Montserrat Strategic Advisory

Privacy Policy & Data Processing Addendum

GDPR & LOPDGDD Compliant — Last Updated: 10 March 2026

Montserrat Strategic Advisory SL

Carrer de la Marina 16-18, 08005 Barcelona, Spain

Effective Date: 10 March 2026

This Privacy Policy and Data Processing Addendum ("DPA") form an integral part of the agreement between Montserrat Strategic Advisory SL ("MSA," "we," "us," or "our") and the Client, and supplement the Terms and Conditions. This document sets out how MSA collects, uses, stores, and protects Personal Data in connection with its B2B advisory and consulting services.

1. Definitions

1.1 "Personal Data," "Data Subject," "Controller," "Processor," and "Processing" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights ("LOPDGDD").

1.2 "Sub-Processor" means any third party engaged by MSA to process Personal Data on behalf of or in connection with the Services.

1.3 "Services" means the B2B strategic advisory, business architecture, structural consulting, digital platform access, and related offerings provided by MSA as described in the Terms and Conditions.

2. Controller Information

2.1 The Data Controller responsible for the processing of Personal Data is: Montserrat Strategic Advisory SL, Carrer de la Marina 16-18, 08005 Barcelona, Spain. CIF / NIF: To be provided. Contact: domenic.werners@montserrat-advisory.com.

2.2 For all inquiries relating to data protection, including the exercise of Data Subject rights, please contact: domenic.werners@montserrat-advisory.com.

2.3 The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain (www.aepd.es).

3. Roles and Relationship

3.1 MSA acts primarily as an independent Data Controller with respect to Personal Data collected in connection with the provision of its Services.

3.2 In limited circumstances where MSA processes Personal Data on behalf of the Client pursuant to the Client's specific documented instructions, MSA shall act as a Data Processor. In such cases, MSA shall process Personal Data only on documented instructions from the Client, unless required to do so by applicable European Union or Member State law.

3.3 Where MSA acts as both Controller and Processor in relation to different categories of data within the same engagement, the applicable role shall be determined by the nature and purpose of each specific processing activity.

4. Scope and Duration

4.1 Processing of Personal Data relates to the provision of B2B advisory, consulting, and digital platform services as described in the Terms and Conditions.

4.2 Processing shall continue for the duration of the contractual relationship and any applicable lawful retention periods thereafter as required by Spanish commercial, tax, and regulatory law.

5. Legal Bases for Processing

5.1 MSA processes Personal Data on the following legal bases pursuant to Article 6(1) GDPR: (a) performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b)); (b) compliance with a legal obligation to which MSA is subject, including Spanish tax, commercial, and accounting requirements (Article 6(1)(c)); (c) legitimate interests pursued by MSA, including business administration, fraud prevention, service improvement, and internal analytics, provided such interests are not overridden by the fundamental rights and freedoms of the Data Subject (Article 6(1)(f)); (d) consent, where explicitly obtained for specific processing activities such as marketing communications (Article 6(1)(a)).

5.2 Where processing is based on consent, the Data Subject may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6. Categories of Data Subjects

  • Clients and their authorized representatives
  • Client employees and team members with platform access
  • Prospective clients who engage with MSA's Services, including those booking sessions, registering for platforms, or submitting application forms
  • Website visitors

7. Categories of Personal Data

  • Identification data: name, business name, job title, professional role
  • Contact data: email address, phone number, business address
  • Access credentials: usernames, hashed passwords, authentication tokens
  • Billing metadata: invoices, payment references, transaction identifiers, SEPA mandate references (no credit card numbers are stored by MSA)
  • Communications: emails, messages, session recordings, call transcripts, meeting notes
  • Usage data: platform login times, content accessed, session attendance, feature usage
  • Business data shared during advisory sessions: revenue figures, business metrics, strategic information, operational data, organizational structures
  • Technical data: IP addresses, browser type, device information, cookies, and similar tracking technologies

8. Purposes of Processing

  • Delivery and performance of the contracted Services, including strategic advisory sessions and platform access
  • Platform access management, user authentication, and account administration
  • Billing, invoicing, and payment processing via QONTO, GoCardless, SEPA bank transfer, and card payment providers
  • Compliance with legal and regulatory obligations, including Spanish tax and commercial law
  • Documentation and quality assurance of advisory sessions, including AI-assisted transcription and analysis
  • Communication with Clients regarding service delivery, scheduling, and operational matters
  • Approved marketing communications where consent has been obtained
  • Improvement and development of Services, including internal analytics and AI-assisted tools
  • Fraud prevention, security monitoring, and enforcement of Terms and Conditions

9. AI-Assisted Processing

9.1 MSA utilizes artificial intelligence tools in connection with the delivery of its Services. These tools may include, but are not limited to, AI-powered transcription, content generation, data analysis, and strategic recommendation engines provided by third-party Sub-Processors including OpenAI (ChatGPT) and Anthropic (Claude).

9.2 AI-assisted tools may process Personal Data, including communications, session content, and business data shared during advisory engagements. MSA ensures that all AI Sub-Processors are bound by appropriate data processing agreements and that processing complies with GDPR requirements.

9.3 No automated decision-making with legal or similarly significant effects, as defined in Article 22 GDPR, is carried out by MSA. AI-generated outputs are used as advisory inputs only and are reviewed by MSA personnel before being delivered to Clients.

9.4 AI-generated outputs may contain inaccuracies. Clients remain solely responsible for verifying any AI-generated insights, analyses, or recommendations. MSA does not guarantee the accuracy, completeness, or fitness for purpose of any AI-generated output.

10. Sub-Processors

10.1 The Client provides general authorization for MSA to engage Sub-Processors for the purposes described in this Privacy Policy. MSA shall inform the Client of any intended changes to Sub-Processors by reasonable means (including email or platform notification) and give the Client the opportunity to object within fourteen (14) days.

10.2 MSA ensures that all Sub-Processors are bound by data processing agreements that impose obligations no less protective than those set out in this Privacy Policy and DPA.

10.3 Current Sub-Processors include:

Sub-Processor | Purpose | Location
Memberspot | Digital platform and member area | Germany (EU)
Google Workspace | Email, calendar, document storage, video conferencing (Google Meet) | EU/US (SCCs, DPF)
Calendly | Appointment scheduling | US (SCCs, DPF)
Close CRM | Client relationship management | US (SCCs)
Fireflies.ai | AI-powered meeting transcription | US (SCCs)
Loom | Video recording and sharing | US (SCCs, DPF)
OpenAI | AI language model (ChatGPT) for content analysis and generation | US (SCCs, DPF)
Anthropic | AI language model (Claude) for content analysis and generation | US (SCCs)
Notion | Internal documentation and project management | US (SCCs, DPF)
Slack | Internal and client communications | US (SCCs, DPF)
QONTO | Business banking and payment processing | France (EU)
GoCardless | SEPA direct debit payment processing | UK/EU (Adequacy Decision)
Wise | International payment processing | EU/UK (Adequacy Decision)
Netlify | Website hosting and content delivery | US (SCCs, DPF)

11. International Data Transfers

11.1 Personal Data may be processed outside the European Economic Area (EEA), including in the United States and the United Kingdom, by Sub-Processors listed above.

11.2 Where data is transferred outside the EEA, MSA ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, including: (a) European Commission adequacy decisions, including the EU-US Data Privacy Framework (DPF) where applicable; (b) Standard Contractual Clauses (SCCs) adopted by the European Commission; (c) other approved transfer mechanisms as recognized under GDPR.

11.3 MSA conducts transfer impact assessments where required and monitors changes to the legal frameworks governing international data transfers. The Client may request information regarding the specific safeguards applied to any international transfer by contacting MSA at domenic.werners@montserrat-advisory.com.

12. Security Measures

12.1 MSA implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or unlawful processing, as required by Article 32 GDPR. These measures include:

  • Encryption of data in transit (TLS/SSL) and at rest where technically feasible
  • Access controls and multi-factor authentication for all critical systems
  • Regular security reviews and due diligence assessments of Sub-Processors
  • Contractual and statutory confidentiality obligations for all personnel with access to Personal Data
  • Incident response and data breach notification procedures
  • Regular review and testing of security measures

13. Cookies and Tracking Technologies

13.1 MSA's website may use cookies and similar tracking technologies to ensure the proper functioning of the website, analyze usage patterns, and improve user experience. Cookies are categorized as: (a) strictly necessary cookies required for the operation of the website; (b) analytical cookies used to understand website usage (subject to consent where required by applicable law).

13.2 Users may manage cookie preferences through their browser settings. Disabling certain cookies may affect website functionality.

14. Data Retention

14.1 Personal Data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Retention periods are determined based on the nature of the data, the purposes of processing, and applicable legal requirements.

14.2 Upon termination of the contractual relationship, Personal Data shall be deleted or anonymized within a reasonable period, subject to applicable legal retention obligations. Under Spanish law, certain records must be retained for the following minimum periods: tax and accounting records: six (6) years (Código de Comercio, Art. 30); contractual documentation: five (5) years (Código Civil, Art. 1964); invoicing records: four (4) years (Ley General Tributaria).

15. Data Subject Rights

15.1 Data Subjects may exercise the following rights under GDPR Articles 15-22 and the LOPDGDD by contacting MSA at: domenic.werners@montserrat-advisory.com. These rights include: the right of access (Article 15); the right to rectification (Article 16); the right to erasure (Article 17); the right to restriction of processing (Article 18); the right to data portability (Article 20); the right to object to processing (Article 21); and the right not to be subject to automated individual decision-making (Article 22).

15.2 MSA shall respond to valid requests within thirty (30) days. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

15.3 Where MSA acts as Processor, it shall assist the Client in fulfilling Data Subject requests in accordance with Article 28(3)(e) GDPR.

15.4 Data Subjects have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or any other competent supervisory authority.

16. Data Breach Notification

16.1 In the event of a Personal Data breach, MSA shall notify the relevant supervisory authority (AEPD) within seventy-two (72) hours of becoming aware of the breach, where required by Article 33 GDPR.

16.2 Where the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, MSA shall also notify affected Data Subjects without undue delay in accordance with Article 34 GDPR.

16.3 Where MSA acts as Processor, it shall notify the Client (as Controller) of any Personal Data breach without undue delay after becoming aware of it, providing sufficient information to enable the Client to comply with its own notification obligations.

17. Confidentiality

17.1 All personnel authorized to process Personal Data are subject to contractual or statutory confidentiality obligations. MSA ensures that access to Personal Data is limited to those individuals who require it for the performance of their duties.

18. Liability

18.1 MSA's liability under this Privacy Policy and DPA is subject to the limitations set out in the Terms and Conditions. No additional liability arises from this document beyond what is stated in the Terms and Conditions, except to the extent that mandatory provisions of GDPR or applicable law require otherwise.

19. Client Data Accuracy

19.1 Clients are responsible for the accuracy and completeness of all information and Personal Data provided to MSA during the engagement. MSA is not responsible for outcomes, processing errors, or compliance failures resulting from inaccurate, incomplete, or misleading data provided by the Client.

20. Changes to this Privacy Policy

20.1 MSA reserves the right to update this Privacy Policy at any time. Material changes will be communicated via email or platform notification. Continued use of the Services after notification constitutes acceptance of the updated Privacy Policy.

21. Language

21.1 This Privacy Policy and DPA are available in English and Spanish. In the event of any discrepancy between the English version and any translation, the English version shall prevail.

22. Governing Law

22.1 This Privacy Policy and DPA are governed by the laws of the Kingdom of Spain and are subject to the exclusive jurisdiction of the courts of Barcelona, Spain.

23. Acceptance

23.1 This Privacy Policy and DPA are accepted upon acceptance of the Terms and Conditions, execution of an Offer Letter, or use of any MSA Service, whichever occurs first.

© 2026 Montserrat Strategic Advisory. All rights reserved.