Privacy Policy
Last Updated: March 11, 2026
1. Introduction and Controller Identity
This Privacy Policy explains how V Y J MACHUCA SL (“we”, “our”, or “us”) collects, uses, and protects personal data when you visit or interact with our website (vyjmachuca.com) and when you contact us about educational programs, consulting, and workforce development services offered across Canada. We are committed to transparent practices and to complying with applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR where relevant, and Canadian privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws.
Data Controller: V Y J MACHUCA SL, C/ de Francisco Silvela, 44, Salamanca, 28028 Madrid, Spain. For any privacy question or request, please contact: [email protected]. We do not currently appoint a Data Protection Officer. If that changes, we will update this Policy.
2. Personal Data We Collect
We collect only the information necessary to provide and improve our educational services and to respond to your inquiries:
- Identity and contact data: name, email address, phone number, organization, role or job title (if provided).
- Form content: program interests, messages you send us, objectives, timelines, team size, and other details you choose to include.
- Program administration data: enrollment preferences, scheduling availability, and correspondence related to program setup and participation.
- Technical data: IP address, device and browser type, operating system, language settings, and general location inferred from IP (city/region level).
- Usage data: pages viewed, referring pages, timestamps, session duration, and click paths on our site.
- Cookies and identifiers: essential session cookies, consent preferences, and (with consent) analytics and marketing identifiers. See Section 4 and our Cookie Policy.
- Conversion and communications data: records of messages, responses, and internal notes relating to service provisioning.
We do not collect special category data (such as health, biometric, political, religious, or union membership data), government IDs, or financial account numbers through our public site. If invoicing is required, limited billing contact details are processed under standard business records obligations.
3. Why We Process Personal Data and Legal Bases
- Responding to inquiries and providing information: to answer questions, send program outlines, and coordinate next steps. GDPR legal basis: Art. 6(1)(b) performance of a contract or steps at your request; and Art. 6(1)(a) consent where applicable.
- Program administration and service delivery: to schedule sessions, share materials, and manage participation. Legal basis: Art. 6(1)(b).
- Analytics (with consent): to understand how our site is used and improve content and navigation. Legal basis: Art. 6(1)(a).
- Marketing and remarketing (with consent): to measure campaign performance and reach similar audiences where permitted. Legal basis: Art. 6(1)(a). In Canada, we also comply with CASL for commercial electronic messages.
- Security and fraud prevention: to detect abuse, maintain system integrity, and protect our rights. Legal basis: Art. 6(1)(f) legitimate interests.
- Legal and tax compliance: to comply with record-keeping and other legal obligations. Legal basis: Art. 6(1)(c).
Automated Decision-Making: We do not make decisions that produce legal or similarly significant effects solely using automated processing. No profiling for such effects occurs.
4. Cookies and Similar Technologies
Our site uses cookies and similar technologies. We group them into three categories that align with our Cookie Policy and on-page consent controls:
- Essential: required for core functionality (e.g., session continuity and consent storage). These operate without consent.
- Analytics (consent-based): Google Analytics 4 (GA4) with IP anonymization to understand site usage. Typical cookies include _ga and _ga_XXXXXXXXXX (2-year lifetime).
- Marketing (consent-based): identifiers supporting remarketing and attribution, such as _gcl_au and, where used, Meta Pixel identifiers _fbp/_fbc (generally 90 days).
You can manage preferences at any time through the “Manage cookie preferences” link in our footer. Essential cookies cannot be disabled because the site would not function correctly without them.
5. Consent for Visitors in the EEA and UK
Users in the EEA and UK are shown a consent banner. Analytics and marketing cookies activate only after explicit consent. Your choice is stored in the cookie_consent cookie for up to 12 months. You can withdraw consent at any time via the footer link or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing before withdrawal.
6. Sharing with Service and Advertising Partners
We share personal data with third parties only as needed to operate our site and deliver services. These parties act as service providers (processors) or, for advertising, as independent recipients under their own terms. We do not sell personal data.
- Google LLC: GA4, Google Ads, and related tools for analytics and advertising. Data may include cookie IDs, usage metrics, and conversions. See Google’s Privacy Policy (policies.google.com/privacy).
- Meta Platforms, Inc.: where used, the Meta Pixel and related services for measurement and audience tools. Data may include page views, conversions, and hashed identifiers. See facebook.com/privacy/policy.
- Cloud infrastructure and security providers: content delivery, threat detection, and availability (e.g., a CDN). Providers process IP addresses and technical data to protect the site.
We require our service providers to use personal data only to provide contracted services and to apply appropriate security measures. We do not permit them to use site data for their independent commercial purposes.
7. International Data Transfers
Where data are transferred outside the EEA/UK (for example, to the United States for Google or Meta), we rely on recognized safeguards, including the EU–US Data Privacy Framework and its UK/Swiss extensions or, where required, the EU Standard Contractual Clauses (2021/914) or the UK International Data Transfer Addendum. We monitor legal developments and will adjust mechanisms as needed.
8. Retention Periods
- Contact and inquiry records: 2 years from the last interaction, unless required longer for legal reasons.
- Analytics data: generally 14 months in GA4 (subject to consent).
- Marketing identifiers: retained per cookie lifetime (e.g., 90 days for certain advertising cookies) and internal logs.
- Email correspondence: duration of the active relationship plus 1 year.
- Server logs: typically 90 days for security and troubleshooting.
- Cookie consent record: up to 3 years for audit purposes.
- Legal and tax records: retained as required by law (often 6–10 years, depending on jurisdiction).
9. Your Rights
Depending on your location, you may have rights under GDPR/UK GDPR and Canadian law, including: access, rectification, erasure, restriction of processing, portability, and objection to processing; withdrawal of consent when processing is based on consent; and the right to lodge a complaint with a supervisory authority. To exercise these rights, email [email protected]. We will respond within 30 days, or as otherwise required by law. Identity verification may be necessary before we act on your request.
If you are in the EU or UK, your supervisory authority is typically your place of residence. If you are in Canada, you may contact the Office of the Privacy Commissioner of Canada or a relevant provincial authority. Contact details for authorities can be found on their official websites.
10. Children’s Privacy
Our site and services are intended for adults and for organizations arranging training for their personnel. We do not knowingly collect personal data from individuals under 16. If we learn that data from a minor under 16 were collected without verifiable parental consent, we will delete it promptly.
11. Do Not Track
Our website does not currently respond to browser-initiated “Do Not Track” (DNT) signals. Third-party providers may have their own approaches to DNT. You can manage analytics and marketing preferences using our on-site cookie controls and your browser settings.
12. Security Measures
We implement administrative, technical, and physical safeguards designed to protect personal data, including HTTPS encryption in transit, access controls, least-privilege principles, and routine monitoring. While we maintain commercially reasonable security, no method of transmission or storage is completely secure. If we detect a security incident that poses a risk to your rights, we will follow applicable notification requirements.
13. Canadian Privacy Considerations
For individuals in Canada, we follow PIPEDA’s principles of accountability, identifying purposes, consent, limiting collection, limiting use, disclosure, and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Where provincial private sector laws apply (for example, in Quebec), we will address additional requirements such as transparency about cross-border transfers, privacy impact considerations for new projects, and responding to access requests within mandated timelines. Commercial electronic messages will comply with CASL, including consent and unsubscribe mechanisms.
14. California Consumer Privacy (CCPA/CPRA)
If you are a California resident, the following applies in addition to the information above. In the last 12 months, we may have disclosed the following categories for business purposes to service providers and advertising partners: identifiers (e.g., name, email, IP address, cookie IDs), internet or network activity information (e.g., browsing and usage data), and inferences (e.g., general interest segments created by advertising platforms). We do not sell personal information as defined by California law. We may “share” personal information for cross-context behavioral advertising only when you provide consent via our cookie controls.
California rights include: to know, delete, correct, and opt out of sale/sharing; and to be free from discrimination for exercising your rights. To submit a request, email [email protected] with the subject “California Privacy Request.” If using an authorized agent, we may require proof of authorization and identity verification.
15. Virginia Consumer Data Protection Act (VCDPA)
Virginia residents may request access, correction, deletion, and portability of personal data and may opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects. To exercise rights, email us with the subject “Virginia Privacy Request.” If we decline your request, you may appeal by emailing us with the subject “Appeal of Refusal — Privacy Request.” We will respond within the required timeframe. If unresolved, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified request to opt out of the sale of covered information by emailing [email protected] with the subject “Nevada Do Not Sell Request.” We do not currently sell personal information as defined by Nevada law.
17. Business Transfers
If our business undergoes a merger, acquisition, reorganization, asset sale, financing, or insolvency, personal data may be transferred to a successor entity subject to this Policy. If material changes to data use occur, we will provide a notice on our website before new uses take effect.
18. How to Exercise Your Rights and Contact Us
To access, correct, delete, or obtain a copy of your data—or to withdraw consent—please email [email protected]. To help us locate your records, include your name, the email address used on our site, and a clear description of your request. We will verify identity before acting and will respond within legally required timeframes.
Postal inquiries may be sent to: V Y J MACHUCA SL, C/ de Francisco Silvela, 44, Salamanca, 28028 Madrid, Spain.
19. Changes to This Policy
We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. Material changes will be announced on our homepage at least 14 days before they take effect. The “Last Updated” date at the top of this page indicates the most recent revision.
20. Summary of Cookies and Identifiers
Below is a non-exhaustive summary aligned with our Cookie Policy:
- _site_session — site session continuity, Essential, first-party, session.
- cookie_consent — stores your consent choice, Essential, first-party, 12 months.
- _ga — GA4 user identifier, Analytics, third-party, 2 years (consent-based).
- _ga_XXXXXXXXXX — GA4 session state, Analytics, third-party, 2 years (consent-based).
- _gcl_au — Google Ads conversion linker, Marketing, third-party, 90 days (consent-based).
- _fbp / _fbc — Meta identifiers, Marketing, third-party, ~90 days (consent-based, if used).
To control cookies, use our on-site preferences panel (footer link) and your browser settings. For more detail, see our dedicated Cookie Policy. For terms governing site use, see our Terms.