Skip to content

Privacy Policy

Last updated: May 1, 2025

In compliance with Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), we inform the users of the Ardilla platform about the processing of their personal data.

1. Who is the Data Controller? Who is the Data Controller?

Company name: José Núñez Fernández
CIF/NIF: 44178269F
Registered office: C/ Sant Adrià, 28
Contact email: jnunez@ardilla.ai
Commercial name: becasardilla.com

2. What personal data do we process? What personal data do we process?

At Becas Ardilla, we handle the personal data that users provide us directly, the data generated as a result of using the platform, and those found in the documents managed through our services. In particular, we may process the following categories of data:

  • Registration data: username and email address.
  • Tax data (optional): NIF, in case the user decides to include it in their profile to facilitate the identification of issued or received invoices.
  • Technical identifiers: IP address, access logs, browser type, operating system, and device used.
  • Content of the documents: information included in invoices and receipts managed by the user, such as the supplier’s name, NIF/CIF, amounts, concepts, dates, references, and any other data included in the PDF files.
  • Communication data: emails received through the personalized mailbox under the domain @becasardilla.com.

3. For what purposes do we process the data?

Personal data is processed for the following purposes:

  • Provision of document management and classification services, including the provision of a personalized email inbox.
  • Generation, storage, and organization of electronic documents.
  • Sending operational and support communications.
  • Technical and functional improvement of the platform.
  • Compliance with legal obligations.

4. What is the legal basis that legitimizes the processing?

We process your data based on the following legal grounds:

  • Execution of a contract: to provide the requested service (art. 6.1.b GDPR).
  • Compliance with legal obligations: billing, accounting, etc. (art. 6.1.c GDPR).
  • Consent: in cases of commercial communications or the use of non-technical cookies (art. 6.1.a GDPR).
  • Legitimate interest: to prevent abuse, improve security, or conduct internal analysis (art. 6.1.f GDPR).

5. Where and how is the data stored? Where and how is the data stored?

  • Electronic documents (such as invoices and receipts in PDF) are stored on secure servers located in data centers within the European Economic Area.
  • The data automatically extracted through artificial intelligence is stored in encrypted databases hosted on proprietary servers, managed exclusively by Ardilla.

All data is stored using appropriate technical and organizational security measures, including encryption at rest and in transit, access control, two-factor authentication, and periodic backups.

6. How long do we keep the data?

Personal data will be retained as long as the user’s account remains active. Once the account is canceled, they will be securely deleted within a reasonable period, unless there are technical or legal reasons that justify their temporary retention.

The documents stored on the platform and the data extracted from these documents, and stored in our databases, can be deleted by the user at any time from their control panel.

7. To whom are the data communicated?

We do not share personal data with third parties, except in the following cases:

  • Technological providers necessary for the provision of the service, including processing services using language models (LLM) for tasks such as classification, information extraction, and functionality enhancement. These providers act as data processors, under contracts that guarantee confidentiality and compliance with the GDPR.
  • Compliance with legal obligations or in case of judicial requirements.

International transfers:
Some of our technology providers are located outside the European Economic Area. In these cases, we ensure that adequate safeguards are in place in accordance with Article 46 of the GDPR, such as standard contractual clauses approved by the European Commission.

8. What are the rights of users?

Users can exercise, at any time, the following rights in relation to the processing of their personal data:

  • Access: knowing what data is being processed.
  • Rectification: correcting inaccurate or incomplete data.
  • Deletion: removing your data when it is no longer needed.
  • Portability: download the documents stored in a structured and commonly used format.
  • Objection: to oppose the processing of their data for reasons related to their particular situation.
  • Withdrawal of consent: revoke the consent granted for specific treatments, such as the sending of commercial communications.

9. Information security

We implement appropriate technical and organizational measures to protect personal data against loss, unauthorized access, alteration, or destruction, including encryption, environment segregation, firewalls, encrypted backups, and granular access control.

10. Changes to this policy

We reserve the right to modify this Privacy Policy at any time. The modifications will be published on this same page and will be communicated by email if they are significant.