LEGAL

Privacy Policy

Last updated: 20 April 2026

Contents

Data controller
Data we collect
Purposes and legal bases
Retention periods
Recipients and processors
International data transfers
Your rights
Security measures
Minors
Changes to this policy

At OSI Global Consulting SL we process personal data of our clients, business contacts and website users in full compliance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights (LOPDGDD) and any other applicable regulation.

1. Data controller

OSI Global Consulting SL
Tax ID (CIF): B22831267
Francisco Alonso, 2 · Office 13
28660 Boadilla del Monte, Madrid, Spain
Email: info@osigc.com
Phone: +34 911 67 17 56

For data-protection-specific queries, write to the same email using "Data Protection" as the subject line.

2. Data we collect

Depending on your relationship with us, we may process:

Contact data: name, company, role, email, phone, country.
Customer and billing data: legal entity name, tax ID, billing address, bank details where applicable.
Platform usage data (e.g. the free trial at test.osigc.cloud, the admin dashboard or the live-support chat): access logs, IP address, session identifier, language preferences, and content created by the user inside their own instance.
Browsing data and cookies: information collected through technical and, where consented, analytics cookies. See our Cookie Policy.
Communications: the content of messages you send us through the contact form, email, chat or phone.

3. Purposes and legal bases

Purpose	Legal basis
Responding to enquiries received through the contact form, email, chat or phone.	Consent (Art. 6(1)(a) GDPR).
Delivering the consulting engagement and/or providing the OSIGC platform you have purchased (CRM, ERP, advanced planning).	Performance of a contract (Art. 6(1)(b) GDPR).
Accounting, tax and administrative management.	Compliance with a legal obligation (Art. 6(1)(c) GDPR).
Sending commercial communications about services similar to those already purchased.	Legitimate interest (Art. 6(1)(f) GDPR; Spanish LSSI Art. 21.2).
Sending newsletters, event invitations or updates to non-client subscribers.	Explicit and unambiguous consent.
Fraud prevention, system security and enforcement of our terms of use.	Legitimate interest.

Where consent is the legal basis, it is always freely given, specific, informed and unambiguous. You may withdraw it at any time by writing to info@osigc.com, without affecting the lawfulness of any processing carried out before withdrawal.

4. Retention periods

Business-prospect data: up to 24 months since the last contact or until you withdraw your consent.
Customer data: for the duration of the contractual relationship and, once terminated, for the applicable statutory periods (up to 6 years under commercial and tax law — Art. 30 of the Spanish Commercial Code and Art. 66 et seq. of the General Tax Law).
Technical and security logs: up to 12 months, unless a longer period is legally required.
Data processed on the basis of consent for marketing: until consent is withdrawn.

5. Recipients and processors

We do not disclose personal data to third parties except where legally required. We do rely on certain providers as processors to operate our business. All of them have signed a GDPR Article 28 data-processing agreement:

Hosting and infrastructure (Hostinger International Ltd, EU).
Transactional and marketing email (Brevo SAS, France).
Operational CRM and ERP based on Odoo (EU infrastructure).
Support and messaging (Chatwoot, self-managed EU infrastructure).
Payments and subscriptions (Stripe Payments Europe Ltd, Ireland).
Online booking (Cal.com Inc., EU-managed instance).
Internal automation tooling (n8n, self-hosted EU infrastructure).

6. International data transfers

OSIGC's core infrastructure is hosted in the European Union. If any of the processors listed above performs processing outside the EEA, it will always rely on one of the safeguards set out in Chapter V of the GDPR (adequacy decision, standard contractual clauses, binding corporate rules, or other appropriate safeguards).

7. Your rights

As a data subject you may at any time exercise your rights to:

Access your data.
Rectify inaccurate data.
Erase your data ("right to be forgotten").
Restrict processing.
Object to processing.
Data portability.
Not be subject to solely-automated decisions.
Withdraw any consent previously given.

To exercise your rights, write to info@osigc.com and include a means of verifying your identity. If you believe we have not handled your request correctly, you may lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.

8. Security measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS 1.2+), database encryption at rest, daily backups, role-based access control, administrator multi-factor authentication and a continuous audit and patching programme.

9. Minors

Our services are directed at business professionals and companies. We do not knowingly collect data from children under 14. If we become aware of data collected from a minor without the legal guardian's consent, we will delete it without undue delay.

10. Changes to this policy

We may update this Privacy Policy to reflect changes in regulation or in our services. The date of the latest revision appears at the top of this document. We recommend reviewing it periodically.