Last updated: May 2026
1. General information
This Privacy Policy explains how Crata AI SL collects, uses, stores, and protects the personal data of users who access and interact with our website (www.crata-ai.com).
We strictly comply with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce ("LSSICE").
By accessing and using our website, you acknowledge that you have read and understood this Privacy Policy.
2. Data controller
3. Personal data we collect
When you use our website or interact with us, we may collect the following categories of personal data:
Information you provide directly to us: full name, email address, phone number, company name, job title, and any other information you voluntarily provide through contact forms, resource download requests, or service enquiries.
Information collected automatically: when you browse our website, we may automatically collect IP address, browser type and version, device and operating system information, browsing behaviour and usage data, and cookies (see our Cookies Policy for more information).
We do not collect payment data. Crata AI SL does not process or store any financial information of any kind through its website.
4. Purpose of processing
We process your personal data for transparent and legitimate purposes:
- Managing enquiries and requests: responding to any enquiry or request you make through the website.
- Contract management: when you hire our services, we process your data to formalise and maintain our contractual relationship and deliver the services you requested.
- Commercial follow-up: recording and managing qualified leads in our CRM (HubSpot) to support the sales process.
- Website analytics: analysing user behaviour on the website to improve its performance, content, and usability.
- Digital advertising: measuring the effectiveness of our Google Ads and LinkedIn campaigns, and showing relevant content to users who have previously visited our website.
- Legal compliance: fulfilling the legal and regulatory obligations applicable to Crata AI SL.
- Security: ensuring the security and proper functioning of the website and digital services.
We do not use your personal data for automated decision-making or profiling activities.
5. Legal basis for processing
The processing of your personal data is carried out on the following legal grounds:
- Performance of a contract: when processing is necessary to provide the contracted services or to take pre-contractual steps at your request.
- Consent: when you have expressly given your consent, such as by completing a contact form, downloading a resource, or accepting the use of non-essential cookies.
- Legal obligation: when processing is necessary to comply with a legal obligation applicable to Crata AI SL.
- Legitimate interest: to ensure the security, proper functioning, and continuous improvement of the website and services, provided that your fundamental rights and freedoms are not overridden.
6. Data sharing and third parties
We do not share your personal data with third parties unless strictly necessary. In certain circumstances, we may disclose your information to the following trusted service providers who assist us in delivering our services:
| Provider |
Purpose |
Location |
| Amazon Web Services (AWS) |
Website hosting and storage infrastructure |
EU (Frankfurt, eu-central-1) |
| Google Analytics / Google Ads |
Website analytics and advertising campaign measurement |
EU / EEA |
| Microsoft Clarity |
User behaviour analytics (session recording, heatmaps) |
EU / EEA |
| LinkedIn |
Advertising campaign tracking and conversion measurement |
EU / EEA |
| Calendly |
Meeting scheduling management |
USA (with appropriate safeguards) |
| HubSpot |
CRM for lead management and follow-up |
USA (with appropriate safeguards) |
| Proveedor |
Finalidad |
Ubicación |
| Amazon Web Services (AWS) |
Infraestructura de hosting y almacenamiento del sitio web |
UE (Frankfurt, eu-central-1) |
| Google Analytics / Google Ads |
Analítica web y medición de campañas publicitarias |
UE / EEE |
| Microsoft Clarity |
Analítica de comportamiento de usuario (grabación de sesiones, mapas de calor) |
UE / EEE |
| LinkedIn |
Seguimiento de campañas publicitarias y medición de conversiones |
UE / EEE |
| Calendly |
Gestión de reservas de reuniones |
EE. UU. (con garantías adecuadas) |
| HubSpot |
CRM para gestión y seguimiento de leads |
EE. UU. (con garantías adecuadas) |
All these providers are contractually bound to process your data securely, confidentially, and solely for the intended purposes. Under no circumstances do we sell your personal data to anyone.
We may also disclose your data when required by law or by competent regulatory authorities.
International data transfers
Some of the providers listed above (Calendly, HubSpot) are based in the United States. These transfers are carried out under the appropriate safeguards provided for in the GDPR, including the Standard Contractual Clauses approved by the European Commission, ensuring a level of protection equivalent to that required within the European Union.
7. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data type |
Retention period |
| Contact data of unconverted leads |
24 months from the last contact or interaction |
| Client data (active contractual relationship) |
For the duration of the contract |
| Former client data |
5 years from the end of the contract (fiscal and commercial obligation) |
| Browsing and analytics data |
According to each tool's configuration (maximum 14 months in GA4) |
| Cookie consent data |
1 year from the date consent was recorded |
| Tipo de dato |
Plazo de conservación |
| Datos de contacto de leads no convertidos |
24 meses desde el último contacto o interacción |
| Datos de clientes (relación contractual activa) |
Durante la vigencia del contrato |
| Datos de ex-clientes |
5 años desde la finalización del contrato (obligación fiscal y mercantil) |
| Datos de navegación y analítica |
Según la configuración de cada herramienta (máximo 14 meses en GA4) |
| Datos de consentimiento de cookies |
1 año desde el registro del consentimiento |
Once these periods have elapsed, your data will be securely deleted or irreversibly anonymised.
8. Data security
Protecting your personal information is a priority for us. Crata AI SL implements appropriate technical and organisational measures to safeguard your data against accidental loss, unauthorised access, misuse, or disclosure.
That said, no digital transmission or storage system is completely secure. While we make every effort to protect your data, we cannot guarantee its absolute security.
9. Your data protection rights
As a data subject, you have the following rights regarding the personal information we hold about you:
- Right of access: to obtain confirmation of whether we process your data and to receive a copy of it.
- Right to rectification: to request the correction of inaccurate or incomplete data.
- Right to erasure: to request the deletion of your data when it is no longer necessary for the purposes for which it was collected.
- Right to restriction: to request the restriction of processing in certain circumstances.
- Right to object: to object to the processing of your data, particularly for marketing or advertising purposes.
- Right to data portability: to receive your data in a structured, commonly used format, where processing is based on consent or a contract.
- Right to withdraw consent: at any time, where processing is based on your consent, without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within the legally established timeframe.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if you consider that the processing of your personal data does not comply with applicable regulations. You can do so through their website: www.aepd.es.
10. Changes to this Privacy Policy
Crata AI SL reserves the right to update this Privacy Policy whenever necessary to reflect changes in our practices, regulatory requirements, or for other operational reasons. Any substantial changes will be communicated through our website. We encourage you to review this policy regularly.
Crata AI SL — www.crata-ai.com — [email protected]