Privacy policy

INTRODUCTION

At Enreach, we value your privacy and are committed to protecting your personal data (‘Personal Data’). This privacy statement (‘Privacy Statement’) explains how we process your Personal Data in accordance with applicable data protection legislation (‘Data Protection Legislation’), what Personal Data we process, for what purposes we process your Personal Data, how we protect your Personal Data, how long we store your Personal Data, how you can exercise your privacy rights in relation to this Personal Data, and any other information that may be relevant to you.

This Privacy Statement is only applicable when you interact with to an Enreach entity located in the EU. When you have interacted with an Enreach entity located outside of the EU/EEA, different privacy statements apply.

In this Privacy Statement, ‘you’, ‘your’, and ‘yours’ refers to all data subjects (‘Data Subject’) interacting with Enreach as either a (potential/former) customer, partner, end user, website visitor, or in any other capacity other than as an employee or job applicant, whereas ‘Enreach’, ‘we’, ‘our’, or ‘us’ refers to the Enreach entity that you have interacted with as a Data Subject. Additionally, you will see references to the Enreach Group, which includes all other Enreach entities globally. Further information on the Enreach Group can be obtained by contacting us using the details provided below.

Enreach Group is the data controller (‘Data Controller’) for the Personal Data we process as identified in this Privacy Statement. In some circumstances, Enreach will process data on behalf of other organisations (e.g., on behalf of customers or partner organisations with their own purposes for processing the data). In such circumstances, the other organisation will be the Data Controller and so you should refer to their privacy statements/notices for details of how your Personal Data is processed.

Occasionally, Enreach may be a joint Data Controller with one of our partner organisations. Such processing may be communicated to you in a separate privacy statement.

We may provide additional privacy statements or information to you at the time when we collect your data other than for the purposes listed in this Privacy Statement. For example, if you apply for a job with us or use the Chatbot feature of our website. Such privacy statements will govern how we process the information you provide at that time.

Enreach does not share Personal Data with third parties, unless this is (1) legally required, (2) necessary to supply a service, 3) specifically requested by the customer that has provided the Personal Data, or (4) otherwise Enreach has a legitimate interest in doing so, assuming that interest outweighs any potential effects that the sharing of Personal Data might have on the rights and freedoms of the affected Data Subject.

This general policy includes the most common stakeholders and purposes of the treatment in the relationships established by Enreach, so that certain products and treatments may have their own particular privacy policy (different retention periods, different types of assignments, legal bases, etc. …).

In these particular cases, Enreach will duly inform the interested party of these legal rights and obligations in the different means of contracting, subscription or information made available to the interested party.

The capitalised words in this Privacy Statement have the meanings ascribed to them in this Privacy Statement and in the Definitions provided below.

CONTACT INFORMATION

You can contact us here:

Enreach Communications S.L.

Address: Travessera de Gràcia, 17-21, 08021 Barcelona

Tel/Fax: 931 222 223

E-mail Data Protection Delegate: privacy.es@enreach.com

CIF: IS B62959077

Data Protection Officer

We have a dedicated Data Protection Team and a Data Protection Officer (DPO). If you have any questions relating to the processing of your Personal Data or want to contact our DPO, feel free to do so using the details provided below:

Enreach Data Protection Team

Email: dataprotectionteam@enreach.com

DEFINITIONS

Below are some key terms relevant to this Privacy Statement:

Personal Data: Any information directly or indirectly relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Data Subject (You): Natural person(s) whose Personal Data is processed, specifically in this case, the customer, partner, end user, or website visitor.

Data Controller (We): Natural or legal entity that determines the purpose and means for the processing of Personal Data. In the context of this Privacy Statement, this is the Enreach entity that you have interacted with as a customer, partner, end user, or website visitor.

Data Processor: Natural or legal entity processing data on behalf of the Data Controller.

Sensitive Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a Data Subject’s sex life or sexual orientation.

Data Protection Legislation: Data Protection Legislation refers to the applicable laws that govern the protection of Personal Data and privacy. This includes the legislation applicable to the processing of Personal Data in the EU, such as the General Data Protection Regulation (‘GDPR’) and the ePrivacy Directive (‘ePD’), as well any national laws implemented in connection with the aforementioned legislation.

The client or contract holder is the company responsible for hiring Enreach services. In this sense, in the event that such holder allows other third parties (users) to use the contracted Enreach services, it guarantees that it is legitimized by the type of contractual relationship it has with them or because it has obtained their prior consent to accept the privacy conditions set forth in this Policy as well as in the conditions of each of the contracted Products and Services.

WHAT PERSONAL DATA WE PROCESS AND WHY

We only collect Personal Data that is necessary for our intended purposes and in accordance with the GDPR. The type of Personal Data that we will collect depends on the nature of our relationship with you.

What categories of Personal Data do we process

Mandatory personal and user information: When you purchase a service from Enreach or when you contact us, Enreach processes your Personal Data, such as your name, address, telephone number, email address and bank account number.

Traffic data: When using our services, traffic data will be processed. This data is required for us to facilitate communication. Traffic data is generated and processed automatically when end users make use of our telecommunication services. Traffic data consists of calling and called numbers, as well as the date, time, duration, and the fees that were charged for said call.
This data does not concern the contents of the communication. In the case of a data session, we also register the amount of data used, and when roaming, we register the network that was used. We never store the contents of communication unless directly instructed to do so by a customer, such as in the case of call recordings.

Location data: When you set up a call or data session, Enreach processes information that can make a very rough determination of your location at that moment. We use this information to determine whether or not the call or data session is happening within in the Netherlands.
Enreach uses third party operators’ mobile networks. These operators are able to accurately determine your location by looking at which transmission tower was used for your call or data session. Enreach does not have access to this information.

Information collected when visiting our website: When you visit our website enreach.es and our customer portals, we use cookies to optimise our website’s functionality. When visiting the website, you have the option to configurate your Cookie settings. Our website and our customer portal Operator use Google Analytics, Hotjar, and social media cookies to analyse site usage. Google Analytics transfers and stores cookie-generated information (including IP address) on servers in the United States and uses it to monitor website use, compose reports for operators, and offer other services. Please see Section 7 below for more information about our use of cookies.

Other information: When you visit our offices, we will register you as a guest for safety purposes. This allows us to quickly evacuate the premises in case of a disaster without leaving anyone behind. We also have cameras in our offices for security reasons and will inform you of their presence.

Any additional information collected will be used in accordance with this Privacy Statement or as disclosed at the time of collection.

How do we collect your Personal Data

We may collect Personal Data directly from you or indirectly through a third party, depending on your relationship with us. If you choose not to provide Personal Data to us, you may experience limited functionality in your desired Enreach service, function, or technical assistance. The way we collect your Personal Data differs depending on your relationship with us:

For website users or newsletter subscribers: We always inform you about our processing before collecting your Personal Data such as name, e-mail address, company name, address, and telephone number.
Please note that Personal Data may be required in order for you to use the features of the website. Additionally, it may be necessary for us to collect and process your Personal Data in order to provide and optimise our services for you. For example, we need your contact information to be able to book a meeting with you, receive inquiries from you via our contact form or Chatbot, or send you a newsletter if you consented to this.

For end users: The same principles apply to the processing of traffic data and your telephone number when we are delivering our telecommunication offerings.

For Enreach Contact users: For business end users of the Enreach Contact app the privacy statement can be found here.

For business customers and partners: Personal Data is collected directly from you or indirectly through your employer. In some instances, a third party may provide us with data relating to you (e.g., if we need to carry out a credit check). If you, as a business customer or a partner, provide us with Personal Data about individuals other than yourself, for example by making our telecommunication solutions available to your employees, you are obligated to inform your end users about this transfer of Personal Data to Enreach.

For other parties: We may collect your data directly if you provide your data to us through your use of our website, via online forms or questionnaires, through phone conversations, by email, in person (at conferences, workshops, seminars or events), and so on. Alternatively, we may collect your data indirectly through approved sales and marketing channels. Whether your Personal Data is collected directly or indirectly, we will always provide our privacy information where required under the Data Protection Legislation.

How do we process your Personal Data and why
Lawful basis

We only process your Personal Data when we have a lawful basis for doing so. The specific legal basis we rely on is identified per processing activity in the table below. Possible legal bases for processing Personal Data include:

Legitimate Interest: The processing is necessary for the purposes of our legitimate interests (i.e., our business interests), except where such interests are overridden by your interests or fundamental rights and freedoms.

Consent: You have given consent to the processing of your Personal Data for one or more specific purposes.

Legal obligation: The processing is necessary for compliance with our legal obligations.

Vital interests: The processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.

Contractual obligation: The processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.

Processing activities

We may use your Personal Data to:

Processing activity
Lawful basis
Communications
To contact you following an enquiry or in reply to any questions, suggestions, issues, or complaints you have contacted us about.
Legitimate Interest
To follow up on any interest you have shown in our products and services (e.g., to contact you via email regarding a partially completed webform).
Legitimate Interest
To facilitate meeting and quotation requests.
Legitimate Interest
To communicate with you and send B2B marketing communications, including where you have attended events or webinars.
Legitimate Interest if you are already a customer or Consent in other cases
To communicate with you using our Chatbot, processing the information that you have voluntarily provided. We digitally monitor live chat conversations for the purposes of quality control and staff training. Please note this is an Enreach Group product and subject to its own privacy statement which can be found here:
Legitimate interest
To generate marketing/analytics from our website using cookies. This includes the monitoring, development and improvement of the website and your experience. For full details on our use of cookies please see our Cookie banner.
Consent
Products and services
To manage your online account and provide you access to your billing information.
Contractual Obligation
To carry out financial checks (e.g., if you are a company director) should they be required when you or your company purchase our services.
Legal Obligation or Legitimate Interest
To display the Caller ID. Enreach always displays your telephone number to the called number. This means that your number will be visible to the call recipient on the display of their telephone. This can be turned off by calling anonymously. However, we are legally obliged to always reveal your number when you call the national emergency number.

Legitimate Interest or Legal Obligation

To conduct security analysis. Based on analyses of call and internet behaviour, Enreach can proceed to restrict certain destinations when excessive usage is detected. Higher usage than average call behaviour may indicate fraud. A blockade can limit fraud and misuse and prevent you from receiving a huge bill for fees that you have not incurred yourself. Enreach also uses advanced techniques (such as firewalls, spam filters and virus scanners) to protect against security breaches, viruses, spam, and malware.
Legitimate Interest
To provide training and support in the use of our products and services.
Legitimate Interest
To prevent malicious or annoying contact. If someone is harassing you by telephone or via internet, then you can report this to us and submit a written request to provide information on the person responsible for this malicious or annoying behaviour. If we receive such a request, we will follow internal procedures.
Legitimate Interest
To permit number retention and transfer services. Enreach offers you the option of keeping your number when you transfer to a different provider. To do this, we exchange information with your current or next provider. In case of a landline, this information is your current telephone number, your name, and your address. For a mobile number, your SIM card number, telephone number and name are shared.
Contractual Obligation
To process your data for traffic management, network planning and quality of services. For the sake of the maintenance and the improvement of our platform, we analyse information about the use of our network. We do this so that we can, among other things, redirect traffic in case of potential overloading, but especially so that we can prevent this by planning and implementing targeted improvements. In addition, we can use the information to see when malfunctions occur on the platform.
Legitimate Interest
To process and facilitate an order you have made with us (e.g., through our website)
Contractual Obligation
To provide and improve services purchased by you or your employer. For example, the delivery of an order to the specified address, or setting up of a telephone call.
Contractual Obligation
To manage invoices and payments. For example, an invoice may show the fees charged for each service, specified by type of use. You can see fees incurred abroad, call costs, data usage and more.
Contractual Obligation
To store certain information from customers for a specific time period for the purposes of legal investigations and to cooperate with requests for Personal Data from competent authorities or other authorised governmental institutions, as well as with requests for information we process and store as part of our normal business operations.
For example, this can include information from your telephone records or about your data usage. When the storage period has elapsed, stored information is destroyed or made anonymous. Another example of a legal requirement is the calling of the national emergency number. When you do this, your telephone number and the location of your telephone can be transmitted to the relevant authorities, even when you have blocked the display of your telephone number.

Legal Obligation

Other operational or legal purposes
To negotiate and/or enter into and/or fulfil a contract with you, or the organisation for which you work.
Contractual Obligation
To fulfil pre-contractual steps, such as supplier questionnaires, as part of our onboarding process.
Contractual Obligation
To comply with applicable laws, lawful requests, and legal process, where appropriate/necessary.
Legal Obligation
To comply with regulatory monitoring and reporting obligations, where appropriate/necessary.
Legal Obligation
To digitally monitor and/or record calls between you and us for the purposes of quality control and staff training. You will be informed of this prior to the call.
Legitimate Interest
As part of professional services provided to us by lawyers, bankers, auditors, and insurers, where necessary.
Legitimate Interest or Legal Obligation
To meet our high security standards in managing your personal data, our systems, and our website.
Legitimate Interest
To share your data with healthcare professionals if you are taken ill or involved in an accident while visiting our office or sites and are unable to provide your consent.
Vital interest
Whistleblower Channel
The purpose of the treatment is the reception and management of complaints made about regulatory breaches or indications of commission of criminal offenses in the company.
In no case will be processed personal data that are not necessary for the knowledge and investigation of the actions or omissions referred to in Article 2 of Law 2/2023 on the protection of the informant, proceeding, if necessary, to their immediate deletion. Likewise, any personal data that may have been communicated and that refer to conduct that is not included in the scope of application of the law will be deleted.
If the information received contains personal data included in the special categories of data, it will be immediately deleted, without the registration and processing of such data.
Legal Obligation
We will process the data you provide us through your CV:
1. For the personnel selection during the processes that the company keeps open.
2. To maintain a file with curricular information of the candidates to provide services to our Company and whose required profile fits the characteristics of the company.
Consent
Suppliers
The purpose of the treatment is the management of suppliers, management of contracts, orders and payments, as well as maintaining a database of contacts for possible future contracts and / or collaborations.
Contractual Obligation
Sensitive Personal Data

In our capacity as a Data Controller, we do not actively collect Sensitive Personal Data for any of the purposes described in this Privacy Statement. If, for whatever reason, we need to collect such data, we will inform you at the time of collection, and it will only be done so with your explicit consent or in line with other lawful purposes under the Data Protection Legislation.

Anonymous information

We may create anonymous, aggregated, or de-identified data from your Personal Data and other individuals whose Personal Data we collect. We do this by excluding information that makes the data personally identifiable to you.

Legal requirement

Enreach is legally obliged to store certain customer information for a specific period for legal investigations. Enreach must cooperate with requests for Personal Data from the competent authorities or other authorised governmental institutions and requests for information we process and store as part of our normal business operations.

For example, this may include information from your telephone records or data usage. The stored information is destroyed or made anonymous when the storage period has elapsed. Another example of a legal requirement is the calling of the national emergency number. When you do this, your telephone number and location can be transmitted to the relevant authorities, even when you have blocked the display of your telephone number. This is a legal requirement.

Necessary for our service provision

Enreach uses third-party services, such as wholesalers, to facilitate the delivery of its services. In such cases, Enreach must share the necessary information with such wholesalers to provide certain services. For instance, when Enreach shares data with a wholesaler, the wholesaler must comply with Enreach’s terms and adhere to the same privacy standards as Enreach.

At the request of the customer

As a customer, you may purchase certain services that require Personal Data, such as an application using GPS data. In these cases, you can choose whether or not to share your information and grant permission to the application provider. Enreach is not responsible for processing your Personal Data in these circumstances.

OUR USE OF COOKIES

Information about our use of cookies

A cookie is a small file of letters and numbers that we store on your browser or your computer’s hard drive if you give us your consent to store the cookie. Cookies contain information that is transferred to your computer’s hard drive.  Pursuant to the Data Protection Legislation we can store cookies on your device without your prior permission if they are strictly necessary for the operation of our website or services. For all other types of cookies, we need your consent.

We may use different types of cookies. Some cookies may be placed by third-party services that appear on our pages.

If we ask for your consent for cookies, then this applies to the following domain: www.enreach.es

Types of cookies

We categorise cookies into four types: necessary, preference-based, statistical, and marketing-based. You can find descriptions of each type and the cookies we use under each category in our cookie banner. You can also learn about the purpose and duration of each cookie we use when choosing your cookie preferences.

Updating your cookie settings

When you visit our website for the first time, Enreach will present you with a cookie banner, which asks for your consent to place non-essential cookies or otherwise allows you to adjust your cookie settings.

Please note if you use your browser settings to block all cookies (including necessary cookies), you may not be able to access all or parts of our website.

If you require further information, please contact us using the contact details above. Once you have interacted with our cookie banner, you can change your cookie settings at any time by visiting our home page and clicking on the Cookie settings icon in the bottom right-hand corner of the screen.

HOW DO WE STORE AND RETAIN YOUR PERSONAL DATA

We retain your Personal Data to provide high-quality service compliant with the Data Protection Legislation. Personal Data is stored as long as necessary to fulfil collection purposes, legal obligations, and accounting reporting requirements.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and whether we can achieve the purposes through other means.

Personal Data may be anonymised in some circumstances rather than deleted. In this event, the anonymised data will no longer be traceable to you and is no longer considered Personal Data.

Whistleblower system

The data will be kept in the complaints channel system only for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts. In any case, after three months have elapsed since the receipt of the communication without any investigation actions having been initiated, the data will be anonymized in order to leave evidence of the system’s operation.

The company has a record book of information and investigation of the information received, guaranteeing the confidentiality of these as legally established and keeping the personal data for a period not exceeding ten years.

The person in charge of the internal information system, as well as the collaborators authorized by him/her to carry out the appropriate management and investigation, will have access to the information submitted by the interested party.

Newsletters

the data will be kept as long as the user does not express his will not to continue receiving information.

C.V.

the data will be kept for a maximum period of 2 years.

Clients, users
Commercial information

the data will be kept as long as the user does not express his will not to continue receiving information.

The interested party may revoke their consent at any time, communicating their desire not to receive any more commercial communications by following the instructions indicated at the bottom of each of the commercial communications sent by ENREACH.

Suppliers

For the duration of the contractual relationship and once it has ended during the legal prescription period for possible claims.

WITH WHOM WE MIGHT SHARE YOUR PERSONAL DATA

If we deem it necessary for the abovementioned processing purposes, your Personal Data may be shared with one or more third parties, regardless of whether the third party is affiliated with the Enreach Group, for the purpose of processing Personal Data in accordance with our instructions.

When third parties are given access to your Personal Data in line with the above, we undertake required contractual and organisational measures to ensure that your Personal Data are processed only to the extent that such processing is legitimate and necessary.

We may share your Personal Data with trusted third parties as follows:

Within the Enreach Group

As the Enreach entity that you have interacted with is part of a wider group of undertakings with headquarters in the Netherlands, and entities located in the EU, the UK and Serbia, Enreach may transfer your Personal Data to, or otherwise allow access to such data by other entities within the Enreach Group, which may use, transfer, and process your Personal Data for the purposes described within this Privacy Statement. We may also share aggregated data about our customers in the form of business intelligence and statistics with members of the Enreach Group.

With Data Processors

We may engage certain Data Processors who may process your Personal Data on our instructions. The Data Processors are contractually obliged to implement appropriate technical and organisational measures to ensure that your Personal Data is processed in accordance with our instructions.

Circumstances where your Personal Data may be shared include:

With regulators, authorities, and other relevant third parties

Where necessary for the processing purposes described above or where required by law, your Personal Data may be transferred to regulators, courts and other authorities, independent external advisors, insurance providers, pensions, and benefits providers, and internal or external compliance and investigation teams.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

In principle we process your Personal Data in the EEA. However, where necessary for the processing purposes described above or where required by law, we may transfer your Personal Data outside of the EEA to countries not deemed by the European Commission (as relevant) to provide an adequate level of personal information protection. In such cases any Personal Data transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contractual clauses approved by the European Commission as relevant to provide adequate protection of personal information.

HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA

We attach great importance to your privacy. We therefore implement suitable physical, electronic, and managerial procedures to safeguard and secure your collected Personal Data.

Enreach has implemented generally accepted standards of technology and operational security in order to protect Personal Data from loss, misuse, alteration, or destruction. Only authorised Enreach personnel are provided access to Personal Data and these employees are contractually or statutorily obliged to ensure confidentiality of this data.

Enreach will implement appropriate technical and organisational measures to ensure that the processing of your Personal Data is performed in accordance with the Data Protection Legislation, in particular ensuring an appropriate level of security.

YOUR RIGHTS

Under the Data Protection Legislation, you have a number of rights regarding our processing of your Personal Data, as below:

Right to be informed about our collection and use of Personal Data

You have the right to be informed about the collection and use of your Personal Data. We ensure we uphold this right with our internal data protection policies and through this and other privacy statements. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Right of access

You have the right to access the information we process about you.

Right to rectification

You have the right to have incorrect or outdated information about yourself corrected.

Right to be forgotten

In exceptional cases you have the right to have information about you deleted before the expiry of our retention period.

Right to restrict processing

In some cases, you have the right to have the processing of your Personal Data restricted. If you exercise this right, we may only process your Personal Data with your consent, or for the purpose of establishing, asserting, defending, protecting, a significant public or private interest, except when we process your data for storage.

Right to object

In certain cases, you have the right to object to our otherwise lawful processing of your Personal Data.

Right to transfer your information (data portability)

In certain cases, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to have that Personal Data transferred from one Data Controller to another without hindrance.

Right to withdraw your consent

You have the right to withdraw your consent at any time in the circumstances where you have given us consent to process your Personal Data.

Rights in relation to automated processing

An automated decision is one that is made by our systems rather than a person. You have the right to express your concerns and object to a decision taken by purely automated means under some laws such as the GDPR. You also have a right to request that a person review that decision.

This right is unlikely to apply to Enreach’s use of your data, as any automated processing we carry out is unlikely to make decisions and would include human intervention. If you would like to discuss this in further detail, please contact us as set out above.

You can invoke any of the above rights by reaching out to us on the Contact Information provided above. When you submit a request, we will ask you some additional questions to verify your identity. We will respond to your request as soon as possible, but at the latest within one month.

QUESTIONS OR COMPLAINTS

In case you have any questions with respect to the processing of your Personal Data as described within this Privacy Statement, you can contact the Enreach Data Protection Team and our DPO via the Contact Information above.

Please note that you also have the right to lodge a complaint with the competent supervisory authority for the Enreach entity that is acting as the Data Controller regarding how we process your Personal Data. However, we hope that you would consider raising any issue or complaint you have with us first (using the contact details above). Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have. If you have any questions regarding which supervisory authority is applicable to your engagement with Enreach, please contact us via the Contact Information above.

OTHER LINKS

Please be aware that the Enreach website you have accessed may link to other websites that you may access. We are not responsible for the data policies, content, or security of such sites. We do not have any control over any use of your data by third parties when you visit such sites or otherwise provide your data through these channels.

CHANGES

Enreach reserves the right to modify or amend this Privacy Statement at any time. The effective date will be displayed below. It is the user’s responsibility to check this document regularly for changes.

Thank you for taking the time to read our Privacy Statement.

Version 2.0; May 2024