Privacy Policy

In this policy you will find all the information related to the processing of your personal data and the rights that you can exercise to maintain control over them. Therefore, you must read it carefully before using this Website. Do not hesitate to ask us any questions about it.

From Bestrateo Limited we need to have the personal data that we request from you during your browsing and use of the website: https://www.bestrateo.com (hereinafter “the Website”), with the aim of:

• Offer you different channels where you can contact us, to request information, resolve questions, etc.
• Register as a registered user on our Website and be able to manage the services we offer you related to strategic consulting of Organization and People, etc.
• Offer you, where appropriate, products and services that may be of interest to you.
• We may also use your data to help improve the development, maintenance and usability of the Website.

In any case, we guarantee to safeguard said information with the maximum security guarantees and in accordance with current regulations on the protection of personal data.

At any time you can exercise the rights provided for by data protection regulations or ask us any questions you may have about the processing of your data by contacting us via email hello@bestrateo.com

1. Who is responsible for the processing of your personal data? 

Your personal data will be processed by the company Bestrateo Limited, and whose contact information is as follows:

Contact telephone: +44 7747375215

Contact email: hello@bestrateo.com

Contact mail: 128 City Rd, London, EC1V 2NX

2. The type of personal information we collect 

We currently collect and process the following information:

• Identification and contact information. We collect the information that you provide us through the contact form that we make available to you on this Website. In this sense, we will process your identifying data (name and surname), email address, and telephone number as well as any other information that you include in the communications you send us.
• Device information: While using the Website, we collect information about the mobile device from which you access the Website. The information we obtain is the device model, operating system and version, unique device identifier and network.
• User navigation information: We collect information about your use of the Website. Specifically, the frequency of use, the sections you visit, use of specific functions, etc.

3. What are the purposes of the processing of your personal data?

• Respond to your requests. The main purpose of processing this data will be to answer your requests, quotations, resolve your doubts and/or provide you with the required information, as well as, where appropriate, follow up on them.
• Carry out statistical analysis and improvement of the Website: All the information collected through cookies and other tracking tools helps us to analyze, maintain and improve the Website, since from the analysis of the navigation that users make users, we can detect errors on the Website, aspects to improve in the design or the need to add new functions and services.
• Prevention, detection and prosecution of activities that are illegal or contrary to the conditions of service or that endanger the security of the information or the Website. Bestrateo may process the data to control and prevent any form of abuse of our services, such as fraudulent activities, denial of service attacks, spamming, unauthorised access, as well as any other practice that is contrary to the General Conditions. , Individuals and Use of the Website or endanger the security of the information or the integrity of the Website.
• Sending commercial communications. Bestrateo may send you commercial communications and alerts based on your behavior and profile within the platform, this profiling is the result of an automatic analysis of your behavior (interest, browsing, etc.).

For more information, you can visit our Cookies Policy.

Retention periods for information collected through cookies depend on the specific cookie. All information conservation periods are specified, for each type of cookie, in our Cookies Policy.

4. To whom do we transfer your personal information?

The transfers of personal data carried out through third-party cookies (cookies collected and managed by a third party) for this purpose are specified in the Cookies Policy.

In addition, we may use the services of service providers, who will have limited access to the data and will be bound by a duty of Generally, at Bestrateo we will not communicate your data to third parties. However, in addition to the transfers that we specifically indicate to you in the section in which we explain the characteristics of the different operations. We inform you of the communications that we can make, in general, and that affect all the previous treatments. and its legitimizing basis.

Essential service providers to execute the service we offer you (for example, computer hosting companies or platforms for sending commercial communications). Notwithstanding the above, these entities have signed the corresponding confidentiality agreements and will only process your data according to our instructions, and will not be able to use them for their own purposes or apart from the service they provide us confidentiality (for more information on how our service providers act.

We may disclose data and any other information in our possession or that is accessible through our systems to law enforcement authorities and competent authorities, when there is a legal obligation to do so, as well as when required, for example, when the purpose is to prevent or prosecute abuses of services or fraudulent activities through our Website or web page. In these cases, the personal data that you provide us would be kept and made available to the administrative or judicial authorities.

5. Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are the following

(a) Your consent. You are able to remove your consent at any time. You can do this by contacting 

Contact telephone: +44 7747375215

Contact email: hello@bestrateo.com

(b) We have a contractual obligation.

(c) We have a legal obligation.

(d) We have a legitimate interest.

6. How we store your personal information 

Your information is securely stored. 

We keep your personal information during the time in which your requests are being processed and for 6 months to follow up on them. Once this period has ended, UpGrow Strategy will keep this information for the periods provided in the legislation to address possible responsibilities and to demonstrate compliance with our obligations. All this, unless you start a new treatment.

We will then dispose your information by deleting data electronically in all our electronic devices, hostings and back-ups storages.

7. Your data protection rights

Under data protection law, you have rights including:

• Your right of access - You have the right to ask us for copies of your personal information. 
• Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances. 
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances. 
• Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at 

If you wish to make a request, please contact to:

Telephone: +44 7747375215

email: hello@bestrateo.com

8. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at 

 Telephone: +44 7747375215

email: hello@bestrateo.com

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:       

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

If you hire one of our services we will put in place the following agreement regarding your data protections

TREATMENTS CARRIED OUT BY UPGROW STRATEGY AS DATA PROCESSOR FOR CUSTOMER DATA

In the provision of its services, UpGrow Strategy may have access to certain data to provide you with the service as a client. In this regard, the client will be referred to hereinafter as the "Data Controller" or the "Controller".

UpGrow Strategy will be referred to hereinafter as the "Provider", the "Data Processor" or the "Processor".

Hereinafter, the Client and the Provider shall be jointly referred to as the "Parties" and individually and interchangeably as the "Party".

The Parties acknowledge each other's legal capacity to enter into this Personal Data Processing Addendum and, for this purpose,

DECLARE

(i) That the Parties have formalized a contract for the provision of consulting services for Organization and People Management (hereinafter, the "Contract") pursuant to which the Data Processor provides certain services that involve access to personal data the responsibility of the Data Controller (hereinafter, the "Services").

(ii) That Data Protection Act 2018 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") imposes new obligations on the Parties, necessitating the modification of the obligations assumed by the Parties in the Contract regarding data protection.

(iii) That, as of the date of signature of this Addendum, the data protection regulation of the Contract will be that included in this Addendum, replacing the data protection regulation that may have been included in the Contract prior to this Addendum.

(iv) That, in accordance with the above, the Parties agree to the conclusion and signing of this Addendum, which shall be governed by Article 59 of the GDPR and by the following:

CLAUSES

1. Purpose.

To execute the services derived from the Contract, and to effectively provide the Services, the Data Processor may have access to personal data the responsibility of the client.

For the provision of the service, the Data Processor shall carry out the following treatments, by way of example but not limited to: collection, recording, structuring, adaptation or alteration, storage, retrieval, consultation, transmission by communication, dissemination or making available, interconnection, comparison, limitation, erasure, destruction, preservation, communication, and other treatments carried out.

2. Duration.

This Addendum shall enter into force on the date of the Addendum's signature.

3. Data Controller's Obligations.

In addition to complying with all obligations imposed on it throughout this Addendum, it is the responsibility of the Data Controller to perform the following tasks:

a) Comply with all necessary technical and organizational measures to ensure the security of the processing, premises, equipment, systems, programs, and persons involved in the processing activity of the personal data referred to, as stipulated in the current regulations applicable at all times.

b) Provide the Processor with the data referred to in clause 1 of this document, as well as the necessary instructions to carry out the data processing on the terms set by the Controller.

c) Respond to the rights of individuals affected by the processing, such as the rights of access, rectification, erasure, and objection, restriction of processing, data portability, and not to be subject to automated individual decision-making, in collaboration with the Processor.

d) Carry out, if applicable, an assessment of the impact on the protection of personal data resulting from the processing operations to be carried out by the Processor.

e) Ensure, prior to and during processing, compliance with applicable data protection regulations by the Processor.

f) Monitor the processing, including conducting inspections and audits.

g) Inform the Processor of any changes that occur in the personal data provided, so that updates can be made.

Likewise, the client guarantees that the data processed as a result of the provision of the Services have been collected and processed by the Controller in accordance with the obligations stipulated by the GDPR, particularly taking into account the need for a legal basis legitimizing the processing, as indicated in Article 8 of the GDPR.

4. Data Processor's Obligations.

The Data Processor declares and guarantees to the Data Controller the following stipulations:

1. The Data Processor has sufficient technical capacity to fulfill the obligations arising from the Contract.

2. The Data Processor, in relation to the Services provided, commits to comply with the requirements of the GDPR and any other applicable legislation on the protection of personal data.

3. The Data Processor will maintain confidentiality and secrecy regarding the personal data to which it has access.

4. The Data Processor will process and use the personal data to which it has access only in accordance with the instructions of the Data Controller, and in accordance with the purposes regulated in the Contract. The Processor will be considered responsible for processing in the event that it uses the data for other purposes, communicates them, or uses them in breach of the provisions of this Addendum, being responsible for any breaches incurred personally.

5. The Data Processor will not disclose to third parties the data to which it has access as a result of the Services provided.

6. The Data Processor will provide the client with the information necessary to demonstrate compliance with its obligations established in this Contract.

7. The Data Processor will provide the assistance requested by the Controller for the performance of audits or inspections, carried out by the Controller or by another auditor authorized by the Controller. Audits may be conducted periodically, planned, or "ad hoc", with prior notice to the Processor within a reasonable notice period, during the Processor's usual working hours.

8. The Data Processor guarantees that the persons authorized to process personal data have expressly and in writing committed to comply with the established security measures, and to respect the confidentiality of the data. Compliance with this obligation must be documented by the Processor and made available to the Data Controller.

9. The Data Processor guarantees that the persons authorized to process personal data under its responsibility have the necessary training in data protection matters.

10. The Data Processor will collaborate in fulfilling the Controller's obligations and will provide support when necessary for (i) impact assessments regarding the personal data to which it has access; (ii) prior consultations with the supervisory authority.

11. If the Data Processor considers that compliance with a specific instruction from the Controller could constitute a breach of data protection regulations, it shall immediately notify the Controller. In this communication, the Processor will request that the Controller correct, withdraw, or confirm the instruction provided and may suspend its compliance pending a decision by the Controller.

12. Upon completion of the provision of the Services, the Data Processor will delete or return the personal data to which it has had access and any existing copies, as instructed by the Data Controller. If the Data Controller requests the deletion of data in a specific manner not customary within the normal activity of the Processor, the costs derived from the deletion of the data in the manner indicated by the client shall be borne by the Data Controller.

Here is the translation of the provided text:

---

**The Processor shall be obliged to delete or return: a) data included in files under the responsibility of the Controller, made available to the Processor as a result of the provision of the Services; b) data generated by the Processor during the processing of data under the responsibility of the client; c) media containing this data.**

The Processor may retain a copy of the data duly blocked while liabilities may arise from the execution of the provision of the Services.

The Processor shall notify the Controller, without undue delay, and in any case, before the maximum period of 24 hours, via hello@bestrateo.com, of any incident, suspected or confirmed, relating to data protection, within its area of responsibility. Among others, it shall notify the Controller of any processing that may be considered unlawful or unauthorised, any loss, destruction, or damage to the data, and any incident considered a breach of data security. The notification shall be accompanied by all relevant information for the documentation and communication of the incident to the relevant authorities or affected parties. In this regard, it shall provide the client, at a minimum, with the following information:

a) Description of the nature of the data security breach, including, where possible, the categories and the approximate number of affected individuals, and the categories and the approximate number of affected personal data records;

b) Name and contact details of the data protection officer or another contact point where further information can be obtained;

c) Description of the possible consequences of the data security breach;

d) Description of the measures taken or proposed to remedy the data security breach, including, where appropriate, measures taken to mitigate potential negative effects.

The Processor shall also initiate an investigation into the circumstances of the incident, and shall submit to the Controller a report with observations on said incident. The Provider shall fully cooperate with the investigation conducted by the Controller, providing the assistance required by the Controller for the investigation of the incident.

Additionally, the Processor shall assist the Controller in relation to the notification obligations in accordance with the GDPR (in particular, Articles 67 and 68 of the GDPR) and any other applicable present or future regulations that modify or complement such obligations.

The Processor shall provide the information and/or documentation requested by the Controller to respond to requests to exercise rights that may be received from the client of the data subjects whose data is being processed.

When data subjects exercise their rights of access, rectification, erasure, and objection, restriction of processing, data portability, and to not be subject to automated individual decision-making, with the Processor, it shall communicate it by email to hello@bestrateo.com. The communication shall be made in a manner that can be addressed within the legal deadlines established.

The Processor may subcontract the Services, always informing the Controller of the processing intended to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details.

The subcontractor (or "Sub-Processor"), who will also have the status of data processor, shall also be obliged to comply with the obligations imposed on the Processor and the instructions issued by the Controller, as set forth in the Contract and the Addendum. It is the responsibility of the Processor to regulate the new relationship in a contract signed by Processor and Sub-Processor, so that the Sub-Processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the Provider, regarding the proper processing of personal data and the guarantee of the rights of the affected persons.

The Processor shall keep a written record of the categories of processing activities carried out, according to this Addendum, specifying:

a) The name and contact details of the Processor and of each Controller on whose behalf the Processor acts, and, where applicable, the representative of the Controller or Processor and the data protection officer;

b) The categories of processing carried out on behalf of each data controller;

c) Where applicable, transfers of personal data to a third country or international organization, the identification of such third country or international organization, and documentation of appropriate safeguards;

d) A general description of the technical and organizational security measures relating to:

(i) Pseudonymization and encryption of personal data;

(ii) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(iii) The ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;

(iv) The regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

The Processor may only carry out international transfers of personal data to which it has access, the responsibility of the Controller, if such transfers are duly regulated as provided for in Articles 74, 75, or 76 of the GDPR.

Regarding technical and organizational security measures, the Processor shall implement all those that are applicable in accordance with the GDPR (in particular, and without limitation, those provided for in Article 66 and 107 of the GDPR) and in any other applicable regulations, whether modifying, supplementing, or replacing them.

In any case, the Processor must implement mechanisms to:

a) Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

b) Restore the availability and access to personal data quickly, in the event of a physical or technical incident.

c) Verify, assess, and evaluate, regularly, the effectiveness of the technical and organizational measures implemented to ensure the security of processing.

d) Pseudonymize and encrypt personal data, if applicable.

In particular, the Parties have agreed on a list of measures that the Provider must implement, as indicated in Annex I to this Addendum.

If the Controller, after the conclusion of the Contract, requires the Processor to adopt or maintain security measures different from those agreed upon in this Annex I, or if they are mandatory under any future regulation, and this significantly affects the costs of providing the Services, the Provider and the client shall agree on the appropriate contractual measures to address the effect that such modifications may have on the price of the Services.

Responsibility

The Processor shall reimburse the Controller for the amount of any fines imposed by the Spanish Data Protection Agency ("AEPD") or any other competent authority for non-compliance with data protection regulations if these are a consequence of the willful and grossly negligent breach of the Processor's data protection obligations. The Controller shall immediately inform the Processor of any sanctioning procedures potentially initiated by the AEPD or any other authority against the client for such breaches, so that the Processor can assume the legal defense in a coordinated manner with the Controller.

Data of Representatives of the Parties.

The Parties shall process personal data concerning the signatories of this Addendum, based on the legal basis of legitimate interest, in order to maintain and execute the existing contractual relationship between the client and Provider and during the term of the same. Data subjects may exercise their rights of access, rectification, erasure, restriction, and objection to processing, as established in data protection regulations, by contacting the Party processing their data at the address included in the header of the Addendum.

Entry into force.

This Addendum shall enter into force on the date of signing of the Addendum.

As evidence of their agreement, the Parties, through their representatives, sign this Addendum, which constitutes an integral part of the attached Contract, replacing the regulation of the data processing assignment with what is reflected in this Addendum. Signed in duplicate at the place and date indicated in the heading.

THE CLIENT

Mr./Ms. ___________________________________

THE PROVIDER

Mr./Ms. ____________________________________

ANNEX I

Security measures to be implemented by the Processor regarding the data processed under this Addendum.

1. The Processor applies, both when determining the means of processing and at the time of processing itself, appropriate technical and organizational measures, such as those included in this document and mentioned in the body of the contract, designed to effectively implement data protection principles, such as data minimization, and integrate necessary safeguards in processing.

2. Upon joining the staff of the Processor, all its employees have signed a confidentiality agreement, committing to keep secret all data processed for the performance of their duties, including those processed under this contract.

3. The Processor has a procedure for notifying, managing, and responding to any personal data security breaches, as indicated in Articles 66 and following of the GDPR.

4. The Processor has established a system that allows the unequivocal and personalized identification and authentication of any user attempting to access the information system and verification of their authorization. The identification and authentication system for users wishing to access the system are described in a document available to the Controller upon request.

5. Users of the Processor's systems will have authorized access only to the data and resources they need for the performance of their functions. The system used to limit access according to the privileges of each user is described in a document available to the Controller upon request.

6. The operating systems and applications used in the processing covered by this contract have mechanisms to prevent a user from accessing resources with rights different from those authorized.

7. The Processor has access control measures for physical access to its facilities and data processing centers, so that access to the data processed under this contract is only permitted to authorized personnel.

8. The Processor has a policy for managing media and documents ensuring that all applications, systems, and subcontractors it uses have been previously studied and authorized to process data of its clients, by complying with the regulations and the GDPR. This policy also regulates the entry and exit of documents from the facilities and systems of the Processor, allowing the processing of personal data under this contract only on authorized encrypted and/or anonymized devices approved by the Processor.

9. Access to information systems of the Processor hosting personal data under this contract may only be carried out by encrypting such data or using any other mechanism that ensures that the information is not intelligible or manipulated by third parties. Security in such access must be guaranteed by the security protocols of the applications involved in the transmission.

10. The Processor has a backup and recovery policy ensuring that data can be reconstructed at all times in the state they were in at the time of loss or destruction.

11. In the case of work with temporary files that the employees of the Processor need to provide the service to the Controller, the same security measures as for other personal data shall apply, and they shall be deleted or destroyed once they are no longer necessary for the purposes for which they were created.

12. Storage devices for documents containing personal data must have mechanisms to hinder their opening.

13. Continuously and at least once a year, the periodic checks required to verify the suitability and operability of the security measures implemented and compliance with the provisions of this annex will be carried out.