Operations made simple with AI

PRIVACY - EXTENDED INFORMATION

This Privacy Policy forms part of the General Terms and Conditions governing this Website.

Who is responsible for processing your data?

Tupl Spain, S.L.
Tax ID (CIF): B93437358
Registered address: Avenida Louis Pasteur, 47, 1st floor,
Postcode 29010, Málaga, Spain
Email: info@tupl.com
Data Protection: lopd@tupl.com
You may contact us by whichever of these means you prefer.

If you belong to any of the following groups, please review the corresponding information:

+ WEBSITE OR EMAIL CONTACTS
The data you send us via the contact form or social networks will be jointly processed by Tupl Spain, S.L. and Tupl, Inc. (USA), under a joint controllership agreement, in order to respond to your enquiries.

This joint responsibility involves an international data transfer to the United States, safeguarded by the Standard Contractual Clauses of the European Commission.

What data do we collect through the Website?
We may process your IP address, operating system or browser, and even the duration of your visit, anonymously.
If you provide data via the contact form, you will be identified so that we can contact you if necessary.

For what purposes will we process your personal data?

  • To respond to your enquiries, requests or applications.
  • To manage the requested service, respond to your request or process your application.
  • To send information by electronic means related to your request.
  • To send commercial or event-related information by electronic means, provided there is explicit authorisation.
  • To carry out analysis and improvements to the Website, our products and services.
  • To improve our commercial strategy.

What is the legal basis for processing your data?
Consent of the data subject: In cases where submitting a request requires completing a form and clicking the “submit” button, this action implies that you have been informed and have expressly consented to the content of the clause attached to the form or to the Privacy Policy.
All our forms indicate mandatory fields with an asterisk (*). If you do not complete these fields or do not tick the checkbox accepting the Privacy Policy, the information cannot be sent. The wording is usually as follows: “I am of legal age and I have read and accept the Privacy Policy.”
You may withdraw your consent at any time.

+ NEWSLETTER CONTACTS
What data do we collect through the newsletter?
On the Website, you may subscribe to the Newsletter by providing an email address to which it will be sent.
We will store only your email address in our database and will send you periodic emails until you unsubscribe or we stop sending emails.
The Newsletter may include a web beacon, which statistically confirms whether you have opened it, at what time, or how many times. This helps us analyse the best sending times and your interests. We will not have personal information about you beyond your email address.
You will always have the option to unsubscribe in every communication.

For what purposes will we process your personal data?

  • To manage the requested service.
  • To send information by electronic means related to your request.
  • To send commercial or event-related information by electronic means, provided there is explicit authorisation.
  • To analyze and improve email campaigns in order to improve our commercial strategy.

What is the legal basis for processing your data?
Consent of the data subject: When you subscribe, you must accept a checkbox and click the submit button, which implies that you have been informed and have expressly consented to receiving the newsletter. If you do not tick the checkbox accepting the Privacy Policy, the information cannot be sent.
The wording is usually as follows: “I am over 14 years old and I have read and accept the Privacy Policy.”
You may withdraw your consent at any time.

+ CUSTOMERS
For what purposes will we process your personal data?

  • Preparation of quotations and follow-up through communications between both parties.
  • Sending information by electronic means related to your request.
  • Sending commercial or event-related information by electronic means, provided there is explicit authorisation.
  • Managing administrative, communication and logistics services carried out by the Data Controller.
  • Carrying out the corresponding transactions.
  • Invoicing and declaration of applicable taxes.
  • Control and debt recovery procedures.

What is the legal basis for processing your data?
The legal basis is your contractual consent.

+ SUPPLIERS
For what purposes will we process your personal data?

  • Sending information by electronic means related to your request.
  • Sending commercial or event-related information by electronic means, provided there is explicit authorisation.
  • Managing administrative, communication and logistics services carried out by the Data Controller.
  • Carrying out the corresponding transactions.
  • Invoicing and declaration of applicable taxes.
  • Control and debt recovery procedures.

What is the legal basis for processing your data?
The legal basis is the acceptance of a contractual relationship or, failing that, your consent when contacting us or offering your products or services through any channel.

+ PARTNERS / SHAREHOLDERS
For what purposes will we process your personal data?

  • Organization of actions necessary to achieve the company’s objectives.
  • Internal management and legal compliance.
  • Convening of shareholders’ meetings.
  • Carrying out the corresponding transactions.
  • Declaration of applicable taxes.

What is the legal basis for processing your data?
The legal basis is contractual: acceptance of a share purchase agreement or similar, or participation in the incorporation of the company.

+ SOCIAL MEDIA CONTACTS
For what purposes will we process your personal data?

  • To respond to your enquiries, requests or applications.
  • To manage the requested service or process your request.
  • To interact with you and create a community of followers.

What is the legal basis for processing your data?
Your consent when following or interacting with us, which you may withdraw at any time.
Acceptance of a contractual relationship within the relevant social network environment, in accordance with its Privacy Policies:

Facebook – http://www.facebook.com/policy.php?ref=pf
Instagram – https://help.instagram.com/155833707900388
X – https://x.com/es/privacy
LinkedIn – http://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
Google* – http://www.google.com/intl/es/policies/privacy/
(Google+ and YouTube)

How long will we keep your data?
We can only consult or delete your data in a limited way due to your specific profile. We will process your data for as long as you continue to follow us, remain connected, or click “like”, “follow” or similar buttons.
Any rectification, restriction or limitation of information or publications must be carried out through the settings of your profile or user account on the relevant social network.

+ JOB APPLICANTS
For what purposes will we process your personal data?

  • Organization of recruitment processes for hiring employees.
  • Inviting you to job interviews and evaluating your application.
  • If you have given consent, retaining your CV for future recruitment processes.

What is the legal basis for processing your data?
Your explicit consent when submitting your CV and receiving and signing information relating to the processing to be carried out.
Our legitimate interest.

+ WHISTLEBLOWING CHANNEL
For what purposes will we process your personal data?

  • Internal detection of possible criminal or administrative offences affecting the legal entity.
  • Compliance with the code of conduct and compliance policies.
  • Management of reports.

Reports may be submitted anonymously.

What is the legal basis for processing your data?
Performance of tasks carried out in the public interest or in the exercise of official authority.
Compliance with a legal obligation.

Do we include personal data of third parties?
No. As a general rule, we only process data provided by the data subjects themselves.
If you provide us with third-party data, you must first inform them and obtain their consent. Otherwise, you release us from any responsibility for failing to comply with this requirement.

What about data of minors?
We do not process data of minors under 14 years of age. Please refrain from providing data if you are under this age.

Will we send electronic communications?
Only to manage your request, if this is one of the contact methods you have provided.
If we send commercial communications, these will have been expressly authorised by you in advance.

What security measures do we apply?
You can be assured that we have adopted an optimal level of protection for the personal data we process and have implemented all technical measures available according to the state of the art to prevent loss, misuse, alteration, unauthorised access or theft of personal data.

Who will your data be shared with?
Your data will not be shared with third parties except where legally required. Specifically, data may be shared with the Spanish Tax Agency and banks or financial institutions for the collection of payments for services provided or products purchased, as well as with data processors necessary for the execution of the agreement.

Tupl, Inc. is located in the United States. In certain cases, personal data for which Tupl Spain, S.L. is the data controller may be communicated to or accessed by this entity, involving an international data transfer safeguarded by the Standard Contractual Clauses of the European Commission (Decision (EU) 2021/914), ensuring an adequate level of protection under Article 46 of the GDPR.

In the case of purchases or payments, if you choose an application, website, platform, bank card or other online service, your data will be transferred to or processed within that platform’s environment, always with maximum security.

When instructed by us, our website development and maintenance providers or hosting providers may have access to our website. They are bound by service agreements requiring them to maintain the same level of privacy protection as we do.

We use applications that may involve international data transfers to the United States. These transfers will only be made to entities adhering to the EU–US Data Privacy Framework, or otherwise to entities that have demonstrated compliance with EU data protection regulations and have committed through Standard Contractual Clauses (SCCs).

What rights do you have?

  • To know whether we are processing your data.
  • To access your personal data.
  • To request rectification of inaccurate data.
  • To request deletion of your data when it is no longer necessary or when you withdraw consent.
  • To request restriction of processing in certain cases.
  • To data portability, in a structured, commonly used and machine-readable format.
  • To lodge a complaint with the Spanish Data Protection Agency if you believe your rights have not been properly addressed.
  • To withdraw consent at any time for any processing activity.

Please inform us of any changes to your data so that we can keep it up to date.

Do you want a form to exercise your rights?

  • We have forms available to exercise your rights. Request them by email, or use those provided by the Spanish Data Protection Agency or third parties.
  • If we already have your contact details or have communicated with you previously, we will not request your ID.
  • If we do not have your contact details or have doubts about your identity, the forms must be electronically signed or accompanied by a copy of your ID or another identifying document. We will always minimise the data requested.
  • Forms may be submitted in person, by post, or by email to the address of the Data Controller indicated at the beginning of this document.

How long do we take to respond to rights requests?
The response time depends on the right exercised, but will be no later than one month from your request, or two months if the request is particularly complex and you are notified accordingly.

How long will we keep your personal data?

  • Personal data will be retained for as long as you remain linked to us.
  • Once the relationship ends, personal data will be retained for the legally established periods, including the time during which a judge or court may require them in accordance with statutory limitation periods.
  • Where no legal retention period applies, data will be kept until the data subject requests deletion or withdraws consent.
  • We will retain all information and communications related to your purchase or the provision of our services for the duration of product or service warranties in order to address potential claims.

Document Retention Periods

| File | Document | Retention Period |
|---|---|---|
| Clients | Invoices | 6 years |
| | Forms and coupons | 15 years |
| | Contracts | 5 years |
| | Documents and records of tax relevance | 4 years. General Tax Law, Arts. 66 to 70. |
| | Entities subject to the Anti-Money Laundering Act — documentation evidencing compliance with AML obligations | 10 years. Law 10/2010, Art. 25. |
| Human Resources | Payroll, TC1, TC2, etc. | 10 years |
| | CVs / Résumés | Until the end of the selection process, and up to 1 year. |
| | Severance documents. Contracts. Temporary worker data. Time-tracking records. | 4 years |
| | Employee file | Up to 5 years after termination. |
| | Document or electronic record of compliance with Occupational Risk Prevention (PRL) regulations | 5 years. RDL 5/2000, Art. 4. |
| | Criminal record certificate | During its validity (3 months) and, where applicable, for the entire employment relationship and up to 20 days after termination. |
| Transport | Digital tachograph: data transfers and memory copies | 1 year. RD 425/2005, paragraph 3, Additional Provision 1. |
| Marketing | Databases or website visitor data | For as long as processing continues. |
| Suppliers | Invoices | 10 years |
| | Contracts | 5 years |
| Access Control and Video Surveillance | Visitor list | 30 days |
| | Video footage | 30 days blocking. 3 years destruction. |
| | Schools — common areas, for the protection of minors | 10 days. AEPD Legal Report 475/2014. |
| Accounting | Accounting books and records. Subsidy documentation. Shareholder and Board of Directors' resolutions, company bylaws, minutes, board regulations and delegated committees. Financial statements, audit reports. | 6 years. Commercial Code. |
| Tax | Records of company management, rights and obligations relating to tax payment. Dividend payments and tax withholdings. | 10 years |
| | Information on intra-group transfer pricing | 18 years. For intra-group transactions and pricing agreements: 8 years. |
| Health and Safety | Employee medical records | 5 years |
| Environment | Information on chemical or substantially hazardous substances | 10 years |
| | Environmental permits | 3 years after the end of the activity. 10 years (criminal statute of limitations). |
| | Records of recycling or waste disposal | 3 years |
| | Subsidies for cleanup operations. Rights, obligations and payments. | 4 years |
| | Accident reports | 5 years |
| Insurance | Insurance policies | 6 years (general rule); 2 years (property damage); 5 years (personal); 10 years (life). |
| Purchasing | Records of supply of goods or provision of services, intra-Community acquisitions, imports and exports for VAT purposes. | 5 years |
| Legal | Intellectual and Industrial Property documents. Contracts and agreements. | 5 years |
| | Permits, licences, certificates | 6 years from expiration. 10 years (criminal statute of limitations). |
| | Confidentiality and non-compete agreements | For the duration of the obligation or of the confidentiality. |
| Data Protection (LOPD) | Personal data processing | 3 years |
| | Personal data of employees stored on networks, computers and communication equipment used by them, access controls and internal management/administration systems | 5 years |
| Whistleblowing Channel | Internal reports. Regulatory compliance programme (corporate criminal liability). | 3 months (general rule), Art. 24.4 LOPD. 10 years (criminal statute of limitations). |