Privacy Policy

VINTEGRIS S.L. is a trusted service provider. For us, ensuring the security and privacy of the data we process in the provision of our services is essential, and we are committed to adopting the necessary security measures to fulfill this commitment.

In this Privacy Policy, you will find all the information related to the processing of personal data that we carry out in order to provide you with the services offered on this website.

Who is the data controller?

• Company Name: VINTEGRIS, S.L. (VINTEGRIS)
• Tax ID (NIF): B62913926
• Address: Calle Pallars, 99. 08018 Barcelona (Spain)
• Contact: info@vintegris.com

Who are the data subjects?

The personal data processed are those of:

• Persons who have registered on this website to purchase certificates.
• Persons acting as certificate managers.
• Persons holding the certificates that are issued.

For what purpose do we process your data?

Your data may be processed for the following purposes:

If you are a registered user on our website:

• Management of the registered user on this website.
• Management of certificate orders placed and processing of refund requests with PADDLE.
• Managing the incidents you have communicated to us.
• Sending you information about our services or products.

If you are an invited manager:

In this case, your email account has been provided to us by a registered user who invites you to manage the certificates they have purchased. Your email account will only be used to send you the manager invitation which you can accept or reject. If you accept it, you will need to register as a user of the website in order to manage the certificates assigned to you.

If you are the holder of a certificate:

The holder of a certificate can be a user who has purchased the certificate, a certificate manager, or a third party to whom the certificate owner or manager assigns a certificate to be issued as the holder. Your data will be processed to carry out the identity validation process via video identification and thus verify your identity as the certificate holder. When your certificate is for a legal representative of a legal entity or the person responsible for a company seal, the attached documentation will be processed to verify that those attributes to be included in the certificate are correct, the certificate will be approved, and you will be able to issue it.

Once the certificate is issued, the data may be processed to perform internal auditing tasks and monitor our certificate issuance processes. The data may be communicated to competent bodies and auditors in compliance with current regulations.

Before starting the video identification process, you will be able to access specific information about this process and give your consent to carry it out.

What personal data do we process?

We apply the principle of minimization in the collection of personal data, collecting only the data necessary for the purpose of the processing.

Data in the user registration on the web:

• Identification data: Name and surname
• ID/Tax Number (data for billing)
• Contact data: Email
• Password (always encrypted)

Manager data:

• Contact data: Email. This data will always be provided by a registered user and it is they who must previously inform you of the data communication made to us.

Certificate holder data:

• Identification data: Name and surname, ID, PASSPORT OR TIE
• Contact data: Email and mobile phone number
• Attribute data collected in the certificate: data proving your status as a legal representative of an entity

What is the legitimate basis?

Data in the user registration on the web:

• Consent, which is understood to be granted when you register on the web.
• For the purchasing process, management of your certificates, incident management, and refund management: the existing contractual relationship.
• For sending information about our products or services: Article 21 LSSICE.

Manager data:

• The person providing us with your email must have informed you beforehand and you must agree. However, when you receive the invitation email as a manager, you can reject it and we will delete your email account.

Certificate holder data:

• The existing contractual relationship and compliance with the applicable legislation for the provision of trust services.
• Regarding the processing related to internal audits and monitoring of our certificate issuance processes, the legitimate basis is compliance with requirements established in current regulations for trust service providers, as well as the data controller's legitimate interest in verifying that the actions taken are correct.

When you are going to carry out the video identification process, you can previously access the data protection clause related to this processing, and your consent will be required to carry out this video identification process.

What is the data retention period?

Data in the user registration on the web:

• Once the relationship has ended, the time necessary to handle claims arising from the maintained relationship or to meet requirements established in applicable legislation.
• We may send you information once the contractual relationship has ended if you do not object to it.

Manager data:

• If you reject the invitation, we delete your data.
• If you accept the invitation, you are a user of the web (see corresponding section).

Certificate holder data:

• The retention period for data related to issued certificates will be 15 years from the date the certificate expires or is revoked in accordance with the provisions of the applicable regulations.
• The retention period for processing related to internal auditing and monitoring of the validation, approval, and issuance processes of the certificates will be maintained as long as our auditing obligation is maintained.

To whom will the data be communicated?

Personal data is communicated to PADDLE when you request the modification of an invoice, so that PADDLE can process your request. Please note that the invoicing of your orders is carried out directly by PADDLE, and VINTEGRIS does not intervene in the invoicing of orders.

Data will not be transferred to other entities, unless it is necessary to respond to your request, we are required to do so by law, or the data subject has given us their consent.

Are there treatments by third parties?

If it is possible to access content and services located on external websites or social networks from this website that are not under the control or responsibility of VINTEGRIS, users should know that these sites may collect information about their internet activities. By clicking, these sites record this action and could use the collected information. Consult the respective privacy policies of each site to find out exactly how they use the collected information and how you can disable or delete such information.

Can we send you advertising?

We will only process your data to send you information about our services, offers, and other commercial information when you have given us your consent to do so, or when this information is related to products or services similar to those you have already contracted with us, in accordance with the provisions of Article 21 of the Law on Information Society Services (LSSI). At any time, you can ask us not to send you information if you wish.

What are the rights of the interested parties when they provide us with their data?

At any time, the data subject can make a request to exercise their rights of access, rectification, deletion, and portability of personal data processed by VINTEGRIS, as well as those of opposition and limitation of its processing.

These rights may be exercised free of charge by the interested party, and where appropriate by whoever represents them, through a written and signed request, accompanied by a copy of their ID or equivalent document proving their identity, addressed to:

• By email: incidentesRGPD@vintegris.com
• By mail: Calle Pallars 99. 08018 Barcelona (Spain)
• In the case of representation, it must be proven by a written document attaching a copy of the ID or equivalent document proving their representation.

VINTEGRIS reminds the interested party that they have the right to file a claim with the relevant supervisory authority (Spanish Data Protection Agency).

In each data collection form, you can access this Privacy Policy and the corresponding clauses and, if you agree, accept the data processing we are going to carry out.

Our data protection clauses:

Registration on our website and Cart

• Vintegris informs you that the personal data provided in the user registration, as well as in the purchase of your certificates, will be processed for the purpose of managing your access registration to this website and allowing you to perform the different options of purchase and management of acquired certificates. This data may be communicated to PADDLE, the company that bills the purchases made, when necessary to process a return request or incident with your invoices. The requested data are necessary to perform these actions. The legitimate basis is your consent, which is understood to be granted when making your user registration on the website, and the existing contractual relationship in the purchase of certificates, as well as the processing of your requests. Once the relationship ends, the data will be kept for the time necessary to meet legal obligations that may arise from the relationship maintained and the service provided.
• PADDLE is an entity located in the United Kingdom; the international transfer of your data, if communication to PADDLE is necessary for the management of your requests related to the billing of services, is covered by Decision (EU) 2021/1772, adopted by the European Commission on June 28, 2021, which declares that the United Kingdom offers an adequate level of data protection under Article 45 of the General Data Protection Regulation. You can access PADDLE's privacy policy at https://www.paddle.com/legal/privacy
• We may send you information related to services or products similar to those acquired in accordance with the provisions of Article 21 LSSICE; at any time, you may object to the processing of your data for this purpose.
• You can exercise your rights, in accordance with data protection regulations, by sending your request to the address incidentesRGPD@vintegris.com
• You can expand the information in our Privacy Policy.

Certificate issuance form

Vintegris informs you that the personal and contact data provided, as well as those collected in the attached documentation, will be processed for the purpose of managing your certificate issuance request, validating your identity and, where appropriate, the attributes collected in the certificate. The requested data are necessary to carry out the approval of the certificate. The legitimate basis is the existing contractual relationship, your consent which is understood to be granted when making the issuance request, and compliance with the regulations applicable to trust services. The data will be kept for 15 years from the expiration date of the issued certificate in accordance with applicable regulations. If the certificate issuance process is not concluded, the data will not be kept. The data may be processed for the purpose of internal auditing and system monitoring in accordance with the legislation applicable to trust services and the legitimate interest of the data controller, and will be kept for the time necessary to fulfill these obligations of the trust service provider. Data may be communicated to competent authorities or auditors in compliance with applicable regulations. If you provide third-party data, you must previously inform them of the content of this clause. You may exercise your rights, in accordance with data protection regulations, by sending your request to the address incidentesRGPD@vintegris.com.

Update of your data

It is important that so we can keep your personal data updated, you inform us whenever there has been any change in them. If you are a registered user, you can update your data in My Profile.

Data of minors

The services provided by Vintegris are not directed at minors, so we do not accept requests made by them. Vintegris is not responsible for improper access and personal data of themselves or third parties that may be provided by minors.

Security in data processing and custody

Vintegris applies all the security measures required by the applicable regulations for trust services for a qualified service provider. Compliance with these measures is audited by third parties annually.

Relevant information

All our trust services fall under the applicable European eIDAS and Electronic Signature regulations. According to the existing regulation, you can consult the "Personal Data Protection" section in the Certification Practice Statement available at https://www.vincasign.net/policy/es/DPC/Vintegris-DPC-ES.pdf or in the Privacy Policy https://www.vincasign.net/privacy.html.

You can access the Certificate Policies at https://www.vincasign.net/

Video identification process

For the issuance of certificates, it is necessary to carry out an identity verification process for the certificate holder. This process is carried out on the nebulaSuite platform owned by Vintegris, which is responsible for this personal data processing.

The obtaining of the data subject's consent and the data protection policy related to this processing is accessible to the user when they access this platform to start the video identification process.

Validity of the Policy

The applicable Privacy Policy will be the one in force and published at the time you visit these websites.

VINTEGRIS expressly reserves the right to modify this Privacy Policy without prior notice. Consequently, the data subject must carefully read this Privacy Policy each time they proceed to use the VINTEGRIS websites, as this Privacy Policy may undergo modifications. The changes will be effective immediately from the date indicated at the top of this page.

Cookies

To obtain information about the use of cookies on this website, please access our Cookie Policy.