Legal · 001

Privacy policy.

Last updated18 April 2026
Supersedes21 Nov 2024
JurisdictionEU / Spain
ControllerHirefel SL

This notice explains what personal data Hirefel SL handles, why, and how you can exercise your rights over it. We keep this short, plainly written, and up to date. If something is unclear, email [email protected] — a human replies.

01Who we are

The data controller is Hirefel SL, a company registered in Spain, operating from Barcelona. When you engage us on a project, a contract-specific Data Processing Agreement takes precedence over this notice for data you entrust to us.

02What we collect

  • Contact intake. Name, company, email, and whatever you write in a scope message. Nothing more, unless you send it.
  • Applications. CV, links (GitHub/LinkedIn), your answers to role-specific questions, and any attachments you upload.
  • Site analytics. Page, referrer, country, coarse device type — aggregated and stripped of IPs.
  • Service delivery. During an engagement, whatever is contractually in scope — typically production logs, eval datasets, and workflow artifacts. Always governed by the engagement DPA.

03Why we process it

Only for the thing you came here for: answering a scope enquiry, reviewing an application, or delivering the work you hired us to do. We do not sell or trade personal data, ever.

04Lawful basis (GDPR Art. 6)

Contact & applications
Your consent (Art. 6(1)(a)) and, once a contract begins, contract necessity (Art. 6(1)(b)).
Service delivery
Contract necessity (Art. 6(1)(b)), plus legitimate interest (Art. 6(1)(f)) for internal operational logging.
Tax & compliance records
Legal obligation (Art. 6(1)(c)) — Spanish tax law requires we retain invoices for six years.

05Retention

Data classRetentionBasis
Scope enquiries90 days after last contactConsent
Applications12 months, or until you withdrawConsent
Engagement artifactsAs specified in the DPAContract
Invoices & tax records6 yearsLegal obligation
Site analyticsAggregated indefinitely; raw events 30 daysLegitimate interest

06Sharing & sub-processors

We use a small, named set of sub-processors. We do not add new sub-processors silently during an engagement — changes are notified in advance under the DPA.

  • Google WorkspaceEmail, document storageEU
  • Fathom AnalyticsPrivacy-preserving site analyticsEU
  • StripeBilling & paymentsEU / US (SCCs)
  • PlausibleApplication form analyticsEU

07Your rights

Under GDPR you have the right to access, rectify, erase, restrict, or port your data, and to object to processing. Write to [email protected] — we respond within 30 days. If we ever fall short, you can complain to the Spanish DPA (AEPD) at aepd.es.

08Cookies

This site sets no third-party marketing cookies. One first-party cookie stores your theme preference, and one stores your language preference — both optional, both expire after one year.

09Contact

Questions, requests, corrections:

Hirefel SL
Barcelona, Spain
[email protected]