Legal notice, privacy and cookies
Last updated: 22 May 2026. This document covers the obligations of the General Data Protection Regulation (EU 2016/679, GDPR) and of the Spanish laws applicable to Giormo, S.L. as a Spanish-domiciled entity (LSSI-CE Law 34/2002, LOPDGDD Organic Law 3/2018).
1. Legal notice and identification of the controller
The following are the identifying details of the owner of this website (giormo.com and all its subdomains), in compliance with article 10 of Spanish Law 34/2002 (LSSI-CE) and article 13 GDPR:
Company name: Giormo, S.L.
Tax ID (NIF / VAT): ES B13389770
Registered office: Av. de la Ciencia 1, 13005 Ciudad Real, Spain
Email: info@giormo.com
Activity: custom software development, multi-tenant SaaS platforms, cybersecurity and automation.
Accessing and using this website implies acceptance of the terms described below. If you disagree with any of them, please stop using the site.
Intellectual property
The source code, texts, visual design, logos and any other proprietary content published on this site are protected by intellectual and industrial property rights. Reproduction, distribution, public communication or transformation without express authorisation is prohibited.
Liability
We make reasonable efforts to keep the information up to date and accurate, but we do not warrant the absence of errors. We are not liable for the use you make of the information published or for damages arising from access to the site when caused by reasons outside our control.
Third-party links
The website may contain links to third-party sites. We do not control or endorse their content. Browsing those sites is governed by their own terms and policies.
2. Privacy policy and data processing
We process your personal data in accordance with the GDPR. The data controller is Giormo, S.L. (Tax ID ES B13389770), with registered office at Av. de la Ciencia 1, 13005 Ciudad Real, Spain. For any matter relating to your personal data you may contact us at info@giormo.com.
Giormo, S.L. has not appointed a Data Protection Officer (DPO) because none of the cases listed in art. 37(1) GDPR apply: the core activity does not consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale nor of large-scale processing of special categories of data. Data-protection enquiries are handled directly through the email above.
What data we collect and why
- Contact form: name, email, company (optional) and message. Purpose: replying to your enquiry and, where appropriate, preparing a commercial offer. Legal basis: pre-contractual measures at the request of the data subject (art. 6(1)(b) GDPR) and, subsidiarily, consent given by sending the form (art. 6(1)(a)). Retention: up to 2 years from last contact, unless you request earlier erasure.
- Server technical logs: IP address, user-agent, date/time and requested URLs. Purpose: security (abuse and attack detection), debugging and incident response. Legal basis: legitimate interest of the controller (art. 6(1)(f) GDPR) in protecting its systems. Retention: 30 days.
- Browser headers (Accept-Language): read on the client side to suggest a language. They never leave your browser and are not stored on the server.
We do not use tracking cookies, do not share data with marketing third parties and do not profile visitors.
Recipients and sub-processors
To deliver the web service we rely on the following processors or sub-processors. They process the data exclusively under our instructions and within the European Economic Area (EEA):
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud EMEA Ltd. | Hosting of the public website and the contact form | Spain (EU) |
| Contabo GmbH | Organisation mail server (receipt of contact-form messages) | Germany (EU) |
| Let's Encrypt (ISRG) | TLS certificate issuance | No personal data processed: only the domain name is transmitted |
We do not carry out international transfers of personal data outside the EEA in the context of the public website. Fonts (Inter) and illustrative images are served directly from our own servers: no contact is made with Google Fonts, Unsplash or third-party CDNs.
Security measures
We apply appropriate technical and organisational measures under art. 32 GDPR: HTTPS with Let's Encrypt certificates on all domains, CrowdSec intrusion detection, ClamAV antivirus on every file upload, role-based access control with audit logging, isolated Docker containers, encrypted database backups and strict multi-tenant isolation at database level (Row Level Security).
3. Cookie and local-storage policy
This site does not install tracking, advertising or analytics cookies. We do not use Google Analytics, Meta Pixel or equivalents.
We do use localStorage (technical browser storage, not cookies) for a single functional purpose: remembering the language you selected in the header switcher so we can respect it on future visits. This information:
- Exists only in your browser. It is never sent to any server.
- Does not identify the user.
- Is a functional preference exempt from prior consent (art. 22(2) LSSI-CE; equivalent to EDPB guidance on strictly necessary technical storage).
- Can be deleted at any time from your browser settings (under "Site data" or equivalent).
If we ever add cookies that require consent, we will display a banner with genuine accept / reject options and update this page.
4. Your rights and how to exercise them
As a data subject you may exercise at any time the following rights, foreseen in articles 15 to 22 of the GDPR:
- Access: know which of your data we process.
- Rectification: correct inaccurate data.
- Erasure: have your data deleted when it is no longer necessary.
- Objection: object to processing on legitimate grounds.
- Restriction: restrict processing while we verify your request.
- Portability: receive your data in a structured, commonly used and machine-readable format.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, write to info@giormo.com stating your request clearly and attaching, where necessary for identity verification, a copy of an identification document. We will reply within one month (extendable by two months in complex cases). If you believe your request has not been properly handled, you may lodge a complaint with the Spanish Data Protection Agency (C/ Jorge Juan 6, 28001 Madrid) or with the supervisory authority of your country of residence.
5. Data processing in the SaaS platform (customers)
Giormo, S.L. operates a multi-tenant logistics-management platform accessible under client-specific subdomains (e.g. customer.giormo.com). In this context:
- The customer (the contracting company) acts as data controller for the personal data of its employees, drivers, third parties and end customers uploaded to the platform.
- Giormo, S.L. acts as data processor (art. 28 GDPR) and processes the data exclusively to provide the contracted service.
- The conditions of this processing (purposes, instructions, sub-processors, security measures, return and deletion, assistance with data-subject rights, breach notification and audit rights) are regulated by a Data Processing Agreement (DPA) signed with each customer.
- Data subjects (drivers, employees, etc.) should exercise their rights primarily before the customer acting as controller. Giormo, S.L. assists the customer in handling such requests with the diligence required by the GDPR.
Customers and prospective customers may consult the Data Processing Agreement (DPA) template with the up-to-date sub-processor list, or request an editable version for signature by writing to info@giormo.com.