Privacy policy
Effective date and last update: 5 July 2026
- 1. Data controller identification
- 2. Categories of personal data processed
- 3. Purposes of processing and legal basis
- 4. Data retention periods
- 5. Data recipients
- 6. International transfers
- 7. Data subject rights
- 8. Cookie use
- 9. Automated decision-making
- 10. Security measures
- 11. Changes to this policy
- 12. Contact and complaints
1. Data controller identification
The data controller for the personal data processed through bestardcapital.com (the "Website") is Francisco Bestard, operating under the trading name Bestard Capital as an independent professional (the "Controller", "we", "us").
Contact regarding personal data and this Privacy Policy: info@bestardcapital.com.
Bestard Capital is completing the incorporation of a corporate entity. Once that entity is registered, this Privacy Policy will be updated to identify the corporate controller together with its registered address and tax identification number. Until then, the Controller acts in an individual professional capacity and remains fully accountable under the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Under Article 37 GDPR, the processing activities described in this policy do not meet the thresholds that would require the formal appointment of a Data Protection Officer (no large-scale systematic monitoring, no large-scale processing of special categories of data). No formal Data Protection Officer is therefore appointed. All privacy-related requests should be addressed to info@bestardcapital.com, which is monitored directly by the Controller.
2. Categories of personal data processed
We process the following categories of personal data, depending on how you interact with the Website:
- Identification data — name, email address, company or firm name, collected through contact forms and direct email correspondence.
- Professional data — professional role, jurisdiction of operation, and stated investment interest or financing need, collected for the purposes of qualifying enquiries (e.g. confirming qualified-investor or producer status).
- Technical data — IP address, browser type and version, device type, operating system, referring page and timestamps, collected automatically through server logs when you visit the Website.
- Behavioural data — pages viewed, time on page, scroll depth and interaction events (e.g. clicks on contact links), collected via Google Analytics 4 ("GA4") only after consent, and via Plausible Analytics in aggregated, non-identifying form that does not constitute personal data.
3. Purposes of processing and legal basis
We process personal data for the following purposes, each with a corresponding legal basis under Article 6(1) GDPR:
- Responding to enquiries — processing necessary for pre-contractual steps taken at your request (Art. 6(1)(b) GDPR — measures prior to entering into a contract).
- Client / counterparty management — once an engagement letter or mandate is signed, processing necessary for the performance of that contract (Art. 6(1)(b) GDPR).
- Marketing communications — where you have opted in, processing is based on your consent (Art. 6(1)(a) GDPR); where communications relate to services similar to those you have already enquired about, we may instead rely on our legitimate interest in maintaining a professional relationship (Art. 6(1)(f) GDPR). In both cases, you may object or withdraw consent at any time — see Section 7 below.
- Analytics with GA4 — processing is based on your consent, collected and managed through our Consent Mode v2 cookie banner (Art. 6(1)(a) GDPR). No GA4 cookie is set, and no analytics_storage occurs, until you actively accept.
- Analytics with Plausible — processing is based on our legitimate interest in understanding aggregate Website usage without identifying individuals (Art. 6(1)(f) GDPR). Plausible does not use cookies, does not collect personal data, and is hosted on EU servers.
- Legal and regulatory obligations — where an engagement letter is signed, we may be required to carry out anti-money-laundering and know-your-customer ("AML/KYC") checks under applicable financial-crime legislation, processing necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR).
4. Data retention periods
We retain personal data only for as long as necessary for the purposes described above, and in accordance with the following schedule:
| Data category | Retention period | Basis |
|---|---|---|
| Contact form enquiries — no engagement reached | 3 years from last contact | Standard commercial prescription period |
| Client / counterparty records — engagement signed | 10 years from end of relationship | Spanish Commercial Code (Código de Comercio, Art. 30) and French commercial-document retention rules |
| Server logs (technical data) | 12 months | Security and fraud-prevention necessity |
| GA4 analytics data | 14 months (Google default event-data retention) | GA4 platform default configuration |
| Plausible analytics data | Not applicable — aggregated only, no personal data retained | No personal data processed |
5. Data recipients
Personal data is disclosed only to the following categories of recipients, each acting as a processor or independent controller under an appropriate data-protection instrument:
- Google Ireland Limited (Google Analytics 4) — analytics data is stored on Google's EU data infrastructure under GA4's EU data residency setting.
- Plausible Insights OÜ (Plausible Analytics) — EU-hosted (Germany), processes no personal data, sets no cookies.
- Web hosting provider (Namecheap) — hosting infrastructure with servers located in the US and/or EU depending on configuration, under a Data Processing Agreement ("DPA").
- Email hosting provider associated with the bestardcapital.com domain — processes correspondence sent to info@bestardcapital.com.
We do not use third-party marketing or advertising technology (adtech) on this Website, and we do not sell, rent or otherwise share personal data with data brokers.
6. International transfers
Where personal data is transferred outside the European Economic Area, we ensure an adequate level of protection is in place. Google Analytics 4 relies on the EU–US Data Privacy Framework (and, where applicable, Standard Contractual Clauses) as the transfer mechanism for any data that may be processed in the United States. Plausible Analytics is EU-only and does not transfer data outside the EU.
7. Data subject rights
Under Articles 15 to 22 GDPR, you have the right to:
- Access — obtain confirmation of whether we process your personal data, and a copy of that data.
- Rectification — request correction of inaccurate or incomplete personal data.
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations described in Section 4.
- Restriction of processing — request that we limit how we use your data in certain circumstances.
- Data portability — receive personal data you provided to us in a structured, machine-readable format, where technically feasible.
- Object — object to processing based on our legitimate interest, including for direct marketing purposes.
- Withdraw consent — where processing is based on consent (e.g. GA4 analytics or marketing communications), withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, send a written request to info@bestardcapital.com, specifying the right you wish to exercise and including sufficient information to verify your identity. We will respond within one month of receipt, extendable by two further months for complex requests, as permitted under Art. 12(3) GDPR.
You also have the right to lodge a complaint with a supervisory authority. If you are resident in France, the competent authority is the CNIL (Commission Nationale de l'Informatique et des Libertés — cnil.fr). If you are resident in Spain, the competent authority is the AEPD (Agencia Española de Protección de Datos — aepd.es). Residents of other EU/EEA member states may contact their local data protection authority; a full list is available from the European Data Protection Board.
8. Cookie use
The Website uses a limited set of cookies, described in full in our dedicated Cookie Policy. In summary: a strictly necessary cookie stores your consent choice; Google Analytics 4 cookies are set only after you actively consent; Plausible Analytics does not use cookies at all.
9. Automated decision-making
Bestard Capital does not carry out any automated decision-making or profiling that produces legal effects concerning you, or that similarly significantly affects you, within the meaning of Article 22 GDPR.
10. Security measures
We apply appropriate technical and organisational measures to protect personal data, including: enforced HTTPS with TLS 1.3 encryption across the Website; secure hosting infrastructure with access controls; and restriction of access to personal data to personnel who require it for the purposes described in this policy.
11. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our data-processing practices or in applicable law. The date at the top of this page indicates when it was last revised. We encourage you to review this page periodically.
12. Contact and complaints
For any question regarding this privacy policy or our data-protection practices, or to exercise your rights, please contact us at info@bestardcapital.com. You also have the right to lodge a complaint with the CNIL (France), the AEPD (Spain), or the competent supervisory authority in your country of residence, as detailed in Section 7 above.