Privacy Policy

Version 2026-04-29 · Last updated: April 29, 2026

1. Data controller identification

Company name: UTILIA SERVICIOS IA S.COOP.CAN

Tax ID: F75452102

Registered office: Calle Teniente Coronel Castillo Olivares 26, 16th floor, Aº2, Las Palmas de Gran Canaria, Spain

General email: info@utilia.ai

Privacy email: compliance@utilia.ai

2. Personal data we process

2.1. Data you provide via the contact form

  • Mandatory: full name, email address, subject and content of the inquiry.
  • Optional: company, position, phone and any additional data you choose to include in your message.

If you do not provide the data marked as mandatory, we will not be able to handle your inquiry.

2.2. Data automatically collected when you submit the form

  • IP address of the device from which you submit the form (the IP address is considered personal data under CJEU case law — Breyer judgment, C-582/14 — and the Spanish DPA).
  • Browser information (User-Agent), including browser and operating system.
  • Source page (referer) and the URL from which you submit the inquiry.
  • UTM parameters if you arrive from a campaign.
  • Exact date and time of submission.
  • Consent snapshot: version of this policy, exact text shown, IP, browser, and integrity hash. This information evidences consent under Art. 7.1 GDPR.

2.3. General navigation data on the website

  • Cookies and similar technologies as described in our Cookie Policy.
  • Aggregated analytics data collected through Google Analytics 4, subject to your cookie consent.

3. Processing purposes and legal basis

Purpose Legal basis
Handle and respond to your inquiry Performance of pre-contractual measures (Art. 6.1.b GDPR) and legitimate interest (Art. 6.1.f GDPR) in handling the request you have sent us
Store your data in our internal CRM (UTILIA OS) for commercial follow-up and communication history Legitimate interest (Art. 6.1.f GDPR) in managing commercial opportunities, with documented balancing test and right to object
Processing by AI systems under human supervision Express, prior and separate consent (Art. 6.1.a GDPR), revocable at any time
Sending commercial communications about UTILIA news Express, prior and separate consent (Art. 6.1.a GDPR and Art. 21 LSSI-CE), revocable at any time
Compliance with legal obligations (commercial, tax and evidentiary) Legal obligation (Art. 6.1.c GDPR)
Aggregated navigation analysis and site improvement Consent (managed via the cookie banner)

Automated decisions (Art. 22 GDPR): we do not make solely automated decisions with legal or significant effects on you. Any communication or decision regarding your inquiry is reviewed and approved by a member of the UTILIA team before being executed.

4. Retention period

We keep your data only for as long as necessary for each purpose:

  • Inquiry without follow-up or continuation: 12 months from the last contact. After that period, data is deleted or anonymised.
  • Active or initiated commercial relationship: up to 5 years from the last effective contact, aligned with the limitation period for personal actions (Art. 1964 Spanish Civil Code).
  • Commercial communications: until you revoke consent or unsubscribe.
  • Accounting and tax obligations: 6 years (Art. 30 Spanish Commercial Code) and 4 years (Art. 66 Spanish General Tax Act) where applicable.
  • Aggregated analytics: 26 months, per Google Analytics 4 configuration.
  • Consent snapshot: while we retain the associated data, as documentary evidence under Art. 7.1 GDPR.

You may request early deletion of your data at any time by writing to compliance@utilia.ai.

5. Recipients and sub-processors

To deliver the service we work with the following providers. All have a signed data processing agreement (DPA) under Art. 28 GDPR:

Provider Purpose Location Safeguards
Hetzner Online GmbH Hosting of the website and internal CRM Germany (EU) Art. 28 GDPR DPA
Resend, Inc. Sending email notifications to UTILIA United States EU-U.S. Data Privacy Framework + Standard Contractual Clauses (Decision 2021/914) + DPA
OpenAI, LLC (only if you authorise the use of AI) Processing by AI assistants under human supervision United States EU-U.S. Data Privacy Framework + Standard Contractual Clauses + DPA with no-training clause
Anthropic, PBC (only if you authorise the use of AI) Processing by AI assistants under human supervision United States EU-U.S. Data Privacy Framework + Standard Contractual Clauses (automatically incorporated in their Commercial Terms of Service) + no-training clause
Google LLC Web analytics (Google Analytics 4) if you accept analytics cookies United States EU-U.S. Data Privacy Framework + Standard Contractual Clauses

Commitment: we do not sell, rent or transfer your personal data to third parties for their own commercial purposes.

6. International data transfers

Some of our providers (Resend, OpenAI, Anthropic and Google) are located in the United States. International transfers are made with double safeguards:

  • EU-U.S. Data Privacy Framework (Adequacy Decision 2023/1795 of the European Commission), with periodic verification of each provider's adherence at dataprivacyframework.gov.
  • Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914), as a subsidiary safeguard.
  • Data Processing Agreements (DPAs) signed with each provider, including specific clauses against use for model training.

7. Processing by artificial intelligence systems

As an AI-specialised company, in some internal processes we may use generative AI models to better prepare the response to your inquiry. This processing takes place only if you expressly authorise it when submitting the form.

Functionalities covered

  • Drafting and summarisation assistant: an AI copilot helps the commercial team generate response drafts and summarise the inquiry history.
  • Assistants connected to the CRM: via secure protocols with authentication and audit logging, authorised employees can consult the lead context from external AI tools.
  • Commercial profile enrichment: queries to AI models with public information about the data subject's company.

AI providers used

  • OpenAI, LLC (United States): adhered to the EU-U.S. Data Privacy Framework, with signed SCCs and contractual clause prohibiting the use of your data for training models.
  • Anthropic, PBC (United States): adhered to the EU-U.S. Data Privacy Framework, with SCCs automatically incorporated in their Commercial Terms of Service and contractual clause prohibiting the use of your data for training models.

Commitments and clarifications

  • No training: our AI providers do not use your data to train their models, per the DPAs signed with UTILIA.
  • Brief security retention: OpenAI and Anthropic may retain inputs and outputs for up to 30 days for the sole purpose of abuse prevention and security, except in flows where zero-retention has been activated.
  • Meaningful human supervision: no response or decision regarding your inquiry is executed without review and approval by a member of the UTILIA team. There are no solely automated decisions in the sense of Art. 22 GDPR.
  • Transparency (Art. 50 EU Regulation 2024/1689 — AI Act): when you interact with content prepared or assisted by generative AI, we inform you in advance.
  • Right to revoke: you can withdraw consent to AI use at any time by writing to compliance@utilia.ai, without affecting the handling of your inquiry.

8. Data subject rights

Under the GDPR and Spanish LOPDGDD, you have the following rights:

Access

Confirmation of whether we process your data and a copy of it.

Rectification

Request correction of inaccurate or incomplete data.

Erasure

Request deletion of your data when no longer necessary.

Objection

Object to processing based on legitimate interest, including CRM commercial follow-up.

Restriction

Request restriction of processing in specific cases.

Portability

Receive your data in a structured, commonly-used format.

Withdraw consent

Revoke at any time consent to AI use or commercial communications.

Not be subject to automated decisions

Per Art. 22 GDPR; UTILIA does not make solely automated decisions with legal effects.

How to exercise your rights

Send an email to:

Email: compliance@utilia.ai

To verify your identity we may request a copy of your identification document.

Response time: one month from receipt of the request, extendable up to two additional months in particularly complex cases, with prior notice to the data subject (Art. 12.3 GDPR).

Right to lodge a complaint with the supervisory authority

If you believe the processing of your data infringes the law or that you have not received satisfaction in the exercise of your rights, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).

Web: www.aepd.es

Electronic office: sedeagpd.gob.es

9. Security measures

We apply appropriate technical and organisational measures to protect your data:

  • SSL/TLS encryption for all communications.
  • Restricted access to personal data under the principle of least privilege.
  • Strong authentication and audit logging in internal systems.
  • DPAs signed with all sub-processors.
  • Continuous staff training on data protection and AI literacy (Art. 4 AI Act).
  • Periodic audits and review of measures as the state of the art evolves.

10. Cookies and similar technologies

This website uses cookies and similar technologies to improve experience and analyse traffic. Consent management is handled via the cookie banner under Art. 22 LSSI-CE.

For details, see our Cookie Policy.

11. Protection of minors

Our services are directed to businesses and professionals.

We do not knowingly collect personal information from children under 14. If we discover we have collected data from a minor without the required parental consent, we will delete that information immediately.

12. Updates to this policy

We may update this policy periodically to reflect changes in our practices or for legal reasons. The current version is identified at the top of the document.

We will notify you of any significant change through:

  • Prominent notice on the website.
  • Email to the contact address you have provided, where applicable.

If you have given your consent to a previous version, we keep the corresponding snapshot as documentary evidence and, if the changes affect the scope of consent, we will request it again.

13. Contact

For any question related to this policy or the processing of your data:

General email: info@utilia.ai

Privacy email: compliance@utilia.ai

Back to Home