Privacy Policy

This text constitutes the binding Privacy Policy of abionori.com. It is provided to explicitly detail the categories of personal data subject to collection, the corresponding legal and operational justifications for such processing, and the statutory rights granted to you as a user.

To ensure complete clarity, capitalized terms used in this policy (such as 'User', 'Owner', or 'Personal Data') are defined in the final section of this document under 'Definitions and legal references'.

Policy Status

Effective Date: 01.05.2026
Last Modified: 01.05.2026

Version: 1.1

This Privacy Policy is an active legal document. The Data Controller maintains comprehensive internal logs of all prior versions and amendments.

Summary
Owner and Data Controller
Types of Data collected
Mode and place of processing the Data
The purposes of processing
Detailed information on the processing of Personal Data
Cookie Policy
Further Information for Users in the European Union
Further information for Users in Switzerland
Additional information about Data collection and processing
Definitions and legal references

Summary

Automatically Processed Data

Technical information is gathered without active user input as a direct result of accessing the abionori.com infrastructure.

Browser information
Date of the message
Device information
Device logs
Essential Technical Telemetry (Server Logs)
IP address
Language
Operating systems
Time the message was sent
Technical Security Identifiers (e.g., bot-management cookies)

Authorized Third-Party Processors

Cloudflare, Inc.: Traffic optimisation, CDN distribution, and edge security.
Hostinger International Ltd.: Platform services and core web hosting.
Meta Platforms Ireland Limited: Managing support and contact requests (via WhatsApp)

How we use them

Managing support and contact requests
Platform services and hosting
Traffic optimisation and distribution

Manage your privacy preferences HERE.

Data you give to us

We collect the data you give to us for example when you fill in a form.

Company name
Contents of the email or message
Data communicated while using the service
Email address
First name
Last name
Phone number
Profession
Any other Personal Data freely provided by the User within the message body of the contact form

Trusted third parties help us to process it

Google Ireland Limited
Hostinger International Ltd.
Meta Platforms Ireland Limited

How we use them

Contacting the User
Handling activities related to productivity
Managing support and contact requests
Managing web conferencing and online telephony

Owner and Data Controller

Abionori S.L.U.

Carrer Gremi de Sabaters 21, 2º - B 24

07009 Palma de Mallorca

Illes Balears, Spain

Registro Mercantil de Palma de Mallorca

NIF: B22648554

Owner contact email:[email protected]

Note: The Data Controller has formally evaluated the requirement to appoint a Data Protection Officer (DPO) and determined that, given the specific volume, scope, and nature of the data processed, it is not legally mandatory under Art. 37 of the GDPR or Art. 34 of the Spanish LOPDGDD.

Type of Data we collect

The categories of Personal Data processed by this Website, whether gathered directly by our systems or via integrated third-party services, include the following:

Any other Personal Data freely provided by the User within the message body of the contact form.
Browser information
Company name
Contents of the email or message
Data communicated while using the service
Date of the message
Device information
Device logs
Email address
Essential Technical Telemetry (Server Logs)
First name
IP Address
Language
Last name
Operating systems
Phone number
Profession
Technical Security Identifiers (e.g., bot-management cookies)
Time the message was sent

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection. Personal Data may be freely provided by the User, or, in the case of technical telemetry, collected automatically when using this Website.

The automatic collection of essential technical telemetry (such as IP addresses and browser information) is strictly necessary for this Website to function securely and load properly on the User's device.

However, any Personal Data provided via contact forms, emails, or messaging applications is provided entirely voluntarily by the User. Users are free not to communicate this Data without any consequences to their ability to browse the Website, though failure to provide such Data may make it impossible for us to respond to inquiries or schedule consultations.

We provide digital business cards for our employees hosted on our own servers. When you click 'Save Contact' or 'Play Video,' no data is shared with third-party providers like Google or YouTube. We process only the necessary technical data to deliver the file to your device.

We do not store or process profile images from third-party platforms (WhatsApp/Google). Such images are only visible as part of the interface provided by the respective platform.

Users who are uncertain about which Personal Data is mandatory for specific requests are welcome to contact us through the provided email.

Any use of Cookies or other local storage technologies by this Website is limited strictly to technical delivery, network security, and (subject to explicit User consent) optional statistical analysis, in strict accordance with our privacy-by-design architecture. Detailed specifications are available in our Cookie Policy.

We use only strictly necessary security cookies (Cloudflare) and additionally, we offer optional, privacy-focused analytics (Amplitude) which are deactivated by default and only activated upon your explicit consent. No advertising or cross-site tracking cookies are used. [Link to Section 10: Detailed Cookie Table].

Mode and Place of Processing, and International Data Transfers

Methods of Processing and Cybersecurity Architecture

The Data Controller processes User Data employing stringent, enterprise-grade security protocols designed to strictly prevent unauthorized access, disclosure, modification, or unlawful destruction of the Data. The processing is executed utilizing advanced IT and telematics infrastructure, strictly following organizational procedures and logical modes directly tethered to the stated operational purposes. In addition to the Controller, Data may be accessible to formally authorized internal personnel (administration, sales, legal, system administration) or vetted external technical entities (hosting providers, cybersecurity networks, communications agencies) legally appointed as Data Processors.

Primary Place of Processing (EU/EEA)

The core processing and hosting of Personal Data occur at the Data Controller’s registered operating offices in Spain and within the localized data centers of our primary infrastructure providers situated strictly within the European Union and the European Economic Area (EEA), such as Hostinger International Ltd. Cyprus.

Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

International Data Transfers (Outside the EEA)

To ensure global network security, low-latency content delivery, and the functionality of specific enterprise communication tools, certain data may be transferred to and processed by specialized third-party providers located in third countries outside the EEA (specifically the United States, utilizing providers such as Cloudflare, Inc., Google LLC, and Meta Platforms, Inc.).

Statutory Safeguards for International Transfers

The Data Controller absolutely guarantees that any transfer of Personal Data outside the EEA is executed in strict, uncompromising compliance with Chapter V of the GDPR. Such cross-border transfers are legally anchored on the following statutory mechanisms:

Adequacy Decisions: Transfers to US-based entities actively certified under the EU-US Data Privacy Framework (DPF), which has been formally recognized by the European Commission as providing an adequate level of data protection (https://www.dataprivacyframework.gov/).

Standard Contractual Clauses (SCCs): Where an Adequacy Decision does not apply, or as an additional fail-safe, transfers are safeguarded by binding Data Processing Agreements (DPAs). These agreements incorporate the Standard Contractual Clauses explicitly approved by the European Commission (Implementing Decision (EU) 2021/914), coupled with supplementary technical measures (such as robust SSL/TLS encryption in transit and at rest) to shield European data from unauthorized foreign access.

Furthermore, the Data Controller conducts internal Transfer Impact Assessments (TIAs) to validate the efficacy of these safeguards.

The purposes of processing

Personal Data is processed by the Owner to ensure the effective delivery of the Service, fulfill statutory legal requirements, address formal enforcement inquiries, and safeguard the rights and legitimate interests of the Website, its Users, and associated third parties. Furthermore, Data is utilized to identify and prevent fraudulent or malicious activities, in addition to the following operational objectives:

Contacting the User
Handling activities related to productivity
Managing support and contact requests
Managing web conferencing and online telephony
Platform services and hosting
Spam and bots protection
Traffic optimisation and distribution

Detailed information on the processing of Personal Data

Contacting the User

Direct Inquiry via Contact Form

Users may initiate direct communication with the Data Controller utilizing the digital contact forms provided on this Website or via official generic email addresses. The Controller processes the transmitted Personal Data for the exclusive purpose of organizing, addressing, and resolving the User's specific inquiry.

Commercial Electronic Communications (LSSI-CE Compliance)

In strict accordance with Art. 21 of the Spanish LSSI-CE and the European GDPR, we will not send promotional or commercial communications via email unless explicitly requested or expressly authorized by the User.

Users may withdraw their consent to receive commercial communications at any time, free of charge. To ensure this withdrawal is as easy as the initial consent (Art. 7(3) GDPR), our commercial mailings include an automated "Unsubscribe" link for immediate removal. Alternatively, or for direct 1-on-1 business communications, Users may simply reply to the email with the word "BAJA" or "UNSUBSCRIBE". Such manual requests are honored and processed promptly without undue delay.

Personal Data processed

The exact scope of data depends entirely on the User's input. We adhere strictly to the principle of data minimization:

Mandatory Data: Email Address. (Without this, we are technically unable to process or respond to the inquiry).
Voluntary Data: First Name, Last Name, Company Name, Phone Number, and any additional Personal Data the User freely elects to include within the message body of the contact form. (Provision of this data is strictly optional and intended only to facilitate a more tailored response).

Operations Management and Productivity

Services in this category enable the Owner to coordinate internal tasks, facilitate professional collaboration, and manage business workflows. When these services are utilized, User Data is processed and retained strictly as required by the specific nature of the business activity. These platforms may interface with other third-party services mentioned in this policy to allow for the secure transfer, import, or export of information necessary for project fulfillment.

Google Workspace

Google Workspace is a professional suite of cloud-based productivity and collaboration tools. We utilize this infrastructure for secure communication and document management. In strict compliance with privacy standards, data within these services (including Gmail) is not scanned or utilized by the provider for advertising purposes, nor is it harvested to create marketing profiles.

Personal Data processed:

Data communicated while using the service
Email address

Statutory Legal Basis for Processing:

Contractual Necessity (Art. 6(1)(b) GDPR): For processing data directly related to the fulfillment of client IT integration projects and consulting agreements.
Legitimate Interest (Art. 6(1)(f) GDPR): For general internal administration, secure document storage, and corporate communication.

Service provided by:

Google Ireland Limited (Ireland) – Privacy https://cloud.google.com/terms/cloud-privacy-notice

Platform services and hosting

Services within this classification supply the fundamental technical architecture required to host, execute, and maintain the core components of this Website. By utilizing these platforms, the Owner is able to deliver a secure, unified, and highly available online presence. To ensure network security, monitor server performance, and facilitate the reliable transmission of web content, the hosting provider automatically processes specific technical telemetry and network data on behalf of the Data Controller.

Hostinger

We utilize Hostinger, supplied by Hostinger International Ltd., as our primary web hosting and server infrastructure provider.

Personal Data processed:

Browser information
Device information
Device logs
Essential Technical Telemetry
IP Address
Language
Operating systems

Service provided by:

Hostinger International Ltd. (Cyprus) – Privacy Policy https://www.hostinger.com/legal/privacy-policy

Network Performance, Security Routing, and Content Delivery

Services within this architectural tier are engineered to globally distribute Website content via geographically decentralized server networks, thereby minimizing latency and optimizing overall platform performance. Crucially, these systems function as an essential reverse proxy and security filter between the User’s client (browser) and the primary hosting infrastructure. The specific scope of Personal Data processed is dictated by the technical requirements necessary to establish secure connections, mitigate cyber threats, and deliver encrypted content.

Cloudflare

We implement Cloudflare, supplied by Cloudflare, Inc., as our primary Content Delivery Network (CDN) and edge security proxy. By design, all inbound traffic to this Website is routed through Cloudflare’s infrastructure to proactively filter malicious requests, ensure SSL/TLS encryption, and accelerate data delivery.

Personal Data processed:

Browser information
IP Address
Technical Security Identifiers (e.g., bot-management cookies)

Service provided by:

Cloudflare, Inc. (United States) – Privacy Policy https://www.cloudflare.com/privacypolicy/

Cloudflare DNS

Cloudflare DNS is utilized as an enterprise-grade Managed Domain Name System (DNS). This service translates domain requests into IP addresses, ensuring that network traffic is routed with maximum cryptographic security and operational resilience.

Personal Data processed:

Essential Technical Telemetry

Service provided by:

Cloudflare, Inc. (United States) – Privacy Policy https://www.cloudflare.com/privacypolicy/

Managing web conferencing and online telephony

Purpose of Processing

We utilize digital telecommunications and video conferencing infrastructure to conduct online meetings, client consultations, and business negotiations. These services facilitate real-time, cross-border communication and may interface with our internal administrative tools (e.g., calendar scheduling and CRM management).

No Recording Guarantee

We explicitly state that audio and video streams conducted via these platforms are not recorded, saved, or archived by the Data Controller unless an explicit, separate consent agreement is executed in advance of a specific meeting.

Google Meet

We deploy Google Meet, a secure video conferencing platform provided by Google Ireland Limited, as our primary online meeting infrastructure.

Categories of Personal Data Processed

The scope of data processed depends on the User’s interaction with the platform and the information voluntarily disclosed during the session.

User Information: Email Address. Additional data, such as First Name, Last Name. Company Name and Profession, are processed strictly on a voluntary basis, dependent upon the information the User explicitly elects to share or has publicly configured within their Google account profile.
Communication Content: Any textual data shared within the in-meeting chat function, and the transient audio/video streams generated during the live call.
Technical Metadata (Processed by Google): To facilitate the encrypted connection, Google processes necessary technical telemetry, including IP addresses, device type, operating system version, meeting duration (join/leave timestamps), and connection quality metrics.

Statutory Legal Basis for Processing

Contractual & Pre-Contractual (Art. 6(1)(b) GDPR): For meetings conducted to negotiate, establish, or fulfill a business contract with the User.
Legitimate Interest (Art. 6(1)(f) GDPR): For general communications, support, and the efficient administration of digital business meetings.

Service Provider & Data Processor:

Google Ireland Limited (Ireland) – Privacy Policy https://policies.google.com/privacy

Note: International data transfers associated with this service are legally safeguarded primarily by Google's active certification under the EU-US Data Privacy Framework (DPF) and, residually, by Standard Contractual Clauses (SCCs) incorporated within our formal Data Processing Agreement.

Managing support and contact requests

Services within this category equip the Owner with the necessary infrastructure to securely process, organize, and reply to User inquiries. We provide multiple distinct channels for communication (including email, direct phone, and contact forms). The exact scope of Personal Data processed is inherently dependent upon the communication medium the User explicitly chooses to utilize and the specific information they voluntarily disclose.

WhatsApp Business

We offer WhatsApp Business as an entirely optional, real-time communication interface. Communication via WhatsApp occurs on an external platform. By clicking the WhatsApp link, you leave our Website and interact directly with Meta Platforms. We do not control the technical telemetry Meta collects during that transition. When a User voluntarily elects to bypass standard channels and contact us via this platform, the interaction and associated message content are routed through the provider's infrastructure strictly to resolve the inquiry.

Personal Data processed:

Contents of the message
Data communicated while using the service
Date of the message
First name
Last name
Phone number
Time the message was sent

Service provided by:

Meta Platforms Ireland Limited (Ireland) – Privacy Policy https://www.whatsapp.com/legal/privacy-policy-eea

Statutory Legal Basis for Processing

Consent (Art. 6(1)(a) GDPR): The initiation of the WhatsApp chat relies entirely on the User's explicit, voluntary action (Consent) to click the designated contact link, having been provided with a pre-click warning regarding the transfer to an external platform.
Contractual Necessity (Art. 6(1)(b) GDPR): Once the chat is initiated, the processing of the actual message content to resolve the User's inquiry is based on pre-contractual or contractual necessity.

External Links and Third-Party Platforms

This Website contains direct hyperlinks to external platforms, applications, and social media networks. By clicking these links, you intentionally leave our digital ecosystem. We explicitly state that we have no technical or legal control over the data processing, tracking cookies, or telemetry deployed by these third-party operators once you exit our Website. We advise reviewing the respective privacy policies of those external platforms upon arrival.

External Corporate Presences and Social Media Profiles

Modular Applicability to Social Media Profiles

This Privacy Policy functions as a modular framework for our external corporate profiles. The provisions regarding Social Media Joint Controllership (Art. 26 GDPR) are triggered exclusively by the presence of an active link from a specific social media profile to this document.

Data processing under this section is strictly limited to the platforms actively maintained by the Controller. Users can identify our active platforms via the "Social Media Coverage Checklist" located in the Annex at the bottom of this document. For any platform listed below that is NOT marked as 'Active' in said Annex, no data processing is conducted by the Controller, and no Joint Controllership agreement is in effect.

Purpose and Scope of Processing

If you interact with an active corporate profile (e.g., by commenting, liking, or sending a direct message), we process the data you voluntarily provide to answer your inquiry or engage with your feedback.

Statutory Legal Basis for Processing by the Data Controller

Legitimate Interest (Art. 6(1)(f) GDPR): Our operation of these profiles is based on our legitimate interest in modern corporate communication, brand visibility, and target-audience engagement.
Contractual Necessity (Art. 6(1)(b) GDPR): If your interaction aims at concluding a contract or requesting specific customer support, this forms the legal basis for processing your message.

Data Processing by the Platform Operators (Third-Party Risk)

We strictly point out that we do not have full control over the overarching data processing operations of these social media platforms. When you visit our profiles, the platform operators (e.g., Meta, LinkedIn, Google) use cookies and tracking technologies to collect extensive behavioral data, create user profiles, and deploy targeted advertising, regardless of whether you are logged into a platform account. We hold no liability for the primary data harvesting conducted by these platform operators.

Joint Controllership (Art. 26 GDPR) and Analytics

For specific analytical data provided to us by the platforms (commonly referred to as "Page Insights"), we operate as a Joint Controller alongside the respective platform operator, as mandated by the European Court of Justice (CJEU). Where a platform is marked as active in our Annex, the following Joint Controller agreements apply:

Meta (Facebook & Instagram): We have executed a Joint Controller Addendum with Meta Platforms Ireland Ltd., which defines that Meta holds the primary responsibility for fulfilling Data Subject Rights regarding Insights data. (View Meta's Joint Controller Agreement).
LinkedIn: A similar Joint Controller arrangement exists with LinkedIn Ireland Unlimited Company for "Page Insights" data. (View LinkedIn's Page Insights Addendum).
TikTok: We act as a Joint Controller with TikTok Technology Ltd. under their Jurisdiction-Specific Terms. (View TikTok's Page Insights Addendum).
X (formerly Twitter): We act as a Joint Controller with Twitter International Unlimited Company. (View X's Page Insights Addendum).
YouTube & Google Maps: We act as a Joint Controller with Google Ireland Ltd. under their Controller-Controller terms. (View Google's Page Insights Addendum).

International Data Transfers

Because many of these platform operators are subsidiaries of US-based corporations, your data may be transferred to and processed in the United States. Such transfers are safeguarded by the EU-US Data Privacy Framework (DPF) certifications held by the parent companies, or via Standard Contractual Clauses (SCCs) implemented by the platform operators.

Platform Privacy Policies and Rights Exercise

For comprehensive details on how each operator processes your data, their exact storage periods, and how to exercise your right to object (Opt-Out) directly against their tracking, please consult their respective privacy policies:

Meta (Facebook & Instagram): Meta Platforms Ireland Ltd. – Privacy Policy
LinkedIn: LinkedIn Ireland Unlimited Company – Privacy Policy
Alphabet (YouTube & Google Maps): Google Ireland Ltd. – Privacy Policy
X (formerly Twitter): Twitter International Unlimited Company – Privacy Policy
TikTok: TikTok Technology Ltd. – Privacy Policy

ANNEX: Social Media Coverage Checklist

The following platforms are actively maintained by this Data Controller and are legally subject to the Joint Controllership provisions detailed in this Privacy Policy:

[X] LinkedIn
[ ] Meta (Facebook / Instagram)
[ ] TikTok
[ ] X (formerly Twitter)
[X] YouTube / Google Maps Business

Implementation of Cookies and Tracking Technologies

This digital infrastructure utilizes cookies and similar tracking technologies to safeguard network security, ensure core server functionality, and monitor statistical usage.

Strictly Necessary Technical Cookies

These cookies are technically essential for the Website to function securely and load properly. Pursuant to the ePrivacy Directive and the Spanish LSSI-CE, explicit user consent is not required for these strictly necessary cookies. For Users in Germany: The storage and access of information via technical cookies is conducted pursuant to § 25 para. 2 no. 2 TDDDG.

Name: __cf_bm

Provider: Cloudflare / via Zyrosite on Hostinger Infrastructure

Purpose: Essential edge security cookie deployed dynamically by our hosting infrastructure to distinguish between legitimate human visitors and malicious bot traffic.

Duration: 30 minutes

Type: Technical / Necessary

Name: cc_cookie

Provider: Abionori (First-Party)

Purpose: Stores the User's explicit consent preferences regarding the deployment of optional cookies

Duration: 6 months

Type: Technical / Necessary

Optional Platform Analytics (Amplitude)

Our hosting infrastructure provider (Hostinger) requests the use of optional analytical technologies to aggregate pseudonymous statistical data, which helps us analyze platform usage and improve the digital ecosystem.

Technology: Amplitude Analytics (Hostinger)
Legal Basis: These analytical trackers are strictly disabled by default and are only deployed if the User provides explicit, voluntary consent (Art. 6(1)(a) GDPR) via our Privacy & Infrastructure Settings module. Users may withdraw this consent at any time via the same module. In accordance with German law (TDDDG), for users in Germany, this consent also constitutes authorization under § 25 para. 1 TDDDG for the access and storage of information on the terminal device.

Name: AMP_*

Provider: Amplitude Analytics / Hostinger

Purpose: These analytical trackers are strictly disabled by default. They are only deployed if the User provides explicit, voluntary consent (Art. 6(1)(a) GDPR) via our Privacy & Infrastructure Settings banner. Users may withdraw or modify this consent at any time.

Duration: 1 Year

Type: Analytical / Statistics / Optional

Statutory Rights and GDPR Compliance Framework for Users in the European Union

Legal Bases for Processing

In strict accordance with Article 6 of the General Data Protection Regulation (GDPR), the Data Controller processes User Personal Data exclusively when at least one of the following statutory conditions is met:

Explicit Consent: The User has provided unambiguous, informed consent for one or more specific processing operations (Art. 6(1)(a) GDPR).
Contractual Necessity: The processing is strictly necessary for the execution of a contract with the User, or to take pre-contractual steps at the User's explicit request (Art. 6(1)(b) GDPR).
Legal Obligation: The processing is required to ensure compliance with a binding statutory or regulatory obligation to which the Controller is subject (Art. 6(1)(c) GDPR).
Legitimate Interests: The processing is necessary to pursue the legitimate operational interests of the Controller or a third party, provided these are not overridden by the fundamental rights and freedoms of the Data Subject (Art. 6(1)(f) GDPR).

Transparency Guarantee: Upon formal request, the Data Controller will readily provide clarification regarding the specific legal basis applied to any processing activity, including whether the provision of data is a statutory requirement, a contractual necessity, or a prerequisite to entering into an agreement.

Data Minimization and Statutory Retention Periods

Personal Data is retained strictly for the duration necessary to fulfill the specific operational purposes for which it was originally collected.

Data processed for the fulfillment of a contract is retained until that contract has been fully executed and all subsequent statutory limitation periods have expired. Specifically, this generally refers to 5 years for contractual liability (Spanish Civil Code) and 6 to 10 years for tax and commercial accounting records.
Data processed based on legitimate interests is retained only as long as necessary to achieve those operational objectives.

Exceptions for Extended Retention: The Controller may retain data for a longer duration if the User has granted valid consent (until such consent is formally withdrawn), or if an extended retention period is mandated by law (e.g., commercial or tax retention codes) or by a binding order from a competent regulatory authority.

Expiration of Rights: Upon the expiration of the applicable retention period, all associated Personal Data will be securely and permanently eradicated. Consequently, the rights to access, erasure, rectification, and data portability cannot be legally enforced after this expiration date.

Data Subject Rights (Under the GDPR)

Users maintain comprehensive statutory rights regarding their Personal Data processed by the Controller. To the full extent permitted by applicable law, Users are entitled to:

Revocation of Consent: Withdraw previously granted consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Object: Object to the processing of their data if the processing is based on a legal ground other than consent (detailed further below).
Right of Access: Obtain formal confirmation as to whether their data is being processed, request disclosures regarding the processing mechanics, and obtain a structured copy of the data in question.
Right to Rectification: Contest the accuracy of their data and demand that incomplete or erroneous information be updated or corrected.
Right to Restriction: Demand the restriction of data processing under specific conditions. In such instances, the Controller will cease processing the data for any purpose other than secure storage.
Right to Erasure ("Right to be Forgotten"): Request the permanent deletion or eradication of their Personal Data from the Controller's systems, subject to statutory exemptions.
Right to Data Portability: Receive their data in a structured, commonly used, and machine-readable format and, where technically feasible, mandate the unhindered transmission of that data to an alternative controller.
Right to Lodge a Complaint: Bring a formal claim or complaint before their competent national Data Protection Authority (e.g., the AEPD in Spain or the BfDI/State Authorities in Germany).

Users also possess the right to be informed regarding the legal mechanisms governing international data transfers to countries outside the European Economic Area (EEA), and the specific security frameworks implemented to safeguard that data.

Specific Provisions on the Right to Object

When Personal Data is processed in the exercise of official authority, or based on the legitimate interests of the Controller, Users may formally object by providing a justification relating to their specific personal situation.

Absolute Right Regarding Direct Marketing: Should Personal Data be processed for direct marketing purposes, the User holds an absolute right to object at any time, free of charge, and without any requirement to provide justification. Upon receiving such an objection, all processing for direct marketing purposes will cease immediately.

Procedural Guidelines for Exercising Rights

Any requests to invoke these Data Subject rights must be directed to the Controller using the contact information provided in this document. All such requests are processed entirely free of charge. The Controller is legally obligated to respond and provide the requested information without undue delay, and strictly within one calendar month of receipt.

Furthermore, the Controller will communicate any rectification, erasure, or restriction of processing to all downstream recipients to whom the data was previously disclosed, unless this proves technically impossible or involves a disproportionate effort. The Controller will identify these recipients to the User upon request.

Specific Statutory Provisions for Data Subjects in Switzerland

This section applies exclusively to Data Subjects residing within the jurisdiction of Switzerland. For such individuals, the specific legal frameworks outlined in this section hold absolute legal precedence and supersede any potentially divergent or contradictory clauses contained elsewhere within this general Privacy Policy.

For exhaustive details concerning the specific categories of Personal Data processed, operational purposes, authorized third-party recipients, and statutory data retention schedules, Swiss Data Subjects are directed to the primary operative sections (the "Detailed Information" clauses) of this document.

Statutory Rights under the Swiss Federal Act on Data Protection (nFADP)

Within the strict boundaries of applicable Swiss law, Users retain comprehensive rights regarding their Personal Data. Specifically, Users are legally entitled to:

Right of Access: Demand formal confirmation and access to the Personal Data currently being processed.
Right to Rectification: Demand the immediate correction or updating of factually inaccurate or incomplete Personal Data.
Right to Object and Restrict: Formally object to the processing of their Personal Data. This right inherently includes the authority to demand that data processing be restricted, that specific Personal Data be permanently deleted or destroyed, and that any further disclosure of Personal Data to third parties be strictly prohibited.
Right to Data Portability: Receive their Personal Data in a structured, commonly used format, and mandate that it be transferred to an alternative data controller without operational hindrance.

Procedural Guidelines for Exercising Rights

Requests to invoke these statutory rights must be submitted to the Data Controller utilizing the official contact details provided in this document. All such requests are processed entirely free of charge. The Controller will execute the request without undue delay and provide the legally required disclosures strictly within the 30-day timeframe mandated by Swiss data protection regulations.

Supplementary Disclosures and Operational Policies

Defense of Legal Claims and Compliance with Authorities

The Data Controller reserves the absolute right to process and, if necessary, disclose the User's Personal Data where strictly required for the establishment, exercise, or defense of legal claims. This includes court proceedings, administrative actions, or pre-litigation stages arising from the improper, malicious, or unlawful use of this Website or its associated digital infrastructure. Furthermore, the User acknowledges that the Controller is legally bound to surrender Personal Data if compelled by a valid statutory mandate or binding judicial order from competent public authorities, law enforcement, or regulatory bodies (such as the Spanish AEPD or German State Data Protection Authorities).

Provision of Contextual Disclosures

In addition to the comprehensive framework detailed within this primary Privacy Policy, the Controller may, either upon direct request or at specific points of data capture, provide the User with supplementary, situational data protection notices directly relating to specialized Services or specific processing events.

Infrastructure Logs and Security Maintenance

To guarantee continuous operational stability, technical troubleshooting, and robust cybersecurity architecture, this Website and its integrated third-party frameworks automatically generate system logs. These essential technical files record server-level interactions and may process specific network identifiers (such as the User’s IP Address) strictly for immediate maintenance, incident response, and network security purposes.

Inquiries Regarding Unlisted Information

Any further granular details concerning the scope, mechanics, or specific parameters of a data processing activity not explicitly enumerated within this document may be requested from the Data Controller at any time. Users are directed to utilize the official contact channels provided at the inception of this policy.

Modifications to this Privacy Framework

The Data Controller retains the right to amend, update, or legally revise this Privacy Policy at any time to reflect technical infrastructure upgrades or shifts in statutory jurisprudence. Users will be informed of such changes via an update to this specific webpage (indicated by the modification date at the top/bottom of the document) and, where legally necessary and technically viable, through direct notification via the contact details on file.

Mandatory Re-Consent

Crucially, should any modifications alter processing activities fundamentally anchored in the User’s previously granted consent, the Controller shall entirely suspend those specific processing activities until a new, explicit consent declaration is lawfully obtained from the User.

Definitions and legal references

Personal Data (or Data)

Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Usage Data

Technical and behavioral metadata collected automatically by this digital infrastructure (or integrated third-party frameworks). This encompasses: the IP addresses or domain names originating from the User's connection, Uniform Resource Identifiers (URIs), the precise timestamp of the server request, the technical method utilized to submit the request, the payload size of the server's response, HTTP status codes indicating success or error states, the geographic country of origin, the User’s browser capabilities and operating system specifications, and associated diagnostic parameters regarding the User's device and overarching IT environment.

User

The individual directly engaging with this Website. Unless explicitly designated otherwise within a specific context, the User legally coincides with the Data Subject.

Data Subject

The identified or identifiable natural person to whom the specific Personal Data legally pertains.

Data Processor (or Processor)

A natural or legal person, public authority, agency, or other body which processes Personal Data strictly on behalf of, and under the explicit instructions of, the Data Controller, in accordance with this privacy framework.

Data Controller (or Owner)

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, fundamentally determines the overarching purposes and strict technical means of processing Personal Data, inclusive of establishing necessary cybersecurity measures for this Website. Unless explicitly stated otherwise, the Data Controller is the legal Owner of this digital platform.

This Website

The specific digital interface, application, or web-based infrastructure through which the User’s Personal Data is actively collected and processed.

Service

The specific operational functions, digital products, or commercial offerings provided via this Website, as contractually outlined in the applicable terms of service or directly detailed on the platform.

European Union (EU) and European Economic Area (EEA)

For the purposes of this legal document, any reference to the European Union (EU) inherently encompasses all current Member States of the European Union as well as all participating states within the European Economic Area (EEA).

Cookie

A specific category of Tracker consisting of small, localized text files or data fragments structurally deposited and retained within the User's web browser.

Tracker (or Tracking Technology)

An overarching classification for any technology—expressly including, but not limited to, Cookies, unique digital identifiers, web beacons, embedded executing scripts, entity tags (e-tags), and browser fingerprinting techniques—that facilitates the tracking of User behavior or the accessing and localized storage of information directly on the User’s device.

Applicable Legal Framework

This legal disclosure has been drafted to ensure strict statutory compliance with a multitude of cross-jurisdictional privacy legislations. Unless expressly stipulated otherwise, the provisions contained herein apply exclusively to the data processing activities conducted via this specific Website.

How to Exercise Your Privacy Rights

We strive to ensure your data is handled with absolute transparency. If you wish to exercise any of your statutory rights—including the right to access, correct, delete (be forgotten), or port your personal data—or if you simply have a question regarding our privacy practices, please contact our Data Protection team directly:

By Email: [email protected]
By Contact Form: HERE!

All requests are free of charge and will be processed without undue delay, strictly within the statutory 30-day timeframe.

Document Control and Administration

Abionori S.L.U.

Carrer Gremi de Sabaters 21, 2º - B 24

07009 Palma de Mallorca

Illes Balears, Spain
Tax Identification Number (NIF): B22648554

Hubs

Palma de Mallorca | Marbella | Cologne

Reach

Connect

Privacy Policy

Policy Status

Table of contents

Summary

Automatically Processed Data

Data you give to us

Owner and Data Controller

Type of Data we collect

Mode and Place of Processing, and International Data Transfers

Methods of Processing and Cybersecurity Architecture

Primary Place of Processing (EU/EEA)

International Data Transfers (Outside the EEA)

Statutory Safeguards for International Transfers

The purposes of processing

Detailed information on the processing of Personal Data

Contacting the User

Operations Management and Productivity

Platform services and hosting

Network Performance, Security Routing, and Content Delivery

Managing web conferencing and online telephony

Managing support and contact requests

External Links and Third-Party Platforms

External Corporate Presences and Social Media Profiles

ANNEX: Social Media Coverage Checklist

Implementation of Cookies and Tracking Technologies

Statutory Rights and GDPR Compliance Framework for Users in the European Union

Legal Bases for Processing

Data Minimization and Statutory Retention Periods

Data Subject Rights (Under the GDPR)

Specific Provisions on the Right to Object

Procedural Guidelines for Exercising Rights

Specific Statutory Provisions for Data Subjects in Switzerland

Statutory Rights under the Swiss Federal Act on Data Protection (nFADP)

Procedural Guidelines for Exercising Rights

Supplementary Disclosures and Operational Policies

Defense of Legal Claims and Compliance with Authorities

Provision of Contextual Disclosures

Infrastructure Logs and Security Maintenance

Inquiries Regarding Unlisted Information

Modifications to this Privacy Framework

Mandatory Re-Consent

Definitions and legal references

Personal Data (or Data)

Usage Data

User

Data Subject

Data Processor (or Processor)

Data Controller (or Owner)

This Website

Service

European Union (EU) and European Economic Area (EEA)

Cookie

Tracker (or Tracking Technology)

Applicable Legal Framework

How to Exercise Your Privacy Rights

Document Control and Administration