BRAVALTA

Legal

Privacy Policy

Last updated: 11 May 2026

BRAVALTA is operated by Plaza Labs, S.L. ("Plaza Labs", "we", "us"). This policy explains what personal data we collect when you visit bravalta.com or contact us, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD).

1. Data Controller

The data controller is Plaza Labs, S.L., a company incorporated in Spain with registered office in Calpe, Alicante. You can reach our privacy team at privacy@bravalta.com or via the postal address provided at the end of this policy.

2. Scope

This policy applies to personal data processed through the bravalta.com website (including the /es Spanish version) and through any direct communication you initiate with us — for example, the contact form, email, or scheduled calls. It does not apply to data processed under a signed engagement agreement with a client, which is governed by that engagement and any associated Data Processing Agreement (DPA).

3. Personal Data We Collect

We only collect data you actively provide or that is technically necessary to serve the site:

  • Contact form submissions — name, email address, and the optional fields you choose to complete (company, role, company size, budget, timeline, topic, and free-text message).
  • Direct correspondence — any information you include when you write to us by email or in scheduled meetings.
  • Technical logs — IP address, user agent, referring page, and timestamps. These are kept short-term by our hosting and edge providers for security, abuse prevention, and aggregated analytics.
  • Language preference — a single key (kabila_language_preference) stored in your browser's localStorage so the site remembers whether you prefer English or Spanish. This is strictly necessary and is not used for profiling.

We do not use advertising or analytics cookies, we do not run third-party trackers, and we do not buy or enrich personal data from data brokers.

4. Lawful Bases

We process the data above on the following legal grounds (Article 6 GDPR):

  • Performance of pre-contractual measures — when you submit the contact form or otherwise reach out, we process your data to respond to your inquiry and evaluate a potential engagement.
  • Legitimate interest — to operate and secure the website, prevent abuse, maintain server logs, and improve our services. We balance this interest against your rights and freedoms.
  • Legal obligation — to retain records as required by Spanish commercial, tax, and accounting law.
  • Consent — for any optional processing you explicitly opt into (for example, subscribing to insights updates if and when we offer that). You can withdraw consent at any time.

5. How We Use Your Data

We use your personal data to:

  • Reply to your inquiry and, where relevant, prepare a scoping conversation or proposal.
  • Maintain a record of business correspondence and project opportunities.
  • Secure the site, debug technical issues, and detect abuse.
  • Comply with our legal obligations.

We do not use your data to train AI models, and we do not sell personal data.

6. Sub-Processors and Third-Party Recipients

A small set of vetted providers process data on our behalf strictly to deliver the service. Each is bound by GDPR-compliant agreements (Article 28 GDPR):

  • Resend (email delivery) — receives the contents of contact form submissions in order to deliver them to our inbox.
  • Vercel (hosting and edge) — operates the infrastructure that serves the site and produces short-lived request logs.
  • BunnyCDN (image delivery) — serves static media; receives only standard request metadata.
  • Notion (content management) — stores our publicly published Insights articles; does not receive contact form data.
  • Google Workspace (email and calendar) — when correspondence continues by email, your messages are stored in our business email system.

We may also disclose data when required by a competent authority, court order, or applicable law, and to our professional advisors (lawyers, auditors) under a duty of confidentiality.

7. International Transfers

Some of the providers above are established outside the European Economic Area. Where transfers occur, they rely on adequacy decisions of the European Commission, on the EU–U.S. Data Privacy Framework, or on Standard Contractual Clauses (SCCs) together with supplementary technical and organizational measures. You can request a copy of the safeguards in place at privacy@bravalta.com.

8. Retention

We keep personal data only for as long as necessary for the purpose collected:

  • Contact form submissions and email correspondence — up to 24 months from last contact if no engagement is signed, after which records are deleted or anonymized.
  • Records of client engagements — for the duration of the engagement and for up to 6 years afterwards, to meet Spanish commercial and tax obligations.
  • Technical and security logs — typically up to 30 days, longer only where an incident is under investigation.

9. Security

We apply technical and organizational measures appropriate to the risk, including TLS encryption in transit, least-privilege access controls, audit logging, and supplier due diligence. No system is fully invulnerable; if a breach occurs that is likely to result in a risk to your rights, we will notify the competent authority and, where required, you directly within the timeframes set by Article 33–34 GDPR.

10. Your Rights

Under the GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data where one of the GDPR grounds applies.
  • Restriction — ask us to limit processing in certain situations.
  • Portability — receive a structured, commonly used machine-readable copy of data you provided to us based on consent or contract.
  • Objection — object to processing based on legitimate interest.
  • Withdrawal of consent — at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) if you believe your rights have been infringed.

To exercise any of these rights, write to privacy@bravalta.com. We will respond within one month, and may ask for proof of identity before acting on the request.

11. Cookies and Similar Technologies

bravalta.com does not set cookies. The site uses a single localStorage entry (kabila_language_preference) to remember whether you prefer English or Spanish; this is strictly necessary for the language switcher and is not used for advertising, analytics, or profiling. Because no non-essential cookies or trackers are deployed, no cookie consent banner is required under the ePrivacy Directive and Article 22.2 of the Spanish Law 34/2002 (LSSI).

12. Children

BRAVALTA provides B2B services and the website is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top of the page indicates when it was most recently revised. Material changes will be highlighted on the page for a reasonable period.

14. Contact

Plaza Labs, S.L. — Calpe, Alicante, Spain. Privacy inquiries: privacy@bravalta.com. General inquiries: hello@bravalta.com.