SOCIALO Privacy Policy
1. Introduction
At SOCIALO we work to offer users the best possible experience through our mobile application. In some cases, it is necessary to collect information in order to achieve that objective.
Therefore, pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (hereinafter, the “GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Ley Orgánica 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter, the “LOPDGDD”), SOCIALO, S.L. informs users about the processing of their personal data in accordance with this policy.
This privacy policy is available both within the application itself and in the application stores (App Store, Google Play), so that it can be consulted before installing the application or at any time during its use.
2. Data Controller
The SOCIALO application is used by two types of users with differentiated roles in terms of data protection:
a) Organisations (university halls of residence, institutions, communities): They are the data controllers of the personal data of their members (students, residents, etc.). SOCIALO acts as a data processor on behalf of such organisations, in accordance with Article 28 of the GDPR.
b) End users (students, residents, members): Their personal data are processed under the responsibility of their respective organisation. SOCIALO processes such data following the instructions of the organisation concerned.
SOCIALO's details as data processor:
- Company name: SOCIALO, S.L.
- Address: Paseo de la Castellana, 194, Bajo B, 28046 Madrid, Spain
- NIF: B26602979
- Email: dpo@socialo.live
SOCIALO has appointed a Data Protection Officer (DPO) within its organisation. For any enquiry relating to the processing of your personal data, you may contact us at the email address indicated above or approach the data controller of your organisation.
3. Collection of Personal Data and Processing Thereof
3.1. Categories of Personal Data
The categories of personal data that may be processed within the application, to the extent enabled by your organisation, are described below:
a) Identification data: First name, surname, identity document (DNI, NIE, passport or other identification document), photograph.
b) Contact data: Email address (personal and institutional), mobile and landline telephone numbers, postal address, professional social-network profiles.
c) Organisational-context data: Academic, professional or contextual information relevant to the community (for example: degree programme, institution, department, professional area, specialisation, position, role or function within the organisation).
d) Location or assignment data: Location, assigned space or membership information within the organisation (for example: room number, building, office, area, section, group, team or unit), dates of incorporation and expected end date, where applicable.
e) Participation and activity data: Activities in which you participate, events you attend, activity preferences, declared personal interests, groups or committees to which you belong, comments and ratings.
f) User-profile data: Personal biography, interests, hobbies, languages, skills, notification and communication preferences.
g) Platform-usage data: Access logs, date and time of connection, pages visited within the platform, interactions with content.
3.2. Purposes of Processing
Personal data will be processed for the following purposes:
- User management and access control: Registration, enrolment and access to the platform.
- Internal communication: Facilitating communication between community members and with the organisation’s administration.
- Activity organisation: Organisation and promotion of activities, events and services of the organisation.
- Community participation: Enhancing participation and engagement of community members.
- Notifications: Sending notifications and communications related to the service.
- Maintenance and support: Maintenance, technical support and improvement of the platform.
- Statistics: Preparation of aggregate and anonymised statistics on platform usage.
- User assistance: Handling enquiries and providing support.
3.3. Special Categories of Data (Sensitive Data)
SOCIALO does NOT under any circumstances process special categories of personal data within the meaning of Article 9 of the GDPR, which include:
- Data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade-union membership.
- Genetic data.
- Biometric data for the purpose of uniquely identifying a natural person.
- Data concerning physical or mental health.
- Data concerning sex life or sexual orientation.
Nor are data relating to criminal convictions and offences processed within the meaning of Article 10 of the GDPR.
Should the processing of such categories of data be detected inadvertently, the data controller will be notified so that appropriate measures may be taken in accordance with its instructions.
4. Legal Basis for Processing Your Data
The legal basis legitimising the processing of the data referred to above is as follows:
- For End Users: The legal basis is that determined by the Organisations acting as data controllers in accordance with Article 6 of the GDPR (typically the performance of the legal relationship with the Organisations or the legitimate organisational interest).
- For Organisations: Performance of the contract between SOCIALO and the Organisations.
- Consent of the data subject for the sending of commercial communications, data visibility within the community, and optional cookies.
- Legitimate interest: where SOCIALO processes data for the purpose of improving the service in its capacity as a technology provider, this will be carried out on aggregate or anonymised data or, alternatively, on the basis of its duly balanced legitimate interest.
- Compliance with legal obligations for communication with public authorities and the fulfilment of legal requests.
5. Retention of Your Personal Data
Personal data are retained only for as long as necessary to fulfil the purposes for which they were collected, to meet your needs or to comply with legal obligations.
5.1. Retention Periods
- Account data: For as long as the account remains active and the relationship with the organisation subsists.
- Activity data: For the time necessary for managing the activity and, thereafter, for the applicable limitation periods.
- Data subject to legal obligations: For the periods established by applicable legislation.
5.2. End of the Relationship
Upon termination of the relationship with the organisation or upon deletion of your account:
- You will be given a period within which to request the download of your data through the channels provided.
- Data will be deleted or, where applicable, returned to the data controller (your organisation).
5.3. Blocking Period
Pursuant to Article 32 of the LOPDGDD, personal data may be retained in a duly blocked state for the limitation periods applicable to any liabilities arising from the processing, in accordance with applicable legislation.
During the blocking period, the data may not be accessed or processed, except to make them available to:
- Courts and tribunals
- The Ministerio Fiscal (Public Prosecutor’s Office)
- The competent public authorities
- The Defensor del Pueblo (Ombudsman)
- The Tribunal de Cuentas (Court of Auditors)
- The Agencia Española de Protección de Datos or other data-protection authorities
5.4. Definitive Deletion
Once the blocking period has elapsed without the need for further retention, data will be permanently deleted using secure procedures that prevent their recovery, or anonymised so that the user is no longer identifiable.
6. Recipients to Whom Your Data Are Disclosed
Data will not be disclosed to third parties except where required by law or where services are provided by data processors.
6.1. Data Recipients
- Your organisation (Data Controller): If you are an end user (student, resident, member), your data are accessible to the administrators of your organisation, who are the data controllers of your data.
- Service providers (Sub-processors): SOCIALO may engage service providers who access personal data solely for the purpose of providing the service (such as hosting, communications, analytics and other ancillary technical services), always in accordance with the controller’s instructions. All sub-processors are contractually bound to comply with the GDPR and to maintain the confidentiality of the data.
6.2. Disclosure to Authorities
In certain cases, the law may require that personal data be disclosed to public bodies or other parties (courts and tribunals, public authorities, law-enforcement agencies, etc.). Only the data strictly necessary for the fulfilment of such legal obligations will be disclosed.
6.3. Information on Service Providers
To obtain information about the specific providers that access your personal data, you may send an email to dpo@socialo.live
7. Storage and International Data Transfers
7.1. Storage Location
As a general rule, personal data are stored on servers located within the European Union.
7.2. International Transfers
Where the processing of your data entails an international transfer of data outside the European Economic Area (EEA), SOCIALO ensures compliance with the safeguards provided for in Chapter V of the GDPR by means of one of the following mechanisms:
- Adequacy decisions: Transfers to countries that the European Commission has determined to provide an adequate level of protection.
- Standard contractual clauses: Contracts incorporating the standard clauses approved by the European Commission.
- Other legally recognised mechanisms: Such as binding corporate rules or specific certifications.
7.3. List of Transfers
SOCIALO maintains an up-to-date list of all providers that carry out international transfers, specifying the destination countries and the applicable protection mechanisms. This information is available upon request. As at the date of the last update of this policy, international transfers are carried out in accordance with the mechanisms described above.
7.4. Further Information
For further information on service providers and international transfers, contact: dpo@socialo.live
8. Your Rights and How to Exercise Them
8.1. How to Exercise Your Rights
If you are an end user (student, resident, member), you may exercise your rights:
- By contacting the data controller of your organisation directly.
- By writing to dpo@socialo.live, which will forward your request to the competent controller immediately and, in any event, within a maximum of one business day. In such cases, SOCIALO will act solely as a communication channel and will not resolve the request directly unless it acts as controller in the specific processing.
If you are an organisation administrator, you may address your communications to: dpo@socialo.live
8.2. Rights Recognised by the GDPR
Under the GDPR (Articles 15 to 22) you may exercise the following rights:
- Right of access (Art. 15): You may request information as to whether your personal data are being processed and, if so, obtain a copy thereof together with information on the processing.
- Right to rectification (Art. 16): You may request the correction of inaccurate personal data or the completion of incomplete data.
- Right to erasure / “Right to be forgotten” (Art. 17): You may request the erasure of your personal data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
- Right to restriction of processing (Art. 18): You may request the restriction of the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): You may request to receive your personal data in a structured, commonly used and machine-readable format (for example: JSON, CSV, XML) and to transmit them to another controller.
- Right to object (Art. 21): You may object to the processing of your personal data, including profiling.
- Right not to be subject to automated individual decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. SOCIALO does not make automated decisions of this kind without human intervention.
8.3. Response Period
Requests to exercise rights will be dealt with within a maximum of one month from receipt. This period may be extended by a further two months in the case of complex or numerous requests, provided that you are informed of such extension within one month of receipt of the request.
8.4. Limitations
In certain cases, a request may be refused where you request the erasure of data that are necessary for:
- Compliance with legal obligations.
- The establishment, exercise or defence of legal claims.
- Reasons of public interest in the area of public health.
8.5. Complaint to the Supervisory Authority
If you consider that your rights have not been adequately safeguarded, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD):
- Website: www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid
- Telephone: 901 100 099 / 91 266 35 17
9. Responsibility for the Accuracy and Truthfulness of Data
The user is solely responsible for the truthfulness and accuracy of the data provided, and SOCIALO is released from any liability in this regard. Users warrant and are responsible for the accuracy, currency and authenticity of the personal data provided and undertake to keep them duly updated.
SOCIALO reserves the right to terminate the services contracted with users where the data provided are false, incomplete, inaccurate or out of date.
10. Security Measures
SOCIALO has adopted the technical and organisational security measures necessary to ensure the protection of personal data, in accordance with Article 32 of the GDPR. These measures are designed to ensure:
- Confidentiality: Ensuring that only authorised persons have access to personal data.
- Integrity: Ensuring that personal data are not altered in an unauthorised manner.
- Availability: Ensuring that personal data are available when required.
- Resilience: The ability of systems to recover in the event of physical or technical incidents.
10.1. Technical Measures Implemented
- Encryption in transit: The application uses secure connections with TLS certificates, encrypting all information transmitted via HTTPS.
- Encryption at rest: Stored data are protected by encryption techniques.
- Pseudonymisation: Where possible, pseudonymisation techniques are applied to reduce risks.
- Access control: Authentication and authorisation systems to restrict access to data.
- Backups: Regular backup procedures to ensure data recovery.
- Monitoring: Incident-detection and security-response systems.
10.2. Organisational Measures
- Training: Personnel with access to personal data receive specific training on data protection.
- Confidentiality: All personnel are subject to written confidentiality undertakings.
- Periodic reviews: Periodic audits and assessments of the effectiveness of the security measures implemented are carried out.
10.3. Notification of Security Breaches
In the event of a personal-data breach that is likely to result in a high risk to your rights and freedoms, you will be informed without undue delay, in accordance with Article 34 of the GDPR, so that you may take the necessary precautions.
11. Processing of Minors’ Data
11.1. Minimum Age
Pursuant to Article 7 of the LOPDGDD, the processing of personal data of minors may be based on their consent only where they are at least 14 years of age.
11.2. Minors Under 14
The processing of personal data of minors under 14 years of age requires the consent of the holder of parental responsibility or guardianship. In such cases, the organisation (data controller) must verify that consent has been given by the holder of parental responsibility or guardianship over the minor.
11.3. Organisation’s Responsibility
It is the responsibility of the organisation (data controller) to ensure compliance with the age and consent requirements for the processing of data of minors who use the platform.
12. Changes to the Privacy Policy
This privacy policy may be amended to adapt it to regulatory or case-law changes or changes in the interpretation of the Agencia Española de Protección de Datos, as well as to changes in the configuration of the platform.
In the event of material changes that affect the processing of your personal data, we will inform you through the application or by email before such changes take effect, so that you may become aware of the amendments and, where appropriate, exercise your rights.
We recommend that you review this policy periodically in order to stay informed about how your data are protected.
Date of last review: January 2026
13. Additional Information
13.1. Application Permissions
When the application requests permission to access features of your mobile device (camera, image gallery, notifications, etc.), such access will be used exclusively for the purposes described in this privacy policy. You may manage these permissions at any time from your device settings.
13.2. Cookies and Similar Technologies
The application may use cookies and similar technologies to improve the user experience. For further information on the use of cookies, please see our Cookie Policy.
13.3. Contact
For any enquiry relating to this privacy policy or the processing of your personal data:
- Email: dpo@socialo.live
- Address: Paseo de la Castellana, 194, Bajo B, 28046 Madrid, Spain
This privacy policy has been drawn up in compliance with Regulation (EU) 2016/679 (GDPR) and Ley Orgánica 3/2018 (LOPDGDD).