Last updated: 17 May 2026 · Version: 2.1
This is a translation of our Spanish Privacy Policy provided for informational purposes. In the event of any discrepancy between the English and Spanish versions, the Spanish version prevails.
1. Commitment to privacy
The Optimal Flow, S.L. ("The Optimal Flow", "we", or "the Controller") considers privacy, information security, and responsible use of data to be essential elements of its professional activity.
This Privacy Policy explains how we process personal data collected through the website theoptimalflow.com, its subdomains, forms, meeting-booking tools, commercial channels, professional communications, and other media related to our activity.
The Optimal Flow provides B2B services in systems consulting, process automation, applied artificial intelligence, digital operations design, SaaS tool implementation, and workflow optimisation. In some projects, The Optimal Flow may process personal data on behalf of its clients. In such cases, it acts as a data processor and the processing is governed by the corresponding processing agreement under Article 28 GDPR.
This Policy has been drafted in accordance with Regulation (EU) 2016/679 ("GDPR"), Spanish Organic Law 3/2018 ("LOPDGDD"), Spanish Law 34/2002 ("LSSI-CE"), and, where applicable, Regulation (EU) 2024/1689 on Artificial Intelligence.
2. Data Controller
| Detail | Information |
|---|---|
| Corporate name | The Optimal Flow, S.L. |
| Tax ID (NIF/CIF) | B26922724 |
| Registered office | Calle de Núñez de Balboa, 120, 28006 Madrid (Spain) |
| Telephone | +34 911 676 271 |
| Privacy email | info@theoptimalflow.com |
The Optimal Flow has not designated a Data Protection Officer, as it does not, at the date of this Policy, meet the legally mandatory grounds set out in Article 37 GDPR and Article 34 LOPDGDD. Any privacy-related matter may be directed to the email address indicated above.
3. Principles applied to processing
The Optimal Flow processes personal data in accordance with the principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
We only request and process the data necessary for each purpose. Where a purpose requires consent, it will be requested in a specific, informed, and unambiguous manner.
4. User warranties
The user warrants that the personal data provided is true, accurate, complete, and up-to-date. When providing personal data of third parties, the user declares to have sufficient legitimacy to do so and to have previously informed those third parties of the content of this Policy.
The Website is not directed at minors. The Optimal Flow does not knowingly collect or process data of minors. If it becomes aware of unauthorised collection of a minor's data, it will proceed to delete it without delay.
Users are advised not to include sensitive data, confidential information, trade secrets, or personal data of third parties in forms, messages, open fields, or interactive tools, unless strictly necessary for the inquiry and with sufficient legitimacy.
5. Processing activities
5.1. Inquiries, contact forms, and information requests
| Aspect | Detail |
|---|---|
| Purpose | Respond to inquiries, information requests, quote requests, messages sent through forms, or communications received through professional channels. |
| Legal basis | Performance of pre-contractual measures at the data subject's request (Art. 6.1.b GDPR) and legitimate interest in responding to professional inquiries about our services (Art. 6.1.f GDPR). |
| Data processed | First name and surname, company, role, professional email, telephone, message content, and information related to the need or project raised. |
| Retention | For the time needed to address the inquiry and, if no further relationship begins, for up to one additional year. If the inquiry results in a commercial opportunity, CRM processing will apply. |
5.2. Meeting booking and management
| Aspect | Detail |
|---|---|
| Purpose | Schedule, manage, and run discovery calls, commercial meetings, follow-up meetings, demos, interviews, or sessions related to The Optimal Flow's services. |
| Legal basis | Performance of pre-contractual measures or contract performance where the meeting is part of an ongoing project (Art. 6.1.b GDPR). |
| Data processed | First name, surname, professional email, company, role, telephone, selected date and time, timezone, answers to pre-call questions, calendar metadata, and associated communications. |
| Retention | Until opportunity closure or, for clients, during the contractual relationship and applicable legal periods. |
The Optimal Flow may use calendar and videoconferencing tools to manage meetings, including pages such as call.theoptimalflow.com or booking links from external providers. If a meeting is recorded or transcribed, participants will be informed and, where necessary, express consent will be requested at the start of the session.
5.3. Commercial management, CRM, and relationships with prospective clients
| Aspect | Detail |
|---|---|
| Purpose | Manage professional contacts, commercial opportunities, proposals, follow-ups, interaction history, internal segmentation, and coordination of the B2B sales cycle. |
| Legal basis | For prospective clients, legitimate interest in B2B commercial development, particularly regarding professional contact data under Article 19 LOPDGDD (Art. 6.1.f GDPR). For clients, contract performance (Art. 6.1.b GDPR). |
| Data processed | First name, surname, company, role, professional email and telephone, history of emails, calls, meetings, forms, downloads, events, proposed solution or stated need, sales stage and, where applicable, internal scoring or segmentation. |
| Retention | While there is an active relationship or ongoing legitimate interest. For inactive prospects, generally up to three years from the last effective contact, unless objection or a basis justifying additional retention applies. |
5.4. Service delivery and project management
| Aspect | Detail |
|---|---|
| Purpose | Deliver contracted services, coordinate projects, manage tool access, document processes, implement systems, automations, or integrations, and provide support. |
| Legal basis | Performance of the contract entered into with the client entity (Art. 6.1.b GDPR). When The Optimal Flow processes data on behalf of the client, it acts as a data processor under Article 28 GDPR. |
| Data processed | Identification and professional contact data of stakeholders, technical and operational data needed for the project, credentials or access when essential, configurations, integrations, and data contained in client systems where applicable. |
| Retention | During the contract term and, subsequently, during applicable statute-of-limitation periods. Accounting and commercial documentation may be retained for up to six years under the Spanish Commercial Code. |
5.5. Invoicing, accounting, and legal obligations
| Aspect | Detail |
|---|---|
| Purpose | Issue invoices, manage collections, keep accounts, and comply with tax, commercial, and administrative obligations. |
| Legal basis | Compliance with legal obligations (Art. 6.1.c GDPR). |
| Data processed | Identifying, fiscal, accounting, banking, and contact data necessary for the economic relationship. |
| Retention | Four years for tax obligations and six years for accounting and commercial documentation, without prejudice to longer periods required by regulation or claims. |
5.6. Commercial electronic communications
| Aspect | Detail |
|---|---|
| Purpose | Send information about services, educational content, newsletters, events, invitations, news, use cases, or commercial communications related to The Optimal Flow. |
| Legal basis | Express consent of the data subject (Art. 6.1.a GDPR and Art. 21.1 LSSI-CE) or, for existing clients, the exception under Art. 21.2 LSSI-CE for similar products or services to those contracted, always with an opt-out. |
| Data processed | First name, surname, professional email, company, declared preferences, and basic interaction history with communications. |
| Retention | Until the data subject withdraws consent, objects to processing, or requests removal. |
All commercial communications will include a simple and free opt-out or objection mechanism.
5.7. B2B commercial prospecting
The Optimal Flow may carry out commercial prospecting addressed to professionals or company representatives who may have a reasonable interest in its services.
| Aspect | Detail |
|---|---|
| Purpose | Identify and contact potential B2B clients, present professional services, and assess possible collaboration opportunities. |
| Legal basis | Legitimate interest in B2B commercial development (Art. 6.1.f GDPR), limited to professional contact data under Article 19 LOPDGDD, without prejudice to compliance with LSSI-CE for commercial electronic communications. |
| Source of data | Publicly accessible professional sources, corporate websites, professional profiles, references, events, networking, or specialised providers with guarantees regarding the lawful origin of data. |
| Safeguards | Clear information at first contact, easy objection, immediate deletion upon objection, data minimisation, and periodic review of contact relevance. |
Commercial electronic communications will be sent in compliance with LSSI-CE requirements, either on the basis of consent or in legally permitted scenarios, such as the existence of a prior contractual relationship for similar services. Where applicable, The Optimal Flow will take into account advertising exclusion systems such as the Spanish Robinson List.
5.8. Events, webinars, and educational activities
| Aspect | Detail |
|---|---|
| Purpose | Manage registration, attendance, communications, reminders, follow-up, and participation in events, webinars, workshops, meetups, or activities organised or co-organised by The Optimal Flow. |
| Legal basis | Performance of the data subject's registration or request (Art. 6.1.b GDPR), consent for non-necessary communications, and legitimate interest in managing the activity and its professional community. |
| Data processed | First name, surname, company, role, email, preferences, attendance, participation, and event-related interactions. |
| Retention | During event management and, subsequently, for the time needed to evidence participation, address inquiries, or maintain a professional relationship, unless objection. |
If photos, videos, or recordings of events are taken for external communication purposes, attendees will be visibly informed and consent will be obtained where necessary.
5.9. Cookies and similar technologies
The use of cookies, pixels, tags, and similar technologies is governed by the Cookie Policy, permanently accessible from the Website.
5.10. Social networks and professional communities
The Optimal Flow may maintain corporate profiles on social networks or professional platforms such as LinkedIn, Instagram, YouTube, X/Twitter, or others. When a user interacts with these profiles, their data is processed both by The Optimal Flow, regarding community management, and by the corresponding platform, under its own privacy policies.
5.11. Rights handling and complaints
| Aspect | Detail |
|---|---|
| Purpose | Manage rights requests, privacy inquiries, complaints, legal requirements, or communications from authorities. |
| Legal basis | Compliance with legal obligations (Art. 6.1.c GDPR) and legitimate interest in defending rights and legitimate interests (Art. 6.1.f GDPR). |
| Retention | For the time needed to process the request and, subsequently, at least three years to evidence proper handling. |
6. Confidentiality of business and technical information
The Optimal Flow may receive business, technical, operational, or strategic information from prospective clients and clients, including internal processes, tools used, automation needs, workflows, documentation, integrations, incidents, or information about corporate systems.
Such information will be treated as confidential and used solely to analyse the request, prepare proposals, deliver services, coordinate projects, or maintain the corresponding professional relationship. This obligation is without prejudice to confidentiality agreements, data processing agreements, or other contractual documents that may be entered into.
7. Source of data
Data generally comes directly from the data subject or from the entity for which they provide services. It may also come from prior commercial communications, meetings, events, forms, calendar tools, professional networks, publicly accessible corporate sources, professional references, or B2B providers with guarantees regarding the lawful origin of data.
The categories of data obtained from sources other than the data subject will generally be limited to identifying and professional contact data, company, role, and relevant professional context.
8. Recipients and providers
The Optimal Flow does not sell personal data or transfer it to third parties for their own purposes, except by legal obligation or with the data subject's consent.
To provide its services and manage its activity, The Optimal Flow may rely on providers that process personal data on its behalf as data processors, bound by contract under Article 28 GDPR.
| Provider or category | Service | Main location | Applicable safeguards |
|---|---|---|---|
| HubSpot | CRM, forms, marketing automation, and meetings | EU / United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Apollo.io | B2B identification of visiting companies via reverse-IP, professional contact enrichment, and support for commercial prospecting | United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Vercel | Hosting, deployment, and web infrastructure | United States / global network | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Google Workspace, email, calendar, storage, analytics, or tags | EU / United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses | |
| n8n | Process automation | EU | Processing agreement and intra-EU safeguards |
| Make | Workflow automation | EU | Processing agreement and intra-EU safeguards; additional safeguards for sub-processors outside the EEA if applicable |
| Zapier | Workflow automation | United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Relay.app | AI automation | United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Stripe | Payment processing | EU / United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Slack | Internal and client communications where applicable | United States / EU regions | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| Notion | Documentation, knowledge management, and project coordination | United States | Processing agreement, DPF where applicable, and Standard Contractual Clauses |
| AI providers | Support in analysis, automation, documentation, or assisted generation | EU / United States or other locations | Processing agreement, transfer safeguards, and adequate privacy configuration |
| Tax, accounting, and legal advisors | Compliance with legal, tax, and accounting obligations | Spain / EU | Processing agreement or applicable legal basis |
| Public authorities, courts, and tribunals | Compliance with legal obligations | Spain / EU | Legal obligation |
The list above reflects the main categories of providers that may participate. The Optimal Flow will keep this information up to date based on the tools actually used.
9. International data transfers
Some providers may be located outside the European Economic Area or use sub-processors located in third countries, especially the United States.
When international transfers occur, The Optimal Flow will apply one of the mechanisms provided in Chapter V of the GDPR, including European Commission adequacy decisions, the EU-U.S. Data Privacy Framework where the provider is certified, Standard Contractual Clauses approved by the European Commission, and, where appropriate, additional technical and organisational measures.
Data subjects may request additional information about applicable safeguards by writing to info@theoptimalflow.com.
10. Automated decision-making and profiling
The Optimal Flow may use CRM or marketing tools that generate internal segmentations, tags, commercial scores, or lead scoring to prioritise follow-up with professional contacts.
These processes do not produce legal effects or significantly affect the data subject within the meaning of Article 22 GDPR. They do not automatically determine the conclusion or denial of contracts but serve as support for the internal organisation of the commercial team.
If, in the future, fully automated decisions with legal or significantly similar effects were implemented, The Optimal Flow will expressly inform the data subject and guarantee applicable rights.
11. Use of artificial intelligence
The Optimal Flow may use AI systems, including language models and intelligent automation tools, as support for its professional activity. These systems may be used to document processes, analyse client-supplied information, generate drafts, classify requests, assist in building automations, improve content, or support internal tasks.
When the Website includes conversational assistants, intelligent forms, automated diagnostics, or any AI-based functionality with direct user interaction, visible notice will be given before or at the start of the interaction.
Content sent to AI systems may incidentally include personal data provided by the user. Such data will be processed solely to address the inquiry, deliver the service, or execute the corresponding purpose, and will not be used to train third-party models without an adequate legal basis.
The Optimal Flow will apply reasonable measures to minimise data sent to AI providers, configure tools in a privacy-compatible manner, and human-review results before using them in relevant contexts.
The user must not enter sensitive data, confidential information, or personal data of third parties into AI tools, forms, or open fields unless necessary and with sufficient legitimacy.
12. Data retention and blocking
Data will be retained for the time needed to fulfil the purpose for which it was collected and, subsequently, during applicable statute-of-limitation periods.
Where data must be deleted, it may remain blocked for the time needed to address potential civil, commercial, tax, administrative, or criminal liabilities, under Article 32 LOPDGDD. During blocking, data will not be processed for ordinary purposes and will only be available to competent authorities, judges, courts, the Public Prosecutor, or Public Administrations.
Once limitation periods have elapsed, data will be irreversibly deleted or anonymised.
13. Rights of data subjects
Individuals whose data is processed by The Optimal Flow may exercise the following rights:
- Access: know whether we process their data and obtain information about the processing.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of data where applicable.
- Objection: object to processing based on legitimate interest and, in any case, to receiving commercial communications.
- Restriction of processing: request limitation of processing in legally provided scenarios.
- Portability: receive provided data in a structured format where applicable.
- Withdrawal of consent: withdraw at any time the consent granted, without affecting the lawfulness of prior processing.
- Not to be subject to automated decisions with legal or significantly similar effects under Article 22 GDPR.
13.1. How to exercise rights
The data subject may exercise their rights by writing to info@theoptimalflow.com or by postal mail to the registered office address indicated in this Policy. The request must adequately identify the applicant and indicate the right being exercised.
The Optimal Flow will respond within a maximum of one month from receipt of the request, extendable by two additional months in cases of particular complexity, informing the data subject of such extension and its reasons.
13.2. Complaint before the supervisory authority
If the data subject believes that the processing of their data does not comply with regulation, they may file a complaint with the Spanish Data Protection Agency:
- Website: www.aepd.es
- Electronic office: sedeagpd.gob.es
- Postal address: C/ Jorge Juan, 6, 28001 Madrid
14. Information security
The Optimal Flow applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where applicable, encryption of communications, multi-factor authentication, access control based on least privilege, backups, provider management, logging and monitoring, internal training, periodic risk review, and incident management procedures.
In the event of a personal data security breach, The Optimal Flow will act in accordance with Articles 33 and 34 GDPR, notifying the Spanish Data Protection Agency where applicable and communicating the incident to data subjects where there is a high risk to their rights and freedoms.
15. Mandatory or optional nature of data
Data requested in forms will be mandatory when indicated as necessary to address the corresponding request. Refusal to provide mandatory data may prevent the processing of the inquiry, meeting booking, request, or service delivery.
16. Modifications of the Privacy Policy
The Optimal Flow may modify this Policy to adapt to regulatory changes, supervisory authority criteria, service evolution, Website changes, or the addition of new tools or processing activities.
Where changes are substantial, they will be communicated via visible notice on the Website or, where appropriate, by direct communication to data subjects.
Document drafted in accordance with the GDPR, LOPDGDD, LSSI-CE, and other applicable regulations on data protection, information society services, and artificial intelligence.