1. Our commitment to GDPR
Intrabase, developed by Opengea SCCL, has been designed from day one with data protection as a guiding principle. We do not consider the GDPR a regulatory burden, but an opportunity to demonstrate our respect for the digital rights of our users.
We fully comply with Regulation (EU) 2016/679 (General Data Protection Regulation) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
2. Data Protection Officer
For any matter related to the protection of personal data, you can contact our Data Protection Officer (DPO):
The DPO is the point of contact between the organisation, data subjects and the Spanish Data Protection Agency (AEPD).
3. Data processing register
We maintain an up-to-date register of all personal data processing activities, as required by Article 30 of the GDPR. This register includes:
- Purpose of each processing activity.
- Categories of personal data processed.
- Categories of recipients.
- Planned retention periods.
- Security measures applied.
You can request information about the processing activities register by contacting our DPO.
4. Security measures
Encryption
- In transit: All communications between your device and our servers are encrypted with TLS 1.3.
- At rest: Data stored on our servers is encrypted with AES-256.
- Passwords: Passwords are stored using bcrypt hashing, never in plain text.
Access controls
- Role-based access with the principle of least privilege.
- Two-factor authentication (2FA) available for all accounts.
- Audit logging of all system access.
- Periodic review of permissions and access.
Infrastructure
- Servers hosted in data centres in Barcelona and ISO 27001-certified data centres in Germany and Finland.
- Encrypted daily backups.
- Continuous 24/7 infrastructure monitoring.
- Security updates applied regularly.
5. Data breach notification procedure
In the event of a personal data security breach, we follow a strict procedure:
- Detection and containment: Immediate action to contain the breach and prevent further damage.
- Assessment: Analysis of the scope, nature and consequences of the breach.
- Authority notification: Notification to the AEPD within a maximum of 72 hours, as required by Article 33 of the GDPR.
- Data subject notification: If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected persons without undue delay (Article 34 of the GDPR).
- Documentation: Complete record of the breach, its consequences and the corrective measures adopted.
6. Privacy by design and by default
We apply the principles of Article 25 of the GDPR throughout the entire development lifecycle:
- Data minimisation: We only collect the data strictly necessary for each purpose.
- Default settings: The most restrictive privacy options are applied by default.
- Pseudonymisation: Where possible, data is pseudonymised to reduce risk.
- Automatic deletion: Temporary data is automatically deleted when no longer needed.
- Continuous review: Each new feature undergoes a data protection impact assessment where necessary.
7. Sub-processors
We work with a minimum number of sub-processors, all located within the European Union:
- Intergrid (Barcelona) — Cloud hosting and infrastructure provider.
We do not use any other sub-processors. We do not share data with analytics services, advertising, CDNs or any other external provider.
8. International transfers
We do not carry out international data transfers. All personal data is stored and processed exclusively within the European Union, specifically on servers located in Barcelona, Germany and Finland.
Should an international transfer become necessary in the future, it would only be carried out with the appropriate safeguards provided for in Chapter V of the GDPR.
9. Contact
For any enquiry related to GDPR compliance or the protection of your personal data:
Last updated: March 2026