Last updated: 19 May 2026

This Privacy Policy describes the processing of personal data carried out by Fixender in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Data Protection (LOPDGDD).

1. Data controller

  • Identity: Gaspar García Sánchis
  • Spanish Tax ID: 44946948H
  • Address: Calle Palleter 13, 46008 Valencia, Spain
  • Contact email: [email protected]

Fixender is not required to appoint a Data Protection Officer under article 37 GDPR and article 34 LOPDGDD. The controller directly assumes the equivalent functions and handles all requests at the address above.

2. Processing activities, purposes and legal basis

2.1. Publication of professional listings

  • Purpose: publish listings of professionals (self-employed and companies) providing home services in Spain, to help users find them.
  • Data categories: business name or company name, professional phone, postal code, service category, opening hours, own website, and where applicable the public numeric rating obtained from Google Maps.
  • Source: publicly accessible sources (Google Maps, the professional’s own website, public registries) and direct contributions from the professional.
  • Legal basis: legitimate interest (art. 6.1.f GDPR), presumed by art. 19.2 LOPDGDD for data of self-employed persons and liberal professionals referring to them in their professional capacity. For legal persons, processing falls outside the scope of the GDPR under its recital 14.
  • Retention: while the listing remains published and, after removal, for one additional year in blocked form to defend against possible claims (LOPDGDD art. 32).
  • Right to object: the professional may request removal in one click at fixender.com/baja/ or by email to [email protected]. Removal is processed within 72 hours.

2.2. User and professional registration

  • Purpose: manage accounts, authenticate users, allow publication and modification of listings, and send necessary operational communications.
  • Data categories: name, email, phone, preferred language, listing data (for professionals).
  • Legal basis: contract performance (art. 6.1.b GDPR).
  • Retention: while the account is active and, after closure, for the periods required by applicable law.

2.3. WhatsApp messaging with professionals

  • Purpose: allow professionals to claim their listing, receive operational notifications (new leads, reminders) and, with prior explicit consent, promotional communications from Fixender.
  • Data categories: phone number, content of messages exchanged, consents granted and dates.
  • Legal basis: contract performance (operational messages) and explicit consent (promotional messages), in accordance with article 21 LSSI-CE.
  • Processor: WhatsApp Business Platform (Meta Platforms Ireland Ltd). International transfers covered by the Standard Contractual Clauses approved by the European Commission.
  • Withdrawal of consent: the professional can withdraw promotional consent at any time by writing “STOP” to the WhatsApp bot or from fixender.com/baja/.

2.4. Contact forms and unlawful content notifications

  • Purpose: handle the query or notification received.
  • Data categories: name, email, message content.
  • Legal basis: consent and, for DSA notifications, legal obligation (art. 16 Regulation (EU) 2022/2065).
  • Retention: the time needed to handle the query and applicable limitation periods.

2.5. Cookies and web analytics

See the Cookie Policy.

3. Recipients and processors

Fixender shares data only with the following processors, bound by contract under art. 28 GDPR:

  • Hostinger International Ltd. — web hosting and databases (Lithuania, EU).
  • Cloudflare Inc. — content delivery network, DDoS mitigation and security (USA, certified under the EU-US Data Privacy Framework).
  • Google Ireland Ltd. and Google LLC — Google Cloud Platform (Vertex AI for translations and description drafting), Google Analytics 4, Google Tag Manager, Google Search Console and Google Maps Platform.
  • Meta Platforms Ireland Ltd. — WhatsApp Business Platform.
  • OpenAI Ireland Ltd. — fallback provider for occasional translation tasks (residual use, transfers covered by SCC).
  • Backblaze Inc. — encrypted off-site backups (USA, transfers covered by SCC).

Fixender does not sell, rent or share personal data with third parties for purposes other than those described in this Policy.

4. International transfers

Processors based outside the European Economic Area apply the Standard Contractual Clauses approved by the European Commission, together with additional technical measures (encryption in transit and at rest, logical segregation, access controls). Users may request a copy of the applicable safeguards by writing to [email protected].

5. Automated decisions and algorithmic processing

Fixender uses artificial intelligence models (Google Cloud Vertex AI) for content translation into several languages and for drafting factual listing descriptions based on the professional’s own public website. These processes do not produce automated decisions with legal effects on the data subject within the meaning of art. 22 GDPR: listings are published, modified and removed under human decision.

6. Data subject rights

Under articles 15 to 22 GDPR, the data subject may exercise the following rights:

  • Access to personal data.
  • Rectification of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”).
  • Restriction of processing.
  • Data portability.
  • Objection to processing, in particular processing based on legitimate interest.
  • Not to be subject to automated decisions producing legal effects.
  • Withdrawal of consent at any time, without affecting the lawfulness of prior processing.

These rights may be exercised:

Data subjects have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es, especially if they consider that their rights have not been satisfactorily addressed.

7. Security

Fixender applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with art. 32 GDPR: TLS encryption, enforced multi-factor authentication for administrators, role-based access control, audit logs, encrypted off-site backups and periodic review of measures.

8. Minors

The site is not directed at children under 14 and does not knowingly collect data from minors. If registration of a minor without consent of the holder of parental authority is detected, the account will be deleted (LOPDGDD art. 7).

9. Changes

This Policy may be amended to reflect regulatory or processing changes. The version in force is the one published here with its update date. Substantial changes will be notified to registered users by email at least 15 days in advance.