DRAFT v0 — text intended to be published in full at
/privacy.htmlof the Futuh website.andmarkers to be resolved before publication. Pending external review before going to production.
PRIVACY POLICY
In one sentence: the Futuh website processes the absolute minimum of personal data to function. It uses no third-party cookies, performs no profiling, does not share your data with anyone for commercial purposes, and does not transfer data to the United States other than the unavoidable technical transit through Cloudflare.
1. Who we are
The FUTUH product is a joint initiative of ACPP and CONSORCIO ANDALUZ DE IMPULSO SOCIAL (hereinafter, CAIS). With regard to the processing of your personal data in connection with the use of this website, both entities act as joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679 (GDPR).
| Joint controller | Identification details |
|---|---|
| ACPP — Asamblea de Cooperación Por la Paz | NIF G80176845 · C/ Campomanes 8, 2ºD, 28013 Madrid · (+34) 914680492 · [email protected] |
| CONSORCIO ANDALUZ DE IMPULSO SOCIAL — CAIS | NIF F90335001 · Calle Marqués de Pickman 49, 41005 Seville · [email protected] · |
Data Protection Officer (designated by ACPP, assumes
coordination with CAIS pursuant to the Article 26 agreement of which we
inform you at the end):
[email protected].
1.1. Single point of contact
For any matter relating to your personal data, you may contact the single point designated by the two joint controllers (clause FOUR of the Joint Controllership Agreement, Article 26.1 in fine GDPR):
Email:
[email protected]Postal: C/ Campomanes 8, 2ºD, 28013 Madrid
Important: regardless of this single point, in accordance with Article 26.3 GDPR you may exercise your rights against either of the two joint controllers.
2. What data we process and for what purpose
This website processes the minimum personal data essential for it to function. We distinguish three purposes:
2.1. Serving the website (ordinary visit)
| Aspect | Detail |
|---|---|
| Data | IP address, user agent (browser, operating system), page visited, date and time. These data are recorded in the server logs. |
| Purpose | Serve the website, maintain operational security (detect abuses, attacks, bots) and diagnose technical incidents. |
| Legal basis | Legitimate interest of the joint controllers (Article 6.1.f GDPR) in ensuring the availability and security of the site. Favourable balancing on grounds of: absence of individual identification, absence of profiling, short retention period. |
| Retention period | Server logs: 30 days. Security logs in the event of an incident: up to 12 months and only if necessary to investigate the incident. |
2.2. Measuring website usage (anonymous analytics)
| Aspect | Detail |
|---|---|
| Data | Session hash generated by Umami from IP + user agent + domain + daily salt. The hash does not allow you to be identified individually and is rotated every 24 hours. Pages visited, country (at aggregate level), referrer (the site you come from, without campaign parameters). |
| Purpose | To understand, in an aggregate and anonymous way, which pages work and which content is useful. |
| Legal basis | Legitimate interest (Article 6.1.f GDPR). Favourable balancing on grounds of: absence of cookies, absence of identification, hash rotated daily, privacy-first alternative to Google Analytics. |
| Tool | Self-hosted Umami on the same infrastructure as the website. There is no transfer of data to third parties. The tool operates without cookies. |
| Retention period | Aggregated data, with no individual deletion period (no individuals are identifiable). |
2.3. Handling your enquiries by email
| Aspect | Detail |
|---|---|
| Data | Those you voluntarily provide when writing to us: name, email address, organisation you represent, content of the enquiry, attachments if any. |
| Purpose | To respond to your enquiry, to assess whether Futuh fits what you are looking for and, if you so decide, to maintain a pre-contractual relationship or initiate a project. |
| Legal basis | Application of pre-contractual measures at the data subject’s initiative (Article 6.1.b GDPR). If your message includes an express request for recurring commercial information, consent (Article 6.1.a GDPR). |
| Retention period | For as long as the active exchange lasts. If a project arises from the exchange, for the life of the project and the applicable legal periods. If no project arises, 24 months counting from the last message, and subsequent deletion or anonymisation. |
3. What we do NOT do
So that you know what does not happen on this website:
- ❌ We do not use analytics, advertising or third-party tracking cookies.
- ❌ We do not carry out profiling or automated decisions with legal effects on you (Article 22 GDPR).
- ❌ We do not sell or transfer your data to third parties for commercial purposes.
- ❌ We do not use Google Analytics, Meta Pixel, TikTok pixel or equivalents.
- ❌ We do not have lead-capture forms: the price calculator runs entirely in your browser and does not send anything to any server.
- ❌ We do not subscribe you to any newsletter or automated communications.
4. With whom we share your data (processors and sub-processors)
To serve the website, we work with two providers acting as processors within the meaning of Article 28 GDPR:
| Provider | Function | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting (debian-vps in Falkenstein, Germany) | European Union | Standard Hetzner data processing agreement accepted |
| Cloudflare, Inc. | Tunnel and CDN, TLS termination, anti-bot protection | US-based company with global infrastructure | Standard Cloudflare data processing agreement + international transfer under the EU–US Data Privacy Framework (DPF) and, subsidiarily, European Commission Standard Contractual Clauses (Decision (EU) 2021/914) |
No other provider receives your personal data. The Umami analytics tool is not an external provider: we operate it directly on our own infrastructure (Hetzner).
4.1. International transfers
The only effective international transfer in the operation of the website is the one resulting from the use of Cloudflare, Inc. (US parent company). The safeguards used are those described above (DPF + Standard Contractual Clauses).
If you are concerned about this transfer, you may access the website via a connection that does not pass through Cloudflare by contacting the single point of contact; we will assess on a case-by-case basis the feasibility of serving the content via an alternative route.
5. How long we keep your data
| Category | Period |
|---|---|
| Server logs (ordinary visit) | 30 days |
| Security logs in the event of an incident | Up to 12 months |
| Aggregated Umami data (anonymous analytics) | No individual deletion period (no identifiable individuals) |
| Emails sent to the single point of contact or other published mailboxes | For as long as the active exchange lasts + 24 months, unless a contractual project arises |
6. Your rights
In accordance with the GDPR and Spanish Organic Law 3/2018 on Personal Data Protection and digital rights guarantees (LOPDGDD), you have the following rights over your personal data:
| Right | What you may request |
|---|---|
| Access (Article 15 GDPR) | To know what data of yours we process and obtain a copy |
| Rectification (Article 16 GDPR) | To correct inaccurate or incomplete data |
| Erasure (Article 17 GDPR) | To delete your data when no longer necessary or when you withdraw consent |
| Restriction (Article 18 GDPR) | That we suspend processing while a dispute is resolved |
| Portability (Article 20 GDPR) | To receive your data in a structured format to take to another controller |
| Objection (Article 21 GDPR) | To object to processing based on legitimate interest, in which case we will weigh your reasons |
| Not to be subject to automated decisions (Article 22 GDPR) | Applicable only if it occurred. We do not carry out profiling or automated decisions about you on this website |
6.1. How to exercise them
By email to the single point of contact
([email protected]) or, where appropriate, to the ACPP
DPO ([email protected]) or to the CAIS
privacy contact (). Pursuant to Article 26.3
GDPR you may address either of the two joint controllers.
We will respond within one month from receipt of your request, extendable by up to two further months on duly justified grounds (Article 12.3 GDPR).
6.2. Complaint to the AEPD
If you consider that the processing of your data does not comply with the regulations, you may file a complaint with the AEPD (Spanish Data Protection Agency) (https://www.aepd.es). In any case, we encourage you to contact us first to try to resolve the reason for the complaint.
7. Cookies
This website uses exclusively cookies and equivalent mechanisms that are exempt from the consent requirement of Article 22.2 LSSI-CE.
| Mechanism | What it does | Type | Expiry |
|---|---|---|---|
localStorage: accent colour preference |
Stores in your browser the accent colour you have selected in the personalisation panel | Technical/functional, in your own browser | Until you clear your browser storage |
__cf_bm cookie (Cloudflare) |
Distinguishes human traffic from automated bots, without profiling | Technical security cookie, managed by Cloudflare | 30 minutes after the last activity |
There are no analytics cookies, no advertising, no cross-domain tracking.
8. The essentials of the ACPP↔︎CAIS Joint Controllership Agreement (Article 26.2 GDPR)
In accordance with Article 26.2 GDPR, we make available to you the essentials of the Joint Controllership Agreement signed between ACPP and CAIS for the processing of personal data on the Futuh website.
Who: ACPP (NIF G80176845, Madrid) and CAIS (NIF F90335001, Seville) act as joint controllers.
What each does:
- ACPP technically operates the current domain
(
futuh.ruiberriz.org), handles in the first instance the rights you exercise, attends to notifications to the AEPD (Spanish Data Protection Agency) in the event of security breaches and maintains the mandatory documentation (record of processing activities, breach register, logs). - CAIS assumes responsibility for its own domain mailboxes when an enquiry arrives there and participates in all material decisions on the processing (changes of providers, modifications of the informative content, impact assessments where applicable).
- Both maintain active coordination at a minimum quarterly cadence between their data protection contacts.
Single point of contact for you:
[email protected](provisional until
[email protected]).
Your right to address either of the two (Article 26.3 GDPR): the internal allocation does not limit you. You may exercise your rights against ACPP, against CAIS, or against both.
Full text of the Agreement: available to you upon request to the single point of contact.
9. Modifications to this policy
If we modify this policy, we will publish the new version at the same URL and update the “Last updated” date at the bottom. Substantial changes (new processors, new purposes, changes of legal basis) will additionally be announced by means of a visible notice on the site’s homepage for a reasonable period.
Last updated: 5 May 2026.
Language versions: the legally binding version is the Spanish version. The English and French versions are courtesy translations with no autonomous legal value.