Privacy Policy

# Privacy Policy

Last updated: 1 October 2025

This Privacy Policy explains how TimontiumGroup S.L. (“UNIQA Spain”, “we”, “us”, or “our”) collects, uses, shares and protects personal data when you visit our website www.uniqa-spain.com (the “Website”), contact us, work with us as a client, supplier or partner, or receive our commercial communications.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Spanish data protection laws.

—

## 1. Data controller

The data controller responsible for your personal data is:

**TimontiumGroup S.L.**  

Address: Rambla de Catalunya 38, 8º1ª, 08007 Barcelona, Spain

Tax ID / VAT: B-67361659  

Email: info@uniqa-spain.com  

For any questions regarding this Privacy Policy or our processing of personal data, you can contact us at: **info@uniqa-spain.com**.

We have not appointed a Data Protection Officer, but you may contact us using the details above for any privacy-related queries.

—

## 2. Scope – Who this Privacy Policy applies to

This Privacy Policy applies to:

– Visitors to our Website.  

– Contact persons within client, prospect or supplier companies.  

– Individuals who contact us by email, phone or through forms on the Website.  

– Individuals who receive our commercial / marketing communications (mainly in a B2B context).  

– Individuals who send us their CV or apply to work with us (candidates, hostesses, promoters, brand ambassadors, etc.).

—

## 3. Categories of personal data we process

Depending on the relationship we have with you, we may process the following categories of data:

### 3.1. Website visitors and contact forms

– Identification data: name, surname.  

– Contact details: email address, phone number.  

– Company and professional data: company name, position, department, country.  

– Content of your message or request.  

– Technical data: IP address, browser type, device, pages visited, date and time, and similar usage data (through cookies or similar technologies – see our Cookie Policy).

### 3.2. Client, prospect and supplier contacts (B2B)

– Name and surname.  

– Professional email address.  

– Phone number (if provided).  

– Company information: company name, address, position, department, industry.  

– Relationship and communication history with us (emails, proposals, contracts, events, etc.).

### 3.3. Candidates and staff for events

– Identification data: name, surname, date of birth (if provided).  

– Contact details: email, phone, city/country of residence.  

– Professional profile: CV, experience at events, languages, skills, photos or portfolio (if you decide to send them), availability and preferences.  

– Any other information you voluntarily include in your CV or communications with us.

—

## 4. Purposes and legal bases for processing

We process your personal data for the purposes and on the legal bases described below:

### 4.1. Managing enquiries and contact requests

– **Purpose:** To handle enquiries sent through our Website, email, phone or social media; provide information about our event staffing services; prepare and send quotations; and manage pre-contractual or contractual relationships.  

– **Legal basis:**  

  – Performance of a contract or pre-contractual steps at your request (Art. 6.1.b GDPR).  

  – Our legitimate interest in responding to your requests and managing our business relationships (Art. 6.1.f GDPR).

### 4.2. B2B commercial communications and marketing

– **Purpose:** To send professional contacts within companies (clients or potential clients) information about our services, especially related to event staffing for trade fairs and B2B events, including specific campaigns linked to certain fairs.  

– **Legal basis:**  

  – Our legitimate interest in promoting our services in a B2B context and maintaining commercial relationships between companies (Art. 6.1.f GDPR).

We only send such communications to professional contacts whose role is reasonably related to our services (e.g. marketing, events, sales, management), and always offer a simple way to opt out.

You can object to receiving these communications at any time by using the unsubscribe mechanism included in each message or by contacting us at **info@uniqa-spain.com**.

### 4.3. Candidate management and selection processes

– **Purpose:** To manage applications from individuals who want to work with us (hostesses, promoters, brand ambassadors, etc.), evaluate their profiles, contact them for current or future events and maintain a pool of candidates.  

– **Legal basis:**  

  – Pre-contractual steps and, where applicable, performance of a contract (Art. 6.1.b GDPR).  

  – Our legitimate interest in managing and selecting suitable candidates for events and projects (Art. 6.1.f GDPR).

### 4.4. Contractual and administrative management

– **Purpose:** To manage contracts with clients and suppliers, invoicing, accounting and other administrative obligations.  

– **Legal basis:**  

  – Performance of a contract (Art. 6.1.b GDPR).  

  – Compliance with legal obligations in accounting and tax matters (Art. 6.1.c GDPR).

### 4.5. Security, prevention of fraud and legal actions

– **Purpose:** To ensure the security of our Website, prevent fraud and misuse, and exercise or defend legal claims.  

– **Legal basis:**  

  – Our legitimate interest in guaranteeing the security of our systems and our business, and in defending our rights (Art. 6.1.f GDPR).  

  – Compliance with legal obligations (Art. 6.1.c GDPR).

### 4.6. Cookies and similar technologies

– **Purpose:** To operate the Website, measure its usage and, where applicable, to personalise content or show relevant marketing.  

– **Legal basis:**  

  – Our legitimate interest in using strictly necessary cookies for the functioning of the Website (Art. 6.1.f GDPR).  

  – Your consent for non-essential cookies (analytics, marketing, etc.), where required (Art. 6.1.a GDPR).

For more information, please refer to our separate **Cookie Policy**.

—

## 5. Use of Brevo and Mailrelay as email and marketing providers

We use trusted third-party service providers to manage email communications and mailing lists:

– **Brevo** (Sendinblue SAS and group entities) – an email marketing and transactional email platform that processes and stores data on servers located within the European Union (including data centres in Belgium, France and Germany).  

– **Mailrelay** (CPC Servicios Informáticos Aplicados a Nuevas Tecnologías S.L.) – an email marketing provider that stores data in data centres located in Europe and states compliance with GDPR requirements.

In these cases:

– We remain the **data controller** for your personal data.  

– Brevo and Mailrelay act as our **data processors** in accordance with Article 28 GDPR, processing personal data only on our documented instructions and for the purposes described above.  

– We have or will have in place appropriate **Data Processing Agreements (DPAs)** with these providers, including commitments on security, confidentiality and data protection.

—

## 6. Who we share personal data with

We do not sell your personal data. We only share it with:

– **Service providers** acting as data processors, such as:  

  – Website hosting and maintenance providers.  

  – Email and marketing platforms (Brevo, Mailrelay).  

  – IT support and cloud service providers.  

– **Professional advisors** (e.g. lawyers, accountants, auditors) where necessary.  

– **Public authorities or courts** when we are legally required to do so or to protect our rights and legitimate interests.

All service providers that process personal data on our behalf are bound by contractual obligations to implement appropriate security measures and to process the data only in accordance with our instructions and applicable law.

—

## 7. International transfers of personal data

As a general rule, we aim to keep your personal data within the **European Economic Area (EEA)**.

Brevo and Mailrelay currently host and process data in data centres located within the European Union.

If in the future we use providers or services that involve transfers of personal data outside the EEA, such transfers will only take place if:

– The European Commission has issued an **adequacy decision** for the destination country; or  

– We have implemented appropriate safeguards such as **Standard Contractual Clauses** or other mechanisms recognised under the GDPR.

You may request more information about any international transfers and the safeguards in place by contacting us at **info@uniqa-spain.com**.

—

## 8. Data retention periods

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with applicable legal requirements. In general:

– **Website enquiries and contact requests:** up to **2 years** after the last relevant contact, unless they lead to a contractual relationship or we are required to store them for a longer period.  

– **Client and supplier data:** for the duration of the contractual relationship and, after that, for the period required by applicable laws (e.g. tax and accounting obligations – typically up to 6–10 years, depending on the jurisdiction).  

– **B2B marketing contacts:** as long as we have an ongoing business relationship or potential relationship with your company, and until you object or request deletion/unsubscribing.  

– **Candidate data (CVs, profiles):** generally for up to **2 years** from the last update or contact, unless you authorise a longer retention or a shorter period is required by law.  

– **Technical and browsing data (cookies):** according to the lifetimes indicated in our Cookie Policy and applicable regulations.

We may keep some data in an anonymised or aggregated form that does not allow your identification.

—

## 9. Your rights under data protection law

Under the GDPR, you have the following rights regarding your personal data:

– **Right of access:** to obtain confirmation as to whether we process your personal data and, if so, to access it and receive information about it.  

– **Right to rectification:** to request the correction of inaccurate or incomplete personal data.  

– **Right to erasure (“right to be forgotten”):** to request the deletion of your personal data in certain circumstances.  

– **Right to restriction of processing:** to request limitation of processing in certain cases.  

– **Right to data portability:** where processing is based on consent or a contract and carried out by automated means, to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.  

– **Right to object:** to object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests; and, in particular, to object at any time to the processing of your data for **direct marketing** purposes.

Where processing is based on your consent, you have the **right to withdraw your consent at any time**, without affecting the lawfulness of processing carried out before such withdrawal.

You can exercise your rights by contacting us at **info@uniqa-spain.com**, indicating “Data protection” in the subject line and specifying your request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Spain, this is the **Agencia Española de Protección de Datos (AEPD)**.

—

## 10. Security of your personal data

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures include, among others, access controls, secure servers, encryption or pseudonymisation where appropriate, regular backups and internal policies on data protection and information security.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

—

## 11. Data of minors

Our services and Website are not directed at children under 16 years of age. We do not knowingly collect personal data from children under this age.

If you believe that a child has provided personal data to us, please contact us at **info@uniqa-spain.com** and we will take appropriate steps to delete such data.

—

## 12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example due to changes in our processing activities, new legal requirements, or guidance from supervisory authorities.

When we make significant changes, we will indicate the updated date at the top of this page and, where appropriate, inform you through the Website or via email.

We encourage you to review this Privacy Policy periodically to stay informed about how we process and protect your personal data.