In compliance with the provisions of Regulation (EU) 2016/679, General Data Protection Regulation (hereinafter, “GDPR”), Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (hereinafter, “LOPDGDD”), and Law 34/2002 on Information Society Services and Electronic Commerce (LSSICE), users of the website https://wearecloudworks.com/ and individuals who maintain a relationship with CLOUD WORKSPACES, S.L. are informed about the processing of their personal data.
The data controller is CLOUD WORKSPACES, S.L. (hereinafter, “CLOUDWORKS”), with Tax ID number B65071862 and registered office at Sardenya 229-237, Penthouse Floor, 08013 Barcelona, Spain.
For any matter related to this Privacy Policy, you may contact CLOUDWORKS at the following email address: privacy@wearecloudworks.com.
You may also contact the Data Protection Officer Auris Legal at xavi@auris.legal.
CLOUDWORKS processes personal data belonging to the following categories of data subjects: website users, individuals who make reservations or contract services, coworking members and pass holders, event attendees, visitors to the facilities, job applicants, suppliers, and collaborators.
CLOUDWORKS may process identification and contact data, professional data, billing and payment data, data derived from the contractual relationship, technical and browsing data, commercial preference data, images captured through video surveillance systems, data related to access control to facilities, and, exceptionally and voluntarily, biometric data consisting of fingerprints used to access the centers.
Personal data will be processed for the following purposes:
The management of room reservations, membership subscriptions, pass purchases, event organization, and the provision of coworking services is based on the performance of a contract or the application of pre-contractual measures at the request of the data subject, in accordance with Article 6.1.b GDPR.
The management of payments, invoicing, and compliance with tax, accounting, and administrative obligations is based on contractual performance and compliance with legal obligations applicable to the data controller, in accordance with Article 6.1.c GDPR.
The management of relationships with clients and members, including operational communications related to the contracted service, contractual updates, or incidents, is based on contract performance.
Access control to facilities through identification cards is based on the legitimate interest of CLOUDWORKS in ensuring the security of its facilities, employees, and users, in accordance with Article 6.1.f GDPR.
The exceptional processing of biometric data for access to facilities is based on the explicit consent of the data subject, in accordance with Article 9.2.a GDPR, which may be revoked at any time without retroactive effect.
Images captured through video surveillance systems installed in the centers are processed for the purpose of ensuring the security of people, property, and facilities, in accordance with Article 22 LOPDGDD and the legitimate interest of the controller.
The handling of inquiries submitted through web forms, email, or telephone is based on the legitimate interest of CLOUDWORKS in responding to information requests and, where applicable, on the application of pre-contractual measures.
The sending of commercial communications by electronic means regarding CLOUDWORKS’ own services will be carried out based on the prior consent of the data subject, in accordance with Article 21 LSSICE, except in the case of clients with a prior contractual relationship concerning similar services, where the legally established “soft opt-in” regime may apply.
The use of web analytics and security tools, including systems such as reCAPTCHA, aims to prevent fraud, automated access, or misuse of the platform and is based on the legitimate interest of the controller in ensuring the security of the website.
Within the “Work with us” section, data provided by candidates will be processed for the purpose of managing recruitment processes and evaluating applications, based on the application of pre-contractual measures. If the candidate expressly consents to being included in the CLOUDWORKS talent pool for future vacancies, the processing will be based on such consent.
Personal data will be retained for the time necessary to fulfill the purpose for which it was collected and subsequently for the legally established limitation periods.
Data related to the contractual relationship and invoicing will be retained for six years in accordance with the Spanish Commercial Code and other applicable regulations.
Video surveillance images will be retained for a maximum period of thirty days, unless they must be preserved to provide evidence of acts affecting the integrity of persons, property, or facilities.
Data processed for commercial purposes will be retained until the data subject withdraws consent or objects to the processing.
Candidate data will be retained for a maximum period of one year from receipt or from the moment consent is provided for inclusion in the talent pool.
Biometric data will be deleted when the relationship with the user ends or when consent is withdrawn.
Personal data may be communicated to financial institutions for payment management, to technology providers that provide hosting, maintenance, support, digital platform management, or cybersecurity services, and to public authorities where there is a legal obligation.
CLOUDWORKS contracts providers that act as data processors, entering into the corresponding agreements in accordance with Article 28 GDPR, ensuring the adoption of appropriate technical and organizational measures.
If certain technology providers are located outside the European Economic Area or use infrastructures located in third countries, international data transfers will only take place where adequate safeguards exist in accordance with Articles 44 and following of the GDPR.
In particular, these may rely on adequacy decisions adopted by the European Commission, adherence by the provider to the EU–US Data Privacy Framework, or the execution of Standard Contractual Clauses approved by the European Commission, together with the adoption of supplementary measures when necessary.
Data subjects may exercise at any time their rights of access, rectification, erasure, objection, restriction of processing, and data portability, under the terms provided in the GDPR.
CLOUDWORKS does not make decisions based solely on automated processing that produce legal effects or significantly affect the data subject.
However, within the scope of its commercial activities, CLOUDWORKS may perform basic segmentation based on geographical area, type of contracted service, or preferences expressed by the data subject, in order to send communications more aligned with their interests. Such segmentation does not produce legal effects nor constitute automated decision-making within the meaning of Article 22 GDPR.
Where processing is based on consent, such consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to its withdrawal.
Rights may be exercised by sending a request to privacy@wearecloudworks.com, clearly indicating the right you wish to exercise.
If CLOUDWORKS has reasonable doubts regarding the identity of the requester, it may request additional information necessary to verify it, in accordance with Article 12.6 GDPR.
If you consider that your rights have been violated, you may file a complaint with the Spanish Data Protection Agency (AEPD).
CLOUDWORKS applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, taking into account the nature of the data processed and the risks associated with the processing.
These measures include, among others, access controls to systems and facilities, permission management based on assigned roles, protection against unauthorized access, security measures in communications and data storage, as well as backup procedures and incident recovery mechanisms.
CLOUDWORKS also has internal protocols for managing security incidents and, where applicable, for notifying personal data breaches to the supervisory authority and to affected data subjects when legally required.
Access to personal data is limited to personnel and collaborators who need it for the performance of their duties, all of whom are subject to confidentiality obligations.
CLOUDWORKS reserves the right to modify this Privacy Policy whenever necessary to adapt it to legislative developments, case law, or changes in data processing operations. In the event of substantial modifications, data subjects will be duly informed.
Last updated: February 2026
