Legal document
Privacy policy
Last updated: 20 May 2026 · Version 1.0 · Non-binding English translation; authoritative version: Spanish original.
At QuantumZIGMA we process the personal data you provide us with the utmost respect for applicable legislation, in particular EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
This policy describes who is responsible for the processing, what data we collect, for what purpose, on what legal basis, how long we keep it, with whom we share it, and what your rights are.
1. Data controller
Tax ID (NIF) [Spanish tax ID will be added upon operational registration]
Address Lleida, Spain
Email privacy@quantumzigma.com
Affiliated entity Quantum ZIGMA LLC (Florida, USA · incorporated July 2025 · no active commercial operations at present)
Rosford SLU acts as data controller for the personal data collected via this website and the contractual relationship with clients and prospects in the European Union. Quantum ZIGMA LLC is an entity incorporated in Florida since July 2025, currently dedicated to technological infrastructure, intellectual property and future international expansion. It does not conduct direct commercial operations with clients in the current phase; client activity is channelled through Rosford SLU in Spain. If, in the future, Quantum ZIGMA LLC begins operations with international data subjects, this policy will be updated and, where applicable, the joint-controllership arrangement provided for in Article 26 GDPR will be signed.
2. Categories of data processed
We process exclusively the following categories of personal data:
- Identifying data: first name, last name, professional role, company.
- Contact data: professional email address, professional phone number.
- Technical project data: historical energy consumption, configuration of industrial facilities, process data (these data usually refer to the client company and not to individuals, except where the contact is self-employed).
- Browsing data: IP address, browser type, pages visited and duration (with the specific legal basis detailed in the Cookies Policy).
We do not collect special categories of data (health, ideology, religion, sexual orientation, etc.) nor data about minors. If we detect that a minor's data has been collected by mistake, we will delete it immediately.
3. Purposes of processing
- Managing your request for information: responding to technical, commercial or methodology-related enquiries.
- Contract execution: providing energy auditing, optimisation, M&V and CAE/PERTE filing services.
- Compliance with regulatory obligations: issuing IPMVP reports, filing applications with IDAE and other administrations, retention of tax and commercial documentation.
- Relevant commercial communication: sending technical information about our services where legitimate interest or prior consent exists (you may opt out at any time).
- Website improvement: anonymised statistical analysis of site usage (no third-party cookies — see Cookies Policy).
4. Legal basis
- Contractual performance (Art. 6.1.b GDPR): for the provision of contracted services.
- Legal obligation (Art. 6.1.c GDPR): compliance with Spanish tax (LGT 58/2003), commercial (Commercial Code) and energy-sector-specific regulations (RD 56/2016, RD 36/2023 and CAE/PERTE rules).
- Legitimate interest (Art. 6.1.f GDPR): to respond to enquiries received and for proportionate B2B commercial management. The corresponding balancing test has been carried out.
- Consent (Art. 6.1.a GDPR): when you accept to receive commercial communications or when required by cookie regulations.
5. Retention period
We will keep your data for the following periods:
- Enquiries with no subsequent contracting: 12 months from the last contact, unless consent is withdrawn earlier.
- Signed contracts: during the term of the contract and afterwards for the legal retention periods (6 years for tax purposes, 10 years for M&V documentation under IPMVP best practices).
- Accounting and tax data: 6 years (Art. 30 Spanish Commercial Code).
- Energy audit and CAE data: 10 years from issuance, term established by sector-specific regulations.
6. Recipients
We do not share your data with third parties except:
- Legal obligation: Spanish Tax Agency, IDAE, the Autonomous Communities competent for energy efficiency, and judicial or administrative authorities upon request.
- Data processors: contracted technology providers (web hosting, email, document management tools) that have signed the corresponding Data Processing Agreement under Article 28 GDPR. The current list is available upon request at privacy@quantumzigma.com.
- External energy auditor on projects where legislation requires it, exclusively for M&V methodology validation.
No international data transfers outside the European Economic Area (EEA) are performed, except to those technology providers certified under the EU-US Data Privacy Framework or with EU Commission-approved standard contractual clauses.
7. Data subject rights
As the data owner, you have the right to:
- Access your personal data that we process.
- Rectify inaccurate or incomplete data.
- Erase data when no longer necessary or when consent is withdrawn.
- Object to processing based on legitimate interest.
- Restrict processing in the cases provided by law.
- Portability: receive your data in a structured, commonly used format.
- Not be subject to automated decisions with legal effects (we do not perform automated profiling).
- Withdraw consent at any time without retroactive effect.
To exercise any of these rights, send us an email to privacy@quantumzigma.com clearly stating the right you wish to exercise and attaching a copy of an identification document. We will resolve your request within a maximum period of one month (extendable to two additional months in complex cases).
If you consider that the processing does not comply with the regulations, you have the right to file a complaint with the Spanish Data Protection Agency (www.aepd.es), C/ Jorge Juan 6, 28001 Madrid, without prejudice to any other administrative or judicial route.
8. Security measures
We apply the technical and organisational measures provided for in Art. 32 GDPR to ensure the confidentiality, integrity and availability of data. In particular: TLS 1.3 encryption in transit, role-based access control, regular backups, incident logging and periodic staff training.
9. Modifications
We may update this policy to adapt it to regulatory changes or service evolution. The current version will always be published at this URL with the date of the last update. If changes affect consent-based processing, we will notify you by email before they take effect.