Privacy Policy

1. Data Controller

Identity: Blue Mountain Asesores, SLU
Tax ID (CIF): B42985432
Address: Paseo de la Castellana 40, Planta 8, 28046 Madrid, Spain
Email:
Data Protection Officer (DPO):

2. Personal Data We Collect

We collect personal data that you provide directly to us:

Identification data: name, surname, corporate email
Company data: company name, position
Usage data: information about how you use our website
Communication data: content of messages sent through forms

3. Purpose of Processing

We process your personal data for the following purposes:

Managing diagnosis requests and bookings
Sending commercial communications (with your consent)
Improving our services and user experience
Complying with legal obligations

4. Legal Basis for Processing

Consent: for commercial communications and non-essential cookies
Legitimate interest: for improving our services
Contract performance: for managing contracted services
Legal obligation: for complying with applicable regulations

5. Data Recipients

Your data will not be shared with third parties except when legally required. We use the following data processors:

Cloudflare, Inc. -- CDN, WAF and DDoS protection. Data processed: web traffic, IP addresses. Location: Global (EU included). Privacy policy
Railway Corp. -- Application hosting. Data processed: application data, logs. Location: EU. Privacy policy
Brevo (Sendinblue) -- Transactional and marketing email (with consent). Data processed: email, name. Location: EU (France). Privacy policy
Google LLC (Calendar API) -- Meeting bookings. Data processed: name, email, booking time. Location: Global (standard contractual clauses). Privacy policy
Cloudflare Turnstile -- CAPTCHA verification. Data processed: anonymized session data. Location: Global (EU included).
Plausible Analytics -- Privacy-friendly web analytics. Data processed: anonymized and aggregated usage data (no cookies, no personal data). Location: EU (Germany). Data policy

Full subprocessor list available upon request at .

6. Obligation to Provide Data

Data marked as mandatory in forms is necessary to process your request. Failure to provide such data will prevent us from delivering the requested service. Data marked as optional may be omitted without affecting service delivery.

7. Automated Decision-Making

We do not carry out automated decision-making or profiling with your personal data within the meaning of Article 22 of the GDPR.

8. International Transfers

Some of our providers may be located outside the European Economic Area. In such cases, we ensure appropriate safeguards in accordance with the GDPR.

9. Data Retention

The retention periods for your personal data are as follows:

Contact form data: 2 years from the last communication
Job applications (careers): 2 years (per LOPDGDD Art. 94)
Newsletter: until voluntary unsubscription + 1 additional year
Booking data: 1 year from the meeting date
Analytics cookies: 13 months (AEPD guideline)
Consent records: 5 years

After these periods, data will be deleted or anonymized unless legal obligations require further retention.

10. Data Subject Rights

You have the right to:

Access your personal data
Rectify inaccurate data
Request erasure of your data
Object to processing
Request restriction of processing
Request data portability
Withdraw consent at any time

To exercise these rights, contact us at .

11. Supervisory Authority

You may file a complaint with the Spanish Data Protection Agency (AEPD) if you consider that the processing of your data does not comply with current regulations.

12. Changes

We reserve the right to modify this privacy policy. Any changes will be published on this page with the corresponding update date.

Security & Compliance -- Security practices, certifications and infrastructure
Cookie Policy -- Cookie management and settings
Legal Notice -- Legal information and terms of use