Privacy Policy

Easy210Spain is operated by Juan Antonio Bertomeu Vallés, a Spanish lawyer registered with the Bar Association of Alicante (ICALI member #4643) since 1991, and a Tax Authority Collaborator (AEAT Colaborador Social since 2017). This Privacy Policy explains how we collect, use, and protect your personal data when you use our service to file Spanish Form 210 (Modelo 210 IRNR) as a non-resident property owner.

Our approach in one sentence: you give us only what we need, our human lawyer reviews everything personally before signing and submitting to the Spanish Tax Authority (AEAT), and all data stays in the European Union.

1. Who we are (Data Controller)

• Current entity (until July 2026): Juan Antonio Bertomeu Vallés, NIF 28988016N, freelance lawyer (ICALI #4643)
• Future entity (from July 2026): Expat Abogados y Asesores Fiscales S.L.P. (Spanish Professional Services Limited Liability Company — incorporation in progress)
• Office addresses: Calle Doctor Calatayud 39, 03724 Moraira (Alicante), Spain · Calle Ramón y Cajal 5E, 03700 Dénia (Alicante), Spain
• General contact: legal@expatabogados.com
• Customer support: support@easy210spain.com
• Phone / WhatsApp: +34 614 08 68 07
• Parent brand: Expat Abogados (law firm)

2. Data Protection Officer (DPO)

We have designated a Data Protection Officer responsible for overseeing GDPR compliance and handling your privacy questions and rights.

• DPO contact: dpo@expatabogados.com
• The DPO can also be reached by post at the office addresses above.

3. What personal data we collect

We collect only the minimum data necessary to prepare and file your Modelo 210 IRNR. Specifically:

• Account data: email address, password (stored as a one-way cryptographic hash — we never see your password in clear), name.
• Identity data: Spanish NIE or NIF, full name, date of birth, nationality, country and town of residence.
• Property data:town and province of the property in Spain, property type (residential / garage / commercial). Technical fields (cadastral reference, cadastral value, exact street address, etc.) are extracted from your documents by our staff — you don't need to enter them.
• Documents you upload: Most recent IBI receipt (required), purchase deed / escritura (required), rental contract (required if filing rental income), other optional documents you choose to share.
• Service-specific data: for rental income, total annual rent + days rented; for property sales, sale date + sale price + purchase date + purchase price + acquisition type.
• Banking data (only if you choose SEPA Direct Debit for paying AEAT): your IBAN, encrypted with AES-256 via Google Cloud KMS before being stored. We never store your IBAN in clear text. Only the last 4 digits are kept unencrypted for display purposes.
• Payment data: we use Stripe to process the payment of our service. Card details go directly to Stripe and are not stored by us — we only receive a transaction identifier and the last 4 digits of the card.
• Communication data: emails, support tickets, WhatsApp messages (if you choose to contact us via WhatsApp).
• Cookie / web analytics data: as detailed in our Cookie Policy.

We do NOT collect:health data, religious beliefs, political opinions, biometric data, race or ethnicity, sexual orientation, or any other special categories defined in Article 9 GDPR. We do not engage in profiling within the meaning of Article 4(4) GDPR — we don't infer personal characteristics about you.

4. Why we collect your data (legal basis)

The legal grounds under Article 6 GDPR are:

• Article 6(1)(b) — performance of a contract: preparing and submitting your Modelo 210 on your behalf pursuant to the Professional Engagement Letter you signed electronically.
• Article 6(1)(c) — legal obligation: compliance with Spanish tax law (TRLIRNR, RDL 5/2004 Art. 5), ICALI deontological obligations (Art. 23 client funds), and AEAT Tax Authority Collaborator regulations.
• Article 6(1)(f) — legitimate interest: using internal productivity tools to process documents you upload, so our lawyer can review filings faster and more accurately. Your interests prevail: you can always opt out by filling fields manually instead of uploading documents, and our lawyer cross-checks every filing against your original documents before signing.
• Article 6(1)(a) — consent: only for non-essential cookies (analytics, marketing) and optional marketing communications. Consent is freely given and revocable at any time.

5. Automated decisions

The documents you upload are processed internally by our teamto prepare your Modelo 210. This processing is not customer-facing — you don't interact with it in the wizard.

There is no automated decision-making with legal or significant effects on you (Article 22 GDPR). Every Modelo 210 we file is reviewed and signed by a qualified, licensed Spanish lawyer (Juan Bertomeu Vallés, ICALI #4643) who cross-checks our findings against your original documents before electronic signature and submission to AEAT.

You have the right to receive meaningful information about the logic of any automated processing we apply (Article 13(2)(f) GDPR). If you want details, contact our DPO at dpo@expatabogados.com.

6. Who we share your data with

We share your personal data only with:

• The Spanish Tax Authority (AEAT) — when we file your Modelo 210 on your behalf. This is required to deliver our service and is your tax obligation under Spanish law.
• Trusted service providers (processors) who help us deliver Easy210Spain, listed below. Each is bound by a Data Processing Agreement (Article 28 GDPR):
  • Supabase Inc. — database, authentication, and document storage (EU region: Frankfurt, Germany)
  • Vercel Inc. — website hosting (EU edge nodes preferred)
  • Document-processing technology providers — tools that assist our staff with the documents you upload (EU infrastructure, no training on your data)
  • Stripe Payments Europe Ltd. — payment processing (Ireland)
  • Resend.com Inc. — transactional email delivery (EU residency)
  • Google Cloud Platform — encryption key management (europe-west1, Spain)
  • Google Workspace (Google LLC) — corporate email (configurable EU residency)
  • Sentry GmbH — error monitoring (Germany region: de.sentry.io)
  • PostHog Inc. — product analytics (EU region: eu.i.posthog.com)
  • CaixaBank S.A.— Spanish bank custody of client funds (Art. 23 ICALI code of conduct), only if you choose the "Bank Transfer Managed" payment option
  • Brevo SAS — email marketing automation (sequences, lead capture, landing pages), French headquarters with EU data processing in Belgium (GCP). EU-EU processing, no Cloud Act exposure. Only used after you opt in to marketing communications.
  • Attio Plc — CRM platform for managing customer relationships across the Easy Legal Group products. London, UK (covered by the UK Adequacy Decision EU-UK 2021). Activated when we begin lead capture operations.
  • n8n GmbH (n8n Cloud) — workflow orchestration platform connecting our internal systems (Supabase ↔ Brevo ↔ Attio ↔ Stripe ↔ PostHog). Berlin, Germany — EU-EU processing.
  • Holded (Suma) — accounting and tax compliance software (Spanish models 303, 349, 111, 190, 200, 347). Madrid, Spain. Activated when our Spanish Limited Liability Company is incorporated (July 2026).
• Legal authorities — only when required by Spanish or EU law (court order, AEPD inspection, etc.).

We do not sell your data. We do not share your data with advertisers, data brokers, or marketing platforms without your explicit consent.

6.1. Meta Custom Audiences — Separate explicit consent

We may share your hashed email and phone number (SHA-256, irreversible) with Meta Platforms Inc. (USA, under the EU-U.S. Data Privacy Framework) for personalised advertising on Facebook and Instagram via Custom Audiences — only if you have given separate explicit consent for this purpose (not bundled with the email marketing opt-in).

Joint controllership (Article 26 GDPR): for the upload and matching phase, Expat Abogados and Meta act as joint controllers. The joint controller arrangement (Meta Custom Audiences Terms + Controller Addendum) is available on request via dpo@expatabogados.com.

Withdrawal: you may withdraw this consent at any time. Removal from Meta Custom Audiences is processed within 48 hours. Withdrawal channels:

• Email: privacy@easylegalspain.com
• Account settings (when launched): easylegalspain.com/hub/settings/privacy
• Cookie banner reset: footer "Cookie settings" link

Legal basis: Article 6.1.a GDPR (explicit consent) + Article 26 GDPR (joint controllership). Standard set by CJEU Fashion ID (C-40/17, 29 July 2019) + EDPB Guidelines 8/2020 v2.1.

6.2. Email communications — Two distinct types

We send two clearly differentiated types of email communications:

Stream A — Operational service emails (no opt-in required):

• Payment receipts and welcome emails
• Case status updates
• Mid-process notifications
• Deadline early warnings (e.g. Form 210 December 31)
• Yearly renewal nudges (same product you contracted)

Legal basis: Article 6.1.b GDPR (contract performance) + Article 21.2 LSSI-CE (existing customer + same product) for renewal notices. Each renewal email includes a one-click unsubscribe.

Stream B — Educational emails (opt-in required):

• Topic-specific guides (Beckham law, NIE, wills, etc.)
• Legal updates relevant to your declared interests
• Maximum 1-2 emails per month per topic
• One-click unsubscribe per topic or globally (RFC 8058)

Legal basis: Article 6.1.a GDPR (explicit consent, granular per topic).

7. International data transfers

We prioritize processors with EU data residency. Where a processor has parent operations outside the EU (e.g., USA), the transfer is covered by one of the legitimate mechanisms in Chapter V GDPR:

• EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
• EU-US Data Privacy Framework (DPF) where applicable
• Contractual EU residency commitments for processing

Your filing data, documents, and identity information are processed in EU infrastructure (Frankfurt, Spain, Ireland, Germany). They do not leave the EU.

8. How long we keep your data

• Account data: while you have an active account + 4 years after last use
• Modelo 210 filings and supporting documents: 6 years (4 years tax prescription + 2 years safety margin — Spanish General Tax Law Art. 66)
• Audit logs of internal processing: 6 years
• Bank data (encrypted IBAN): while contract runs + 4 years (legal obligation), revocable on request subject to tax law
• Customer support communications: 2 years from last interaction
• Marketing email subscriptions: until you unsubscribe, or 4 years of inactivity
• Essential cookies: max 13 months (Spanish LSSI-CE limit)
• Analytics / marketing cookies: based on your consent, max 24 months
• Consent records: 6 years (legal proof of compliance)

9. How we protect your data

• Encryption in transit: TLS 1.3 across all services
• Encryption at rest: AES-256 (Google Cloud KMS, europe-west1) for IBANs and other sensitive fields
• Row Level Security (RLS): applied to all database tables containing personal data
• Two-factor authentication (2FA): required for all staff and administrator accounts
• Role-based access: users can only access their own data; staff access only assigned cases
• Immutable audit logs for every cross-checking, consent, and review action
• Encrypted automatic backups with point-in-time recovery
• Regular staff training on data protection
• Documented incident response plan (72-hour notification to AEPD if required)

10. Your rights under GDPR

You have the following rights regarding your personal data:

• Access (Art. 15) — request a copy of all data we hold about you
• Rectification (Art. 16) — request correction of inaccurate data
• Erasure (Art. 17) — request deletion of your data (subject to legal tax retention obligations — we will tell you precisely what we can and cannot delete)
• Restriction (Art. 18) — request that we temporarily stop processing
• Objection (Art. 21) — object to our processing in certain situations
• Portability (Art. 20) — receive your data in a structured, machine-readable format
• Withdraw consent for any processing based on consent — without affecting prior lawful processing
• Lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es if you believe we have not handled your data correctly

To exercise any right, email dpo@expatabogados.com with your NIE/NIF + identity verification + the right you wish to exercise. We will respond within 1 month (extendable by 2 months for complex requests, with notification).

11. Cookies

See our Cookie Policy for detailed information on the cookies and similar technologies we use, and how to manage your preferences.

12. Children

Easy210Spain is intended for adult property owners only. We do not knowingly collect data from anyone under 18.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users. The effective date is shown at the top of this page.

14. Governing law and competent jurisdiction

This Privacy Policy is governed by Spanish law (GDPR + LOPDGDD — Organic Law 3/2018). Disputes are subject to the competent courts of Alicante, Spain — subject to any consumer law provisions that may apply if you are a consumer resident in another EU member state.