Privacy Policy
Last updated: 24 April 2026 — Version 2.0
1. Who We Are and How to Contact Us
[PLACEHOLDER — full legal entity name] (trading as "Enter Spain," referred to in this policy as "we," "us," or "our") is the data controller responsible for the personal data we collect when you use our website at https://enterspain.io and our associated services.
We are established in Spain and operate as a data controller under Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation — GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
- NIF/CIF: [PLACEHOLDER — insert NIF or CIF]
- Registered address: [PLACEHOLDER — full address, Spain]
- Data protection contact: privacy@enterspain.io
We do not currently have a designated Data Protection Officer. For any data protection question, please contact us at privacy@enterspain.io.
Enter Spain provides practical relocation assistance. We are not a law firm, legal practice, certified immigration adviser, or regulated financial service.
2. What Personal Data We Collect and Why
We collect personal data only for specified, explicit, and legitimate purposes. The subsections below identify, for each service, the data we collect, our purpose, and our legal basis under Article 6 GDPR.
2.1 Account Registration
| Data | Purpose | Legal basis |
|---|---|---|
| Full name | Account identification; service delivery; correspondence | Performance of contract — Art. 6(1)(b) GDPR |
| Email address | Account login; service communications; transactional notifications | Performance of contract — Art. 6(1)(b) GDPR |
| Password (hashed — we do not store plaintext) | Authentication | Performance of contract — Art. 6(1)(b) GDPR |
| Country of current residence | Service eligibility; jurisdictional compliance | Legitimate interests — Art. 6(1)(f) GDPR |
| Preferred language | Service localisation | Legitimate interests — Art. 6(1)(f) GDPR |
2.2 NIE, CUE, and Appointment-Based Services
When you purchase a service such as NIE or CUE assistance, we collect personal data to prepare official Spanish government forms on your behalf (e.g. EX-15 for NIE, EX-18 for CUE) and to monitor and submit appointment booking requests to official Spanish government systems.
| Data | Purpose | Legal basis |
|---|---|---|
| Passport or national ID (number, expiry, nationality) | Required for NIE/CUE application forms and appointment booking | Performance of contract — Art. 6(1)(b) GDPR |
| Date of birth, place of birth, parents' names | Required for NIE/CUE application forms | Performance of contract — Art. 6(1)(b) GDPR |
| Spanish address or intended address | Required for NIE/CUE applications | Performance of contract — Art. 6(1)(b) GDPR |
| Employment or income status (where relevant) | Required for certain NIE categories | Performance of contract — Art. 6(1)(b) GDPR |
| Uploaded identity documents and supporting files | Document preparation; appointment booking | Performance of contract — Art. 6(1)(b) GDPR |
| Case correspondence and communications | Service delivery; record of work performed; dispute resolution | Performance of contract; Legitimate interests — Art. 6(1)(b)/(f) GDPR |
Note on nationality data: Nationality and identity document details may, in certain contexts, reveal data relating to racial or ethnic origin (a special category under Article 9 GDPR). Where this applies, processing is based on your explicit consent given at the point of document upload (Article 9(2)(a) GDPR), or on the necessity to process for the exercise of rights in the field of immigration support (Article 9(2)(b) GDPR in conjunction with LOPDGDD). We will not process such data for any purpose beyond the contracted service.
2.3 Payment Processing
Payments are processed by Stripe, Inc. We do not receive, store, or have access to your card number, expiry date, or CVC. Stripe processes this data under their own privacy policy at stripe.com/privacy. We receive only a payment confirmation and your billing name and email from Stripe.
Legal basis: Performance of contract — Art. 6(1)(b) GDPR. Invoice data is also retained under a legal obligation — Art. 6(1)(c) GDPR (Spanish VAT and commercial law).
2.4 Partner Referral Services
If you request or accept a referral to a partner provider (for banking, insurance, tax, housing, or similar services), we will share your name and contact details with that partner. We will always ask for your specific, prior, informed consent before sharing any data with a partner. Consent is service-specific — consenting to one partner service does not constitute consent to any other.
Legal basis: Consent — Art. 6(1)(a) GDPR.
2.5 Contact Form Enquiries
When you submit a contact form, we process your name, email address, and message content solely to respond to your enquiry.
Legal basis: Legitimate interests — Art. 6(1)(f) GDPR (to respond to the request you have initiated).
2.6 Marketing Communications
If you have specifically opted in, we may send you relevant news, relocation tips, and service updates. You can withdraw this consent at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@enterspain.io. Withdrawal does not affect service communications related to your account.
Legal basis: Consent — Art. 6(1)(a) GDPR; Art. 19 LSSI-CE.
2.7 Platform Analytics
If you consent to analytics cookies, we use Plausible Analytics — a privacy-oriented, EU-based analytics service that does not use personal identifiers, cross-site tracking cookies, or advertising networks. Full details at plausible.io/privacy.
Legal basis: Consent — Art. 6(1)(a) GDPR (analytics cookies are only loaded after you accept via the cookie banner).
3. Appointment Booking via Official Government Channels
Where our service includes booking an appointment at a Spanish government office on your behalf, we submit your personal data to official Spanish government platforms, including:
- sede.policia.gob.es (National Police — NIE appointments)
- sede.administracionespublicas.gob.es (Central Government appointments)
- Relevant regional Oficina de Extranjería systems
This submission is mandatory and inherent to the service. We act as your representative using only official public channels. We do not use unofficial, third-party, or commercial appointment resale services. Once data is submitted to a government authority, that authority's own privacy obligations and administrative law govern how they process it — we have no control over that processing.
4. Recipients of Personal Data
We share your personal data only in the following circumstances:
- Hosting and infrastructure provider: [PLACEHOLDER — provider name and server location, EEA] — acts as processor under a Data Processing Agreement.
- Email delivery provider: [PLACEHOLDER — provider name] — for transactional and service emails; acts as processor under a Data Processing Agreement.
- Stripe: Payment processing — acts as an independent data controller for card data under their own privacy policy.
- Plausible Analytics: Anonymous aggregate analytics — only loaded with your consent; EU-based; no personal data transmitted.
- Spanish public authorities: Submission of application data to the relevant authority as required to deliver the contracted appointment service. Mandatory for service delivery.
- Partner providers: Only with your specific prior informed consent given at the point of referral (see Section 2.4). We will identify the specific partner before sharing any data.
- Legal and regulatory authorities: Where required by applicable law, court order, or regulatory requirement.
We never sell your personal data. We never share it for advertising purposes.
5. International Transfers
Our primary operations are based in Spain (EU). Where any service processor transfers data outside the European Economic Area (EEA), we ensure that an appropriate safeguard under Chapter V GDPR is in place, such as Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914.
[PLACEHOLDER — list each processor that transfers data outside the EEA, the destination country, and the transfer mechanism. Do not publish this section until each transfer is verified and the relevant SCC or other mechanism is in place.]
Where transfers occur to the United States via Stripe, Stripe participates in the EU-U.S. Data Privacy Framework where applicable and also relies on SCCs. See stripe.com/privacy for details.
6. Retention Periods
We retain personal data for no longer than is necessary for the purposes for which it was collected, taking into account applicable legal obligations and limitation periods under Spanish law.
| Data category | Retention period | Justification |
|---|---|---|
| Account data (active account) | Duration of account + 3 years after closure | Contractual limitation period (Art. 1964 Código Civil) |
| Transaction records and invoices | 6 years from invoice date | Spanish commercial law (Art. 30 C.Com); Spanish VAT law (Art. 70 LIVA) |
| Case files and service correspondence | 5 years from service completion | Statutory limitation period for contractual claims; professional accountability |
| Uploaded identity documents | Deleted within 12 months of service completion or account closure (whichever is sooner), unless an active dispute requires retention | Minimum necessary; no ongoing need after delivery |
| Contact form enquiries | 12 months unless converted to a client file | Response purpose fulfilled; no ongoing need |
| Cookie consent records | 3 years from consent event | Accountability obligation — Art. 5(2) GDPR |
| Marketing opt-in records | Duration of marketing relationship + 3 years | Evidence of consent for LSSI-CE anti-spam compliance |
| Server and technical logs | 12 months | Security monitoring; fraud prevention; proportionate |
At the end of each retention period, data is securely deleted or anonymised. We do not retain data indefinitely.
7. Consent Logging and Acceptance Records
At the point of account registration and service purchase, we record the date and time (UTC timestamp) of your acceptance, the version of the Terms & Conditions and Privacy Policy accepted, whether you opted in to marketing communications, and the specific service purchased. These records are retained for the periods specified above and may be used as evidence in the event of a dispute or regulatory enquiry.
8. AI-Assisted Processing
Certain internal processes may use AI-assisted tools to help with document preparation, form completion, or guidance. Where AI tools process your personal data:
- They operate under our instructions as data processors;
- They do not make autonomous decisions with legal or significant effects on your case without human review;
- We remain responsible for the accuracy of outputs and do not rely solely on AI-generated results for case-critical information.
[PLACEHOLDER — if specific AI tools are used that process personal data (e.g. document extraction, translation), list them here as processors with their data processing agreements in place before publishing this section.]
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encrypted data transmission (TLS/HTTPS across the website);
- Password hashing (we do not store plaintext passwords);
- Role-based access controls limiting personal data access to authorised personnel on a need-to-know basis;
- Regular review of security practices and supplier certifications.
In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the AEPD within 72 hours as required by Article 33 GDPR, and will notify you directly where required by Article 34 GDPR.
10. Your Rights
Under GDPR and LOPDGDD, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your data where retention is no longer necessary or lawful. |
| Restriction (Art. 18) | Request that processing be restricted in certain circumstances. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format where processing is based on consent or contract. |
| Objection (Art. 21) | Object to processing based on legitimate interests; object to direct marketing at any time. |
| Withdraw consent (Art. 7(3)) | Withdraw any consent at any time. Withdrawal does not affect processing carried out before withdrawal. |
To exercise any of these rights, contact privacy@enterspain.io with your name and account email. We will respond within one calendar month. We may request identity verification where reasonably necessary.
We do not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline, with written reasons.
11. Right to Lodge a Complaint
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es
You may also contact the supervisory authority in your EU country of residence. We would always appreciate the opportunity to address your concerns before you contact the AEPD — please write to us at privacy@enterspain.io in the first instance.
12. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your preferences at any time using the Cookie Settings link in the footer of any page.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The version number and date of last update are shown at the top of this document. Where changes are material, we will notify registered users by email and display a prominent notice on the website before the changes take effect. Previous versions of this policy are available on request.