Transparency and compliance
Privacy Policy
In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), we inform you about the processing of your personal data.
Last updated: April 2026
Data controller
In accordance with Articles 13 and 14 of the GDPR, we provide you with the following information regarding the controller of your personal data:
- Identity: Felipe Roberto Sastre Botella (self-employed), trading under the name Sastre Law Firm
- Tax ID (CIF/NIF): 28993407K
- Professional address: Calle del Marqués de Campo, 45, 2nd Floor, Door D, 03700 Dénia, Alicante, Spain
- Phone: 669315750
- Email: info@sastrelawfirm.com
- Privacy / DPO contact: No Data Protection Officer (DPO) has been appointed. For any privacy-related matter, you may contact us at info@sastrelawfirm.com
Data we collect, purposes and legal basis
Contact form
Data collected: first name and surname, email address, telephone number (optional), selected practice area, and message content.
Purpose: to handle and manage your enquiry or request for information, to contact you in response, and where appropriate, to begin a professional services relationship.
Legal basis: data subject consent (Art. 6.1.a GDPR), expressed by ticking the box accepting this Privacy Policy; and performance of pre-contractual measures requested by the data subject (Art. 6.1.b GDPR).
Legal services relationship
Data collected: identification data (first name, surname, ID/NIE/passport), contact data (postal address, email, telephone), and any other data necessary to provide the contracted legal service.
Purpose: management and performance of the legal services agreement, maintenance of the contractual relationship, invoicing, and compliance with legal obligations arising from the professional relationship.
Legal basis: contract performance (Art. 6.1.b GDPR) and compliance with legal obligations (Art. 6.1.c GDPR), including tax rules, anti-money-laundering regulations, and legal profession rules.
Data processing in judicial proceedings
In the context of legal defense and representation of interests in files and judicial or administrative proceedings, categories of specially protected data under the GDPR may be processed (including, where necessary for the case, data relating to health, personal circumstances, or information on offences and convictions).
This processing is carried out based on performance of the professional relationship (Art. 6.1.b GDPR), compliance with legal obligations applicable to legal practice (Art. 6.1.c GDPR), and where applicable, for reasons of substantial public interest and for the establishment, exercise or defense of legal claims, in accordance with Arts. 9.2 and 10 GDPR and applicable national law.
Processing of this information is strictly limited to what is necessary for the proper provision of legal services, applying enhanced confidentiality and security measures.
Website browsing
Data collected: IP address, browser type, operating system, pages visited, date and time of access, and technical connection data.
Purpose: to ensure the technical operation of the website, server security, and service improvement.
Legal basis: legitimate interest of the controller (Art. 6.1.f GDPR) in maintaining website security and operability.
Sending emails
Data processed: sender email address and message content sent through the contact form.
Purpose: management of contact notification emails sent to the firm.
Legal basis: data subject consent (Art. 6.1.a GDPR) and performance of pre-contractual measures (Art. 6.1.b GDPR).
Data recipients
Your personal data will not be disclosed to third parties, except in the following cases:
- Legal obligation: when necessary to comply with a legal obligation (public authorities, courts and tribunals, law enforcement bodies).
- Defense of your interests: when strictly necessary to provide contracted legal services (court representatives, expert witnesses, notaries, public registries, or other professionals involved).
- Data processors: service providers acting on behalf of Sastre Law Firm that need access to data to perform the service, with whom the corresponding data processing agreements have been entered into in accordance with Art. 28 GDPR. In particular:
| Provider | Service | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting and CDN | U.S. / Global |
| Resend, Inc. | Sending contact form emails | U.S. |
International data transfers
The service providers indicated above (Cloudflare and Resend) may process personal data on servers located outside the European Economic Area, particularly in the United States. These transfers are covered by the following appropriate safeguards under Chapter V GDPR:
- The EU-U.S. Data Privacy Framework, adequacy decision of the European Commission of 10 July 2023, for participating providers.
- Standard Contractual Clauses approved by the European Commission (Implementing Decision 2021/914), where applicable.
You may request additional information about the safeguards applied to international transfers by contacting info@sastrelawfirm.com.
Retention periods
Personal data will be retained for the time necessary to fulfill the purpose for which it was collected and, in any case, for the applicable legal periods:
- Enquiries (contact form): data will be retained while necessary to handle your enquiry and, once resolved, for a maximum period of 1 year unless it leads to a contractual relationship.
- Contractual relationship: for the duration of the professional relationship and, subsequently, for the legal limitation periods for claims (5 years under Art. 1964 of the Spanish Civil Code, or specific applicable periods).
- Tax obligations: 4 years under the Spanish General Tax Law.
- Anti-money laundering: 10 years under Law 10/2010.
- Technical browsing data (logs, IP addresses): a maximum period of 90 days from collection, unless retention is necessary for managing a security incident or complying with a legal obligation.
After these periods, data will be deleted or, where applicable, blocked in accordance with Art. 32 of the LOPDGDD.
Your rights
In accordance with Articles 15 to 22 GDPR and Articles 12 to 18 of the LOPDGDD, you have the following rights:
Access (Art. 15 GDPR)
The right to obtain confirmation as to whether or not your personal data is being processed and, where that is the case, to access the data and information about the processing.
Rectification (Art. 16 GDPR)
The right to obtain the rectification of inaccurate personal data concerning you, or to have incomplete data completed.
Erasure (Art. 17 GDPR)
The right to obtain the erasure of your personal data when, among other reasons, it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
Restriction (Art. 18 GDPR)
The right to obtain restriction of processing of your data in certain circumstances provided for by law.
Portability (Art. 20 GDPR)
The right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
Objection (Art. 21 GDPR)
The right to object to processing of your personal data, including profiling, in certain circumstances. The controller will cease processing, unless there are compelling legitimate grounds.
Not to be subject to automated decisions (Art. 22 GDPR)
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects. Sastre Law Firm does not carry out automated decision-making.
Withdrawal of consent
Where processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
How to exercise your rights
You may exercise your rights by sending a written communication to Sastre Law Firm, to the postal address indicated or by email to info@sastrelawfirm.com, indicating:
- Your identity (first name, surname, and a copy of your ID/NIE or equivalent document).
- The right you wish to exercise.
- Address for notification purposes.
We will respond within a maximum period of one month from receipt of the request, unless due to complexity or number of requests it is necessary to extend that period by two additional months, in accordance with Art. 12.3 GDPR.
Complaint to the supervisory authority
If you consider that the processing of your personal data breaches current regulations, you have the right to lodge a complaint with the competent supervisory authority:
Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6 · 28001 Madrid
Electronic office: www.aepd.es
Phone: 900 293 183 (toll-free)
However, before contacting the supervisory authority, we kindly ask that you contact us first so we can try to resolve any issue related to the processing of your data.
Security measures
In accordance with current data protection legislation, Sastre Law Firm has adopted the technical and organizational measures necessary to guarantee the security of personal data and prevent unauthorized alteration, loss, processing, or access, taking into account the state of the art, the nature of the data stored, and the risks to which it is exposed.
These measures include, among others, encrypted communication protocols (HTTPS/TLS), restricted access controls, periodic backups, and system security reviews.
Use of cookies
For detailed information about cookies and similar technologies used on this website, please consult our Cookie Policy.
Mandatory or optional nature of data
In the contact form, fields marked as mandatory are necessary to process your request. Refusal to provide such data will prevent us from managing your enquiry. Data marked as optional may be provided voluntarily by the user to improve the service provided.
The user guarantees that the personal data provided is truthful, accurate, complete and up to date, and is responsible for any direct or indirect damage that may arise from breach of this obligation. If the user provides third-party data, the user guarantees that they have informed those third parties and obtained authorization to provide their data for the stated purposes.
Do you have any questions about your privacy?
Our legal team is available to clarify any aspect related to the processing of your personal information.
Contact privacy arrow_forward
You can also write to us through our contact page.