Privacy Policy.

01Data controllers

The processing of your personal data is carried out under a regime of joint controllership between:

Both entities have entered into the joint controllership arrangement provided for in Article 26 of the GDPR. You may request a summary of this arrangement by writing to the Data Protection Officer.

02Data Protection Officer (DPO)

The Data Protection Officer is available at the email address info@nextcapital.es. You may contact them regarding any matter relating to the processing of your data.

03Data we process

Within the framework of the contractual and pre-contractual relationship, we process the following categories of data:

04Purposes and legal bases of the processing

Purpose Legal basis
Management of the onboarding process and identity verification (KYC/KYB). Performance of pre-contractual measures (Art. 6.1.b GDPR) and legal obligation (Ley 10/2010 PBC/FT).
Provision of the contracted electronic money services. Performance of the contract (Art. 6.1.b GDPR).
Functioning of the Agent Pay agent and its operational controls. Performance of the contract (Art. 6.1.b GDPR).
Compliance with regulatory obligations (prevention of money laundering, reporting to the Banco de España and to SEPBLAC, taxation). Legal obligation (Art. 6.1.c GDPR).
Fraud prevention and detection. Legitimate interest (Art. 6.1.f GDPR) and legal obligation where applicable.
Customer support and complaint handling. Performance of the contract and legal obligation.
Commercial communications about Next Capital's own products, unless you object. Legitimate interest (Art. 6.1.f GDPR), revocable at any time.
Service improvement through anonymised statistical analysis. Legitimate interest (Art. 6.1.f GDPR).

05Automated decisions and profiling

The Agent Pay service incorporates automated decisions in a broad sense. Actions of the agent that may have legal or significant effects on you —in particular, payment transactions— require your express confirmation in accordance with Article 22 of the GDPR, unless you have authorised us in writing through a specific and revocable mandate.

We use profiles for fraud prevention, automatic categorisation of transactions and personalisation of the agent's behaviour. You may object to these processing activities by contacting the DPO, without prejudice to the maintenance of those profiles necessary for compliance with legal obligations (for example, anti-fraud control).

06Retention periods

We retain your data for the duration of the contractual relationship and, once it has ended, for the periods legally required:

07Recipients and data processors

Your data may be disclosed to the following categories of recipients, where there is a legal basis:

08International transfers

As a general rule, your data is processed within the European Economic Area. Where, exceptionally, a transfer to a third country were necessary, it will be carried out under an adequacy decision of the European Commission or, failing that, with the additional safeguards provided for in the GDPR (standard contractual clauses). You will always be informed of these transfers.

09Your rights

As a data subject, you have the following rights:

To exercise these rights, write to the DPO at info@nextcapital.es attaching a document proving your identity. We will address your request within a maximum period of one month, extendable to two months where the complexity justifies it.

10Security

We apply appropriate technical and organisational measures to ensure the security of your data, including end-to-end AES-256 encryption of communications, segregation of environments, role-based access control, continuous auditing and periodic adversarial testing of the conversational agent. In the event of a notifiable security breach, we will report it to the AEPD and, where applicable, to those affected, in accordance with Articles 33 and 34 of the GDPR.

11Modification of the policy

We may update this policy to reflect regulatory or service changes. The date of the last update appears at the beginning of the document. Substantial modifications will be communicated to the Client through internal channels before they take effect.