordance with the present Privacy Policy for the purpose of managing applications for potential job vacancies, internships, and training opportunities within the controller entity and any affiliated companies or entities belonging to the same corporate group, where applicable.

Processing will be carried out on the basis of the data subject’s informed consent or another valid legal basis.

If the data provided is not of professional interest to the entity, or once it is no longer necessary for the purposes for which it was collected, it will be deleted, ensuring its confidentiality and anonymization.

Any data subject may withdraw their consent and exercise the rights granted to them under data protection regulations in accordance with the terms set out in this Privacy Policy.

13. Ethics Channel

The data provided by any data subject through the procedures available in our Ethics Channel will be processed on the basis of informed consent, the legitimate interest of the controller, and compliance with legal obligations.

The purpose of processing will be the management and oversight of communications and reports submitted under the conditions established in our Ethics Channel.

The data of any data subject or affected party — including the individual submitting the communication or report, employees, and third parties — will be retained only for the time strictly necessary to determine whether investigative action should be taken.

In any event, the information provided will be deleted, ensuring its confidentiality, once the legally established retention or evidence preservation periods have expired.

No automated decision-making will be carried out, nor will profiling be conducted in relation to the information and data collected.

Data may be disclosed to third parties where necessary for the adoption of disciplinary measures or for the initiation of any applicable judicial proceedings.

Any data subject may exercise their data protection rights under the terms set out in this Privacy Policy.

Users should be aware that the information and data provided are confidential and restricted in nature.