GDPR Compliance

Last updated: May 2026

1. Data Controller

Bayshore Products S.L. (trading as SpainPorFavor) is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and Spain's Ley Orgánica 3/2018 de Protección de Datos Personales (LOPDGDD).

C.I.F.: B70778360
Data Protection Contact: [email protected]
Supervisory Authority: Agencia Española de Protección de Datos (AEPD)

2. What Data We Collect

We collect only the data necessary to prepare and submit your visa application:

Data CategoryExamples
Identity documentsPassport, criminal record certificate, birth certificate
Financial documentsBank statements, employment contracts, tax returns
Contact informationName, email address, phone number
Health insuranceInsurance policy documents
Account and usage dataLogin times, document upload history, chat transcripts

3. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the visa preparation service you purchased.
  • Consent (Art. 6(1)(a)): For AI-powered document validation and optional marketing communications. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f)): For security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): Where required by Spanish or EU law.

4. Data Retention Periods

We retain your data only as long as necessary for the purposes described above:

Data TypeRetention Period
Uploaded documents (passport, bank statements, etc.)Deleted 30 days after visa approval or case closure
Account data (name, email)Retained while your account is active; deleted upon account deletion request
Case recordsAnonymised after case closure and retained for compliance records
Chat transcriptsDeleted 30 days after case closure
Payment recordsRetained for 5 years as required by Spanish tax law

Renewal clients who opt into ongoing services retain their data until they cancel or their case concludes.

5. Your Rights Under GDPR

Under GDPR Articles 15–22, you have the following rights:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data (see Section 6 below).
  • Right to restriction (Art. 18): Limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw any consent you have given, at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected] or use the data controls in your client portal. We will respond within 30 days as required by GDPR.

6. Right to Erasure — How It Works

You may request deletion of your personal data at any time. Here is how the process works:

  1. Submit your request: Email [email protected] or use the "Delete my data" option in your client portal.
  2. Confirmation: We send a double opt-in confirmation email to verify the request is genuine.
  3. Processing: Once confirmed, we delete all your uploaded documents, chat transcripts, and personal data within 30 days.
  4. Exceptions: We may retain anonymised case records and payment records where required by Spanish tax law (Ley General Tributaria).

Important: If your visa application is currently being processed by the Spanish authorities, erasure of your documents may prevent us from completing your application. We will inform you of this before proceeding.

7. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • EXIF metadata stripped from uploaded images (GPS coordinates, device information removed)
  • Role-based access control — only you, your assigned Gestor, and authorised administrators can access your data
  • All document access logged in an audit trail
  • Rate limiting and session-based authentication

8. International Transfers

Your data is stored on servers within the European Union. Where data is processed outside the EU (for example, AI-powered document validation), we ensure adequate protection through Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

9. AEPD Registration and Complaints

Bayshore Products S.L. is registered as a data processor with the Agencia Española de Protección de Datos (AEPD), Spain's supervisory authority for data protection under GDPR and the LOPDGDD.

If you believe your data protection rights have been violated, you have the right to lodge a complaint directly with the AEPD:

If you are based in another EU/EEA country, you may also lodge a complaint with your local supervisory authority.

10. Contact

For any questions about this GDPR compliance notice or your data protection rights:

Bayshore Products S.L. (trading as SpainPorFavor)
C.I.F.: B70778360
Data Protection Contact: [email protected]
General enquiries: [email protected]
Website: www.spainporfavor.com

This page supplements our Privacy Policy and Terms of Service. For questions, contact [email protected].