Privacy Policy
Last updated:
This Privacy Policy describes how PARROT PARTNERS, SOCIEDAD LIMITADA. (hereinafter "Data Controller", "we", or "us") collects, processes, and protects personal data in connection with the Helios software-as-a-service platform (hereinafter "Service").
This policy is issued in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Spain's Organic Law 3/2018, of 5 December, on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), and other applicable data protection legislation.
1. Data Controller
Corporate Name: PARROT PARTNERS, SOCIEDAD LIMITADA.
Tax Identification Number (CIF): B75733972
Economic Activity: Marketing and digital consulting services (CNAE 7311)
Registered Office: Calle Cristofor Colom, 4-6, 43001 Tarragona, Spain
Data Protection Contact: [email protected]
2. Categories of Personal Data Collected
2.1 Data Provided by the Data Subject
| Category | Data Elements |
|---|---|
| Identification Data | Full name, email address, company name, professional title |
| Account Data | Username, password (stored in encrypted form), account preferences |
| User Content | Brand guidelines, keywords, product information, and other materials submitted for processing |
| Communications | Correspondence, support requests, feedback submissions |
2.2 Data Collected Automatically
| Category | Data Elements |
|---|---|
| Technical Data | IP address, browser type and version, device type, operating system |
| Usage Data | Pages accessed, features utilised, session duration, interaction patterns |
| Generated Content | AI-generated advertising copy produced through the Service |
2.3 Data Obtained from Third Parties
Where the data subject connects third-party accounts (including Google Ads), the Data Controller may receive campaign data, keyword information, and performance metrics as authorised by the data subject.
3. Purposes and Legal Bases for Processing
| Processing Purpose | Legal Basis (GDPR Article 6(1)) |
|---|---|
| Provision of the Service, including account management and AI content generation | Performance of contract (Art. 6(1)(b)) |
| Administration of waitlist registrations and beta programme invitations | Consent (Art. 6(1)(a)) |
| Response to enquiries and provision of technical support | Performance of contract (Art. 6(1)(b)) |
| Service improvement, analytics, error correction, and feature development | Legitimate interest (Art. 6(1)(f)) |
| Security measures, fraud prevention, and protection of Service integrity | Legitimate interest (Art. 6(1)(f)) |
| Transmission of marketing communications (where consent obtained) | Consent (Art. 6(1)(a)) |
| Compliance with legal and regulatory obligations, including tax requirements | Legal obligation (Art. 6(1)(c)) |
Where processing is based on legitimate interest, the Data Controller has conducted a balancing test to ensure that such interests are not overridden by the fundamental rights and freedoms of data subjects.
4. Data Recipients
Personal data may be disclosed to the following categories of recipients:
| Recipient Category | Processing Purpose |
|---|---|
| Infrastructure Providers | Hosting, content delivery, and cloud computing services |
| AI Service Providers | Provision of artificial intelligence capabilities for content generation |
| Email Service Providers | Transmission of transactional and marketing communications |
| Analytics Providers | Analysis of Service usage (aggregated and anonymised where possible) |
| Third-Party Platforms | Integration services as authorised by the data subject (e.g., Google Ads) |
| Legal and Regulatory Authorities | Compliance with legal obligations and protection of legal rights |
All data processors are bound by Data Processing Agreements in accordance with Article 28 GDPR. The Data Controller does not sell personal data to third parties.
5. International Data Transfers
Personal data may be transferred to recipients located outside the European Economic Area (EEA), including the United States and other third countries. Such transfers are conducted in compliance with Chapter V of the GDPR and are subject to appropriate safeguards, including:
- Transfers to countries benefiting from an adequacy decision pursuant to Article 45 GDPR;
- Transfers subject to Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR;
- Transfers to organisations certified under the EU-US Data Privacy Framework.
Data subjects may request a copy of the applicable transfer safeguards by contacting [email protected].
6. Data Retention Periods
Personal data shall be retained for the following periods:
| Data Category | Retention Period |
|---|---|
| Waitlist registration data | Until withdrawal of consent or two (2) years from last interaction |
| Account and profile data | Duration of contractual relationship plus five (5) years |
| User-submitted content | Duration of contractual relationship plus thirty (30) days |
| Financial and billing records | Six (6) years (pursuant to Spanish tax legislation) |
| Usage analytics data | Twenty-six (26) months, thereafter anonymised |
| Security and access logs | Twelve (12) months |
Upon expiry of the applicable retention period, personal data shall be securely deleted or irreversibly anonymised.
7. Data Subject Rights
Pursuant to Articles 15-22 GDPR and Title III LOPDGDD, data subjects are entitled to the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of processing and access to personal data |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of personal data where applicable grounds exist |
| Restriction (Art. 18) | Request limitation of processing in specified circumstances |
| Data Portability (Art. 20) | Receive personal data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| Withdraw Consent | Withdraw previously granted consent at any time without affecting lawfulness of prior processing |
7.1 Exercise of Rights
Requests to exercise data subject rights shall be submitted to [email protected] and must include: (i) identification of the data subject; (ii) specification of the right(s) to be exercised; (iii) contact details for response. The Data Controller shall respond within one (1) month, which may be extended by two (2) additional months for complex requests.
8. Automated Decision-Making
The Service utilises artificial intelligence to generate advertising content based on data subject inputs. This processing does not constitute automated decision-making within the meaning of Article 22 GDPR, as:
- Generated content constitutes draft material for human review;
- The data subject retains full control over review, modification, and approval of content;
- No decisions producing legal effects or similarly significant effects concerning the data subject are made automatically.
9. Cookies and Similar Technologies
The Service utilises cookies and similar technologies for the following purposes:
- Strictly Necessary Cookies: Essential for Service functionality and security. No consent required pursuant to Article 22(2) LSSI-CE.
- Analytics Cookies: Collection of usage statistics for Service improvement. Deployed only upon obtaining valid consent.
Cookie preferences may be managed through the consent mechanism provided on the Service or through browser settings.
10. Data Security
The Data Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest;
- Cryptographic hashing of authentication credentials;
- Access control mechanisms and authentication procedures;
- Regular security assessments and vulnerability testing;
- Confidentiality obligations for personnel with access to personal data.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, the Data Controller shall notify the Agencia Española de Protección de Datos (AEPD) within seventy-two (72) hours and inform affected data subjects without undue delay where required by Article 34 GDPR.
11. Minimum Age
The Service is provided exclusively on a business-to-business basis and is intended for use by professionals aged eighteen (18) years or older. The Data Controller does not knowingly collect or process personal data of minors.
12. Modifications to This Policy
The Data Controller reserves the right to modify this Privacy Policy. Material modifications shall be communicated to data subjects via email or prominent notice on the Service no less than thirty (30) days prior to the effective date. Continued use of the Service following notification constitutes acknowledgement of the modified policy.
13. Supervisory Authority
Data subjects have the right to lodge a complaint with a supervisory authority. The competent authority in Spain is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
14. Contact
For enquiries regarding this Privacy Policy or the processing of personal data:
Email: [email protected]
Post: PARROT PARTNERS, S.L.
Data Protection
Calle Cristofor Colom, 4-6
43001 Tarragona, Spain