Privacy Policy

1. Data Controller’s Details

Company: AFORI SOLUTIONS S.L. (“Company” or “Controller”)

Tax ID: B21761960

Address: PLAZA GAL·LA PLACIDIA, 1-3, 08006 Barcelona, Spain

Email for communications regarding data protection: help@a4i.ai

1.1 Applicable Regulations:

This Privacy Policy has been prepared in accordance with current data protection regulations, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, GDPR), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

  • As well as any other complementary or future regulations.

By providing us with your personal data, the user declares that they have read and understood this Privacy Policy and gives their free, specific, informed, and unequivocal consent for the processing of such data, in accordance with the purposes described.

The company may update or modify this Privacy Policy to adapt it to new legislative or jurisprudential requirements or criteria issued by the Spanish Data Protection Agency (AEPD) or other competent supervisory authorities.

Likewise, this Policy may be supplemented by the Legal Notice, the Cookie Policy, and/or the General Terms and Conditions applicable to certain products or services, when access to such information involves specific requirements regarding the processing of personal data.

In any case, we will ensure that the user is duly informed of any changes that affect their rights or the way we process their personal data.

1.2. Data Protection Officer

AUDINNOVA, S.L., with Tax Identification Number (NIF) B25644543 and registered office at CRISTOFOL DE BOLEDA, 16, 25006 - LLEIDA, LLEIDA (SPAIN). The contact telephone number is +34 973122795 and the email address is DPO@2-CARE.ES.

2. PURPOSE OF PROCESSING PERSONAL DATA

  • Manage user access and authentication, enabling the creation and administration of accounts for users and their organizations.

  • Provide support services for insurance brokerage activities, including policy analysis, search, and comparison, as well as the generation of proposals, reports, and drafts using artificial intelligence systems under human supervision.

  • Facilitate broker client management by maintaining records of policyholders, policies, insured assets, claims, and communications through the integrated CRM module.

  • Automate the classification and processing of communications, enabling the organization of emails and attachments and their conversion into cases, tasks, or client records.

  • Assist brokers through specialized AI agents, providing email drafts, checklists, comparisons, and other case management support tools.

  • Manage administrative, accounting, and billing processes, including the processing of payments and subscriptions through accredited third-party providers.

  • Maintain the security and proper functioning of the platform through audit logs, access control, and fraud prevention measures.

Under no circumstances will the data be used for purposes other than those described. Specifically, the data will not be used to train external artificial intelligence models unless the data subject's express and informed consent has been obtained in advance.

2.1. Retention and storage of your data

Personal data is stored and processed on secure servers located in the European Union, provided by Amazon Web Services (AWS), ensuring that processing is carried out in accordance with the security and data protection standards applicable in the European Economic Area (EEA).

In addition, for certain functionalities related to user authentication and access management (login, session management, and identity verification), data may be processed and stored by our service provider, Clerk, whose servers are located in the United States. These transfers are carried out in accordance with the safeguards set forth in the EU-US Data Privacy Framework (Adequacy Decision, July 10, 2023), ensuring an adequate level of protection for personal data equivalent to that in the EEA.

Your personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected. Once these purposes have been achieved, the data will be deleted or blocked, unless a longer retention period is required by European or national regulations.

Where applicable laws establish specific retention periods (for example, for tax, commercial, or administrative liability purposes), data will remain duly blocked and protected until the expiration of those periods, after which it will be securely deleted in accordance with applicable regulations.

3. Legal Basis & Collected Data

The processing of your personal data by AFORI SOLUTIONS S.L. is carried out in accordance with the following legal bases:

  • Performance of a contract (Art. 6.1.b GDPR): processing is necessary for the provision of the services contracted by users and their organizations, which includes user authentication, customer and policy management, insurance analysis and comparison using artificial intelligence systems, as well as incident and claim handling.

  • Compliance with legal obligations (Art. 6.1.c GDPR): certain processing may be necessary to meet legal, tax, accounting, or regulatory requirements applicable to the insurance sector or to billing and payment services.

  • Legitimate interest (Art. 6.1.f GDPR): AFORI SOLUTIONS S.L. may process minimum data for security purposes, access control, fraud prevention, and service improvement, always ensuring that the rights and freedoms of data subjects prevail.

  • Explicit consent (Articles 6.1.a and 9.2.a GDPR): In cases where special categories of data are processed (for example, health data included in insurance claims or identity documents), processing will be based on the data subject's express and informed consent or on the exceptions provided for in Article 9 of the GDPR.

Under no circumstances will personal data be used for purposes incompatible with those described. In particular, the data will not be used to train external artificial intelligence models without obtaining prior express and informed consent.

3.1. Consent to process your data

By entering their email address or other requested information in the corresponding form and clicking “I accept the Privacy Policy,” the User declares that they have read and accepted this Privacy Policy, thereby giving their express and unequivocal consent for their personal data to be processed for the purposes of:

  • Managing their registration on the waiting list or newsletter.

  • Arranging and managing meetings or demonstrations with our team.

  • Enabling access to and use of the platform’s services and tools.

  • Receiving communications related to their registration, booked meetings, and updates about the launch or operation of the services.

Any communications regarding User registration, meeting reservations, updates on the launch or operation of the services, or marketing and promotional content will only be sent when the User has provided their prior and explicit consent, in accordance with applicable data protection and electronic communications regulations.

3.2. Data Categories

The data collected falls under the category of identifying data, such as:

  • Basic personal data (identification and contact information).

  • Professional and contractual data (policies, insurance, claims).

  • Communication data (emails, attachments).

  • Financial data (payments, billing).

  • Sensitive data in some cases (health, identity documents, financial information on claims).

  • Technical data (logs, tokens, telemetry).

4. Security Measures

In compliance with Article 32 of Regulation (EU) 2016/679 (GDPR) and consistent with our commitment to protecting user privacy, we have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures seek to preserve the confidentiality, integrity, and availability of personal data and are applied based on the state of the art, the nature of the information processed, and potential risks.

These measures include, among others, access control mechanisms, password management, data encryption, regular backups, incident detection and response procedures, as well as internal confidentiality policies and staff training.

Our goal is to prevent unauthorized access, improper alteration, accidental loss, or destruction of personal data, always maintaining the highest possible protection.

5. Data Transfer

Personal data will not be transferred to third parties, except when necessary for the proper provision of our services or due to legal obligation.

For the operation of the platform, data is communicated to technology providers, who act as data processors in accordance with Article 28 of the GDPR. All data processors offer adequate safeguards for the protection of personal data.

In certain cases, personal data may be subject to international transfers resulting from the use of technological services or cloud storage provided by entities located outside the European Economic Area (EEA).

Under no circumstances will data be transferred to countries that do not guarantee an adequate level of protection, in accordance with the provisions of Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), and Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

International data transfers will only be carried out when:

There is an adequacy decision by the European Commission recognizing the country, territory, or sector as having a level of protection comparable to that of the European Union and, therefore, it is authorized by the Spanish Data Protection Agency (AEPD).

6. User Rights

Any data subject has the right to obtain confirmation as to whether or not we are processing personal data that concerns them. Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, data subjects may request the restriction of the processing of their data, in which case we will only retain it for the exercise or defense of legal claims. For reasons related to their particular situation, data subjects may object to the processing of their data. The Data Controller will cease processing the data, except for compelling legitimate reasons, or for the exercise or defense of potential legal claims.


| Right | What it entails | Retention Period |
| --- | --- | --- |
| Access | Request confirmation of whether we process your data and, where appropriate, obtain a copy of it | For as long as the data is retained. |
| Rectification | Request the modification of inaccurate or incomplete data | For as long as the data is retained. |
| Deletion ("right to be forgotten") | Request the deletion of your data when it is no longer necessary, you withdraw your consent, or there are other legitimate reasons | This is executed upon request, unless there is a legal retention obligation. |
| Restriction of processing | Request that your data be retained solely for the exercise or defense of legal claims. | For the duration of the restriction period requested or legally granted. |
| Objection | Object to the processing of your data for reasons related to your particular situation, provided it is based on legitimate interest or a mission of public interest | While the alleged reason exists; they are blocked unless there is an overriding legitimate interest or defense of legal claims. |
| Portability | Receive your data in a structured, commonly used, and machine-readable format, or request that it be transmitted to another controller | This applies to data processed based on consent or contract, for as long as it is retained. |
| Withdrawal of consent | Withdraw the consent given at any time, without affecting the lawfulness of the previous processing | As soon as it is withdrawn, the associated data will be deleted unless there is a legal retention obligation. |
| Complaint | File a complaint with the Spanish Data Protection Agency | There is no deadline: you can exercise it at any time. |


6.1 How to exercise my right?

To exercise your rights, you must contact the data controller and request the corresponding form for exercising your chosen right. Optionally, you can contact the competent Supervisory Authority to obtain additional information about your rights. Contact information for exercising your rights can be found at the following email address: help@a4i.ai. Remember to include a copy of a document that allows us to identify you.

7. CONSENT TO SEND ELECTRONIC COMMUNICATIONS

Likewise, and in accordance with the provisions of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce, by completing the data collection form and by checking the corresponding box "I agree to receive electronic communications", you are giving your express consent for information about the Company to be sent to your email address, telephone number, fax or other electronic means.

8. USE OF ARTIFICIAL INTELLIGENCE BY THE CONTROLLER

Our Platform integrates artificial intelligence (AI) systems designed to assist users in their professional work. Specifically, AI is used to:

  • Analyze policies and perform insurance comparisons.

  • Classify emails and attachments to generate cases or tasks in the system.

  • Provide draft communications, checklists, and other support for customer and claims management.

These systems operate based on models hosted on servers located in the European Union, and data is not shared with external AI providers or used to retrain external models.

Decisions derived from the use of AI are neither automatic nor binding: the user is constantly able to monitor the AI agents' actions and can validate the final decision.

The personal data processed by AI systems is limited to the information necessary to provide the services described (for example, policies, claims, or communications managed on the platform). Under no circumstances is it used for purposes other than those reported.

In compliance with data protection regulations and Regulation (EU) 2024/1689 on Artificial Intelligence, users are expressly informed that they are interacting with an AI system and that they retain their rights at all times, including the right to request human intervention, to express their point of view, and to challenge decisions made with the support of such systems.

9. PERSONAL DATA PROCESSING ORDER (Article 28 GDPR)

For the purposes of Article 28 of Regulation (EU) 2016/679, it is established that:

  1. Data Controller: the users, who enter the personal data of their clients (insured parties) into the AFORI SOLUTIONS S.L. platform for the purpose of managing policies, claims, communications, and complaints.

  2. Data Processor: the Data Controller, who will process the personal data exclusively following the documented instructions of the data controller and solely for the provision of the contracted services, and under no circumstances may use them for its own purposes.

  3. Obligations of AFORI SOLUTIONS S.L. as data processor:

  • Process the data only in accordance with the instructions of the data controller, including those regarding international data transfers.

  • Ensure that the persons authorized to process personal data have agreed to respect confidentiality.

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

  • Assist the controller, to the extent possible, in fulfilling its obligations to respond to requests from data subjects to exercise their rights (access, rectification, erasure, objection, restriction, portability).

  • Assist the controller in ensuring compliance with security obligations, breach notification, and impact assessments when necessary.

  • Delete or return all personal data to the controller once the service provision ends, except for legal retention obligations.

  • Make available to the controller the information necessary to demonstrate compliance with its obligations and allow for reasonable audits, whether carried out by the controller or by an authorized auditor.

4. Subprocessors: The controller authorizes AFORI SOLUTIONS S.L. to use certain suppliers who act as subprocessors, including:

AFORI SOLUTIONS S.L. will ensure that said subprocessors comply with the obligations established in this clause and in Article 28 of the GDPR.

5. Liability: The users, as data controllers, will be solely responsible for ensuring that they have an adequate legal basis for processing their clients' personal data and for complying with their obligations to provide information and safeguard rights. AFORI SOLUTIONS S.L. will not be liable to data subjects for the obligations incumbent on the data controller, without prejudice to its responsibilities in its capacity as data processor.

© 2025 Afori Solutions SLU. All rights reserved.