Privacy Policy

Last updated: 8 June 2026 · This notice explains how X-Residency processes personal data under the EU General Data Protection Regulation (GDPR) and Spanish data-protection law (LOPDGDD).

1. Who we are (Data Controller)

X-Residency ("we", "us") is the controller of your personal data. Contact: hello@x-residency.es, Madrid, Spain. Before launch, insert the registered legal entity name, address, company/VAT number, and a Data Protection Officer or privacy contact where applicable.

2. What personal data we collect

• Identity & contact: name, email, phone/WhatsApp, country of residence, nationality, preferred language.
• Application data: service requested, NIE purpose, package, urgency, and the messages you send us.
• Documents you upload: e.g. passport, proof of income, health insurance, and—where relevant—criminal-record certificates. Some of these may contain special-category or sensitive data.
• Payment data: processed by our payment provider (Stripe). We receive payment status and metadata only; we do not store full card numbers.
• CITA Previa alert data: selected provinces, procedures, notification channels, and contact details.
• Technical data: IP address, device/browser information, and cookies or similar technologies (see our Cookie Policy).

3. Why we use it and our legal basis (Art. 6 & 9 GDPR)

• To provide our services (intake, document review, appointment monitoring, support) — performance of a contract.
• Payments, accounting and legal obligations — compliance with a legal obligation.
• Marketing, optional analytics and non-essential cookies — your consent, which you may withdraw at any time.
• Security, fraud prevention and improving our services — our legitimate interests, balanced against your rights.
• Special-category data contained in certain documents is processed only with your explicit consent and/or as necessary for the establishment, exercise or defence of legal claims (Art. 9 GDPR).

4. Who we share data with (Processors & recipients)

We share data only with service providers acting on our instructions under a data-processing agreement, including: payment processing (Stripe), hosting and database (e.g. Supabase/Vercel), transactional email and messaging providers, and—where enabled—analytics. We do not sell your personal data. Where a recipient is outside the EEA (e.g. in the United States), transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses.

5. How long we keep it (Retention)

We keep personal data only as long as necessary for the purposes above and to meet legal/accounting obligations, after which it is deleted or anonymised. CITA Previa alert data is retained until you cancel the subscription. Insert specific retention periods agreed with counsel.

6. Your rights

Under the GDPR you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and withdraw consent at any time without affecting prior processing. To exercise any right, email hello@x-residency.es (or use our contact form, topic "Data protection / privacy request"). We will respond within one month. You also have the right to lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD), www.aepd.es.

7. Security

We apply appropriate technical and organisational measures—including encryption in transit, access controls, and least-privilege handling—to protect your data. No system is perfectly secure, and we will notify you and the AEPD of a personal-data breach where legally required.

8. Cookies

We use strictly necessary cookies and, with your consent, optional analytics/marketing cookies. Manage your choices via "Cookie Settings" in the footer. See our Cookie Policy for details.

9. Children

Our services are intended for adults. We do not knowingly process the data of children without appropriate legal basis and safeguards.

10. Changes

We may update this policy and will revise the "last updated" date above. Material changes will be communicated where appropriate.