
GDPR Compliance

Last updated: December 26, 2025

1. Our Commitment to GDPR

Campora Cloud, operated by Campora Tech, S.L. (registered in Torredembarra, Spain), is fully committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. We recognize the importance of protecting personal data and have implemented comprehensive measures to ensure compliance for both our customers and their guests.

2. Data Controller and Processor Roles

2.1 When We Are the Data Controller

For our own business operations (marketing, customer accounts, billing), Campora Cloud acts as the Data Controller.

2.2 When We Are the Data Processor

For guest data that our customers input into our platform, we act as a Data Processor. Our customers are the Data Controllers responsible for determining how guest data is processed.

3. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract Performance: To provide our services and fulfill our contractual obligations
  • Legitimate Interests: For business operations, fraud prevention, and service improvement
  • Legal Obligation: To comply with tax, accounting, and other legal requirements
  • Consent: For marketing communications and optional features (where consent is required)

4. Data Subject Rights

Under GDPR, individuals have the following rights:

4.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with specific information about the processing.

How to exercise: Email admin@campora.cloud with subject "Data Access Request"

4.2 Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

How to exercise: Update your account information or contact support

4.3 Right to Erasure - "Right to be Forgotten" (Article 17)

You have the right to have your personal data erased under certain conditions.

How to exercise: Email admin@campora.cloud with subject "Data Erasure Request"

4.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data under specific circumstances.

How to exercise: Email admin@campora.cloud

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

How to exercise: Use our data export feature or request assistance

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Use unsubscribe links or contact us directly

4.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling.

4.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

5. Response Timeframes

We will respond to data subject requests:

  • Within 1 month as standard (Article 12)
  • Extended to 3 months for complex or numerous requests (with notification)
  • Free of charge for the first request; reasonable fees may apply for excessive or repeated requests

6. Data Protection by Design and by Default

We implement technical and organizational measures to ensure data protection principles:

  • Pseudonymization: Where appropriate, we pseudonymize personal data
  • Minimization: We collect only necessary data for specified purposes
  • Access Controls: Role-based access ensures only authorized personnel access data
  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Regular Audits: Ongoing compliance reviews and security assessments

7. Data Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware (Article 33)
  • We will notify affected data subjects without undue delay if the breach poses a high risk (Article 34)
  • We maintain detailed documentation of all breaches, including facts, effects, and remedial actions

8. International Data Transfers

When transferring personal data outside the European Economic Area (EEA):

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission
  • We ensure adequate safeguards and enforceable data subject rights
  • We conduct Transfer Impact Assessments (TIAs) where necessary
  • We maintain records of all international data transfers

9. Data Processing Agreements (DPA)

For customers acting as Data Controllers:

  • We provide a comprehensive Data Processing Agreement (DPA)
  • The DPA includes all requirements from Article 28 GDPR
  • We maintain records of processing activities
  • We assist with Data Protection Impact Assessments (DPIAs) when required

Request our DPA: admin@campora.cloud

10. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee GDPR compliance:

  • Email: admin@campora.cloud
  • Responsibilities: Monitor compliance, advise on obligations, cooperate with supervisory authorities

11. Subprocessors

We engage the following subprocessors to provide our services:

  • Cloud Infrastructure: AWS (EU regions)
  • Payment Processing: Stripe, Redsys
  • Email Services: SendGrid
  • Analytics: Self-hosted analytics (EU servers)

All subprocessors are bound by DPAs ensuring GDPR compliance. We will notify customers of any subprocessor changes.

12. Records of Processing Activities

We maintain comprehensive records of processing activities as required by Article 30, including:

  • Categories of data processed
  • Purposes of processing
  • Categories of data subjects
  • Recipients of personal data
  • International data transfers
  • Retention periods
  • Security measures

13. Accountability and Documentation

We demonstrate GDPR compliance through:

  • Written data protection policies and procedures
  • Privacy by design implementation
  • Regular staff training on data protection
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Third-party security audits and certifications
  • Incident response and breach management procedures

14. Customer Responsibilities

As Data Controllers, our customers are responsible for:

  • Obtaining necessary consents from guests
  • Providing privacy notices to data subjects
  • Responding to data subject requests from their guests
  • Ensuring lawful processing of guest data
  • Implementing appropriate security measures

15. Assistance and Support

We assist our customers with GDPR compliance:

  • Technical and organizational measures documentation
  • Data breach notification procedures
  • Data subject request fulfillment
  • Data Protection Impact Assessment (DPIA) support
  • Compliance guidance and resources

16. Contact for GDPR Matters

For GDPR-related questions, requests, or concerns:

  • Data Controller: Campora Tech, S.L.
  • Registered Address: Torredembarra, Spain
  • Data Protection Officer: admin@campora.cloud
  • Privacy Team: admin@campora.cloud
  • General Inquiries: admin@campora.cloud