1. Data controller
The controller is SERAPH ENGINEERING, S.L., NIF B26683037, with registered office at C. José Franchy Roca, 5, 35007 Las Palmas de Gran Canaria, Spain. Contact: [email protected].
No data protection officer has been appointed. Privacy enquiries can be sent to the address above.
2. Data we process
We process the data you voluntarily submit through the form: name, email address, selected role and message content. The hosting provider may process technical data needed to serve the site, such as IP address, technical logs and security data. Please do not include special-category data (for example, health, beliefs or other sensitive data) in your message; the form is not intended to collect that kind of information.
3. Purposes and legal bases
- To respond to and manage enquiries sent through the form: SERAPH's legitimate interest in handling requests you voluntarily send us and, where an enquiry may lead to a contract, pre-contractual steps at your request (Art. 6.1.b and 6.1.f GDPR).
- To route the conversation by the declared role (university, grant or investor): SERAPH's legitimate interest in handling each request appropriately (Art. 6.1.f GDPR).
- To maintain the security, availability and technical traceability of the site: legitimate interest in protecting the service (Art. 6.1.f GDPR).
- To share specific information with research collaborators or investors where relevant to your enquiry (see section 4): your consent (Art. 6.1.a GDPR), which you can withdraw at any time.
- The form checkbox confirms you have read this policy; it is not itself a legal basis. Any future commercial communication or newsletter would rely on separate, specific consent (Art. 6.1.a GDPR and Art. 21 LSSI), which can be withdrawn at any time.
4. Recipients and processors
Your data is handled by a small set of providers acting as data processors on our instructions:
- Cloudflare, Inc. (USA) — hosting for this site and the serverless function that receives the contact form.
- Resend (Resend, Inc., USA) — relays your enquiry email to our own mailboxes.
- mailbox.org (Heinlein Support GmbH, Germany) — the EU-hosted mailboxes that receive and store enquiries.
SERAPH does not sell personal data and does not share it with data brokers or advertising networks.
We may share specific information with research collaborators or with our investors — for example, in the context of a collaboration or investor due diligence — only with your consent, which we will ask for before doing so. Such recipients are collaborators or investors, never data-marketing companies.
AI-assisted drafting. Most enquiries are triaged and handled entirely on our own systems, without any third-party AI. For some replies we may choose to use an AI service to help draft a response. When we do, we first screen the message on our own infrastructure: any special-category data (for example health, beliefs or other sensitive information) is blocked from being sent, and personal identifiers are flagged and removed before anything is transmitted — and where that is not possible, we handle the enquiry without a cloud AI. We do not use a cloud AI for enquiries we consider particularly sensitive or confidential. Any text sent to the AI service is still personal data to us, so the provider acts as a data processor under an Article 28 agreement, and where it is located outside the EEA the transfer relies on the safeguards in section 5. We rely on our legitimate interest in responding to you (Art. 6.1.f GDPR). AI is only ever an aid: a person always reviews, approves and sends the reply, and no decision about you is automated.
5. International transfers
If providers located in the United States or other third countries are used, transfers will rely on the EU-US Data Privacy Framework where the provider is self-certified, or on standard contractual clauses and a transfer assessment where appropriate.
6. Retention periods
Enquiries are kept for as long as needed to respond to and manage the conversation and, at most, 24 months from the last contact, after which they are deleted. If an enquiry leads to a contract, the retention periods of that relationship apply; data is also kept where a legal obligation requires it.
7. Your rights
You may request access, rectification, erasure, objection, restriction, portability and withdrawal of consent by emailing [email protected]. You may also lodge a complaint with the Spanish Data Protection Authority (AEPD), www.aepd.es.
8. Obligation to provide data
Providing the form data is not mandatory, but if the required fields are not supplied we will not be able to respond to your enquiry properly.
9. Automated decisions
We do not carry out automated decision-making or profiling with legal or similarly significant effects on users.