Data Protection Notice

Effective Date: August 1, 2025 (Last updated on this date)

1. Identity and Contact Details

If you have any questions about how we process your personal data, you may contact us at:
compliance@wbagadion.com

2. How and What Data We Collect

We collect personal data that you provide directly, for example, when you:

• Fill out contact, appointment, or enquiry forms on our website
• Register for events, newsletters or downloads
• Engage via email or phone

Depending on context, this may include:

• Identity & contact data (name, email, company, role, phone)
• Transactional data (details of services requested/provided)
• Communications content (email/message history)
• Usage data (IP address, device/browser info)
• Cookies/analytics data via our website tracking tools

We do not collect sensitive special-category data (e.g. race, religion, health) unless explicitly stated and permitted.

3. Why We Process This Data & the Legal Basis

In accordance with Article 6 GDPR, we rely on the following lawful bases:

• Consent (you opt in to receive newsletters or marketing)
• Contractual necessity (fulfilling a service you requested)
• Legal obligation (e.g. bookkeeping, tax or employment law)
• Legitimate interests of the company—for example:
  • To maintain and improve our website and services
  • To run marketing communications about services similar to those you showed interest in unless you object

Where we rely on legitimate interests (e.g. marketing), we perform and document a balancing test, considering your rights. You may object at any time (see Section 8).

4. Cookies, Web Analytics & Log Files

We use cookies and analytics tools such as Google Analytics for website performance, traffic analysis, and user experience improvement.

• Necessary / functional cookies: to operate the site
• Analytics cookies: to monitor user behaviour anonymously
• Marketing/third-party cookies: only active with your consent

You can manage or withdraw your cookie consent at any time via our cookie banner or browser settings. Refer to our Cookie Policy for full details (accessible via link in footer).

5. Who We Share Your Data With

We may share your personal data with:

• Trusted service providers/processors, such as hosting providers, email platforms, CRM systems, professional advisers, or payment processors, under written data processing agreements ensuring GDPR compliance.
• Regulatory or legal authorities if required by law (e.g. court order or tax filing).
• Group companies, only where appropriate and under strict confidentiality terms.

All recipients are audited periodically to ensure they maintain GDPR-level protections.

6. Transfers to Countries Outside the EEA

BioStev operates within the European Economic Area (EEA). If we transfer your personal data to non-EEA countries (e.g. a data processor in the U.S.), we will ensure proper safeguards such as EU Commission Standard Contractual Clauses, or transfers to countries deemed adequate by the EU.

7. How Long We Retain Your Data

We retain your personal data only as long as necessary for the purpose(s) it was collected and to comply with legal obligations, for example:

• Client records and invoices: for at least 6 years (Spanish commercial law).
• Contact/marketing lists: until you withdraw consent or object.

After that, data is securely erased or fully anonymised.

8. Your Rights under the GDPR

Under Articles 15-22 GDPR, you have the right to:

1. Access personal data we hold about you.
2. Rectify inaccurate or incomplete data.
3. Erase data ("right to be forgotten"), where permitted.
4. Restrict processing in certain circumstances.
5. Data portability: to receive or transmit data in structured form.
6. Object to processing based on legitimate interests (including profiling/marketing).
7. Withdraw consent at any time, where processing is based on consent without affecting lawfulness of prior processing.

If you wish to exercise any of these rights, please contact us at compliance@wbagadion.com.

9. Automated Decisions / Profiling

We do not make purely automated decisions that produce legal effects concerning you or similarly significantly affect you. If this changes, we will notify you and ensure your right to human intervention, express your views, and contest decisions is preserved.

10. Data Security & Breach Notification

We employ appropriate technical and organisational measures to protect personal data including encryption in transit (TLS), access logs, secure back-ups, trained staff, and system access controls.

In the unlikely event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the Spanish Data Protection Authority (AEPD) without undue delay, and within 72 hours.

11. Updates to this Notice

We may revise this Notice to reflect changes in our processing, technical measures, or applicable law. The last updated date above reflects the most recent version; a copy will be available via link in our website footer.

12. Supervisory Authority & Right to Lodge Complaint

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) if you believe your data protection rights have been violated, particularly if you feel our response to a request is inadequate or delayed.

Their contact details and complaint form are available on the AEPD website located in Madrid as the national supervisory body.

This Data Protection Notice complies with GDPR requirements and is regularly reviewed to ensure ongoing compliance with applicable data protection regulations.