Privacy Policy
BCloud Consulting Privacy Policy
Last Updated: December 3, 2025
Effective Date: December 3, 2025
1. Introduction
BCloud Consulting ("we", "our") is a technology consulting company specializing in Artificial Intelligence, Machine Learning, Cloud Computing, and DevOps services. We are registered in Barcelona, Spain, and are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR) and Spain's Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you:
- Visit our website (https://bcloud.consulting)
- Engage our consulting services
- Subscribe to our newsletter or download resources
- Contact us through forms, email, or other communication channels
By using our services or website, you agree to the collection and use of information in accordance with this policy.
2. Data Controller Information
Data Controller (GDPR):
BCloud Consulting
Abdessamad Ammi Hafaou
Calle Sant Pere Mitja 14, 08002
Barcelona, Catalonia
Spain
Contact Information:
Email: sam@bcloud.consulting
Phone: +34 631360378
Website: https://bcloud.consulting
EU Representative: BCloud Consulting (same address)
Data Protection Officer: sam@bcloud.consulting
Supervisory Authority (Spain):
Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
https://www.aepd.es
3. Information We Collect
3.1 Information You Provide Directly
When you interact with our services, we collect information you voluntarily provide:
Contact Forms and Inquiries:
- Full name
- Email address
- Phone number (optional)
- Company name and job title (for B2B clients)
- Message content and project requirements
- Budget range and timeline preferences
Consulting Projects:
- Professional contact information (name, email, phone, company)
- Project requirements and technical specifications
- Billing information (company address, tax ID, payment details)
- Communication records related to project delivery
Newsletter and Marketing:
- Email address
- Communication preferences
- Areas of interest (AI/ML, Cloud, DevOps)
Lead Magnets and Downloadable Resources:
- Email address
- Name (optional)
- Company name (optional)
3.2 Information Collected Automatically
When you visit our website, we automatically collect certain technical information:
Analytics and Usage Data:
- IP address (anonymized when possible)
- Browser type and version
- Operating system
- Pages visited and time spent on each page
- Referral source (how you reached our website)
- Device information (mobile, tablet, desktop)
- Geographic location (city/country level, not precise location)
Cookies and Tracking Technologies:
- Essential Cookies: Required for website functionality (GDPR consent banner, language preferences)
- Analytics Cookies: Google Analytics (only with your consent) to understand website traffic and user behavior
- No Advertising Cookies: We DO NOT use cookies for advertising, cross-site tracking, or selling data to third parties
3.3 Information We Do NOT Collect
- We DO NOT collect sensitive personal data (health, religion, political opinions, biometric data)
- We DO NOT track your browsing activity outside our website
- We DO NOT use facial recognition or biometric authentication
- We DO NOT sell or rent your personal data to third parties
- We DO NOT share data with advertising networks or data brokers
4. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal bases under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Responding to inquiries and providing quotes | Legitimate interest (responding to business inquiries) |
| Providing consulting services under contract | Contractual necessity (contract execution) |
| Sending marketing emails and newsletters | Consent (explicit opt-in required) |
| Web analytics and site improvement | Consent (via GDPR cookie banner) |
| Invoicing and accounting | Legal obligation (tax and accounting requirements) |
| Fraud prevention and security | Legitimate interest (protecting our business) |
5. How We Use Your Information
5.1 To Provide Consulting Services
- Respond to inquiries and provide technical assessments
- Prepare project proposals and cost estimates
- Deliver contracted services (RAG systems, MLOps, Cloud optimization, AI agents)
- Communicate about project progress, deliverables, and technical requirements
- Provide technical support and post-project assistance
5.2 To Improve Our Services
- Analyze website traffic to understand user needs and improve experience
- Identify technical issues and optimize website performance
- Develop new services based on client feedback and market trends
5.3 For Marketing and Communication
- Send newsletters with technical articles, case studies, and industry insights (only with consent)
- Share blog posts about AI/ML, Cloud, and DevOps topics
- Provide downloadable resources (checklists, guides, templates)
- Inform you about new services or offers relevant to your interests
5.4 For Legal and Security Purposes
- Comply with legal obligations (tax filing, data protection laws)
- Respond to legal requests from authorities when required by law
- Protect against fraud, security breaches, and unauthorized access
- Enforce our Terms of Service and contractual agreements
6. Sharing Information with Third Parties
We share your data only with trusted third-party service providers who help us operate our business. All providers are contractually bound to protect your data and use it only for specified purposes.
6.1 Service Providers We Use
Web Hosting and Infrastructure:
- Vercel / Netlify: Website hosting (EU data centers when possible)
- Amazon Web Services (AWS): Cloud infrastructure for client projects (eu-west-1 region)
Analytics:
- Google Analytics: Website traffic analysis (only with consent, IP anonymization enabled)
Communication and Marketing:
- Email Provider: For sending newsletters and transactional emails (GDPR-compliant provider)
- AWS SES / SendGrid: Email delivery infrastructure
Payment Processing:
- Bank Transfer / SEPA: Primary payment method (no third-party processor)
- Stripe (if used): Payment processing for international clients (PCI-DSS compliant)
AI/ML Tools (client projects only):
- OpenAI, Anthropic, Google Gemini: LLM APIs for building client applications (data processed under DPA agreements)
- Pinecone, Weaviate: Vector databases for RAG systems
6.2 International Data Transfers
BCloud Consulting operates from Spain (European Union). When we transfer data outside the EU, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with non-EU providers
- EU-US Data Privacy Framework: For US-based providers certified under the DPF
- Transfer Impact Assessments (TIA): Assessing risks of international data transfers
- Data localization preference: We prioritize EU data centers when technically feasible
6.3 We Do NOT Share Data With:
- Advertising networks or ad tech companies
- Data brokers or data aggregators
- Social media platforms (except when you explicitly share our content)
- Insurance companies or financial institutions (except for payment processing)
- Government agencies (except when legally required)
We DO NOT sell or rent your personal data to anyone.
7. Data Security
We implement industry-standard security measures to protect your personal data:
7.1 Technical Measures
- Encryption in transit: All website communications use HTTPS/TLS encryption
- Encryption at rest: Databases and backups are encrypted
- Secure access controls: Multi-factor authentication (MFA) for administrative access
- Regular security updates: Patching and updating systems to address vulnerabilities
- Network security: Firewalls, intrusion detection, and DDoS protection
7.2 Organizational Measures
- Data minimization: We collect only data necessary for stated purposes
- Access limitation: Only authorized personnel can access personal data
- Confidentiality agreements: All staff and contractors sign NDAs
- Data Processing Agreements (DPA): Contracts with all third-party processors
- Incident response plan: Procedures for handling data breaches
7.3 Data Breach Notification
In the unlikely event of a data breach affecting your personal data:
- We will notify the AEPD within 72 hours (as required by GDPR)
- We will inform affected individuals without undue delay if there is high risk to rights and freedoms
- We will take immediate steps to contain and remedy the breach
- We will provide clear information about the nature of the breach and steps you can take to protect yourself
8. Data Retention and Deletion
8.1 How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form inquiries (no engagement) | 2 years | Legitimate interest (potential future engagement) |
| Client project data and communications | 6 years after project completion | Legal obligation (Spanish commercial law) |
| Invoicing and accounting records | 10 years | Legal obligation (Spanish tax law) |
| Newsletter subscriptions | Until unsubscribe | Consent (can be withdrawn anytime) |
| Web analytics (Google Analytics) | 26 months (default) | Consent (anonymized data) |
| Lead magnet downloads | 3 years or until unsubscribe | Legitimate interest / Consent |
8.2 Automatic Deletion
After retention periods expire, we automatically and securely delete or anonymize personal data unless:
- Legal obligations require longer retention (e.g., tax records)
- Ongoing legal proceedings require preservation
- You have exercised your right to erasure (in which case we delete data sooner)
9. Your Rights Under GDPR
As a data subject in the European Economic Area (EEA), you have the following rights:
9.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you. We will provide it within 30 days in a machine-readable format (e.g., PDF, JSON).
9.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. We will update records within 30 days.
9.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when:
- Data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
Exceptions: We may refuse deletion if required for legal compliance (e.g., tax records) or defense of legal claims.
9.4 Right to Restriction of Processing (Article 18)
You can request we limit how we use your data while we verify accuracy, assess legitimate grounds, or during legal proceedings.
9.5 Right to Data Portability (Article 20)
You can receive your personal data in a structured, machine-readable format (CSV, JSON) and transmit it to another service provider.
9.6 Right to Object (Article 21)
You can object to processing based on legitimate interest or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.
9.7 Right to Withdraw Consent (Article 7)
When processing is based on consent (e.g., newsletter, analytics cookies), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
9.8 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if you believe we have violated your data protection rights:
Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
https://www.aepd.es
9.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: sam@bcloud.consulting
- Subject: "GDPR Rights Request - [Your Right]"
- Include: Your full name, email address, and specific request
We will respond within 30 days (extendable to 60 days for complex requests). We may request identity verification to protect against unauthorized access.
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
Essential Cookies (No Consent Required):
- GDPR Consent Banner: Remembers your cookie preferences (bcloud_gdpr)
- Language Preference: Stores your language selection (NEXT_LOCALE)
Analytics Cookies (Consent Required):
- Google Analytics (_ga, _gid): Tracks website traffic, page views, and user behavior. IP addresses are anonymized. Data is retained for 26 months.
We Do NOT Use:
- Advertising cookies
- Cross-site tracking cookies
- Social media tracking pixels (Facebook Pixel, LinkedIn Insight Tag, etc.)
- Third-party behavioral advertising cookies
10.2 Managing Cookie Preferences
You can manage cookies through:
- GDPR Banner: Appears on first visit for EU users. You can accept or reject non-essential cookies.
- Browser Settings: Most browsers allow you to block or delete cookies. Note that blocking essential cookies may affect website functionality.
11. Children's Privacy
Our services are intended for businesses and professionals. We do not knowingly collect personal information from individuals under 18 years old (or 16 in the EU).
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at sam@bcloud.consulting and we will delete the information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you by email if you are a newsletter subscriber or active client
- We will display a prominent notice on our website
We encourage you to review this policy periodically. Your continued use of our services after changes indicates acceptance of the updated policy.
13. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Inquiries:
Email: sam@bcloud.consulting
Phone: +34 631360378
Website: https://bcloud.consulting
Contact Form: https://bcloud.consulting/contact
Data Protection Officer (DPO):
Email: sam@bcloud.consulting
Postal Address:
BCloud Consulting
Abdessamad Ammi Hafaou
Calle Sant Pere Mitja 14, 08002
Barcelona, Catalonia
Spain
14. Additional Information for Specific Regions
14.1 Spain (LOPDGDD Compliance)
In addition to GDPR, we comply with Spain's LOPDGDD, which provides additional protections:
- Age of consent: 14 years (lower than GDPR's 16 years)
- Digital disconnection: Employees have the right to disconnect outside working hours
- Post-mortem data rights: Heirs can exercise data subject rights after death
14.2 California Residents (CCPA)
While we primarily serve European clients, California residents have the following rights under CCPA:
- Right to know: Request disclosure of personal information collected, used, and shared
- Right to delete: Request deletion of personal information
- Right to opt-out of sale: We DO NOT sell personal information, so this does not apply
- Right to non-discrimination: Equal service regardless of exercising privacy rights
By using BCloud Consulting's services or website, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.
Document Version: 1.0
Last Revision Date: December 3, 2025
Next Review Date: December 3, 2026 (or sooner if significant changes occur)