Privacy Policy
Last updated: May 18, 2025
At Heimsall Group, we are committed to protecting your privacy and upholding the highest standards of transparency, integrity, and compliance with international data protection laws. This Privacy Policy explains how we collect, use, store, and safeguard your personal data—whether you are a website visitor, client, business partner, or a user of our Anonymous Whistleblowing Channel.
This policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Spanish Law 2/2023 implementing Directive (EU) 2019/1937 on whistleblower protection.
Who We Are
Heimsall Group is a group of companies dedicated to providing industrial, technological and automation solutions. The data controller for the processing activities described in this policy is:
Heimsall Group
Larrondo Goiko Kalea, 2, PABELLÓN C3-C4, 48180 Loiu, Biscay
heimsall@heimsall.es
(+34) 944 761 082
What Information We Collect
We may collect the following categories of data:
a. General website and business data (contact forms)
- Identity: name, company, position
- Contact: email, phone, address
- Technical: IP address, device type, browser data
- Commercial: inquiries, transactions, correspondence
- Usage: browsing behaviour, preferences
b. Anonymous Whistleblowing Channel
We collect minimal, strictly necessary information, in accordance with Law 2/2023:
- Content of the report
- Date and time of submission
- Optional email address (only if the user requests feedback)
- Technical metadata (e.g., IP) only when strictly necessary and never used to identify the whistleblower
We do not require or store personal data unless it is voluntarily provided, and we never attempt to identify anonymous whistleblowers.
How and Why We Use Your Data
We use personal data for purposes including:
- Responding to inquiries and providing services
- Managing business relationships and legal compliance
- Sending relevant communications (if you opt in)
- Improving our websites and digital tools
- Investigating whistleblower reports under applicable law
All data processing is based on one or more of the following legal grounds:
- Your consent (when applicable)
- Contractual necessity
- Legal obligations (e.g., Law 2/2023)
- Our legitimate interests, such as improving services or ensuring security
Data Sharing
We do not sell your personal data.
We may share your information only with:
- Other companies within the Heimsall Group
- Trusted service providers under confidentiality agreements
- Public authorities where legally required
- Investigators or legal teams, in the context of whistleblower reports
All third parties are required to implement adequate data protection and security measures.
International Transfers
If your data is transferred outside the European Economic Area (EEA), we ensure it is protected through:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions from the European Commission
- Other appropriate legal safeguards
Data Retention
We only retain data for as long as necessary for the purposes outlined above or to comply with legal requirements.
Specifically:
- Data from the whistleblowing channel is kept for a maximum of 2 years, unless legally required otherwise
- Other data is retained in accordance with internal data retention policies and contractual or regulatory obligations
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Request rectification or deletion
- Restrict or object to processing
- Request data portability
- Withdraw consent
- File a complaint with a supervisory authority
To exercise your rights, contact us at heimsall@heimsall.es
Cookies and Tracking
Our website uses cookies and similar technologies to enhance functionality and analyse usage. You can manage your preferences via your browser settings or through our cookie banner.
See our Cookie Policy for details.
Security Measures
We implement strong technical and organisational security measures, including:
- Data encryption and pseudonymisation
- Access controls and internal confidentiality policies
- Secure communication protocols (SSL/TLS)
- Specific protocols for secure whistleblower report handling
Whistleblower Protection (Law 2/2023 & Directive 2019/1937)
Heimsall Group fully complies with Spanish Law 2/2023 and Directive (EU) 2019/1937.
- You may submit a report anonymously
- Your identity (if known) is kept strictly confidential
- Reports are managed by authorised personnel only
- No retaliation is tolerated—whistleblowers are fully protected
We only collect the minimum data necessary to manage reports effectively and securely.
Your privacy and trust are our priority.
Policy Updates
We may update this Privacy Policy periodically to reflect legal changes or improvements to our practices. Updates will be posted on this page with a new revision date.
Contact
For any privacy-related concerns or requests, please contact our Data Protection Officer:
Heimsall Group
Larrondo Goiko Kalea, 2, PABELLÓN C3-C4, 48180 Loiu, Biscay
heimsall@heimsall.es
(+34) 944 761 082