Privacy Policy

Last updated: 04/09/2026

Data Origin, S.L. (hereinafter "DATA ORIGIN") is the owner of the domain https://dataorigin.es/es/ as well as this website and/or the web App and/or any other type of software developed, operated and/or maintained by DATA ORIGIN (hereinafter the "Platform").

Through this document, DATA ORIGIN's Privacy Policy is made available to the User (hereinafter also referred to as "User", "Data Subject" or "you") in order to describe the personal information we collect, the purpose for which we use it and, in general, the processes and ways in which we process it during the course of the use and/or of the Platform by Users (both registered and unregistered depending on the processing) during their navigation through it.

DATA ORIGIN may make this Privacy Policy available to the User in different languages. In such case, this Spanish version shall prevail in the event of any interpretive conflict.

1. WHO IS THE DATA CONTROLLER?

Data Origin, S.L.
Tax ID (N.I.F.): B55398382
Registered address: Calle Poeta Mas y Ros, number 16, door 11, 46021, Valencia
Email: info@dataorigin.es

If you wish to contact us regarding your personal data, you may do so at the address indicated above.

The Data Controller shall be referred to alternatively as "DATA ORIGIN", the "Controller" or "us".

2. WHAT ARE THE DETAILS OF THE PROCESSING OF YOUR DATA?

We collect and process the information that the User provides to us or to which we have access during navigation within our Platform environment, website and through the use of the Services provided through it, or through third parties, under the terms set out in this Privacy Policy. In the following section you will find more details about the data processing carried out, according to its purpose:

3. PROCESSING ACTIVITIES AND PURPOSES FOR WHICH WE PROCESS YOUR DATA

The processing of your personal data is carried out for the following purposes:

3.1 Platform Functionality

Purpose: to enable Users to use and navigate the Platform, ensuring that it functions correctly, allowing technical updates and maintenance, and improving the navigability and performance of the website or app based on anonymized usage data.
Categories of data processed: Traffic data (browsing data, including IP address, browsing habits, usage preferences, language, operating system, approximate location by region and country of access, terminal operating system); Anonymized statistical data; as well as websites visited, time spent, browsing patterns and user interaction in the event of consent to cookies and tracking technologies.
Categories of Data Subjects: Registered and unregistered Users who use the Platform.
Method of collection: shared by the User through navigation within the Platform environment.
Legal bases: Legitimate interest of DATA ORIGIN and consent of the Data Subject when required by DATA ORIGIN.

3.2 Security and Fraud Prevention

Purpose: We collect and analyze traffic data on our website to ensure the security of our users, prevent fraud, conduct timely investigations and use the information for potential claims.
Data processed: Traffic data (IP address, browser type, visit duration, access logs, failed login attempts, suspicious activity and similar information).
Category of Data Subjects: Registered and unregistered Users who use the Platform.
Method of collection: shared by the User through navigation within the Platform environment.
Applicable legal basis: Compliance with legal obligations; and legitimate interest in defense against potential claims.

3.3 Commercial Prospecting

Purpose: to enable Data Subjects to contact DATA ORIGIN to request a meeting or trial of the Platform and to collect basic contact information to manage requests made through DATA ORIGIN's Platform to display products, commercial offers and manage the potential contracting of services.
Categories of data processed: identification data (first and last name); corporate contact data (including email address, phone number); professional data (company, position and trade fair to be attended).
Method of collection: Directly from the User when completing the form.
Categories of Data Subjects: Data of Data Subjects wishing to contract the Services or a trial version. Data of subordinates, workers or those having a dependency relationship with the Data Subject.
Legal bases: the processing is necessary for the performance of a contract to which the Data Subject is party or for the application, at the request of the latter, of pre-contractual measures; as well as the consent of the Data Subject when they provide their consent through a form, where applicable. In the event that the Data Subject contacts DATA ORIGIN directly, we may rely on our legitimate interests upon receiving a request from the Data Subject.

3.4 Provision of Platform Services

Purpose: Provision of Platform services consisting of a tool that enables registered users to create a user profile and access identification and contact information of other users and of professionals and companies that have participated in professional trade fairs (exhibitors, participants, attending companies and sponsors) and have shared their information publicly.

As part of the Services, the Platform may enable automated interaction functionalities, through which the user may send automated communications to other participants of a professional trade fair available on the Platform, on behalf of or on account of the registered User using the service, with the purpose of facilitating professional contact between participants.

These communications may include, among other functionalities, (i) the automated sending of professional contact messages, (ii) the presentation of the registered User's professional profile (including, where applicable, their name, company, position or visible photograph) and (iii) the proposal or scheduling of meetings between trade fair participants through the agenda tools available on the Platform. This functionality shall only be available to registered Users who have an active account linked to the corresponding professional trade fair and in respect of participants who have made their professional information public in the context of such trade fair or professional event.

When the User voluntarily decides to connect the Platform with other channels (such as LinkedIn, or other enabled channels) they will necessarily share their email address, user number and password of such channel, among other data necessary for access to the channel.

Categories of data processed:

Identification and contact data (first name, last name, professional email, phone).
Registered user access data (password and username).
Profile photo or user avatar.
Biography included by the user on the platform.
Tax address.
Professional data: role, position, or job title.
Events attended.
Language.
Link to the User's LinkedIn account.
Banking and payment data (including some digits of their bank card), where necessary to guarantee payment;

Categories of Data Subjects:

Users accessing the Platform.
Data of attendees, representatives, authorized persons, subordinates, workers or those having a dependency relationship with the Client, in respect of whom we shall act as Data Processor.
Attendees at professional trade fairs.

Method of collection:

Registered Users: directly from the User when accessing the Platform.
Through professional trade fairs that make participants' professional information public.

Legal bases:

In relation to Client data: the processing is necessary for the performance of a contract to which the Data Subject is party; where applicable, it may be based on the consent of the Data Subject.
In relation to data of participants in professional trade fairs: they shall be processed on the basis of our legitimate interest, in accordance with article 19 LOPD. You can obtain more information in the section "4. Where does your data come from?" of this Policy.

Processing based on our legitimate interests is carried out in order to ensure the purposes indicated, taking into account that the interests or rights and freedoms of the Data Subject do not prevail over those of the controller and the reasonable expectations of the Data Subjects, bearing in mind that there are no other less invasive means to achieve the purposes; that no impairment of the fundamental rights of the Data Subject occurs, that the personal data is not of a special nature, that DATA ORIGIN does not occupy a dominant position vis-à-vis the Data Subjects, and that the data processed is exclusively professional and contact data publicly shared by the data subject in their professional activity when attending a trade fair.

Retention period:

In relation to User data, it shall be processed for the duration of the Service provision, with a limit of 2 years in the event of inactivity.
In relation to data of participants in professional trade fairs, it shall be processed until they request objection to the processing or erasure of the information.

Upon expiry of the retention period, data may be blocked during the legally prescribed periods to comply with regulatory obligations, including tax, commercial and anti-money laundering regulations, as well as during the statutory limitation periods.

3.5 Sending commercial communications from DATA ORIGIN (personalized and non-personalized) to clients, registered or unregistered Users who subscribe to the newsletter

Purpose: Sending commercial communications, offers, promotions, or similar content, for the products offered by DATA ORIGIN, unless the User objects to such processing or revokes their consent. Likewise, in the event of obtaining the Data Subject's consent, personalized commercial communications may be sent.
Data processed: identification data (first and last name) and contact data (email address) and communication preferences.
Method of collection: directly from the User, through registration in forms, newsletter or through registration on the Platform.
Legal bases:
- In relation to unregistered Users and in the case of personalized communications to registered Users: it shall be based on the consent of the Data Subject.
- In relation to registered Users and/or clients, it may be based on the legitimate interests of DATA ORIGIN in informing Users about its products or relevant information.
- In relation to the sending of commercial communications on the basis of legitimate interest, its legal basis is found in Recital 46 of the GDPR and in article 21.2 LSSI, establishing, in relation to the prohibition of sending commercial communications, that "it shall not apply when there is a prior contractual relationship, provided that the provider has lawfully obtained the contact details of the recipient and uses them to send commercial communications relating to products or services of their own company that are similar to those initially contracted with the CLIENT.
- For its part, Recital (46) establishes that "The legitimate interest of a controller, including that of a controller to whom personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a CLIENT or in the service of the controller."
- In relation to such legal provisions, in the present case, the sending of commercial communications is carried out (i) under the contractual relationship existing between the Data Subject or participant and the Controller; (ii) following the direct sharing of data by the Data Subjects; (iii) in relation to products or services offered directly by the Controller and; (iv) ensuring that the Data Subject can object to the processing of their data for promotional purposes.
- Likewise, the balancing test has been carried out taking into account the following factors: That there are no other less invasive means to achieve the purpose. That no impairment of the fundamental rights of the Data Subjects occurs; The nature of the personal data being processed: they are not considered specially protected data, in accordance with art. 9 GDPR; That the Controller does not occupy a dominant position vis-à-vis the participating Data Subjects. That the data shall be processed internally by the controller(s).
Retention period: data shall be processed until the User withdraws their consent, objects to the processing or deletes their account. Upon expiry of the period, data may be blocked during the legally prescribed periods to comply with regulatory obligations, including tax, commercial and anti-money laundering regulations, as well as during the statutory limitation periods.
Communication: your data shall not be disclosed to third-party companies, except to those providing IT, technological and/or technical services, and solely for the purpose of ensuring the sending of commercial communications from DATA ORIGIN. Your data shall not be sold to third parties.

3.6 Recruitment

Purpose: To manage the participation of interested parties who take part in personnel selection processes through the Platform, social networks, email or other means through which the offer is published. The processing shall include the receipt of the CV for participation, its evaluation and subsequent communication to accept or reject the application; and likewise the retention of CVs to keep the participant informed about future vacancies (in the event of having obtained their consent) through the communication channels consented to by the Data Subject or applicable by the nature of the selection process.
Categories of data processed: identification data (first and last name); contact data (email address, phone, postal address); professional and educational data; and social media profiles (where applicable). Furthermore, the data subject may voluntarily share other types of personal data not requested by DATA ORIGIN, with their consent.
Categories of Data Subjects: Persons who submit their CV or apply for a job candidacy at DATA ORIGIN.
Method of collection: directly from Users, when they contact DATA ORIGIN directly, or through external providers subcontracted for the management of candidacies.
Legal bases: the consent of the User; the performance of a contract or pre-contractual measures.
Retention period: for the time necessary to guarantee the purposes, 18 months from the receipt of the data or from its update, unless the data subject renews their consent.
Communication: your data shall not be disclosed to third-party companies for this purpose, except to recruitment and/or HR companies that manage job offers on our behalf, where necessary and provided that the User has been previously informed. Your data shall not be sold to third parties.

3.7 Resolution of inquiries made by the User

Purpose: To ensure communication by Users with DATA ORIGIN for customer service inquiries, complaints, or similar matters, through any of the contact points made available to the User, including forms, electronic or postal addresses.
Categories of data processed: identification data (first and last name) and contact data (email address and/or phone number).
Categories of Data Subjects: Registered and unregistered Users who make the inquiry.
Method of collection: directly from Users, when they contact DATA ORIGIN directly, or through external providers subcontracted for this purpose.
Legal bases: consent of Users or legitimate interest in responding to the message or claim after receiving the request.

3.8 Internal analysis, product development and improvement of Services

Purpose: DATA ORIGIN may collect and process anonymized usage data to analyze the behavior and use of the Platform with the purpose of improving DATA ORIGIN's Services or products, the user experience and optimizing functionalities; development of new tools or services, correction of services and similar.
Categories of data: Anonymized data about platform usage, browsing patterns, and functionalities used.
Categories of Data Subjects: Registered and unregistered Users who access or use the Platform (in anonymized format).
Legal bases: legitimate interests of DATA ORIGIN in offering improved products and Services to Data Subjects; after carrying out the due balancing test taking into account the low risk of causing harm to the rights and freedoms of the Data Subjects.
In accordance with the GDPR, Recital (46), which establishes that "The legitimate interest of a controller, including that of a controller to whom personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a CLIENT or in the service of the controller."
In relation to such provision, the balancing test is carried out on the basis of the following factors: That there are no other less invasive means to achieve the purpose. That no impairment of the fundamental rights of the Data Subjects occurs; The nature of the personal data being processed: they are not considered specially protected data, in accordance with art. 9 GDPR; but rather anonymous or statistical data. That the Controller does not occupy a dominant position vis-à-vis the participating Data Subjects. That the data shall be processed internally by the controller(s).
Method of collection: data shared by the User during the use of the Services.
Retention period: with the aim of fulfilling the indicated purpose, data may be stored and retained indefinitely, always in a dissociated or anonymous form, so that Data Subjects cannot be identified.

3.9 Google account connection

Purpose: when a registered User chooses to connect their Google account to the Platform, DATA ORIGIN requests the OAuth scope https://www.googleapis.com/auth/gmail.send for the sole purpose of sending emails composed and sent by the User from their own Gmail address through the Platform's interface.

Scope of access: the gmail.send scope only permits sending. DATA ORIGIN does not access, read, download or store the User's inbox, sent items, drafts or contacts.

Categories of data processed: OAuth access and refresh tokens issued by Google, the email address of the connected account, and the content of the emails the User chooses to send.

Legal basis: consent of the User, granted through Google's OAuth consent screen.

Retention period: tokens are processed for as long as the connection remains active and are deleted when the User disconnects the Google account from the Platform settings or deletes their DATA ORIGIN account.

Compliance with Google's Limited Use Policy: DATA ORIGIN's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Revoking access: the User may revoke DATA ORIGIN's access to their Google account at any time by disconnecting the integration from the Platform settings or by visiting https://myaccount.google.com/permissions and removing DATA ORIGIN.

4. WHERE DOES YOUR DATA COME FROM?

As a general rule, data comes from the Data Subject, either through navigation or use of the Platform; or through a communication made by the User through any of the means available to them.

However, in relation to data of participants in professional trade fairs, it shall be obtained from data published by the trade fair platforms or websites, or through external providers who supply us with the information under a contract. They shall be processed on the basis of our legitimate interest, in accordance with article 19 LOPD, which establishes that "1. Unless proven otherwise, it shall be presumed to fall within the scope of article 6.1.f) of Regulation (EU) 2016/679 the processing of contact data and, where applicable, data relating to the function or position held by natural persons providing services to a legal entity, provided that the following requirements are met: (a) That the processing relates exclusively to the data necessary for their professional location; (b) That the purpose of the processing is solely to maintain relations of any kind with the legal entity in which the data subject provides their services".

5. TO WHOM DO WE DISCLOSE YOUR DATA?

As a general rule, the Controller shall not disclose the User's personal data to third parties, except where the provision of a service involves the need for a contractual relationship and such disclosure is strictly necessary for the management and maintenance of the relationship between the User and the Controller and/or for the fulfillment of the purposes described in this Policy.

In such cases, the disclosure shall be carried out only for the time strictly necessary to enable the achievement of such purposes, and always in accordance with the principles of the General Data Protection Regulation, through the application of appropriate technical and organizational measures to ensure the security and confidentiality of personal data. Among the aforementioned measures is the execution of the corresponding data processing agreements with each provider, which establish obligations equivalent to those assumed by the Controller in the area of data protection. Upon completion of the service provision, providers must return or delete the personal data as stipulated in such agreements.

In this regard, and exclusively to enable the provision of services and in fulfillment of the described purposes, the Controller may disclose personal data to the following recipients:

Essential service providers, including IT and technology services, payment gateway, cloud storage, communications, authentication and security services, analytics services, among other similar services necessary to guarantee the purposes.
Providers to whom, where applicable, we subcontract the development of the Website.
Public authorities, upon judicial request or by legal imperative.
Companies and professional consultants providing services to the Controller to facilitate the management of the Website and compliance with its legal, contractual or administrative obligations, such as legal advice, accounting, technical or IT security services.

You may request additional information about the disclosures made by contacting the Controller through any of the contact points indicated in this Policy.

6. DO WE CARRY OUT INTERNATIONAL DATA TRANSFERS?

As a general rule, no international transfers of personal data to third countries or international organizations ("ITT", hereinafter) are carried out. However, in order to guarantee the purposes, ITT may be carried out to our service providers that are essential to ensure the purpose for which they were collected, regardless of whether DATA ORIGIN does not carry out such ITT directly, but rather through providers.

In such case, the Controller shall engage providers that comply with the GDPR and through the application of some of the safeguards provided for in arts. 44 et seq. GDPR, to ensure an adequate level of security for the processing of personal data, including the adequacy decision (list of countries based on an adequacy decision) or through Standard Contractual Clauses of the European Commission ("SCCs", hereinafter).

Below is the list of providers to whom ITT may be carried out, as indicated:

Provider	Services	Location	Mechanism
Microsoft Corporation (Azure)	Cloud computing, infrastructure hosting and associated services	European Union / USA	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Microsoft Corporation (Clarity)	Web analytics tool for analyzing user behavior through session recordings, heatmaps and browsing statistics. These tools are only used when the user has given prior consent through the website's cookie management system, in accordance with applicable data protection and information society services regulations.	European Union (primary)	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Google	Email services, client communication and meeting management (e.g., Google Workspace, Cloud, Google Analytics, Drive).	European Union / USA	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Hotjar Ltd	User behavior analytics and experience tool (heatmaps, session recordings and browsing analysis)	EU	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Supabase, Inc.	PostgreSQL database hosting	USA; Singapore	SCCs (art. 46.2.c GDPR)
OpenAI	Text, audio, video and task processing through artificial intelligence	USA	SCCs (art. 46.2.c GDPR)
OVH Hispano SL	VPS server hosting services	EU primarily. Due to the international organization of the company, ITT to the USA may occur.	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Hostinger	Servers and transactional email sending via SMTP	EU primarily. Due to the international organization of the company, ITT to the USA may occur.	ITT may occur based on SCCs (art. 46.2.c GDPR)
Stripe, Inc.	Payment gateway for transaction, subscription and payment method management	USA / EU	Where ITT exist, the provider applies SCCs (art. 46.2.c GDPR)
Usercentrics (CookieYes)	Cookie consent management	EU	ITT may occur based on SCCs (art. 46.2.c GDPR)

For more information about international data transfers and the specific safeguards applied, you may contact us through the contact details indicated in this Privacy Policy.

7. DO WE PROCESS SPECIAL CATEGORIES OF PERSONAL DATA?

DATA ORIGIN shall not request or process "special categories of personal data", understood as data revealing "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation", in accordance with articles 9 and 10 of Regulation (EU) no. 2016/679. However, in the event that the user decides to share such information, such processing shall be carried out in accordance with their consent.

8. PROCESSING METHODS

The processing of the data provided is based on the principles of lawfulness, transparency, purpose limitation and storage limitation, data minimization, accuracy, integrity and confidentiality, and shall be carried out, in all cases, subject to the provisions of Regulation EU 2016/679 and of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights. In particular, the processing may be carried out using paper, IT and telematic tools, also in accordance with the provisions of article 29 of Regulation EU 2016/679 and, in all cases, with means adequate to ensure its security and confidentiality in accordance with the provisions of article 32 of that same Regulation EU no. 2016/679.

9. AUTOMATED DECISIONS

No automated decision-making process exists, not even for profiling purposes, pursuant to article 13.2 letter f) of Regulation EU no. 679/2016.

10. COOKIES

In addition to the processing described in this Policy, DATA ORIGIN may also collect personal data through the use of cookies and other analogous or similar tracking technologies, as described in the Cookies Policy accessible through the following link.

11. RETENTION OF YOUR PERSONAL DATA

As a general rule, the Controller shall retain your personal data only for as long as necessary for the purpose for which it was initially collected, and during the maximum periods indicated in each of the processing activities referred to in this Policy.

Retention periods according to the type of data, purposes and applicable regulations:

Type	Description	Regulation	Period
Contractual documentation	Client contracts	Commercial Code	6 years (from end of contractual relationship)
Website users	Identification, contact details, addresses, email	GDPR and LOPDGDD	5 years or until deletion is requested
Traffic data	User ID, IP, phone number, access logs	LSSI	12 months
Cookies	Cookies and analogous technologies	LSSI	18 months
Internal analysis	Anonymized data	Art. 4.1 GDPR, Recital 26 GDPR	Indefinite
Candidates	Identification, contact, education, professional data	Recommendation	18 months
Legal prescription period	General application	Art. 1.967 Civil Code	5 years

Upon expiry of the aforementioned periods, data shall be automatically erased, without prejudice to their subsequent retention in blocked form where necessary for the fulfillment of certain obligations, by legal provisions or liability, or requests and/or orders issued by Public Administrations and/or Supervisory Authorities, for some of the reasons indicated in the preceding sections.

In relation to anonymous and statistical information, the Controller shall apply what is described in Recital 26 of the GDPR, which establishes the following: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable". Consequently, this Regulation does not affect the processing of such anonymous information, including for statistical or research purposes.

12. WHAT ARE YOUR RIGHTS OVER YOUR DATA?

In accordance with the GDPR, the Data Subject has the following rights in relation to their personal data:

access to their data, which may also be consulted in the "my data" section,
rectification of their data, because we also want to ensure that your information is accurate and up to date,
erasure of their data,
restriction of the processing of data concerning them,
objection to the processing of their data, when the legal basis for the processing of their data is our legitimate interest,
withdrawal of their consent to the processing of their data, when the legal basis for the processing of their data is their consent, and
portability of their data, when the legal basis for the processing of their data is their consent or the performance of a contract.

To exercise their rights, the Data Subject may contact DATA ORIGIN through the designated addresses in this Policy.

Furthermore, the Data Subject has the right to file a complaint with the Spanish Data Protection Agency (AEPD) if they have doubts or are not satisfied with the exercise of their rights or the processing we carry out, whose contact details are:

Spanish Data Protection Agency -Spain- (AEPD).
Calle Jorge Juan, 6 // P.C.: 28004 - Madrid
Phone: +34 901 100 099 // +34 91 266 35 17
https://www.aepd.es/

13. PRIVACY POLICY UPDATES

DATA ORIGIN reserves the right to modify this Privacy Policy at any time. We recommend that you review it occasionally. If DATA ORIGIN makes changes to the Privacy Policy it shall publish the new version on its Platform; and we shall likewise notify you with adequate prior notice. If you have any objection to any of the changes to this Privacy Policy, you must stop using the Services and delete your account.