Privacy Policy

1. Data Controller

        • Controller: PHOENIX & FLAG S.L.
        • Tax ID (NIF/CIF): B21840772
        • Registered Address: C/ Musgo, 5 28023 Madrid
        • Privacy Contact: privacy@phoenixandflag.com


2. Purposes of Processing and Legal Bases

We process personal data for the following purposes and under the following legal bases (Article 6 GDPR):

Website Contact and Inquiries
To respond to information requests submitted through the website.
Legal basis: Consent and legitimate interest in responding to the request.

Provision of Services
Including translation, interpretation, intellectual property management, events, testing, and cybersecurity services. Processing is carried out for contractual, operational, and quality management purposes.
Legal basis: Performance of a contract and compliance with legal obligations.

B2B Marketing and Business Development
To send professional communications regarding similar services, and to manage webinars and events.
Legal basis: Legitimate interest and/or consent, where required.

HR and Talent Management
Including the management of applications, talent pools, and onboarding or accreditation processes for interpreters, translators, mediators, and technical professionals.
Legal basis: Pre-contractual measures and consent.

Security and Compliance
Including fraud prevention, access control, auditing, and regulatory compliance.
Legal basis: Legitimate interest and compliance with legal obligations.

Claims and Legal Rights Management
To handle legal claims and protect the company’s rights.
Legal basis: Legal obligations and legitimate interest.

Special Categories of Data
In specific projects (e.g., healthcare or mediation contexts), special categories of data will only be processed where strictly necessary and in accordance with Article 9 GDPR (e.g., explicit consent, substantial public interest), with enhanced safeguards in place.


3. Data Retention
Personal data will be retained for the following periods:

    • Contacts / Leads: Up to 24 months from the last interaction or until consent is withdrawn
    • Clients / Projects: For the duration of the relationship and applicable statutory limitation periods (typically 5–10 years)
    • HR / Talent Pool: Up to 24 months unless formalized as a supplier or employee
    • Marketing: Until consent is withdrawn or an objection is raised
    • Security Logs: Between 6 and 24 months, depending on the system

4. Recipients and Data Processors

Personal data may be accessed by authorized data processors (e.g., hosting providers, CRM systems, project management platforms, AI-assisted translation tools, videoconferencing services, analytics providers, email platforms, billing systems, and cybersecurity providers), under data processing agreements compliant with Article 28 GDPR.

Personal data will not be disclosed to third parties unless required by law or necessary for contractual purposes (e.g., public authorities, courts, law firms, IP agents).

5. International Data Transfers

Where service providers are located outside the European Economic Area (EEA), an adequate level of protection will be ensured through adequacy decisions and/or Standard Contractual Clauses (SCCs), together with supplementary measures where appropriate.

Further information is available upon request.

6. Data Subject Rights

You may exercise your rights of access, rectification, erasure, objection, restriction of processing, data portability, and the right not to be subject to automated decision-making by contacting privacy@phoenixandflag.com, including the reference “GDPR Rights” and proof of identity.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es

7. Minors
Our services are not directed to minors. If any inappropriate data processing is identified, it will be promptly deleted.

8. Security Measures
We implement appropriate technical and organizational measures to ensure data security, including access controls, encryption in transit and at rest where applicable, data loss prevention (DLP), activity logging, confidentiality agreements, staff training, vulnerability management, backups, and business continuity planning.

9. Social Media and Communications
Our presence on social media platforms is governed by this Privacy Policy as well as the terms and conditions of each platform.
All marketing communications include opt-out mechanisms.

10. Cookies
The use of cookies and similar technologies is described in our Cookie Policy.

Last updated: December 1, 2025
