Legal document
Privacy Policy.
This policy describes how Next Capital and SEFIDE, in their capacity as joint data controllers, collect and process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Ley Orgánica 3/2018, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
01Data controllers
The processing of your personal data is carried out under a regime of joint controllership between:
- Next Capital — NEXT CAPITAL SOLUTIONS, S.L., with registered office at Avenida la Estación, 5, entresuelo, puerta 1-7, 03003 Alicante (Spain), N.I.F. B-88766142. It is responsible for the initial onboarding of the Client, the operation of the Platform and the functioning of the Agent Pay agent.
- SEFIDE E.D.E., S.L.U. — an electronic money institution authorised by the Banco de España. It is responsible for the processing arising from the actual provision of the electronic money services, as well as the associated regulatory obligations.
Both entities have entered into the joint controllership arrangement provided for in Article 26 of the GDPR. You may request a summary of this arrangement by writing to the Data Protection Officer.
02Data Protection Officer (DPO)
The Data Protection Officer is available at the email address info@nextcapital.es. You may contact them regarding any matter relating to the processing of your data.
03Data we process
Within the framework of the contractual and pre-contractual relationship, we process the following categories of data:
- Identification data: first name, surname, DNI or equivalent document, date and place of birth, nationality, gender, signature.
- Contact data: postal address, email, telephone.
- Biometric data: facial image and verification video during onboarding. These data are used exclusively for identity verification and are retained under the terms of the eIDAS Regulation and the prevention of money laundering regulations.
- Economic and financial data: IBAN, transactions, balances, operations, information on the source of funds where applicable, professional situation.
- Conduct data and conversations with the Agent Pay agent: messages exchanged, commands, confirmations and preference settings.
- Technical data: IP address, device identifier, session data, audit logs.
- Data relating to communities or shared accounts: where applicable, data of the other holders, authorised signatories or members of the community, to the extent strictly necessary.
04Purposes and legal bases of the processing
| Purpose | Legal basis |
|---|---|
| Management of the onboarding process and identity verification (KYC/KYB). | Performance of pre-contractual measures (Art. 6.1.b GDPR) and legal obligation (Ley 10/2010 PBC/FT). |
| Provision of the contracted electronic money services. | Performance of the contract (Art. 6.1.b GDPR). |
| Functioning of the Agent Pay agent and its operational controls. | Performance of the contract (Art. 6.1.b GDPR). |
| Compliance with regulatory obligations (prevention of money laundering, reporting to the Banco de España and to SEPBLAC, taxation). | Legal obligation (Art. 6.1.c GDPR). |
| Fraud prevention and detection. | Legitimate interest (Art. 6.1.f GDPR) and legal obligation where applicable. |
| Customer support and complaint handling. | Performance of the contract and legal obligation. |
| Commercial communications about Next Capital's own products, unless you object. | Legitimate interest (Art. 6.1.f GDPR), revocable at any time. |
| Service improvement through anonymised statistical analysis. | Legitimate interest (Art. 6.1.f GDPR). |
05Automated decisions and profiling
The Agent Pay service incorporates automated decisions in a broad sense. Actions of the agent that may have legal or significant effects on you —in particular, payment transactions— require your express confirmation in accordance with Article 22 of the GDPR, unless you have authorised us in writing through a specific and revocable mandate.
We use profiles for fraud prevention, automatic categorisation of transactions and personalisation of the agent's behaviour. You may object to these processing activities by contacting the DPO, without prejudice to the maintenance of those profiles necessary for compliance with legal obligations (for example, anti-fraud control).
06Retention periods
We retain your data for the duration of the contractual relationship and, once it has ended, for the periods legally required:
- Payment transaction data: 10 years, in accordance with Ley 10/2010.
- Tax documentation: 4 years, in accordance with the General Tax Law.
- Contractual data and complaints: until the limitation period for the corresponding civil and administrative actions.
- Biometric data: only during the verification process and thereafter only the result and proof of the KYC.
- Conversations with the agent: while the account is active and until the legal retention period for transactions; the conversational content may be anonymised beforehand for statistical purposes.
07Recipients and data processors
Your data may be disclosed to the following categories of recipients, where there is a legal basis:
- SEFIDE E.D.E., S.L.U. — as joint controller.
- Banca March, S.A. — as agent bank in the payment operations.
- Banco Inversis, S.A. — as custodian bank of the funds.
- Banco de España, SEPBLAC, Agencia Tributaria and other authorities in compliance with legal obligations.
- KYC/KYB providers, card networks, payment processors, communication providers.
- Technology infrastructure providers in the European Union, bound by a processing agreement in accordance with Article 28 of the GDPR.
- Artificial intelligence model providers, bound by contract and required to process the data exclusively for the provision of the service, without reuse for training general models.
08International transfers
As a general rule, your data is processed within the European Economic Area. Where, exceptionally, a transfer to a third country were necessary, it will be carried out under an adequacy decision of the European Commission or, failing that, with the additional safeguards provided for in the GDPR (standard contractual clauses). You will always be informed of these transfers.
09Your rights
As a data subject, you have the following rights:
- Access, rectification, erasure, objection and restriction of the processing.
- Portability of the data in a structured, machine-readable format.
- Not to be subject to automated decisions with legal or similar effects, under the terms of Article 22 GDPR.
- To withdraw consent at any time, without affecting the lawfulness of the prior processing.
- To lodge a complaint with the Spanish Data Protection Agency (calle Jorge Juan 6, 28001 Madrid; www.aepd.es) if you consider that your rights have been infringed.
To exercise these rights, write to the DPO at info@nextcapital.es attaching a document proving your identity. We will address your request within a maximum period of one month, extendable to two months where the complexity justifies it.
10Security
We apply appropriate technical and organisational measures to ensure the security of your data, including end-to-end AES-256 encryption of communications, segregation of environments, role-based access control, continuous auditing and periodic adversarial testing of the conversational agent. In the event of a notifiable security breach, we will report it to the AEPD and, where applicable, to those affected, in accordance with Articles 33 and 34 of the GDPR.
11Modification of the policy
We may update this policy to reflect regulatory or service changes. The date of the last update appears at the beginning of the document. Substantial modifications will be communicated to the Client through internal channels before they take effect.