Last updated: July 2026
SummitKernelWorks ("we", "our", "us"), registered at 37002, Plaza Mayor 10, Salamanca, Spain, is committed to protecting your personal data in full compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
1. Data Controller
The data controller responsible for processing your personal data is SummitKernelWorks, reachable at [email protected] and by postal mail at 37002, Plaza Mayor 10, Salamanca, Spain. Our Data Protection Officer contact is available upon formal request to the email address above.
2. Categories of Personal Data Collected
We collect and process the following categories of personal data through our contact forms, service engagement processes, and website analytics:
- Identification Data: Full name, professional title, and organizational affiliation provided through our contact or inquiry forms.
- Contact Data: Email address, telephone number, and postal address provided for service communication and delivery.
- Technical Data: IP address, browser type and version, operating system, device identifiers, referring URLs, and page interaction events collected automatically through essential cookies.
- Service Data: Project specifications, technical requirements, and business context voluntarily provided during service engagement scoping.
- Financial Data: Transaction records related to service payments, processed through our certified third-party payment processor (Stripe). We do not store credit card numbers, CVVs, or full banking credentials on our servers.
3. Legal Basis for Processing
We process personal data under the following legal bases as defined in Article 6(1) GDPR:
- Consent (Art. 6(1)(a)): For marketing communications, newsletter subscriptions, and non-essential cookie deployment where explicit opt-in consent has been obtained.
- Contractual Necessity (Art. 6(1)(b)): For processing personal data required to perform a contract with you or to take pre-contractual steps at your request, including service delivery, project communication, and account management.
- Legitimate Interest (Art. 6(1)(f)): For website analytics, security monitoring, and fraud prevention, where such processing does not override your fundamental rights and freedoms.
4. Purpose of Processing
Your personal data is processed for the following specific purposes:
- Responding to your inquiries and establishing service engagement channels.
- Delivering contracted digital engineering services and managing the associated project lifecycle.
- Processing payments and maintaining accurate financial records as required by Spanish tax law.
- Maintaining website functionality, security integrity, and performance optimization.
- Complying with legal obligations, including tax reporting, data retention requirements, and regulatory audits.
5. Data Retention
Personal data is retained only for the duration necessary to fulfill the purposes for which it was collected:
- Contact form data: Retained for 24 months from the date of submission, or until the associated service engagement is concluded, whichever is later.
- Service engagement data: Retained for the duration of the contractual relationship plus 6 years as required by Spanish commercial and tax record-keeping obligations.
- Financial transaction records: Retained for 5 years in compliance with Spanish General Tax Law (Ley General Tributaria) requirements.
- Website analytics data: Aggregated and anonymized after 26 months. Identifiable data is not retained beyond this period.
6. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request confirmation of whether we process your personal data and obtain a copy of such data.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure (Art. 17): Request deletion of your personal data where processing is no longer necessary, consent is withdrawn, or processing is unlawful.
- Right to Restriction (Art. 18): Request restriction of processing in specific circumstances, including pending verification of accuracy or objection to processing.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es.
7. International Data Transfers
Some of our technology service providers may be located outside the European Economic Area (EEA). When personal data is transferred internationally, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to jurisdictions recognized as providing adequate data protection under Article 45 GDPR.
8. Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include TLS encryption for data in transit, AES-256 encryption for data at rest where applicable, access controls with least-privilege principles, regular security audits, and staff training on data protection obligations.