Privacy Policy

Last updated: April 2025

01

Controller Identity

  • Data Controller: Promptfields ([Full Legal Name of Autónomo])
  • NIF / VAT ID: [ESX1234567Y]
  • Registered Address: [Fiscal Address, Spain]
  • Email: privacy@promptfields.com
  • Website: https://promptfields.com
  • Supervisory Authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

02

Scope

This Policy applies to personal data processed by Promptfields when you:

  • Visit promptfields.com or any associated landing page.
  • Subscribe to the Promptfields newsletter or download a lead magnet.
  • Book a discovery call via Cal.com or a similar scheduling tool.
  • Engage Promptfields as a client for CRM, RevOps, or automation services.
  • Purchase a digital product through Gumroad or a connected platform.
  • Contact Promptfields via email, LinkedIn, or web form.

03

Categories of Personal Data Processed

| Category | Examples | Source |
|---|---|---|
| Identification data | Full name, job title, company, country | Provided by you |
| Contact data | Email, phone, LinkedIn URL, business address | Provided by you |
| Billing data | VAT ID, fiscal address, IBAN, invoice records | Provided by you |
| Commercial data | Discovery call notes, project scope, deliverables | Provided by you / generated in delivery |
| Technical data | IP address, browser type, device, cookies | Collected automatically |
| Usage data | Pages visited, time on page, referral source | Collected automatically |
| Marketing data | Newsletter subscription, email engagement | Provided by you / generated via tracking |

Promptfields does not knowingly collect data from children under 16, nor does it process special categories of data (health, political opinions, religion, biometrics) in the ordinary course of business.

04

Purposes & Legal Bases for Processing

| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing consulting, CRM, and automation services | Contract performance — Art. 6(1)(b) |
| Issuing invoices and complying with Spanish tax law | Legal obligation — Art. 6(1)(c) |
| Responding to inquiries and discovery call requests | Pre-contractual measures — Art. 6(1)(b) |
| Sending newsletters and marketing emails | Consent — Art. 6(1)(a) |
| Website analytics and performance monitoring | Legitimate interest / consent — Art. 6(1)(f) / (a) |
| Fraud prevention and IT security | Legitimate interest — Art. 6(1)(f) |
| Legal claims, disputes, and regulatory cooperation | Legal obligation / legitimate interest — Art. 6(1)(c) / (f) |

05

Data Retention

Personal data is retained only as long as necessary for the purpose for which it was collected, plus any period required by applicable law.

  • Invoicing & tax records: 6 years (Spanish Commercial Code, Art. 30) and up to 10 years for anti–money-laundering obligations.
  • Client project data: Duration of the engagement plus 5 years for civil liability claims (Código Civil, Art. 1964).
  • Marketing data: Until consent is withdrawn or after 24 months of inactivity.
  • Website analytics: Up to 14 months.
  • Inquiry emails with no engagement: 12 months.

After expiry, data is securely deleted or fully anonymised.

06

Recipients & Data Processors

Promptfields shares personal data only with carefully selected processors bound by a Data Processing Agreement (DPA) in accordance with GDPR Art. 28.

Promptfields does not sell personal data and does not share it with third parties for their own marketing purposes.

07

International Data Transfers

When data is transferred outside the European Economic Area (EEA), Promptfields relies on one of the following safeguards under GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy Decisions for countries recognised by the EU (e.g., UK, Switzerland).
  • EU–US Data Privacy Framework where applicable.

A copy of the applicable safeguards can be requested at privacy@promptfields.com.

08

Your Rights under GDPR

Under GDPR Articles 15–22, you may exercise the following rights free of charge at any time.

  • Right of access: obtain a copy of your personal data.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: request deletion, subject to legal retention obligations.
  • Right to restriction of processing: limit how your data is used.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interest or direct marketing.
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making: that produces legal or similarly significant effects.

To exercise any right, email privacy@promptfields.com with proof of identity. Requests are answered within 30 days (extendable by 60 days for complex cases per Art. 12(3)).

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es or your local EU supervisory authority.

09

Cookies & Tracking Technologies

The Promptfields website uses the following categories of cookies:

  • Strictly necessary cookies: required for site operation (no consent needed).
  • Analytics cookies: anonymised usage statistics (consent required).
  • Marketing cookies: retargeting and campaign measurement (consent required).

You can accept, reject, or update your cookie preferences via the cookie banner or the "Cookie Settings" link in the site footer.

10

Security Measures

Promptfields applies technical and organisational measures proportionate to the risks identified, in line with GDPR Art. 32:

  • Encrypted data in transit (TLS 1.2+) and at rest where supported.
  • Multi-factor authentication (MFA) on all business-critical accounts.
  • Principle of least privilege on client CRM and automation access.
  • Password manager (1Password / Bitwarden) for credential storage.
  • Regular backups and tested restore procedures.
  • Data Processing Agreements (DPAs) with every sub-processor.
  • Incident response plan aligned with the 72-hour breach notification duty (Art. 33).

11

Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, Promptfields will:

  • Notify the AEPD within 72 hours of becoming aware of the breach.
  • Inform affected data subjects without undue delay where the risk is high.
  • Document the breach, its effects, and the remedial actions taken.

12

Automated Decision-Making & AI

Promptfields uses AI tools (including LLMs such as Ollama, OpenAI, and Anthropic models) to support lead scoring, content generation, and workflow automation. These tools:

  • Do not make final decisions that produce legal or similarly significant effects without human review.
  • Are configured to avoid training on client data where provider settings permit.
  • Are covered by the applicable DPA with each AI provider.

You may request human review of any AI-assisted output that affects you.

13

Changes to this Policy

Promptfields may update this Policy to reflect changes in legislation, services, or processors. The current version and its "Last updated" date are always available at promptfields.com/privacy. Material changes will be communicated via email or a prominent notice on the website.