Privacy Policy of SOCIALO

1. Introduction

At SOCIALO we work to offer the user the best possible experience through our mobile application. In some cases, it is necessary to collect information to achieve this.

Therefore, and for the purposes of the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter, “GDPR”) relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data, and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, “LOPDGDD”), SOCIALO, S.L. informs the user about the processing of their personal data in accordance with this policy.

This privacy policy is available both within the application itself and in the application stores (App Store, Google Play), so that you can consult it before installing the application or at any time during its use.

2. Data Controller

SOCIALO may act as a data controller or as a data processor, depending on the type of data and the relationship with the data subject.

2.1. SOCIALO as Data Controller

SOCIALO shall act as data controller with respect to the personal data of its clients (organisations) and their representatives or contact persons (for example, administrators, employees or collaborators of the organisations).

Data controller details:

Identity: SOCIALO, S.L.
Address: Paseo de la Castellana, 194, Bajo B, 28046 Madrid, Spain
NIF: B26602979
Contact email: dpo@socialo.live

What data do we process?

Identification and professional contact data (name, surname, professional email, telephone, position, company).
Data derived from the contractual relationship (services contracted, communications, billing, support).

For what purposes do we process this data?

Management of the contractual relationship with organisations.
Administrative, accounting and billing management.
Customer service and technical support.
Sending commercial communications related to similar services.

What is the legal basis?

Performance of a contract (Art. 6.1.b GDPR).
Legitimate interest for the management of the professional relationship and communications (Art. 6.1.f GDPR).
Compliance with legal obligations (Art. 6.1.c GDPR).

How long do we retain the data?

For the duration of the contractual relationship and, subsequently, for the statutory limitation periods for legal liabilities.

2.2. SOCIALO as Data Processor

The SOCIALO application is used by organisations (halls of residence, institutions, communities), which act as data controllers of the personal data of their members (students, residents, etc.).

In this case, SOCIALO acts as a data processor on behalf of these organisations, in accordance with Article 28 of the GDPR, processing personal data exclusively in accordance with their instructions.

If you are an end user (student, resident or member), your personal data is processed under the responsibility of the organisation to which you belong.

SOCIALO has appointed a Data Protection Officer within its organisation (José Javier Román Camacho). If you wish to make an enquiry regarding the processing of your personal data, you may contact us at the email address indicated above or contact the data controller of your organisation.

3. Collection and Processing of Personal Data

3.1. Categories of Personal Data

The following are the categories of personal data that may be processed in the application, to the extent that your organisation enables them:

a) Identification data: Name, surname, identity document (DNI, NIE, passport or other identification document), photograph.

b) Contact data: Email address (personal and institutional), mobile and landline telephone number, postal address, professional social media profiles.

c) Organisational context data: Academic, professional or other context information relevant to the community (for example: university degree, institution, department, professional area, specialisation, position, function or role within the organisation).

d) Location or assignment data: Location, assigned space or information about belonging within the organisation (for example: room number, building, office, area, section, group, team or unit), dates of entry and expected departure where applicable.

e) Participation and activity data: Activities in which you participate, events you attend, activity preferences, declared personal interests, groups or committees to which you belong, comments and reviews.

f) User profile data: Personal biography, interests, hobbies, languages, skills, notification and communication preferences.

g) Platform usage data: Access log, date and time of connection, pages visited within the platform, interactions with content.

3.2. Purposes of Processing

Personal data shall be processed for the following purposes:

User management and access control: Registration, sign-up and access to the platform.
Internal communication: Facilitating communication between community members and with the organisation’s administration.
Activity organisation: Organisation and promotion of the organisation’s activities, events and services.
Community participation: Improving the participation and engagement of community members.
Notifications: Sending notifications and service-related communications.
Maintenance and support: Maintenance, technical support and improvement of the platform.
Statistics: Preparation of aggregated and anonymised statistics on platform usage.
User support: Management of enquiries and support.

3.3. Special Categories of Data (Sensitive Data)

SOCIALO does NOT under any circumstances process special categories of personal data as defined in Article 9 of the GDPR, which include:

Data revealing racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data for the purpose of uniquely identifying a natural person.
Data concerning physical or mental health.
Data concerning sex life or sexual orientation.

Data relating to criminal convictions and offences pursuant to Article 10 of the GDPR is also not processed.

In the event that the processing of these categories of data is accidentally detected, the data controller shall be notified so that appropriate measures may be taken in accordance with their instructions.

4. Legal Basis for the Processing of Your Data

The legal basis justifying the processing of the aforementioned data is:

For end users:

The legal basis is that determined by the Organisations responsible for the processing in accordance with Article 6 GDPR (usually performance of the legal relationship with the Organisations or legitimate organisational interest).
For processing where SOCIALO acts as controller: performance of a contract, legitimate interest and compliance with legal obligations, as indicated in Section 2.1.
Legitimate interest: where SOCIALO processes data for the purpose of improving the service as a technology provider, it shall do so on the basis of aggregated or anonymised data or, where applicable, on the basis of its duly balanced legitimate interest.
Compliance with legal obligations for communication with public authorities and compliance with legal requirements.

5. Retention of Your Personal Data

Personal data is only retained for as long as necessary for the purposes for which it was collected, to satisfy your needs or to comply with legal obligations.

5.1. Retention Periods

Account data: For as long as the account is active and you maintain your relationship with the organisation.
Activity data: For the time necessary to manage the activity and, subsequently, for the applicable limitation periods.
Data for legal obligations: For the periods legally established under applicable legislation.

5.2. End of Relationship

When your relationship with the organisation ends or your account is deactivated:

You shall have a period to request the download of your data through the established channels.
Data shall be deleted or, where applicable, returned to the data controller (your organisation).

5.3. Blocking Period

In accordance with Article 32 of the LOPDGDD, personal data may be retained duly blocked during the limitation periods for possible liabilities arising from the processing, in accordance with applicable legislation.

During the blocking period, the data may not be accessed or processed, except for being made available to:

Courts and Tribunals
The Public Prosecutor’s Office
The competent Public Administrations
The Ombudsman (Defensor del Pueblo)
The Court of Auditors (Tribunal de Cuentas)
The Spanish Data Protection Agency (AEPD) or other data protection authorities

5.4. Definitive Deletion

Once the blocking period has elapsed without the need for retention, the data shall be definitively deleted by secure procedures that prevent their recovery, or anonymised so that the user can no longer be identified.

6. Recipients to Whom Your Data is Communicated

Data shall not be communicated to third parties except where required by law or for the provision of services by data processors.

6.1. Data Recipients

Your organisation (Data Controller): If you are an end user (student, resident, member), your data is accessible by the administrators of your organisation, who are the data controllers of your data.
Service providers (Sub-processors): SOCIALO may engage service providers that access personal data exclusively for the provision of the service (such as hosting, communications, analytics and other auxiliary technical services), always in accordance with the controller’s instructions. All sub-processors are contractually bound to comply with the GDPR and to maintain the confidentiality of the data.

6.2. Communication to Authorities

In some cases, the law may require that personal data be communicated to public bodies or other parties (Courts and Tribunals, Public Administrations, Law Enforcement Agencies, etc.). Only what is strictly necessary for compliance with such legal obligations shall be communicated.

6.3. Provider Information

For information on the specific providers that access your personal data, you may send an email to dpo@socialo.live

7. Storage and International Data Transfers

7.1. Storage Location

As a general rule, personal data is stored on servers located within the European Union.

7.2. International Transfers

In the event that the processing of your data involves an international transfer of data outside the European Economic Area (EEA), SOCIALO guarantees that the safeguards provided for in Chapter V of the GDPR shall be met, through one of the following mechanisms:

Adequacy decisions: Transfers to countries that the European Commission has declared to offer an adequate level of protection.
Standard contractual clauses: Contracts incorporating the model clauses approved by the European Commission.
Other legally recognised mechanisms: Such as binding corporate rules or specific certifications.

7.3. Transfer List

SOCIALO maintains an up-to-date list of all providers that carry out international transfers, specifying the destination countries and the protection mechanisms applied. This information is available upon request. At the time of the last update of this policy, international transfers are carried out in accordance with the mechanisms indicated above.

7.4. Further Information

For further information on service providers and international transfers, contact: dpo@socialo.live

8. Exercise of Rights and How You Can Exercise Them

8.1. How to Exercise Your Rights

If you are an end user (student, resident, member), you may exercise your rights:

By contacting the data controller of your organisation directly.
Through dpo@socialo.live, who shall forward your request to the relevant controller immediately and, in any event, within a maximum period of one working day. In this case, SOCIALO shall act solely as a communication channel and shall not directly resolve the request unless it acts as controller in the specific processing.

If you are an administrator of an organisation, you may direct your communications to: dpo@socialo.live

Under the GDPR (Articles 15 to 22) you may exercise the following rights:

Right of access (Art. 15): You may request information as to whether your personal data is being processed and, if so, obtain a copy thereof and information about the processing.
Right to rectification (Art. 16): You may request the correction of inaccurate personal data or the completion of incomplete data.
Right to erasure / “Right to be forgotten” (Art. 17): You may request the deletion of your personal data when, among other reasons, it is no longer necessary for the purposes for which it was collected.
Right to restriction of processing (Art. 18): You may request the restriction of the processing of your personal data in certain circumstances.
Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used and machine-readable format (for example: JSON, CSV, XML), and to transmit it to another controller.
Right to object (Art. 21): You may object to the processing of your personal data, including profiling.
Right not to be subject to automated individual decisions (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. SOCIALO does not make automated decisions of this type without human intervention.

8.3. Response Time

Requests to exercise rights shall be processed within a maximum period of one month from receipt. This period may be extended by a further two months in the case of complex or numerous requests, and you shall be informed of such extension within one month of receipt of the request.

8.4. Limitations

In some cases, the request may be denied if you request the deletion of data necessary for:

Compliance with legal obligations.
The establishment, exercise or defence of legal claims.
Reasons of public interest in the area of public health.

8.5. Complaint to the Supervisory Authority

If you consider that your rights have not been duly addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD):

Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid
Telephone: 901 100 099 / 91 266 35 17

9. Responsibility for the Accuracy and Veracity of Data

The user is solely responsible for the veracity and accuracy of the data provided, exonerating SOCIALO from any liability in this regard. Users warrant and are responsible for the accuracy, currency and authenticity of the personal data provided, and undertake to keep it duly updated.

SOCIALO reserves the right to terminate the services contracted with users if the data provided is false, incomplete, inaccurate or not up to date.

10. Security Measures

SOCIALO has adopted the necessary technical and organisational security measures to ensure the protection of personal data, in accordance with Article 32 of the GDPR. These measures enable:

Confidentiality: Ensuring that only authorised persons have access to personal data.
Integrity: Ensuring that personal data is not altered in an unauthorised manner.
Availability: Ensuring that personal data is available when needed.
Resilience: The ability of systems to recover from physical or technical incidents.

10.1. Technical Measures Implemented

Encryption in transit: The application uses secure connections with TLS certificate, encrypting all information transmitted via HTTPS protocol.
Encryption at rest: Stored data is protected by encryption techniques.
Pseudonymisation: Where possible, pseudonymisation techniques are applied to reduce risks.
Access control: Authentication and authorisation systems to limit access to data.
Backups: Regular backup procedures to ensure data recovery.
Monitoring: Incident detection and response systems.

10.2. Organisational Measures

Training: Staff with access to personal data receive specific training in data protection.
Confidentiality: All staff are subject to written confidentiality commitments.
Periodic assessments: Regular checks and evaluations of the effectiveness of the security measures implemented.

10.3. Security Breach Notification

In the event of a personal data security breach that may pose a high risk to your rights and freedoms, you shall be informed without undue delay, in accordance with Article 34 of the GDPR, so that you can take the necessary precautions.

11. Processing of Minors’ Data

11.1. Minimum Age

In accordance with Article 7 of the LOPDGDD, the processing of personal data of minors may only be based on their consent when they are over 14 years of age.

11.2. Under 14 Years of Age

The processing of personal data of minors under 14 years of age shall require the consent of the holder of parental authority or guardianship. In such cases, the organisation (data controller) must verify that consent has been given by the holder of parental authority or guardianship over the minor.

11.3. Responsibility of the Organisation

It is the responsibility of the organisation (data controller) to ensure that age and consent requirements are met for the processing of data of minors who use the platform.

12. Modification of the Privacy Policy

This privacy policy may be modified to adapt to regulatory, jurisprudential or interpretive changes by the Spanish Data Protection Agency, as well as to changes in the configuration of the platform.

In the event of substantial modifications affecting the processing of your personal data, we shall inform you through the application or by email before they take effect, so that you may be aware of the changes and, where applicable, exercise your rights.

We recommend that you review this policy periodically to stay informed about how we protect your data.

Date of last review: January 2026

13. Additional Information

13.1. Application Permissions

When the application requests permissions to access features on your mobile device (camera, image gallery, notifications, etc.), such access shall be used exclusively for the purposes described in this privacy policy. You may manage these permissions at any time from your device settings.

13.2. Cookies and Similar Technologies

The application may use cookies and similar technologies to improve the user experience. For more information on the use of cookies, please see our Cookie Policy.

13.3. Contact

For any enquiry related to this privacy policy or the processing of your personal data:

Email: dpo@socialo.live
Address: Paseo de la Castellana, 194, Bajo B, 28046 Madrid, Spain

This privacy policy has been drafted in accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD).

This document is a translation provided for informational purposes only. In the event of any discrepancy or conflict between this version and the Spanish original, the Spanish version shall prevail.