Privacy Policy
Last updated: April 2026
1. Data controller
The controller responsible for processing your personal data is:
2. Data we collect
We collect only the data necessary for the purposes described:
- Contact data: name, email address, company name (optional), and message, when you fill out the contact form.
- Booking data: name and email when you book a discovery call through Cal.com.
- Aggregate usage data: page visited, traffic source, device type, and country — fully anonymised and without identifying individual users — via Plausible Analytics.
- Technical data: IP address temporarily retained by the web server (Vercel) for security and abuse prevention. Not stored permanently.
We do not collect special category data (health, racial origin, biometric data, etc.).
3. Purpose and legal basis
We process your data for the following purposes and legal bases (GDPR Art. 6):
| Purpose | Legal basis |
|---|---|
| Responding to your inquiry or information request | Art. 6.1.b — Performance of a contract or pre-contractual measures |
| Managing a discovery call booking | Art. 6.1.b — Pre-contractual measures at your request |
| Measuring website performance and usage (analytics) | Art. 6.1.f — Legitimate interest (analytics without cookies or personal data) |
| Security, spam and abuse prevention | Art. 6.1.f — Legitimate interest in protecting service integrity |
| Commercial communications (only with explicit consent) | Art. 6.1.a — Consent |
4. Retention periods
- Contact form data: 3 years from the last contact, or until you request deletion.
- Booking data (Cal.com): per Cal.com's retention policy, available at cal.com/privacy.
- Client data (active contracts): during the contractual relationship and, thereafter, for the legally required periods under Spanish commercial and tax law (minimum 5 years, up to 10 years for tax obligations).
- Analytics data: Plausible data is aggregated, non-personal, and retained indefinitely as site statistics.
- IPs for abuse prevention: less than 1 hour (sliding window rate limiting).
5. Recipients and data processors
To provide the service, we share data with the following providers. All act as data processors under contractual agreement:
| Provider | Function | Data |
|---|---|---|
| Vercel (vercel.com) | Web hosting and CDN | IPs (temporary), HTTP request data |
| Sanity (sanity.io) | CMS for blog content | Editorial content only, not visitor data |
| Resend (resend.com) | Transactional email delivery | Sender name, email |
| Upstash (upstash.com) | Rate limiting (anti-spam) | IP temporarily anonymised |
| Cal.com (cal.com) | Call booking | Requester name, email |
| Plausible (plausible.io) | Privacy-first web analytics | No personal data, no cookies |
We do not sell, rent, or share personal data with third parties for their own commercial purposes.
6. International transfers
Some of our providers are based or process data outside the European Economic Area (EEA):
- Vercel, Resend, Upstash, Cal.com: US-based. All have signed EU Standard Contractual Clauses (SCCs) as a lawful transfer mechanism under GDPR Art. 46.2.c.
- Plausible Analytics: Estonian company, data hosted exclusively in the EU (Frankfurt, Germany). No transfers outside the EEA.
- Sanity: Norwegian company, data hosted in the EEA. No EEA transfers for visitor data.
7. Your rights (GDPR)
As a data subject, you have the following rights under Regulation (EU) 2016/679 (GDPR):
- Access (Art. 15): Obtain confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure / Right to be forgotten (Art. 17): Request deletion of your data when it is no longer necessary or you withdraw consent.
- Restriction of processing (Art. 18): Request we suspend processing while you contest its accuracy or lawfulness.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- No automated decision-making (Art. 22): We do not make automated decisions with legal effects about you.
- Withdraw consent (Art. 7.3): At any time, without affecting the lawfulness of prior processing.
8. How to exercise your rights
To exercise any of the above rights, send an email to:
Include in your request: (1) your full name, (2) the right you wish to exercise, and (3) a copy of your ID to verify your identity. We will respond within a maximum of 30 days.
9. Right to lodge a complaint
If you consider that the processing of your data does not comply with GDPR, you have the right to lodge a complaint with the competent supervisory authority:
- Spain: Spanish Data Protection Agency (AEPD) — www.aepd.es
- Colombia: Superintendence of Industry and Commerce (SIC) — www.sic.gov.co
We encourage you to contact us first at hello@neocompas.com — we handle all requests diligently.
10. Rights under Colombian law
For data subjects in Colombia, Law 1581 of 2012 and Decree 1377 of 2013 recognise the following additional rights:
- Know, update, rectify, and delete personal data.
- Request proof of the consent granted.
- Be informed about the use made of your data.
- File complaints with the SIC for violations of the law.
- Revoke authorisation and/or request deletion of the data.
11. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. Measures in place include:
- Encrypted transmission via TLS/HTTPS on all communications.
- Access to data limited to necessary personnel only.
- Use of providers with recognised security certifications (SOC 2, ISO 27001 where applicable).
- Rate limiting on the contact form to prevent abuse.
12. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. The date of the last update appears at the top of this document. For material changes, we will notify affected users by email or through a notice on the website.